Udemy
    •  
    •  
    •  
    •  
    •  
    •  
    •  
    •  
Turn what you know into an opportunity and reach millions around the world.
Learn More
Your cart is empty.
Keep shopping
Supply Chain Risk Management(SCRM) ISO/IEC27036 / ISO28000
Rating: 4.1 out of 5(55 ratings)
230 students

Supply Chain Risk Management(SCRM) ISO/IEC27036 / ISO28000

Understanding Supply-Chain Information Security Risk Management
Last updated 9/2023
English

What you'll learn

  • Understand Supply-Chain
  • Understand ICT Supply-Chain Risks
  • Understand how to address Information Security risks
  • Understand what ISO/IEC27036 is and how it links to the 2700X family

Course content

3 sections17 lectures3h 23m total length
  • Introduction to this course (Updated 2023)29:46

    This is an introduction to the course, what we will be looking at and why this is important to anyone interested in information security and supply chain security.

  • What is Supply-Chain Risk Management? (Updated 2023)13:05

    This section explains risk management and the significant components of a simple risk management approach and program. We also go into a simple review of ISO 27036:2021 and 28000:2022 and the differences between these two standards as they relate to Supply Chain Risk Management.

  • Components of SCRM (Supply-Chain Risk Manegement (new 09/2023)14:00

    This explains the components of SCRM according to the latest information in 09/2023.

    1. Risk Identification:

      • Recognizing potential risks and vulnerabilities within the supply chain.

    2. Risk Assessment:

      • Evaluating and analyzing the identified risks to understand their potential impact.

    3. Risk Mitigation:

      • Developing and implementing strategies to reduce or eliminate the impacts of identified risks.

    4. Risk Monitoring:

      • Continually observing and assessing supply chain activities to detect emerging risks and evaluate the effectiveness of mitigation strategies.

    5. Risk Reporting and Communication:

      • Systematically conveying risk assessments, mitigation strategies, and monitoring results to relevant stakeholders to ensure informed decision-making.

  • Terms and definitions6:42

    This lecture discusses the terms and some definitions commonly used in supply chain information security and the ISO/IEC 27036.

  • Reasons for information security in outsourcing and for supply chain8:24

    This section discusses the need for external companies that may be needed based on process, product, service or a mixture of services in order to fulfill production and manufacturing needs.

  • Supplier relationships14:38

    This section explains different types of suppliers and supplier types. Each supplier type has a specific relationship and requirements as well as risk aspects.

  • Info Sec risks and threats in the supply chain12:13

    Introducing suppliers into any supply chain that are not from the company (external) are additional risks to governance and information security. This section explains the underlying issues with external companies and securing data and information while producing products and services.

  • Supply-Chain Risks in Sept 2023 (New 2023)25:06

    This lecture discusses the types of Supply Chain Risks, the top 7 risks in 2023, and the top five attack vectors in the supply chain in 2023.

    1. Operational Risks:

      • These encompass issues like equipment failures, human errors, and process disruptions, which can adversely impact the daily operations of a supply chain, causing delays and losses.

    2. Strategic Risks:

      • Pertaining to decision-making processes, these involve risks related to poor planning, resource allocation, and partnerships, potentially compromising an organization's competitive advantage and long-term viability.

    3. Supply Risks:

      • Originating from disruptions in the availability of raw materials or products, these can result from factors like supplier insolvency, geopolitical instability, or natural disasters affecting production and fulfillment.

    4. Demand Risks:

      • These relate to unpredictable or misunderstood customer or market demands, which can lead to excess inventory, obsolescence, or lost sales, impacting financial performance.

    5. Cybersecurity Risks:

      • Entailing potential breaches, data theft, or cyber-attacks, these risks can compromise information integrity, availability, and confidentiality, causing reputational damage and financial losses.

  • ICT Supply Chain and additional risks of outsourcing9:29

    As multiple suppliers are added into the mix of risks, outsourcing it, data and information security into a multi-tiered supplier network makes governance and security more complex. This section discussed the unique challenges involving multi-tiered suppliers and their IT security risks.

  • Managing supplier and supply chain information security7:16

    Guidance on implementing controls and mechanisms to manage information security within the supply chain.

  • ISO/IEC27036 IT Security for supplier relationships12:56

    This is the structure of the ISO/IEC standard for Information security in supplier relationships.

  • National considerations to supply chain info sec8:58

    Supply chains can also be involved in critical infrastructure and require that certain processes and mechanisims be in place to prove compliance at the national level. This requires knowledge from both the acquirer as well as the suppler in which relevant laws and regulations apply to the outsourced services and products in the supply chain.

  • International considerations to supply chain info sec11:35

    Supply chains can also be involved in (globally relevant) critical infrastructure and require that certain processes and mechanisims be in place to prove compliance at the international level. This requires knowledge from both the acquirer as well as the suppler in which relevant laws and regulations apply to the outsourced services and products in the supply chain. As the supply chain becomes more dispersed into multi-tiers, so does the complexity and range of monitoring that is needed to ensure proper security measures are in place.

  • Internal, Self and External Audits of Suppliers11:40

    In order to satisfy the reporting and mitigating of risks at certain levels an acquirer or regulatory entity may request that suppliers either submit to a 2nd party audit or submit proof of an internal audit. In reality many suppliers have pushed back but as regulatory issues and compliance grow this will change as customer expect this to be possible. (Copyright 2014-2015 M.Goedeker)

  • Ways of mitigating supply chain risks and suppliers6:37

    This section looks at ways in which a company can limit or reduce risks and monitor suppliers adherence to compliance and regulatory requirements by implementing mechanisms, procedures, processes and agreements.

  • Attack vectors / factors in supply chain hacks and attacks11:34

    This lecture provides a short overview of some areas or vectors / factors of supply chain attacks from nation-states, competitors or attackers (cyber espionage, warfare, or crime). (Copyright 2014-2015 M.Goedeker)

Requirements

  • Be curious

Description

In today's Supply Chain, cyber threats, hackers, espionage, and warfare are increasing the amount of successful attacks on critical infrastructure and companies of all sizes. We have technologies that are somewhat successful at blocking and stopping "some" attacks. But what happens when we need supply chain security or risk management? The things we wear, eat, and need would no longer exist. Risk Management is not the sexier of areas in security, but since it is so invisible, it is just as important as secure coding or SOC.

Amidst these threat vectors, many people forget some of the most prominent targets, like the supply chain and the security of data, information, and IP, as it leaves the outsourcing company (acquirer) to the supplier. An example of this type of attack is what happened to one of the biggest SIM manufacturers in the world, Gemalto.

Supply chain risk management in its simplest form:

  1. Concentrates on identifying supply chain information security risks and the likelihood of those risks being exploited by missing governance, processes, and misunderstandings between acquirer and supplier

  2. What types of risks are likely to a company or possibly a nation if supply chain risks and suppliers are not managed correctly

  3. Help you identify which risks you have based on the type of supplier and, more importantly, which assets you need to protect

  4. Choose mechanisms, processes, and procedures that can mitigate and minimize some risks

Who this course is for:

  • Anyone involved in InfoSec, Risk Management, Supply Chain Management or Security