The course is split into 3 modules with each examining a different facet of the supply chain threat and its relevance to modern businesses:
Module 1: What are the cyber risks from the Supply Chain?
This section begins by considering what the supply chain is. Since every organisation and business is different, it makes sense that the risks they face are different; however, common themes include:
- Most businesses will have outsourced at least some aspect of their infrastructure and IT support to service providers and have therefore entrusted these providers with some degree of access to their systems and information. In many cases contracted IT system administrators become part of the organisation's Insider Threat (see QAINTHREAT), since they may have significant system privileges. The same can be said for outsourced security or maintenance staff.
- All organisations buy products and services from suppliers, including hardware and software items that can contain vulnerabilities (flaws and features) that potential attackers can exploit either directly or indirectly.
- Many organisations work collaboratively with partners and sub-contractors on projects, and this means sharing information, often to a significant extent. This aspect is more acute for government, which needs to share classified information with contractors and their supply chains. Supply chain concerns are not limited to organisations with intellectual property or sensitive information to protect; they also apply to organisations delivering critical services to clients, such as utility companies, where the continued availability of the service is the most important aspect.

The risks from the supply chain can therefore stem from any and all of the above threats, and this module reviews the most significant ones.
Module 2: What are the impacts of Supply Chain risks on the business?
This module considers whether the risks from supply chain partners are real or not, what the nature of those risks is, and how they could affect organisations and businesses.
The course examines the nature of the risks that the supply chain represents. It is not just about protecting information from unauthorised access: supply chain attacks can also disrupt and disable critical business service delivery functions and can have a definite impact on an organisation's valuable assets such as its reputation and share price.
Not all aspects of the threat are malicious; in many cases a supply chain company insider will accidentally do something that impacts the organisation. However, people are almost always involved in some way in the other types of threat that can affect a business. This part of the course will look at:
- The types of roles in an organisation that could be exploited
- The role of supply chain partners and service providers such as Cloud services
- The ways in which cyber-attacks could be conducted by insiders
Module 3: What can be done to manage Cyber Risk in the Supply Chain?
Every organisation is different, so its degree of exposure to cyber risk in the supply chain will vary enormously. As outlined in the other modules, there are some common features and a common approach that can be taken to identify the risks, and similarly there are some common approaches that can be taken to manage them. This module will look at some of the ways of countering supply chain cyber risks, including:
- The development of a tailored strategy for the organisation, with a focus on understanding the organisation's exposure to supply chain risks and identifying where risks are at their greatest so that resources can be focused.
- Understanding how the holistic application of relevant physical, procedural, personnel and technical security controls within the organisation can be part of risk management.
This part of the course will also look at supply chain assurance schemes such as the Supplier Information Assurance Tool and HADRIAN, and others that have come into prominence over the past couple of years, such as the Cyber Essentials scheme and the Cyber Security Model.