Phone: (+44) 113 216 3188
  • Email: info@koyertraining.com
Koyer Training Services

Third-Party Cyber Risk Management

Cybersecurity and Digital Risk | October 25, 2025

Introduction

As organisations rely more heavily on cloud providers, vendors, and partners, the supply chain has become a primary vector for high-impact cyber attacks. This course provides a comprehensive framework for establishing and maturing a Third-Party Cyber Risk Management (TPCRM) program. It covers the entire vendor lifecycle, from initial due diligence and contract negotiation through continuous monitoring to termination and off-boarding. Participants will learn to assess, manage, and mitigate the risks introduced by external entities, verify that contractual security obligations are actually met, and maintain a supply chain that is resilient against modern threats.

Objectives

This program is designed to equip security, procurement, and risk professionals with the strategic and practical knowledge to manage cyber risk introduced by vendors, suppliers, and other third parties.

Target Audience

  • Vendor Risk Management Specialists.
  • Procurement and Sourcing Managers.
  • Compliance and GRC Professionals.
  • Security Architects and Engineers.
  • Internal Auditors and Assurance Providers.
  • CISO and Security Directors.
  • Legal Counsel involved in vendor contracts.

Methodology

  • Group activities developing a tiered vendor classification model for a fictional company.
  • Case studies on major supply chain attacks and lessons learned.
  • Discussions on best practices for negotiating security contract clauses with vendors.
  • Individual exercises reviewing a mock SOC 2 report for critical findings.
  • Role-playing a security risk discussion with a vendor whose service is essential but insecure.

Personal Impact

  • Ability to design and operate a robust, risk-based Third-Party Risk Management program.
  • Expertise in vendor security due diligence and contract negotiation.
  • Mastery of continuous monitoring tools and techniques for vendor risk.
  • Skills to analyze and mitigate complex supply chain and fourth-party risk.
  • Enhanced credibility in collaborating with Legal and Procurement teams.
  • Capability to translate vendor security findings into business risk for executives.

Organizational Impact

  • Significant reduction in risk exposure from third-party and supply chain breaches.
  • Consistent enforcement of security requirements across the vendor ecosystem.
  • Improved compliance with regulatory requirements for vendor oversight.
  • Streamlined and faster procurement process due to defined security requirements.
  • Greater organisational resilience to supply chain attacks.
  • Better allocation of due diligence resources based on vendor criticality.

Course Outline

Unit 1: TPCRM Program Foundation and Strategy

Section 1.1: The Third-Party Risk Landscape
  • Understanding major third-party incidents (e.g., the SolarWinds software supply chain compromise, large-scale cloud provider outages) and what they reveal about inherited risk.
  • Defining third-party, fourth-party, and supply chain risk.
  • Mapping vendor risk to business processes and critical assets.
  • Establishing the scope and charter of the TPCRM program.
Section 1.2: Vendor Classification and Tiers
  • Developing a risk-based vendor classification methodology (e.g., Tier 1-3).
  • Criteria for classifying vendors (access to data, system criticality, services provided).
  • Defining the minimum security requirements for each vendor tier.
  • The importance of identifying concentration risk with single providers.
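The tiering method and the concentration-risk check described in Section 1.2 can be expressed as a small scoring model. The block below is an added example written for this page; it is not course material from Koyer Training Services. The criteria scales, weights, tier thresholds, minimum requirements and the vendor inventory are all assumptions constructed to illustrate the method.

```python
"""Risk-based vendor tiering with concentration-risk detection.

Added example for this course page; it is not material from Koyer
Training Services. The criteria, weights, tier thresholds, minimum
requirements and the vendor list are all assumptions constructed to
illustrate the method.
"""
from collections import Counter
from dataclasses import dataclass

# Ordinal scales for the two main classification criteria (assumed).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
SYSTEM_CRITICALITY = {"low": 0, "medium": 1, "high": 2, "essential": 3}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_sensitivity: str    # highest class of our data the vendor can access
    system_criticality: str  # business impact if the service is unavailable
    network_access: bool     # VPN, API credentials or agents inside our estate
    hosts_production: bool   # stores or runs production workloads for us
    provider: str            # platform the vendor itself runs on (fourth party)


# Minimum security requirements per tier (assumed policy).
MIN_REQUIREMENTS = {
    1: ["SOC 2 Type II or ISO 27001 evidence", "audit rights exercised annually",
        "24h breach notification", "SBOM for any delivered software"],
    2: ["full questionnaire (SIG or CAIQ)", "72h breach notification",
        "annual re-assessment"],
    3: ["lite questionnaire", "confidentiality clause in contract"],
}


def risk_score(v: Vendor) -> int:
    """Weighted additive score in the range 0..22 (weights are assumptions)."""
    score = 3 * DATA_SENSITIVITY[v.data_sensitivity]
    score += 3 * SYSTEM_CRITICALITY[v.system_criticality]
    score += 2 if v.network_access else 0
    score += 2 if v.hosts_production else 0
    return score


def tier(v: Vendor) -> int:
    """Map score to tier; regulated data always forces Tier 1 regardless of score."""
    s = risk_score(v)
    if s >= 12 or v.data_sensitivity == "regulated":
        return 1
    if s >= 6:
        return 2
    return 3


def classify(vendors):
    """Return {vendor name: (tier, minimum requirements for that tier)}."""
    return {v.name: (tier(v), MIN_REQUIREMENTS[tier(v)]) for v in vendors}


def concentration_risk(vendors, max_share=0.5):
    """Flag fourth-party providers underpinning more than max_share of Tier 1/2 vendors."""
    critical = [v for v in vendors if tier(v) <= 2]
    if not critical:
        return {}
    counts = Counter(v.provider for v in critical)
    return {p: round(n / len(critical), 2) for p, n in counts.items()
            if n / len(critical) > max_share}


# Constructed vendor inventory.
VENDORS = [
    Vendor("PayrollCloud", "regulated", "high", True, True, "aws"),
    Vendor("CRM SaaS", "confidential", "medium", False, True, "aws"),
    Vendor("Log Analytics", "internal", "high", True, True, "aws"),
    Vendor("Newsletter Tool", "confidential", "medium", False, False, "azure"),
    Vendor("Office Supplies", "public", "low", False, False, "n/a"),
]

if __name__ == "__main__":
    for name, (t, reqs) in classify(VENDORS).items():
        print(f"{name}: Tier {t}; requires {', '.join(reqs)}")
    print("Concentration risk:", concentration_risk(VENDORS))
```

The override for regulated data is deliberate: an additive score can let a low-criticality vendor that holds regulated data slip into Tier 2, so the classifier treats data class as a hard floor. The concentration check counts only Tier 1 and 2 vendors, since a single provider behind many low-risk vendors is rarely worth escalating.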

Unit 2: Due Diligence and Assessment

Section 2.1: Pre-Contract Assessment
  • Developing standardized security questionnaires (e.g., SIG, CAIQ) based on risk tier.
  • Reviewing vendor-provided evidence (e.g., SOC 2 reports, ISO certifications).
  • Conducting remote or on-site security audits for high-risk vendors.
  • Integrating due diligence into the procurement and sourcing workflow.
Section 2.2: Contractual Controls
  • Key security clauses for Data Processing Agreements (DPAs) and contracts.
  • Defining breach notification and incident response requirements.
  • Establishing audit rights, liability limits, and cyber insurance requirements.
  • Negotiating Service Level Agreements (SLAs) for security performance.

Unit 3: Monitoring and Risk Mitigation

Section 3.1: Continuous Monitoring
  • Implementing continuous vendor monitoring using security rating services.
  • Techniques for monitoring fourth-party risk and sub-processors.
  • Tracking, scoring, and prioritizing vendor-reported vulnerabilities.
  • Periodic re-assessment and re-classification of existing vendors.
Section 3.2: Risk Treatment and Mitigation
  • Developing a Vendor Risk Register and tracking remediation plans.
  • Strategies for mitigating high-risk findings (e.g., alternative controls, risk acceptance).
  • Managing and reporting on exceptions to vendor security requirements.
  • Working collaboratively with vendors to drive security improvements.
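Sections 3.1 and 3.2 describe tracking, scoring and prioritising vendor findings, holding remediation plans in a Vendor Risk Register and managing exceptions; the register also yields the KRIs reported under Section 5.1. The block below is an added example written for this page, not course material from Koyer Training Services. The SLA table, severity weights, register entries and the fixed reporting date are all assumptions constructed for the example.

```python
"""Vendor Risk Register: age open findings against tier-based SLAs,
prioritise remediation, track lapsed exceptions and derive KRIs.

Added example for this course page, not material from Koyer Training
Services. The SLA table, weights, the register entries and the fixed
reporting date are assumptions constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation deadline in days, by vendor tier and finding severity.
SLA_DAYS = {
    1: {"critical": 7, "high": 30, "medium": 90, "low": 180},
    2: {"critical": 14, "high": 60, "medium": 120, "low": 365},
    3: {"critical": 30, "high": 90, "medium": 180, "low": 365},
}
SEVERITY_WEIGHT = {"critical": 10, "high": 6, "medium": 3, "low": 1}


@dataclass
class Finding:
    vendor: str
    tier: int
    severity: str
    description: str
    opened: date
    closed: Optional[date] = None
    exception_until: Optional[date] = None  # approved risk acceptance; expires

    def due(self) -> date:
        return self.opened + timedelta(days=SLA_DAYS[self.tier][self.severity])

    def status(self, today: date) -> str:
        if self.closed:
            return "closed"
        if self.exception_until and today <= self.exception_until:
            return "accepted"  # formally accepted risk is not counted as overdue
        return "overdue" if today > self.due() else "open"


def priority(f: Finding, today: date) -> int:
    """Severity weighted by tier (Tier 1 counts 3x), plus one point per day overdue."""
    base = SEVERITY_WEIGHT[f.severity] * (4 - f.tier)
    return base + max(0, (today - f.due()).days)


def triage(findings, today):
    """Open and overdue findings, most urgent first."""
    active = [f for f in findings if f.status(today) in ("open", "overdue")]
    return sorted(active, key=lambda f: priority(f, today), reverse=True)


def kris(findings, today):
    """Key Risk Indicators for the executive report."""
    not_closed = [f for f in findings if f.status(today) != "closed"]
    overdue = [f for f in not_closed if f.status(today) == "overdue"]
    expired = [f for f in not_closed
               if f.exception_until and today > f.exception_until]
    return {
        "open_findings": len(not_closed),
        "overdue": len(overdue),
        "tier1_overdue": sum(1 for f in overdue if f.tier == 1),
        "expired_exceptions": len(expired),
        "pct_overdue": round(100 * len(overdue) / len(not_closed), 1) if not_closed else 0.0,
    }


# Constructed register and a fixed reporting date so results are reproducible.
TODAY = date(2025, 11, 1)
REGISTER = [
    Finding("PayrollCloud", 1, "critical", "MFA not enforced on admin console", date(2025, 10, 10)),
    Finding("PayrollCloud", 1, "medium", "No penetration test report in last 12 months", date(2025, 9, 1)),
    Finding("CRM SaaS", 2, "high", "Sub-processor list out of date", date(2025, 8, 1)),
    Finding("CRM SaaS", 2, "low", "Password policy weaker than ours", date(2025, 1, 15),
            exception_until=date(2025, 12, 31)),
    Finding("Newsletter Tool", 3, "high", "Legacy TLS version enabled", date(2025, 6, 1),
            closed=date(2025, 7, 1)),
    Finding("Log Analytics", 1, "high", "Logs retained in unapproved region", date(2025, 9, 20),
            exception_until=date(2025, 10, 15)),  # exception has lapsed
]

if __name__ == "__main__":
    for f in triage(REGISTER, TODAY):
        print(f"{priority(f, TODAY):3d}  {f.status(TODAY):8s} {f.vendor}: {f.description}")
    print(kris(REGISTER, TODAY))
```

Two design points matter here. An exception suppresses the overdue status only while it is in force; once it lapses the finding falls straight back into the overdue queue and is also counted separately, so expired exceptions become a KRI in their own right. And the age component in the priority means a Tier 2 high finding that has been ignored for a month outranks a fresh Tier 1 medium one, which is the behaviour a remediation queue should have.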

Unit 4: Specialized Third-Party Risks

Section 4.1: Cloud and SaaS Risk
  • Assessing the security of public cloud providers (AWS, Azure, GCP).
  • Managing risk under the Cloud Shared Responsibility Model.
  • Reviewing Cloud Access Security Broker (CASB) reports for SaaS usage.
  • Data residency and sovereignty requirements for cloud vendors.
Section 4.2: Supply Chain Security
  • Managing risk from software supply chain attacks (e.g., malicious code inserted into trusted updates or build pipelines, loss of code integrity).
  • Reviewing Software Bill of Materials (SBOM) from critical suppliers.
  • Securing the hardware supply chain (e.g., embedded devices, network gear).
  • Developing an integrated supply chain incident response plan.
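Reviewing an SBOM from a critical supplier (Section 4.2) means more than reading it: the document's own integrity has to be checked before its contents are trusted, and each component then needs a version, a hash, and a comparison against policy and against the previous delivery. The block below is an added example written for this page; it is not course material from Koyer Training Services and not the output of any SBOM tool. The CycloneDX document, the supplier's out-of-band digest, the minimum-version policy and the previous-delivery baseline are all constructed, and the component names are fictional.

```python
"""Review a supplier-delivered CycloneDX SBOM before accepting a software release.

Added example for this course page, not material from Koyer Training
Services or any SBOM tool. The SBOM, the supplier's out-of-band digest,
the minimum-version policy and the previous-delivery baseline are all
constructed; the component names are fictional.
"""
import hashlib
import hmac
import json

# Constructed CycloneDX 1.4 document, as a supplier might deliver it.
SBOM_TEXT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "vendor-agent", "version": "5.2.0"}},
    "components": [
        {"type": "library", "name": "netlib", "version": "3.1.0",
         "purl": "pkg:generic/netlib@3.1.0",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "json-parse", "version": "1.9.2",
         "purl": "pkg:generic/json-parse@1.9.2"},           # no hash given
        {"type": "library", "name": "cryptokit", "version": "0.8.0",
         "purl": "pkg:generic/cryptokit@0.8.0",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"type": "library", "name": "telemetry-sdk",         # no version, new component
         "purl": "pkg:generic/telemetry-sdk"},
    ],
}, sort_keys=True)

# Digest the supplier sent over a separate channel (constructed here so the example runs offline).
SUPPLIER_DIGEST = hashlib.sha256(SBOM_TEXT.encode()).hexdigest()

# Assumed internal policy: lowest version of a component we will accept.
MIN_APPROVED = {"cryptokit": "1.0.0", "netlib": "3.0.0"}

# Components present in the last delivery we accepted (constructed baseline).
BASELINE = {"netlib", "json-parse", "cryptokit"}


def parse_version(v):
    """Numeric comparison key; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def digest_matches(text, expected_hex):
    actual = hashlib.sha256(text.encode()).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def review_sbom(text, expected_digest, min_approved, baseline):
    """Return a list of (severity, component, message) findings."""
    if not digest_matches(text, expected_digest):
        # Nothing below can be trusted if the document itself was altered in transit.
        return [("CRITICAL", "sbom", "digest mismatch; do not process contents")]
    findings = []
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "serialNumber" not in bom:
        findings.append(("HIGH", "sbom", "not a well-formed CycloneDX document"))
    seen = set()
    for c in bom.get("components", []):
        name = c.get("name", "<unnamed>")
        seen.add(name)
        version = c.get("version")
        if not version:
            findings.append(("HIGH", name, "no version declared; cannot assess"))
        elif name in min_approved and parse_version(version) < parse_version(min_approved[name]):
            findings.append(("HIGH", name,
                             f"version {version} below approved minimum {min_approved[name]}"))
        if not any(h.get("alg") == "SHA-256" for h in c.get("hashes", [])):
            findings.append(("MEDIUM", name, "no SHA-256 hash; artifact integrity unverifiable"))
        if name not in baseline:
            findings.append(("INFO", name, "new component since last accepted delivery"))
    for removed in sorted(baseline - seen):
        findings.append(("INFO", removed, "component removed since last accepted delivery"))
    return findings


if __name__ == "__main__":
    for sev, comp, msg in review_sbom(SBOM_TEXT, SUPPLIER_DIGEST, MIN_APPROVED, BASELINE):
        print(f"[{sev}] {comp}: {msg}")
```

The digest check comes first and short-circuits everything else: an SBOM that does not match what the supplier communicated out of band is evidence of tampering or of the wrong build, and reviewing its contents would only produce confident conclusions about the wrong artifact. The drift findings against the previous delivery are deliberately low severity; they exist so that a newly introduced dependency is noticed and questioned rather than silently accepted.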

Unit 5: Governance and Program Maturity

Section 5.1: Governance and Reporting
  • Defining Key Risk Indicators (KRIs) for third-party risk exposure.
  • Reporting on the overall third-party risk posture to executive leadership.
  • Integrating TPCRM with the broader Enterprise Risk Management (ERM).
  • Managing the off-boarding and data destruction process upon contract termination.
Section 5.2: Program Maturity and Automation
  • Developing a multi-year roadmap for TPCRM maturity.
  • Leveraging GRC platforms to automate assessments and monitoring.
  • Training and awareness for business unit owners on vendor risk.
  • The future of third-party risk with AI and machine learning analysis.


Upcoming Sessions

  • Paris: December 15, 2025 - December 19, 2025
  • Riyadh: January 05, 2026 - January 09, 2026
  • Rome: January 26, 2026 - February 06, 2026

© 2025 Koyer Training Services - Privacy Policy