
White Team composition

This chapter describes the types of staff profile that can make up the White Team. The size of the White Team will depend on the size of the entity, its organisational structure and its business model (e.g. use of third-party providers). Therefore there is no one-size-fits-all model for a White Team and its composition is likely to vary from entity to entity.

General considerations

The guiding principle should be that the White Team is as small as possible, but consists of the right people necessary to manage the test from inside the entity. This implies that the team’s members need to strike a balance between: (i) the requisite skills (as detailed in Chapter 5) to manage an end-to-end test; (ii) sufficient business and operational knowledge of the entity and its critical functions, systems and processes; and (iii) the right level of authority to make critical decisions during the test, if required.

The White Team may therefore be composed of personnel belonging to the entity itself, to other group entities or to third-party providers.

The various compositions that a White Team may take must not, however, alter its responsibilities as per Section 3.2.

In any case, the authorities as stated in 4.7 must signal that they have no objection to the suggested composition.

Third-party provider(s)

If the entity being tested outsources part of its critical functions or other parts of the potential scope of the test to one or multiple third-party providers, the third-party provider(s) should be included in the scope of the test. The White Team Lead is advised to arrange a discussion with a trusted contact from the third-party provider(s) at an early stage, following a discussion with the TCT at the pre-launch meeting, to indicate the entity’s intention to conduct a TIBER-EU test. The discussion with the third-party provider should be confidential. This is to ensure the integrity of the test, given that personnel from the third-party provider(s) will be part of the Blue Team. The same confidentiality conditions apply to both the third-party provider(s) and the entity itself.

A small number of staff from the third-party provider(s) can join the White Team, depending on the scope of the test. These staff should have detailed knowledge about the systems that the entity uses at the third-party provider(s).

One staff member from the third-party provider(s) should be the primary point of contact for the White Team Lead. This primary point of contact can join the relevant meetings as long as the scope of the test includes functions and systems of the third-party provider(s).

The entity being tested remains responsible and accountable for the overall test.

Multiple jurisdictions

When a group entity or pan-European entity with a presence in multiple jurisdictions is tested under TIBER-EU, the White Team should be established by looking at: (i) the scope of the test, (ii) where operations are run, and (iii) where relevant people and processes are active. Based on these considerations, the White Team Lead from the entity should determine the most appropriate composition of the White Team, making sure it has the most relevant people to ensure a safe and controlled test is conducted. Overall accountability lies with the White Team Lead from the jurisdiction where the lead authority is located. For information on the leading authority see the TIBER-EU Framework document.

White Team members

The following functions or types of personnel should be part of the White Team:

  • a White Team Lead;
  • subject matter experts;
  • COO (or other C-level members with responsibilities in this area, like the CIO or CTO);
  • CISO (or equivalent) [1];
  • third-party provider(s) where applicable.

To protect the confidentiality of the test, the White Team should consist of no more than the five functions or types of personnel mentioned above. In smaller organisations it is possible for the White Team to consist of fewer functions. Each function is detailed below.

White Team Lead

The White Team Lead is the person who establishes the White Team, has the overall responsibility for the test and is the primary point of contact for the TCT.

Given the significance of this role, it is important that at least one other member of the White Team is kept well informed about the test details so as to deputise for the White Team Lead if and when needed.

In some circumstances it can be beneficial or necessary to recruit an external White Team Lead. As entities differ in size and complexity and have different organisational structures and set-ups, the entity may opt to outsource the function of the White Team Lead to an external specialist with the right profile. For example, some entities may not have the right internal profile for a White Team Lead or, if such a profile exists, the staff member may not be available for the entire lifecycle of the test due to other responsibilities.

Subject matter experts

Subject matter experts should have a broad range of specific knowledge, expertise and experience pertaining to the entity and its operations. This will enable them to provide the requisite information and insight during the test, which will allow the White Team Lead to make the appropriate risk-based decisions. The number of subject matter experts that make up the White Team will vary from entity to entity, depending on the entity’s size and complexity. Subject matter experts with the broadest range of skills and knowledge should be chosen so as to limit the number of them involved in the White Team.

C-level member

The COO (or other C-level member with responsibilities in this area such as the CIO or CTO) and/or the CISO (or equivalent) are the most senior individuals in the White Team, and act as the escalation point during the test. During the test, there may be moments when key decisions need to be made on how to progress from a risk perspective, and such decisions can only be taken by entity staff members with sufficient seniority. Although the C-level member is unlikely to be the White Team Lead or have an active and resource-intensive role during the test, their presence in the White Team will allow the White Team Lead to escalate matters to the decision-makers in full confidentiality. Furthermore, the C-level member who is a member of the entity’s board will be responsible for agreeing the scope and signing the attestation on behalf of the entity.

In any multi-jurisdictional test of group entities, the C-level member should come from the overarching group where the entity is located or headquartered. In the case of a test which involves a third-party provider, there should be C-level membership in the White Team from both the entity and the third-party provider, and the scope of the test should be signed off at board level on both sides.

Other needed expertise

During different phases of the test, specific subject matter expertise may be needed (such as procurement or legal expertise). While these subject matter experts will not be day-to-day members of the White Team, they should be informed about the high-level aspects of the TIBER-EU test process and the need for secrecy. Experts used on an ad hoc basis during the test may also sign non-disclosure agreements (NDAs) to ensure the confidentiality of the test is maintained.

Discussion with the TIBER Cyber Team on the composition of the White Team

The TCT is not part of the White Team but works closely with the White Team during the test.

At the start of the process, the entity selects a White Team Lead based on the criteria set out in Section 5.1. It is then up to the White Team Lead to select subject matter experts for the White Team. The composition of the White Team is in principle up to the entity, but this has to be discussed with the TCT and the TCT must signal that it has no objection or further changes to the final composition of the White Team. If there are concerns that the criteria have not been met, the TCT has the authority to prevent the suggested composition of the White Team and/or invalidate a test for TIBER-EU recognition.

Within the EU, entities may operate their business across borders, with a presence in multiple jurisdictions. In such cases, the lead authority has to ensure that the composition of the White Team is in accordance with the criteria in Section 5.1 and that expertise from the different jurisdictions is properly reflected in the White Team composition. In cases of tests where multiple authorities are involved, the lead authority should reach out to the other relevant authorities to discuss the proposed composition of the White Team, giving them the opportunity to signal any objections.


  1. Neither the COO nor the CISO will be involved in the day-to-day operations of the test.