In essence, a cybersecurity framework is a standard operating procedure for how to do cybersecurity when developing medical devices. It is a requirement by FDA (mentioned as SPDF, Secure Product Development Framework), but in general it is a principle for addressing Cybersecurity by applying a central organizational framework instead of pursuing each regulatory requirements or cybersecurity standard individually.  From the framework, a homogenous central security product governance can be applied to create particular security deliverables for different regulatory/certification schemes.

The framework is meant to document how security by design is applied end-to-end, from organizational awareness to a common thread through documentation (activity roadmaps and security development), showing how; threat modelling, risk management, post-market vigilance and security architecture is performed.

In this three-day course, you will learn how to build a framework that covers:

• Risk management planning and report management
• Principles of threat modelling and secure design
• Post-market activities to maintain the applied security level long-term

We will focus on the FDA, EU with MDCG and ISO 81001 series as examples of frameworks, the course aims to provide a plan for how to build a cybersecurity framework holistically, with an objective to demonstrate that many requirements are based on a shared common security best practice concept, which means that a strong framework allows a one-to-many adaptation of cybersecurity requirements.

Outcome
After completing the course, you will:
 

1. Understand the key concepts behind using a centralized framework to provide one-to-many requirements coverage
2. Become familiar with some of the official standards and requirements for cybersecurity frameworks
3. Have a plan for how to implement the plan in your organization

Content

• Introducing cybersecurity frameworks and planning activities
• Introducing key activities such as data-flow analysis and threat modelling
• Introducing risk management for cybersecurity and utilization of threat analysis
• Overview of regulatory and cybersecurity standards
• Documenting a cybersecurity framework for:
  • Internal analysis and structured security review
  • Presenting the body of work to an external reviewer/auditor/organization

The course comprises classroom presentation and work exercises on a fictitious use-case study.

Target group
The course is targeted towards organization starting up a cybersecurity framework process, or organizations already in early stages of managing cybersecurity, but are looking for inspiration. The course is suitable for newcomers or people with intermediate knowledge in cybersecurity, the course focuses on process and less on technical cybersecurity.
 
The course is relevant for: 

• Cybersecurity Quality Assurance / Quality Assurance Engineering
• Cybersecurity Regulatory Affairs
• Cybersecurity Product Responsible
• Cybersecurity System Engineer
• Cybersecurity Product Owner
• Cybersecurity Program Manager
• Security Champions in Development Department
• Cybersecurity/Software Engineers
• Cybersecurity Test and Verification

Trainer
Jens Schønberg
CEO, Founder and Principal Cybersecurity Specialist, JBS Consultancy