Course Description
Businesses and government operations live and die by their software. Regardless of the size of your organization, lethal IT supply chain risks can come at you from all directions and can severely impact your business continuity, get you in court, and possibly even put you out of business. The compromise of SolarWinds software reported in late 2020 and the Colonial Pipeline incident in 2021 have put IT and software supply chain security in the spotlight. The US Federal Government has been directed by President Biden's Executive Order 14028 to step up the nation's CyberSecurity, including supply chain security. Auditors must be prepared to assist management to aggressively identify and reduce serious IT and software supply chain risks. In this timely and practical seminar, we will explore the administrative and technical CyberSecurity targets in the IT supply chain and will cover best practices for securing and auditing an organization's software supply chain.
Learning Objectives
- Identify IT and software supply chain control points/attack surfaces and attack methods
- Gain familiarity with industry best practices for IT and software supply chain security and secure software design and testing
- Evaluate different methods of CyberSecurity testing of software throughout different types of software development lifecycles (SDLCs)
- Develop comprehensive plans to perform end-to-end audits of IT and software supply chains
Course Outline
Surveying the IT Supply Chain Landscape
- Supply chain definitions
- Identifying your IT supply chain
- Notable software supply chain attacks
- Software supply chain risk management and countermeasures
Auditing Secure Software Design and Testing
- Application software development lifecycles (SDLCs)
- Software configuration management (SCM), version management, and change control
- Common software flaws and exploits
- Open source software (OSS) risks and safeguards
- Commercial off-the-shelf software (COTS) rewards and risks
- End-user computing and Shadow IT risks and controls
- Software assurance and testing throughout the SDLC
Wrap-up
- End-to-end software supply chain security and audit checklist
- Sources of information, checklists, and tools
Additional Information
Who Should Attend
- IT Auditors
- Information Security Managers, Analysts, and Architects
- IT Management, IT Architects
- Web Site Administrators, System Administrators
- Application Architects, Developers and Analysts
- Consultants
Learning Level
Intermediate
Delivery
Group-Live and Group-Internet
Field
Auditing
Recommended Prerequisites
Auditing IT Application Systems or equivalent training. A basic understanding of IT audit controls and terminology is assumed.
Session Duration
On Site: 1 day
CPE Credits: 8