Procedures

The core principles of the TIBER-FI procedures are:

• Taking part in TIBER-FI is voluntary for the financial entities. Enrolments in TIBER-FI activities take place for one test project at a time. No participation fee is collected.
• The Bank of Finland commissions the generic threat landscape report, which can be used by the participating entities for the purposes of TIBER-FI testing. The report is updated annually.
• Financial entities resource, scope, steer and report their testing activities. The Test Manager provides support for these activities. The Test Manager must be informed and consulted in the different phases of testing, as described in the procedures.
• The TIBER-FI Cyber Team provides to the TIBER-FI cooperation network summary and analysis of the tests conducted and the benefits for financial sector cyber security. This material is distributed to the participants in an appropriate form, for example in writing or as a seminar presentation. The purpose of this information sharing is to advance knowledge of financial sector cyber resilience and good testing practices.

The main phases of a TIBER-FI test project are:

• decision to participate
• preparations
• testing
• reporting and improvement.

Testing support and coordination

To promote good testing practices and ensure other TIBER-FI objectives are met, the TIBER-FI Test Manager supports the participating financial entities. The Test Manager is available for consultation in all matters related to application of TIBER-FI.

The Test Manager’s duties include making an assessment that testing is conducted according to the TIBER-FI guidelines. For this reason, the White Team must be in contact with the Test Manager in the following matters:

• participating in kick-off meeting
• delivery of test plan
• informing about progression of testing
• participating in walkthrough
• delivery of the final report.

The White Team may, at their discretion, contact the Test Manager in the following matters:

• consultation about applying TIBER-FI and enrolment
• consultation about the content and application of the generic threat landscape report
• consulting about procuring testing services
• consulting about creating a test plan
• consulting about risk management
• consulting about reporting and improvement.

Testing phases and procedures are elaborated further in this guideline, on the following pages:

• Decision to participate
• Preparations
• Testing
• Reporting and improvement.