Introduction to Security Risk Management for SW96 and TIR57 Compliance
Master the essentials of security risk management for medical devices and health software. This course gives you practical tools to apply SW96 and TIR57, build robust threat models, and strengthen your organization's cybersecurity risk framework.
Purpose and Outcome
This specialized course provides practical guidance on achieving security risk management in compliance with AAMI/ANSI SW96 and TIR57/97. It also explores how to integrate or align these frameworks with other risk management systems, such as ISO 14971, and - if relevant to participants - AI security considerations.
Participants will learn how to identify the product and its intended market, analyze foreseeable security hazards and threats within the system, and use this threat landscape to conduct a structured security risk analysis, offering a systematic framework for identifying, controlling, and mitigating risks in medical devices and health software.
Upon completion of the course, you will be able to:
- Understand the key concept of building a risk-based threat model
- Construct a structured analytic approach to cybersecurity risk management
- Become familiar with the content of the SW96 and TIR57 standards, and develop a toolbox for implementing them effectively
- Strengthen and expand the cybersecurity framework component of risk management in your organization
Content
The course covers the following key topics:
- Build a preliminary threat landscape from market threat intelligence and the product's security context
- Use threat modelling and tactical threat intelligence as input to risk identification
- Analytically identify threat sources, assess their likelihood, and derive the resulting risks
- Structure threat management: enumerate the threats and the risks associated with them
- A structured way of reviewing known vulnerabilities and documenting their associated threats and mitigations in your products
- How to document threat vectors, threat actors, and their motivations
- How to document the cybersecurity risk analysis for the organization and produce deliverables that meet regulatory requirements
The course is based on a fictional case study or, preferably, real-world examples provided by participants. The trainer encourages dynamic, participant-driven discussions and examples. The training combines classroom presentations with interactive discussions, allowing participants to explore specific topics in greater depth based on their interests and needs.
The technical depth of the threat modelling will be determined by the technical expertise the participants wish to apply, but this is not a course focused solely on threat modelling.
Who should attend
This training is designed for organizations that are either new to cybersecurity risk management or already engaged in cybersecurity activities but seeking new inspiration. The course is suitable for participants with beginner to intermediate knowledge of cybersecurity. It primarily focuses on cybersecurity processes with some coverage of technical activities.
The course is relevant for:
- Cybersecurity Quality Assurance / Quality Assurance Engineering
- Cybersecurity Regulatory Affairs
- Cybersecurity Product Responsible
- Cybersecurity System Engineer
- Cybersecurity Product Owner
- Cybersecurity Program Manager
- Security Champions in Development Department
- Cybersecurity Software Engineers
- Cybersecurity Test and Verification
Trainer
Jens Schønberg, CEO, Founder and Principal Cybersecurity Specialist
JBS Consultancy
Notably, Jens Schønberg is also an editor of the upcoming ISO-led standard that aims to incorporate ANSI/AAMI SW96 into the ISO framework.
