Skip to content

Roles and Responsibilities of the White Team

This chapter describes the roles and responsibilities of the White Team and how these interact with the other involved parties. For more clarity on the roles and responsibilities of the different stakeholders involved in the overall process of a TIBER-EU test, a Responsibility Assignment (RACI) Matrix is included in Annex I.

Roles of the White Team

The end-to-end conduct of a TIBER-EU test is the responsibility of the entity being tested.

For each TIBER-EU test, there should be a White Team belonging to the entity, with a dedicated White Team Lead who is responsible for coordinating all TIBER-EU test-related activities including:

  • the overall planning;
  • engagement with threat intelligence/red team1 (TI/RT) providers;
  • management of the separate phases of the test:
    • the preparation phase (which includes scoping and procurement);
    • the testing phase;
    • the closure phase;
  • coordination with other stakeholders, including meetings with the TCT and authorities.

Responsibilities of the White Team

The White Team will be responsible for the end-to-end conduct of a TIBER-EU test and for managing the separate TIBER phases, to ensure the TIBER-EU test is conducted in a safe and controlled manner. The White Team is responsible for leading the preparation phase, overseeing the testing phase (whi ch includes gathering threat intelligence and red teaming) in close collaboration with the TI and RT providers, and leading the closure phase. The White Team fulfils its duties in close collaboration with the TCT and its responsible TIBER Test Manager (TTM), who are not part of the entity’s White Team. The TTM is a representative of the authority and should be in direct contact with the White Team throughout the entire test.

The main responsibilities of the White Team are set out below.

  • Ensure that all the risk management controls are in place and effective, to ensure that the test is conducted in a controlled manner, and that any business impact from the test is within the risk appetite of the entity.
  • Involve all relevant stakeholders during the preparation phase and ensure that the critical functions are included within the scope to facilitate a realistic simulation of an actual advanced targeted attack.
  • Procure the TI/RT providers in accordance with the TIBER-EU Services Procurement Guidelines.
  • Liaise closely with the procured TI/RT providers and the TCT throughout the lifecycle of the TIBER-EU test.
  • Ensure that all correct information flows and protocols are in place, so that the White Team is informed of all actions taken by the RT provider and is able to actively manage any risks.
  • Ensure that the test is executed in a timely manner and within the defined scope, and provide guidance if the RT provider is deviating from the agreed scope.
  • Manage all possible escalations arising because of the test, for example if an event arises as part of the actions of the RT provider. For this the White Team has to ensure that sufficient arrangements in place for it to be informed of actions taken by the Blue Team, by the target entity’s security or by the response capability, especially as White Team members are not formally part of the Blue Team.
  • Make appropriate decisions if unforeseen circumstances arise during the test.
  • Maximise the Blue Team’s learning experience.
  • Consult with the entity’s board, to ensure that the scope and attestation are signed off in relation to the TIBER-EU test.

  1. TI providers deliver a detailed view of the specific entity’s attack surface and help to produce actionable and realistic testing scenarios. The RT provider plans and executes a TIBER-E U t es t of the target systems and services, which are agreed in the scope.