Roles and responsibilities in the TIBER-EU test
Roles and responsibilities
A TIBER-EU test requires the involvement of a number of different stakeholders with clearly defined roles and responsibilities. All main stakeholders involved in a TIBER-EU test should be well informed about their respective roles and responsibilities to ensure that:
- the test is conducted in a controlled manner;
- there is a clear protocol for the flow of information across all relevant stakeholders throughout the test;
- the information flow protocol is clear on how information will be stored and shared between stakeholders.
For more clarity on the roles and responsibilities of the different stakeholders involved in the overall process of a TIBER-EU test, a Responsibility Assignment (RACI) Matrix is included in Annex II.
Main stakeholders
The main stakeholders that may be involved in a TIBER-EU test are:
- the TCT and Team Test Manager (TTM);
- the WT and WTL;
- the BT;
- the TI provider;
- the RT provider;
- the relevant governmental intelligence agency or national cyber security centre.
Test management
The end-to-end conduct of a TIBER-EU test is the responsibility of the entity. The two key stakeholders involved in project managing the test are the TCT as the authority and the WT as the entity. Both the TCT and WT should have extensive knowledge of the entity’s business model, functions and services.
The WT and WTL
For each TIBER-EU test, there should be a WT, with a dedicated WTL from the entity. The WTL coordinates all test activity including engagement with the TI/RT providers and possible meetings with the authorities. More details on the roles, responsibilities and ideal composition of the WT can be found in the TIBER-EU White Team Guidance.
The TCT and TTM
For each TIBER-EU test, there should be a TTM from the TCT who has experience in the relevant sector, as well as cyber expertise and project management experience. The role of the TTM is to make sure that the entity undertakes the test in a uniform and controlled manner, and in accordance with the TIBER-EU framework. Given the importance of the TTM’s role, a backup TTM is strongly advised.
Responsibilities of the WTL and TTM
All parties involved in a TIBER-EU test should take a collaborative, transparent and flexible approach to the work. Close cooperation between the WTL and TTM is required during all phases of the test.
Responsibility for the overall planning and management of the test lies with the entity. The WTL is responsible for determining and finalising the scope, scenarios and risk management controls for the test, ensuring that they have been approved and attested by the board and validated by the TTM. In addition, the WTL should coordinate all test activity including engagement with the TI/RT providers. The WTL should ensure that the TI/RT providers’ project plans are factored into the entity’s overall project planning for the TIBER-EU test.
If there are significant deviations in the original planning, this should be discussed with the TTM. It is critical that all relevant stakeholders keep each other informed at all stages to ensure that the test runs smoothly and that any issues, resourcing constraints, etc. can be addressed in a timely fashion.
The TTM should agree on the scope and the scenarios, and ensure that the test is executed according to plan and that it conforms to TIBER-EU test standards and all relevant requirements (as set out in Annex I), which is important for possible recognition by other jurisdictions.
Although the WTL is the primary contact for the TI and RT providers, the TTM should also have direct access to the providers when required. Where there are crucial decisions to be made (e.g. deviations during the test from the agreed scope), or where differences of opinion arise, both the WTL and TTM should have a formal escalation line to their respective superiors. These formal lines may consist of:
- the entity’s chief information security officer, chief operating officer, chief risk officer or any other appropriate senior personnel with sufficient decision-making authority;
- the head of the TCT, the board member at the lead authority for TIBER-XX, or any other appropriate senior personnel with sufficient decision-making authority.
The TTM is independent from the WT and is not accountable for the WT’s actions, the running of the test, the outcomes or the remediation planning. It is the responsibility of the WT to ensure that a fit and proper test is conducted in line with the requirements of the TIBER-XX framework and that risks are managed throughout all phases.
The BT
For each TIBER-EU test, the BT comprises all staff at the entity who are not part of the WT. It is critical that the BT be completely excluded from the preparation and conduct of the TIBER-EU test. During the closure phase, when the BT is informed about the conduct of the test, only the relevant and most appropriate members of the BT should participate in the replay and follow-up.
Test implementation
For the end-to-end TIBER-EU test, there are two key stakeholders that have a role in its implementation. These are the TI and RT providers.
The TI provider
The TI provider should provide threat intelligence to the entity in the form of a TTI Report. TI providers should use multiple sources of intelligence to provide an assessment that is as accurate and up to date as possible. The TTI Report sets out the threat scenarios that can be used by the RT provider to develop attack scenarios for the red team test.
The TI provider must demonstrate a willingness and the ability to share its deliverables (once approved by the entity) with its red team testing counterpart for review and comment, and demonstrate a willingness to work with the RT provider during the remainder of the TIBER-EU test. This includes helping to develop the attack scenarios for the red team test, as well as addressing any new intelligence requirements that arise as the red team test progresses. The TI provider is expected to provide input into the final report issued to the entity.
The RT provider
The RT provider plans and executes a TIBER-EU test of the target systems and services, which are agreed in the scope. This is followed by a review of the test and issues arising, culminating in a Red Team Test Report drafted by the RT provider.
The RT provider should expand on and execute the established threat scenarios identified by the TI provider and approved by the entity. The threat scenarios are developed from an attacker’s point of view. The RT provider should indicate various creative options in each of the attack phases based on the various TTPs used by advanced attackers. This is in order to anticipate changing circumstances or in case other attack methods do not succeed during the test. The scenario development is a creative process, and TTPs should not simply mimic scenarios seen in the past but should look to combine the TTPs of various relevant threat actors. The RT provider should aim to assess the cyber resilience posture of the entity in the light of the threat it faces.
The RT provider should follow a rigorous and ethical red team testing methodology, and should meet the minimum requirements defined under the TIBER-EU framework. The rules of engagement and specific testing requirements should be established by the RT provider and the entity.
The RT provider must demonstrate a willingness to work closely with the TI provider, which includes reviewing and commenting on the intelligence deliverables (once approved by the entity) as well as transforming threat scenarios into a cohesive and tractable Red Team Test Plan. Furthermore, the RT provider is expected to liaise and work with the TI provider throughout the testing in order to update the threat intelligence assessment and attack scenarios with relevant and up-to-date intelligence. Lastly, the RT provider is expected to work with the TI provider in order to design and deliver the final report issued to the entity.
The relevant governmental intelligence agency or national cyber security centre
In many jurisdictions, there may be a governmental intelligence agency or national cyber security centre, or equivalent. In such jurisdictions, the authorities may decide to engage with these bodies and include them in the TIBER-XX process. The intelligence agency or cyber security centre may provide insight on the threat intelligence process, and look to enrich the individual TTI Reports using their internal knowledge. It is left to the discretion of the national authorities to determine the role of the intelligence agency or cyber security centre, and to take the relevant steps to interact and engage with them.