{"product_id":"supply-chain-cyber-security-risk-management","title":"Supply Chain Cyber Security Risk Management","description":"\u003cdiv\u003e\u003cp\u003eThis course provides an introduction to fundamental \u003cstrong\u003ecybersecurity risk management\u003c\/strong\u003e concepts and how they are applied to modern supply chains. Attendees will learn how to identify critical suppliers, assess risk in third and fourth-party relationships, and identify mitigation strategies. The course covers risks associated with hardware, software, and services acquired from external sources, and attendees will learn strategies for analyzing, treating, and monitoring cyber risk throughout the supply chain.\u003c\/p\u003e\u003c\/div\u003e\u003cdiv\u003e\n\u003ch3\u003eSupply Chain Cyber Security Risk Management Benefits\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eIdentify supply chain components in modern organizations, including hardware, software, and services\u003c\/p\u003e\u003c\/li\u003e\n\u003cli\u003e\u003cp\u003eInventory critical assets and suppliers, and assess the risks they pose to your organization\u003c\/p\u003e\u003c\/li\u003e\n\u003cli\u003e\u003cp\u003eUnderstand risk mitigation options, and how to adapt them to address complex risks across the supply chain\u003c\/p\u003e\u003c\/li\u003e\n\u003cli\u003e\u003cp\u003eImplement risk management frameworks and build a supply chain risk management plan\u003c\/p\u003e\u003c\/li\u003e\n\u003cli\u003e\u003cp\u003eAudit and perform oversight of supply chain risk to monitor risk mitigation effectiveness\u003c\/p\u003e\u003c\/li\u003e\n\u003cli\u003e\u003cp\u003eContinue learning and face new challenges with after-course one-on-one instructor coaching\u003c\/p\u003e\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/div\u003e\u003cdiv\u003e\u003ch3\u003eSupply Chain Cyber Security Risk Management Instructor-Led Course Outline\u003c\/h3\u003e\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eImportant Supply Chain Cyber 
Security Risk Management Information\u003c\/h4\u003e\n\u003cp\u003e\u003cb\u003ePrerequisites:\u003c\/b\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eTo be successful in this course, some experience with risk management and business management is helpful but not required.\u003c\/li\u003e\n\u003cli\u003eBasic product development knowledge is beneficial, such as software development lifecycles and integrating components into a final product.\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e\u003cb\u003eWho should attend?\u003c\/b\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eRisk managers looking to extend risk management programs to external third parties, suppliers, and vendors.\u003c\/li\u003e\n\u003cli\u003eSecurity practitioners tasked with holistic risk management.\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eModule 1: Risk Management Basics\u003c\/h4\u003e\n\u003cp\u003eIn this module, you will learn to:\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eDefine Risk and determine its likelihood.\u003c\/li\u003e\n\u003cli\u003eAssess Risk’s financial, reputational, and revenue impact.\u003c\/li\u003e\n\u003cli\u003eDefine Threats and Threat Actors.\u003c\/li\u003e\n\u003cli\u003eIdentify threat modeling approaches.\u003c\/li\u003e\n\u003cli\u003eDefine Vulnerabilities to networks and organizations.\u003c\/li\u003e\n\u003cli\u003eDiscuss methods of risk assessment: qualitative vs. 
quantitative.\u003c\/li\u003e\n\u003cli\u003eIdentify ways to mature risk assessment processes over time through iterative risk assessment.\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e\u003cb\u003eExercise 1: Build a risk register for your fictional company.\u003c\/b\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eEvaluate Risk Treatment options: Avoid\/Mitigate\/Accept\/Transfer.\u003c\/li\u003e\n\u003cli\u003eDetermine when each option is most appropriate.\u003c\/li\u003e\n\u003cli\u003eIdentify the decision factors that must be considered when selecting a risk treatment option.\u003c\/li\u003e\n\u003cli\u003eDefine the limitations that constrain the choice of options.\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e\u003cb\u003eExercise 2: Document risk treatment plans.\u003c\/b\u003e\u003c\/p\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eModule 2: Supply Chain Basics\u003c\/h4\u003e\n\u003cp\u003eIn this module, you will learn about:\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eDefinitions of Supply Chain, Vendor, Third\/Fourth Party, and the key parts of a supply chain.\u003c\/li\u003e\n\u003cli\u003eOperational risk and understanding the business impact of prioritizing critical suppliers.\u003c\/li\u003e\n\u003cli\u003eCommon supply chain risks arising from Hardware (\u003cabbr title=\"Hardware\"\u003eHW\u003c\/abbr\u003e), Software (\u003cabbr title=\"Software\"\u003eSW\u003c\/abbr\u003e), and Open-source software (\u003cabbr title=\"Open-source software\"\u003eOSS\u003c\/abbr\u003e).\u003c\/li\u003e\n\u003cli\u003eInherited\/platform risks (e.g., operating system flaws that affect an application, or libraries bundled into a larger application, such as Log4j).\u003c\/li\u003e\n\u003cli\u003eRisks from services, such as those provided by key vendors and other third parties.\u003c\/li\u003e\n\u003cli\u003eIdentifying vulnerabilities - What do attackers target?\u003c\/li\u003e\n\u003cli\u003eWhat motivates supply chain attacks, and who are the 
victims?\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e\u003cstrong\u003eExercise 3: Assess supply chain risks.\u003c\/strong\u003e\u003c\/p\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eModule 3: SCRM Tools \u0026amp; Practices\u003c\/h4\u003e\n\u003cp\u003eIn this module, you will learn how to:\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eBuild an \u003cabbr title=\"Supply Chain Risk Management\"\u003eSCRM\u003c\/abbr\u003e plan.\u003c\/li\u003e\n\u003cli\u003eLeverage existing security and privacy controls in the organization.\u003c\/li\u003e\n\u003cli\u003eIdentify common framework elements that push compliance obligations to other organizations, such as Business Associates under \u003cabbr title=\"Health Insurance Portability and Accountability Act\"\u003eHIPAA\u003c\/abbr\u003e and data subprocessors under the \u003cabbr title=\"General Data Protection Regulation\"\u003eGDPR\u003c\/abbr\u003e.\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e\u003cb\u003eExercise 4: Identify inputs and key outputs of SCRM planning. Document the required process elements. 
\u003c\/b\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eDefine the purpose of contracts and typical use cases.\u003c\/li\u003e\n\u003cli\u003eDefine service level requirements, service level agreements (\u003cabbr title=\"service level agreements\"\u003eSLA\u003c\/abbr\u003es), and the purpose\/typical use cases of each.\u003c\/li\u003e\n\u003cli\u003eDefine assurance and how the level of risk will impact the level of assurance required.\u003c\/li\u003e\n\u003cli\u003eConduct due diligence at contract initiation and then routinely throughout the service lifetime.\u003c\/li\u003e\n\u003cli\u003eImplement due care, such as supplier audits and identifying alternate suppliers.\u003c\/li\u003e\n\u003cli\u003eEnsure adequate insurance coverage for third- and fourth-party risks.\u003c\/li\u003e\n\u003cli\u003eConsume vendor-supplied audit reports and identify gaps against the organization’s internal compliance requirements.\u003c\/li\u003e\n\u003cli\u003eBuild an audit methodology and implement the program.\u003c\/li\u003e\n\u003cli\u003eTreat previously discussed hardware, software, and service supply chain risks.\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e\u003cb\u003eCase Studies: SolarWinds, Kaseya, and Target breaches.\u003c\/b\u003e\u003c\/p\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eModule 4: Compliance Frameworks, SCRM Vendors, and Tools\u003c\/h4\u003e\n\u003cp\u003eIn this module, you will learn about:\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eUsing a compliance framework to build SCRM capability internal to an organization.\u003c\/li\u003e\n\u003cli\u003eRequirements to comply with a framework as a vendor to other organizations.\u003c\/li\u003e\n\u003cli\u003e\n\u003cabbr title=\"Cybersecurity Maturity Model Certification\"\u003eCMMC\u003c\/abbr\u003e \u0026amp; \u003cabbr title=\"National Institute of Standards and Technology\"\u003eNIST\u003c\/abbr\u003e SP 800-171.\u003c\/li\u003e\n\u003cli\u003eCMMI for Acquisition (\u003ca 
href=\"http:\/\/www.sei.cmu.edu\/library\/abstracts\/reports\/10tr032.cfm\" title=\"CMMI for Acquisition\" target=\"_blank\" rel=\"external nofollow noopener\"\u003eCMMI-ACQ\u003c\/a\u003e).\u003c\/li\u003e\n\u003cli\u003eSOC 2\n\u003cul\u003e\n\u003cli\u003eUse as a proactive measure: service providers can undergo an audit and have a documented report available to share with business partners.\u003c\/li\u003e\n\u003cli\u003eDiscuss the various \u003cabbr title=\"System and Organization Controls\"\u003eSOC\u003c\/abbr\u003e reports (1, 2, 3) and report types (I, II).\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003eCloud Security Alliance (\u003cabbr title=\"Cloud Security Alliance\"\u003eCSA\u003c\/abbr\u003e), Cloud Controls Matrix (\u003cabbr title=\"Cloud Controls Matrix\"\u003eCCM\u003c\/abbr\u003e), Consensus Assessment Initiative Questionnaire (\u003cabbr title=\"Consensus Assessment Initiative Questionnaire\"\u003eCAIQ\u003c\/abbr\u003e), and the CSA \u003cabbr title=\"Security, Trust, Assurance, and Risk\"\u003eSTAR\u003c\/abbr\u003e Registry.\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e\u003cb\u003eExercise: Review a sample CAIQ-Lite report or excerpts from a SOC 2 Type II report.\u003c\/b\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eVendor Security Alliance (vendorsecurityalliance.org).\u003c\/li\u003e\n\u003cli\u003eVendor security questionnaires.\u003c\/li\u003e\n\u003cli\u003eOngoing risk monitoring\/supplier monitoring platforms (SecurityScorecard, BitSight, 
etc.).\u003c\/li\u003e\n\u003cli\u003e\n\u003cabbr title=\"Governance, Risk, and Compliance\"\u003eGRC\u003c\/abbr\u003e platforms (ZenGRC, Tugboat Logic, etc.).\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/div\u003e","brand":"Learning Tree","offers":[{"title":"268A63US \/ 2026-08-24T09:00:00 \/ Herndon, VA","offer_id":47534218051803,"sku":"US-2014-IL","price":1640.0,"currency_code":"USD","in_stock":true},{"title":"26BB76US \/ 2026-11-24T09:00:00 \/ Herndon, VA","offer_id":48216568266971,"sku":"US-2014-IL","price":1640.0,"currency_code":"USD","in_stock":true},{"title":"272B11US \/ 2027-02-22T09:00:00 \/ Herndon, VA","offer_id":48291027091675,"sku":"US-2014-IL","price":1640.0,"currency_code":"USD","in_stock":true},{"title":"275B60US \/ 2027-05-25T09:00:00 \/ Herndon, VA","offer_id":48804197400795,"sku":"US-2014-IL","price":1640.0,"currency_code":"USD","in_stock":true}],"url":"https:\/\/learningtreeinternational-dirinfosec-hhs.myshopify.com\/products\/supply-chain-cyber-security-risk-management","provider":"Learning Tree International","version":"1.0","type":"link"}