Supply Chain Cyber Security Risk Management

Module 1: Risk Management Basics

In this module, you will learn to:

• Define Risk and determine its likelihood and probability.
• Assess Risk’s financial, reputational, and revenue impact.
• Define Threats and Threat Actors.
• Identify threat modeling approaches.
• Define Vulnerabilities to networks and organizations.
• Discuss methods of risk assessment: qualitative vs. quantitative.
• Identify ways to mature risk assessment processes over time through an Iterative risk assessment.

Exercise 1: Build a risk register for your fictional company.

• Evaluate Risk Treatment options: Avoid/Mitigate/Accept/Transfer.
• Determine when are certain options most appropriate?
• Ask what decision factors must be considered when selecting a risk option?
• Define what limitations exist in choosing options.

Exercise 2: Document risk treatment plans.

Module 2: Supply Chain Basics

In this module, you will learn about:

• Define Supply Chain, Vendor, Third/Fourth Party, and key parts of a supply chain.
• Operational risk and understanding the business impact of prioritizing critical suppliers.
• Common supply chain risks arising from Hardware (HW), Software SW), and Open-source software (OSS).
• Inherited/platform risks (e.g., operating system risks that impact an application, underlying modules included in a larger application like Log4j).
• Risks from services such as key vendors, third parties, etc.
• Identifying vulnerabilities - What do attackers target?
• What motivates supply chain attacks, and who are the victims?

Exercise 3: Assess supply chain risks.

Module 3: SCRM Tools & Practices

In this module, you will learn how to:

• Build an SCRM plan.
• Leverage existing security and privacy controls in the organization.
• Identify common framework elements that push compliance to other organizations, such as Business Associates in HIPAA and data subprocessors in GDRP.

Exercise 4: Identify inputs and key outputs of SCRM planning. Document the required process elements needed.

• Define the purpose of contracts and typical use cases.
• Define service level requirements, service level agreements (SLAs), and the purpose/typical use cases of each.
• Define assurance and how the level of risk will impact the level of assurance required.
• Conduct due diligence at contract initiation and then routinely throughout the service lifetime.
• Implement due care, such as supplier audits and identifying alternate suppliers.
• Ensure adequate insurance coverage for third- and fourth-party risks.
• Consume vendor-supplied audit reports and identify gaps against the organization’s internal compliance requirements.
• Build an audit methodology and implement the program.
• Treat previously discussed hardware, software, and service supply chain risks.

Case Studies: SolarWinds, Kaseya, and Target breaches.

Module 4: Compliance Frameworks, SCRM Vendors, and Tools

In this module, you will learn about:

• Using a compliance framework to build SCRM capability internal to an organization.
• Requirements to comply with a framework as a vendor to other organizations.
• CMMC & NIST SP 800-171.
• CMMI for Acquisition (CMMI-ACQ).
• SOC 2
• Identify as a proactive measure; service providers can undergo an audit and have a documented report of compliance available to share with business partners.
• Discuss various SOC reports (1, 2, 3) and types (I, II).
• Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM), Consensus Assessment Initiative Questionnaire (CAIQ), and the CSA STAR Registry.

Exercise: Review a sample CAIQ-Lite report or excerpts from a SOC 2 Type II.

• Vendor Security Alliance (vendorsecurityalliance.org).
• Vendor security questionnaires.
• Ongoing risk monitoring/supplier monitoring platforms (Security Scorecard, BitSight. etc.).
• GRC platforms (ZenGRC, TugBoat Logic, etc.).