• training@skillsforafrica.org
    info@skillsforafrica.org

Fortifying Your Supply Chain: Secure Procurement Systems And Vendor Risk Management Training Course in Moldova, Republic of

Introduction

In today's hyper-connected global economy, procurement systems extend far beyond internal operations, relying heavily on a complex web of third-party suppliers. While these partnerships drive efficiency and innovation, they simultaneously introduce significant and often overlooked cybersecurity threats. A single vulnerability in a vendor's system can become a critical entry point for sophisticated cyber attackers, leading to devastating data breaches, supply chain disruptions, and profound reputational damage for the primary organization. The interconnected nature of modern supply chains means that an organization's cyber resilience is only as strong as its weakest link, making proactive vendor risk management an absolute imperative. This intensive training course focuses on equipping participants to understand and mitigate these critical third-party risks.

This comprehensive training course is meticulously designed to empower procurement professionals, supply chain managers, auditors, risk managers, and IT security personnel with the theoretical understanding and practical tools necessary to build and maintain secure procurement systems and robust vendor risk management programs. Participants will gain a deep understanding of the diverse cyber threats emanating from third-party suppliers, learn to conduct thorough vendor cybersecurity assessments, and explore methodologies for auditing vendor compliance with security standards and contractual obligations. The course will delve into topics such as supply chain attack vectors, vendor cybersecurity due diligence, secure contracting, continuous vendor monitoring, incident response with third parties, and the application of cybersecurity frameworks to vendor management. By mastering the principles and methodologies of Secure Procurement Systems and Vendor Risk Management, participants will be prepared to safeguard their organization's assets, ensure business continuity, and foster a more secure and resilient supply chain ecosystem.

Duration: 10 Days

Target Audience

  • Procurement Managers and Directors
  • Supply Chain Managers and Specialists
  • Vendor Managers and Contract Administrators
  • Internal and External Auditors
  • Risk Management Professionals
  • Compliance Officers
  • IT Security and Cybersecurity Professionals
  • Legal Professionals advising on vendor contracts
  • Business Analysts involved in procurement system implementation
  • Anyone responsible for managing third-party relationships that involve data or system access

Course Objectives

  • Understand the range of cybersecurity threats posed by third-party suppliers.
  • Learn to identify and classify vendor cybersecurity risks based on data access and criticality.
  • Acquire practical skills in conducting comprehensive vendor cybersecurity assessments and due diligence.
  • Comprehend the importance of incorporating robust cybersecurity clauses into vendor contracts.
  • Develop strategies for implementing and maintaining secure e-procurement systems.
  • Explore methodologies for auditing vendor compliance with security policies and regulations.
  • Understand the role of continuous monitoring in managing ongoing vendor cyber risk.
  • Learn to develop and implement an effective incident response plan involving third parties.
  • Identify best practices for managing access and data sharing with external vendors.
  • Examine global best practices and successful case studies in secure procurement and vendor risk management.
  • Enhance negotiation and communication skills for engaging vendors on cybersecurity requirements.
  • Develop a risk-based approach to third-party vendor management.
  • Improve collaboration between procurement, IT security, legal, and audit teams.
  • Understand the legal, regulatory, and financial implications of third-party breaches.
  • Prepare for regulatory audits and compliance reporting related to third-party risk.

Course Content

Module 1: Understanding the Third-Party Cyber Threat Landscape

  • The interconnectedness of modern supply chains and increased attack surface.
  • Common cyber threats from third-party suppliers: data breaches, malware injection, ransomware.
  • Famous supply chain attacks and their impact (e.g., SolarWinds, NotPetya).
  • The concept of "fourth-party risk" and beyond (vendor's vendors).
  • Why traditional procurement processes are insufficient for managing cyber risk.

Module 2: Foundations of Vendor Risk Management (VRM) for Cybersecurity

  • Defining Vendor Risk Management (VRM) and its core components.
  • Integrating cybersecurity into the broader VRM framework.
  • Key principles: identifying critical vendors, risk tiering, continuous monitoring.
  • Understanding the shared responsibility model with third parties.
  • Establishing a dedicated VRM program and team.

Module 3: Identifying and Classifying Vendor Cyber Risks

  • Developing a comprehensive vendor inventory and data flow mapping.
  • Assessing the criticality of vendors based on services, data access, and system integration.
  • Identifying types of data exchanged with vendors (e.g., PII, financial, intellectual property).
  • Conducting inherent risk assessments for vendor relationships.
  • Tools and frameworks for categorizing vendor risk levels.

Module 4: Vendor Cybersecurity Due Diligence and Assessment

  • Designing effective vendor security questionnaires (e.g., SIG, CAIQ).
  • Reviewing vendor security certifications (e.g., ISO 27001, SOC 2 reports).
  • Conducting on-site audits and virtual assessments of vendor security controls.
  • Utilizing third-party security ratings and continuous monitoring services.
  • Evaluating vendor incident response capabilities and disaster recovery plans.

Module 5: Secure E-Procurement Systems Implementation

  • Best practices for configuring and hardening e-procurement platforms.
  • Implementing robust user authentication (MFA) and access controls within procurement systems.
  • Segregation of duties and role-based access for procurement personnel.
  • Secure integration of e-procurement with ERP and financial systems.
  • Regular vulnerability assessments and penetration testing of procurement systems.

Module 6: Cybersecurity Clauses in Vendor Contracts

  • Essential cybersecurity provisions: data protection, incident notification, audit rights.
  • Service Level Agreements (SLAs) with specific cybersecurity performance metrics.
  • Indemnification and liability clauses related to cyber incidents.
  • Requirements for data residency, encryption, and access management.
  • Negotiating and enforcing cybersecurity terms with vendors.

Module 7: Data Protection and Privacy with Third Parties

  • Understanding data privacy regulations (GDPR, CCPA) as they apply to vendor data processing.
  • Developing Data Processing Agreements (DPAs) with vendors.
  • Ensuring compliance with cross-border data transfer requirements.
  • Managing data minimization and data retention policies for vendor data.
  • Addressing privacy by design in vendor solutions.

Module 8: Access Management and Identity Governance for Vendors

  • Implementing granular access controls for vendor access to internal systems.
  • Managing vendor identities and credentials securely.
  • Best practices for provisioning and de-provisioning vendor access.
  • Regular review and auditing of vendor access privileges.
  • Technologies for secure remote access (e.g., VPNs, zero trust networks).

Module 9: Auditing Vendor Cybersecurity Compliance

  • Developing an audit plan for assessing vendor security compliance.
  • Key areas for auditing: security policies, technical controls, incident management.
  • Reviewing audit logs, penetration test reports, and vulnerability scans provided by vendors.
  • Identifying non-compliance and gaps in vendor security posture.
  • Reporting audit findings and recommendations to stakeholders.

Module 10: Continuous Vendor Monitoring and Performance Measurement

  • Establishing a continuous monitoring program for vendor security performance.
  • Utilizing security ratings, threat intelligence feeds, and automated tools for alerts.
  • Defining Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for vendor security.
  • Regular check-ins and performance reviews with critical vendors.
  • Adapting monitoring strategies based on vendor risk profiles.

Module 11: Incident Response and Crisis Management with Third Parties

  • Developing an integrated incident response plan that includes third parties.
  • Defining roles and responsibilities for communication and coordination during a vendor-related breach.
  • Legal and regulatory notification requirements for supply chain incidents.
  • Steps for containment, eradication, and recovery from third-party cyber incidents.
  • Conducting post-incident reviews and implementing lessons learned.

Module 12: Preventing Insider Threats and Fraud in Procurement

  • Understanding insider threats (malicious and unintentional) in procurement.
  • Best practices for employee vetting and background checks for procurement roles.
  • Implementing security awareness training tailored to procurement risks.
  • Controls to prevent fraud schemes like ghost vendors and invoice manipulation.
  • Whistleblower protection and reporting mechanisms.

Module 13: Supply Chain Software and Application Security

  • Risks associated with third-party software and open-source components.
  • Software Supply Chain Attacks (e.g., malicious code injection, compromised updates).
  • Best practices for secure software development life cycle (SSDLC) in vendor solutions.
  • Software Bill of Materials (SBOM) and vulnerability scanning of third-party software.
  • Ensuring patch management and vulnerability remediation in vendor applications.

Module 14: Legal, Regulatory, and Insurance Aspects of Third-Party Risk

  • Understanding legal liabilities associated with third-party breaches.
  • Regulatory expectations for vendor risk management across industries.
  • The role of cyber insurance in mitigating financial losses from vendor incidents.
  • Data residency and sovereignty considerations in international vendor engagements.
  • Compliance with specific industry standards (e.g., CMMC for defense supply chain).

Module 15: Building a Resilient Third-Party Ecosystem

  • Fostering strong, transparent relationships with vendors based on trust and shared security goals.
  • Developing a vendor security awareness program for external partners.
  • Leveraging technology for automated VRM processes and threat intelligence sharing.
  • Strategic partnerships for collective defense against supply chain attacks.
  • Developing a long-term roadmap for continuous improvement in secure procurement and VRM.

Training Approach

This course will be delivered by our skilled trainers, who have vast knowledge and experience as expert professionals in the field. The course is taught in English through a mix of theory, practical activities, group discussion and case studies. Course manuals and additional training materials will be provided to the participants upon completion of the training.

Tailor-Made Course

This course can also be tailor-made to meet organizational requirements. For further inquiries, please contact us on: Email: info@skillsforafrica.org, training@skillsforafrica.org  Tel: +254 702 249 449

Training Venue

The training will be held at our Skills for Africa Training Institute Training Centre. We also offer training for groups at a requested location anywhere in the world. The course fee covers the course tuition, training materials, two break refreshments, and buffet lunch.

Visa application, travel expenses, airport transfers, dinners, accommodation, insurance, and other personal expenses are catered for by the participant.

Certification

Participants will be issued with a Skills for Africa Training Institute certificate upon completion of this course.

Airport Pickup and Accommodation

Airport pickup and accommodation are arranged upon request. For booking, contact our Training Coordinator through Email: info@skillsforafrica.org, training@skillsforafrica.org  Tel: +254 702 249 449

Terms of Payment: Unless otherwise agreed between the two parties, payment of the course fee should be done 7 working days before commencement of the training.

Course Schedule
Dates Fees Location
04/08/2025 - 15/08/2025 $3500 Nairobi, Kenya
11/08/2025 - 22/08/2025 $3500 Mombasa, Kenya
18/08/2025 - 29/08/2025 $3500 Nairobi, Kenya
01/09/2025 - 12/09/2025 $3500 Nairobi, Kenya
08/09/2025 - 19/09/2025 $4500 Dar es Salaam, Tanzania
15/09/2025 - 26/09/2025 $3500 Nairobi, Kenya
06/10/2025 - 17/10/2025 $3500 Nairobi, Kenya
13/10/2025 - 24/10/2025 $4500 Kigali, Rwanda
20/10/2025 - 31/10/2025 $3500 Nairobi, Kenya
03/11/2025 - 14/11/2025 $3500 Nairobi, Kenya
10/11/2025 - 21/11/2025 $3500 Mombasa, Kenya
17/11/2025 - 28/11/2025 $3500 Nairobi, Kenya
01/12/2025 - 12/12/2025 $3500 Nairobi, Kenya
08/12/2025 - 19/12/2025 $3500 Nairobi, Kenya
05/01/2026 - 16/01/2026 $3500 Nairobi, Kenya
12/01/2026 - 23/01/2026 $3500 Nairobi, Kenya
19/01/2026 - 30/01/2026 $3500 Nairobi, Kenya
02/02/2026 - 13/02/2026 $3500 Nairobi, Kenya
09/02/2026 - 20/02/2026 $3500 Nairobi, Kenya
16/02/2026 - 27/02/2026 $3500 Nairobi, Kenya
02/03/2026 - 13/03/2026 $3500 Nairobi, Kenya
09/03/2026 - 20/03/2026 $4500 Kigali, Rwanda
16/03/2026 - 27/03/2026 $3500 Nairobi, Kenya
06/04/2026 - 17/04/2026 $3500 Nairobi, Kenya
13/04/2026 - 24/04/2026 $3500 Mombasa, Kenya
13/04/2026 - 24/04/2026 $3500 Nairobi, Kenya
04/05/2026 - 15/05/2026 $3500 Nairobi, Kenya
11/05/2026 - 22/05/2026 $5500 Dubai, UAE
18/05/2026 - 29/05/2026 $3500 Nairobi, Kenya