Certified Third Party Security Manager


Brit Certifications and Assessments (BCAA) is a leading UK-based certification body. The CB was formed to address a gap in the industry in the IT and IT security sector. The certification body leads in IT security and IT certifications, and in particular does so in a highly pragmatic way.


BCAA UK works in a hub-and-spoke model across the world.



RACE Framework


The Read - Act - Certify - Engage framework from Brit Certifications and Assessments is a comprehensive approach designed to ensure effective studying, preparation, examination, and post-exam activities. By following this structured process, individuals can be confident of mastering the subject matter.



Commencing with the "Read" phase, learners are encouraged to read the course materials extensively and gain a thorough understanding of the content. This initial step sets the foundation for success by equipping candidates with the essential knowledge and insights of their chosen field.


Moving on to the "Act" stage, students actively apply their newfound expertise through practical exercises and real-world scenarios. This hands-on experience allows them to develop crucial problem-solving skills while reinforcing theoretical concepts.


The “Certify” stage is where you take your examination and get certified to establish yourself in the industry. The “Engage” stage is where a BCAA partner engages you in webinars, mock audits, and group discussions. This enables you to keep your knowledge current and build your competence.


Third Party Security Management


Third-Party Security Management, also known as Third-Party Risk Management (TPRM), is a crucial process that involves identifying, analyzing, and minimizing risks associated with outsourcing to third-party vendors or service providers. It focuses on protecting organizations from security threats originating from third parties like vendors, partners, contractors, consultants, and applications. The goal of Third-Party Security Management is to ensure that every external party that an organization interfaces with maintains an acceptable level of cybersecurity to prevent potential cyber risks and attacks.

Third-Party Security Management encompasses a set of best practices, services, and tools that help organizations safeguard themselves from risks associated with third parties. It involves practices like continuous monitoring of vendor security postures, categorizing cyber risks, and implementing security controls to mitigate risks effectively. Organizations need to pay close attention to the cybersecurity posture of their third parties due to the expanding attack surface that comes with each external party they engage with.

In summary, Third-Party Security Management is a critical component of any organization's information security strategy, aiming to proactively manage and mitigate cybersecurity risks originating from third-party relationships to protect the organization from potential data breaches, cyber attacks, and other security threats.




The benefits of Third-Party Security Risk Management include:

Risk Mitigation: Implementing a third-party risk management program helps lower the risks associated with working with external organizations.

Regulatory Compliance: Helps organizations comply with industry regulations by identifying and assessing potential risks, conducting due diligence, and mitigating risks effectively.

Improved Business Continuity: Enhances business continuity by managing vendors effectively and ensuring that third parties align with information security requirements.

Cost Savings: Can save money in the long term by preventing costly data breaches involving third parties, which on average cost $4.55 million.

Increased Visibility: Provides organizations with increased visibility into their third-party relationships, allowing for better risk assessment and management.

Enhanced Reputation: Maintaining a good reputation is crucial, and effective third-party security management can help organizations protect their reputation by mitigating risks associated with external parties.

Better Decision-Making: Enables organizations to make informed decisions based on a thorough understanding of the risks posed by third parties, leading to more effective risk management strategies.

Security Improvement: Enhances security measures by identifying vulnerabilities in the supply chain and continuously monitoring third-party security postures to address potential security threats promptly.

Time Savings: By automating processes like compliance checks, risk assessments, and monitoring, organizations can save time in managing third-party risks effectively.

Trust Building: Establishes trust with customers and stakeholders by demonstrating a commitment to safeguarding sensitive data and ensuring that third parties meet security standards.




Day 1:


• Cybersecurity Third-Party Risk
• What Is the Risk?
• The SolarWinds Supply-Chain Attack
• The VGCA Supply-Chain Attack
• The Zyxel Backdoor Attack
• Other Supply-Chain Attacks
• Problem Scope
• Compliance Does Not Equal Security
• Third-Party Breach Examples
• Third-Party Risk Management
• Cybersecurity and Third-Party Risk
• Cybersecurity Third-Party Risk as a Force Multiplier


Cybersecurity Basics


• Cybersecurity Basics for Third-Party Risk
• Cybersecurity Frameworks
• Due Care and Due Diligence
• Cybercrime and Cybersecurity
• Types of Cyberattacks
• Analysis of a Breach
• The Third-Party Breach Timeline: Target
• Inside Look: Home Depot Breach


What the COVID- Pandemic Did to Cybersecurity and Third-Party Risk


• The Pandemic Shutdown
• Timeline of the Pandemic Impact on Cybersecurity
• Post-Pandemic Changes and Trends
• Regulated Industries
• An Inside Look: P&N Bank
• SolarWinds Attack Update


Third-Party Risk Management


• Third-Party Risk Management Frameworks
• NIST - Revision
• NISTIR Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks
• The Cybersecurity and Third-Party Risk Program Management
• Kristina Conglomerate (KC) Enterprises
• KC Enterprises’ Cyber Third-Party Risk Program


Day 2:


Onboarding Due Diligence

• Intake
• Data Privacy
• Cybersecurity
• Amount of Data
• Country Risk and Locations
• Connectivity
• Data Transfer
• Data Location
• Service-Level Agreement or Recovery Time Objective
• Fourth Parties
• Software Security
• KC Enterprises Intake/Inherent Risk
• Cybersecurity Questionnaire
• Cybersecurity in Request for Proposals
• Data Location
• Development
• Identity and Access Management
• Encryption
• Intrusion Detection/Prevention System
• Antivirus and Malware
• Data Segregation
• Data Loss Prevention
• Notification
• Security Audits
• Cybersecurity Third-Party Intake
• Data Security Intake Due Diligence
• Next Steps
• Ways to Become More Efficient
• Systems and Organization Controls Reports
• Chargebacks
• Go-Live Production Reviews
• Connectivity Cyber Reviews
• Inside Look: Ticketmaster and Fourth Parties
• Ongoing Due Diligence
• Low-Risk Vendor Ongoing Due Diligence
• Moderate-Risk Vendor Ongoing Due Diligence
• High-Risk Vendor Ongoing Due Diligence
• “Too Big to Care”
• A Note on Phishing
• Intake and Ongoing Cybersecurity Personnel
• Ransomware: A History and Future
• Asset Management
• Vulnerability and Patch Management
• Network Access Control (NAC)
• Inside Look: GE Breach


On-site Due Diligence


• On-site Security Assessment
• Scheduling Phase
• Investigation Phase
• Assessment Phase
• On-site Questionnaire
• Reporting Phase
• Remediation Phase
• Virtual On-site Assessments
• On-site Cybersecurity Personnel
• On-site Due Diligence and the Intake Process
• Vendors Are Partners
• Consortiums and Due Diligence


Continuous Monitoring


• What Is Continuous Monitoring?
• Vendor Security-Rating Tools
• Inside Look: Health Share of Oregon’s Breach
• Enhanced Continuous Monitoring
• Software Vulnerabilities/Patching Cadence
• Fourth-Party Risk
• Data Location
• Connectivity Security
• Production Deployment
• Continuous Monitoring Cybersecurity Personnel
• Third-Party Breaches and the Incident Process
• Third-Party Incident Management
• Inside Look: Uber’s Delayed Data Breach
• Reporting
• Inside Look: Nuance Breach


Day 3:




• Access to Systems, Data, and Facilities
• Physical Access
• Return of Equipment
• Contract Deliverables and Ongoing Security
• Update the Vendor Profile
• Log Retention
• Inside Look: Morgan Stanley
• Decommissioning Process Misses
• Inside Look: Data Sanitization


Securing the Cloud


• Why Is the Cloud So Risky?
• Introduction to NIST Service Models
• Vendor Cloud Security Reviews
• The Shared Responsibility Model
• Inside Look: Cloud Controls Matrix by the Cloud Security Alliance
• Security Advisor Reports as Patterns
• Inside Look: The Capital One Breach


Cybersecurity and Legal Protections


• Legal Terms and Protections
• Cybersecurity Terms and Conditions
• Offshore Terms and Conditions
• Hosted/Cloud Terms and Conditions
• Privacy Terms and Conditions
• Inside Look: Heritage Valley Health vs. Nuance


Software Due Diligence


• The Secure Software Development Lifecycle
• Lessons from SolarWinds and Critical Software
• Inside Look: Juniper
• On-Premises Software
• Cloud Software
• Open Web Application Security Project Explained
• OWASP Web Security Testing Guide
• Open Source Software
• Software Composition Analysis
• Inside Look: Heartbleed
• Mobile Software
• Testing Mobile Applications
• Code Storage


Day 4:


Network Due Diligence


• Third-Party Connections
• Personnel Physical Security
• Hardware Security
• Software Security
• Out-of-Band Security
• Cloud Connections
• Vendor Connectivity Lifecycle Management
• Zero Trust for Third Parties
• Internet of Things and Third Parties
• Trusted Platform Module and Secure Boot
• Inside Look: The Target Breach


Offshore Third-Party Cybersecurity Risk


• Onboarding Offshore Vendors
• Ongoing Due Diligence for Offshore Vendors
• Physical Security
• Offboarding Due Diligence for Offshore Vendors
• Inside Look: A Reminder on Country Risk
• Country Risk
• KC’s Country Risk


Transform to Predictive


• The Data
• Vendor Records
• Due Diligence Records
• Contract Language
• Risk Acceptances
• Continuous Monitoring
• Enhanced Continuous Monitoring
• How Data Is Stored
• Level Set
• A Mature to Predictive Approach
• The Predictive Approach at KC Enterprises
• Use Case #: Early Intervention
• Use Case #: Red Vendors
• Use Case #: Reporting
• Advanced Persistent Threats Are the New Danger
• Cybersecurity Third-Party Risk




The training is followed by a three-hour objective exam.




128 City Road, London, EC1V 2NX,
United Kingdom enquiry@bcaa.uk
+44 203 476 4509

To enroll in classes, please contact us via enquiry@bcaa.uk