Risk management for TIBER-EU tests

Risk management

The TIBER-EU test harbours elements of risk for all parties owing to the criticality of the target systems, the people and the processes involved in the tests. The possibility of causing a denial-of-service incident, an unexpected system crash, damage to critical live production systems, or the loss, modification or disclosure of data highlights the need for active and robust risk management.

The entity is responsible for implementing appropriate controls, processes and procedures to ensure that the test is carried out with sufficient assurances for all stakeholders that risks will be identified, analysed and mitigated according to best practices in risk management.

Risk assessment

The entity should conduct a risk assessment prior to the test. Throughout the conduct of the TIBER-EU test, the entity should ensure that it gives due consideration to the risks associated with the test. It should take the right risk management precautions throughout, in line with its existing risk management framework. To reduce the risks associated with testing, sufficient planning and coordination must take place before and during the test.

Minimum requirements for providers

A key means of managing the risks associated with the TIBER-EU test is to use the most competent, qualified and skilled TI and RT providers with the requisite experience to conduct such tests. Consequently, prior to engagement the entity must ensure that the TI and RT providers meet the minimum requirements, which are set out in the TIBER-EU Services Procurement Guidelines. Where feasible, entities should ensure that the procured providers are accredited and certified by a recognised body as being able to conduct a TIBER-EU test.

Contracts

The entity should make sure when hiring TI and RT providers that there is mutual agreement on at least the following aspects: the scope of the test; boundaries; timing and availability of the providers; contracts; actions to be taken; and liability (including insurance where applicable).

The contracts with the TI and RT providers should include:

  • a requirement for the providers to meet security and confidentiality requirements at least as stringent as those the entity itself applies;
  • the protection of those involved (e.g. indemnifications);
  • a clause related to data destruction requirements and breach notification provisions;
  • activities that are not allowed during the test, such as: destruction of equipment; uncontrolled modification of data/programs; jeopardising continuity of critical services; blackmail; threatening or bribing employees; and disclosure of results.

The TIBER-EU Services Procurement Guidelines set out in greater detail agreement checklists for the entity and TI/RT providers to consider and apply when formalising their contractual terms.

Confidentiality and escalation procedures

Protecting the confidentiality of the test is crucial to its effectiveness. To that end, the entity should limit awareness of the test to a small trusted group whose members have the appropriate levels of seniority to make risk-based decisions regarding the test.

The entity should clearly define which measures are to be taken to ensure that only the WT is informed about the test (e.g. WT members may sign a non-disclosure agreement (NDA) to ensure their confidentiality throughout the test). The WT should also define escalation procedures to avoid the triggering of actions that would be mandatory in the case of a real event. Such actions include communicating with an external party (e.g. declaring an incident to a computer security incident response team, sharing information on a platform, etc.) or calling the police.

Advance readiness check

Entities should conduct thorough due diligence of in-scope systems prior to any testing to ensure that backup and restoration capabilities are in place.

Management of risks during the test

Crucially, the entity is responsible for the red team test and should therefore remain in control of the process. The TTM should be closely involved in each TIBER-EU test to ensure that the test proceeds according to the scope, scenario, planning and process agreed and described in the framework documents developed collaboratively.

The WT may at any time order a temporary or complete halt if concerns are raised over damage (or potential damage) to a system. Trusted contacts within the WT positioned at the top of the security incident escalation chain should help to avoid miscommunication and prevent knowledge about the TIBER-EU test from being leaked.

During the test, if the TTM suspects that the BT is aware of the test taking place and subsequently takes steps to compromise its integrity, the lead authority should invalidate the test and not recognise it as a legitimate TIBER-EU test. Any compromise of the test will become apparent through the continuous engagement between the TTM and the RT provider.

Use of code names

Given the sensitive nature of the tests, and the potentially detailed findings on the weaknesses and vulnerabilities of specific entities, all stakeholders must use code names for the entities being tested, rather than explicitly naming the entity. All documentation and multilateral communication should refer to the entity by the commonly agreed code name to protect its identity.