About this course

Course type Premium
Course code QAMCRITSC
Duration 1 Day

This course is intended for managers of organisations and businesses of any description and size. It is an overview of the risks that can potentially arise from a business's Supply Chain connections. This course looks at the cyber risk in the supply chain and describes what it is, the terminology around it, how it occurs, the way that it can affect all businesses and why managers need to understand more about it so that they can manage it more effectively.

Many businesses identify, manage and track risks to their physical supply chain but don't always pay the same attention to cyber risks. The cyber aspect of supply chain security has come into sharper focus over the past few years as outsourcing of core IT functions and the use of Cloud services become more common. The UK Government in particular is looking at this topic with renewed vigour.

Prerequisites

There are no specific prerequisites for this course.

It is suitable for all levels of management, IT, procurement, legal, finance, auditors, risk managers and anyone in an organisation responsible for internal and external supply chains. It is a good introductory course for those from a non-IT background who need to understand more about supply chain cyber risks to the business.

Delegates will learn how to

  • Understand what the cyber risks in the supply chain are and the terminology used around them
  • Understand some of the ways that this risk can affect businesses and organisations
  • Understand the means by which an organisation can protect itself against this risk

Outline

The course is split into 3 modules with each examining a different facet of the supply chain threat and its relevance to modern businesses:

Module 1: What are the cyber risks from the Supply Chain?

This section begins by considering the question: what is the supply chain? Since every organisation and business is different, it makes sense that the risks they face are different; however, common themes will include:

  1. Most businesses will have outsourced at least some aspects of their infrastructure and IT support to service providers and have therefore entrusted these providers with access to the systems and information to some degree. In many cases contracted IT system administrators become part of the Insider Threat for the organisation (See QAINTHREAT) since they may have significant system privileges. The same can be said for outsourced security or maintenance staff.
  2. All organisations buy products and services, and hardware and software items, from suppliers; these can contain vulnerabilities (flaws and features) that can be exploited either directly or indirectly by potential attackers.
  3. Many organisations work collaboratively with partners and sub-contractors on projects and this means sharing information, often to a significant extent. This aspect is more acute for government, which needs to share classified information with contractors and their supply chains.

Supply chain concerns are not limited to those organisations with intellectual property or sensitive information to protect but also extend to those delivering critical services to clients, such as utility companies, where the continued availability of the service is the most important aspect. The risks from the supply chain can therefore stem from threats from any and all of the above, and this module reviews the most significant ones.

Module 2: What are the impacts of Supply Chain risks on the business?

This module considers whether the risks from supply chain partners are real or not, what the nature of those risks is, and how they could affect organisations and businesses.

The course examines the nature of the risks that the supply chain represents. It is not just about protecting information from unauthorised access: supply chain attacks can also disrupt and disable critical business service delivery functions and can definitely have an impact on an organisation's valuable assets such as its reputation and share price.

Not all aspects of the threat are malicious; in many cases a supply chain company insider will accidentally do something to impact the organisation. However, people are almost always involved in some way in the other types of threat that can affect a business. This part of the course will look at:

  • The types of roles in an organization that could be exploited
  • The role of Supply chain partners and service providers such as Cloud services
  • The ways in which cyber-attacks could be conducted by insiders

Module 3: What can be done to manage Cyber Risk in the Supply Chain?

Every organisation is different, so its degree of exposure to cyber risk in the supply chain will vary enormously. As outlined in the other modules, there are some common features and a common approach that can be taken to identify the risks, and similarly there are some common approaches that can be taken to manage them. This module will look at some of the ways of countering supply chain cyber risks, including:

  • The development of a tailored strategy for the organisation, with a focus on understanding the organisation's exposure to supply chain risks and identifying where risks are at their greatest so that resources can be focused.
  • Understanding how the holistic application of relevant physical, procedural, personnel and technical security controls within the organisation can be part of risk management.

This part of the course will also look at the supply chain assurance schemes such as the Supplier Information Assurance Tool and HADRIAN and others that have come into prominence over the past couple of years such as the Cyber Essentials scheme and the Cyber Security Model.

This course is authored by QA

Delivery Method

Classroom / Attend from Anywhere

Receive classroom training at one of our nationwide training centres, or attend remotely via web access from anywhere.

Trusted, awarded and accredited

Fully accredited to ensure we provide the highest possible standards in learning

All third party trademark rights acknowledged.