The core principles of the TIBER-FI procedures are:
- TIBER-FI activities are organized in calendar periods. Each period is approximately one year, and it is referred to as a TIBER-FI season.
- Taking part in TIBER-FI is voluntary for the financial entities. Enrolment in TIBER-FI activities takes place one season at a time. No participation fee is collected.
- Nordic Financial CERT compiles and delivers the generic threat landscape report, which can be used by the participating entities for the purposes of TIBER-FI testing. The report is updated for each TIBER-FI season.
- Financial entities resource, scope, steer and report their testing activities. The Test Manager provides support for these activities. The Test Manager must be informed and consulted in the different phases of testing, as described later in the procedures.
- At the end of the TIBER-FI season, the TIBER-FI Cyber Team compiles a summary and analysis of the tests conducted and the benefits for financial sector cyber security. This material is distributed to the participants in an appropriate form, for example in writing or as a seminar presentation. The purpose of this information sharing is to advance knowledge of financial sector cyber resilience and good testing practices.
The main phases of a TIBER-FI season are:
Testing support and coordination
To promote good testing practices and ensure other TIBER-FI objectives are met, the TIBER-FI Test Manager supports the participating financial entities. The Test Manager is available for consultation in all matters related to the application of TIBER-FI.
The Test Manager’s duties include assessing that testing is conducted according to the TIBER-FI guidelines. For this reason, the White Team must be in contact with the Test Manager in the following matters:
- participating in the kick-off meeting
- delivery of the test plan
- informing about the progress of testing
- participating in the walkthrough
- delivery of the final report.
The White Team may, at their discretion, contact the Test Manager in the following matters:
- consultation about applying TIBER-FI and enrolment
- consultation about the content and application of the generic threat landscape report
- consultation about procuring testing services
- consultation about creating a test plan
- consultation about risk management
- consultation about reporting and improvement.
Testing phases and procedures are elaborated further in this guideline, on the following pages: