The Threat Intelligence-based Ethical Red Teaming (TIBER-EU) Framework enables European and national authorities to work with financial infrastructures and institutions (hereafter referred to collectively as “entities”) to put in place a programme to test and improve their resilience against sophisticated cyber attacks. The ECB has published the TIBER-EU Framework (TIBER-EU Framework: How to Implement the European Framework for Threat Intelligence-based Ethical Red Teaming). The present Services Procurement Guidelines (“Guidelines”) are referred to in, and are an integral part of, the TIBER-EU Framework. They set out in detail the different elements of TIBER-EU procurement.
Supervisory or oversight tool
TIBER-EU is an instrument for red team (RT) testing, designed for use by core financial infrastructures, whether at national or at European level, which can also be used by any type or size of entity across the financial and other sectors. At the same time, TIBER-EU is designed to be adopted by the relevant authorities in any jurisdiction, on a voluntary basis and from a variety of perspectives, namely as a supervisory or oversight tool, for financial stability purposes, or as a catalyst. When an authority adopts TIBER-EU, tests will only be considered TIBER-EU tests when they are conducted in accordance with TIBER-EU including these Guidelines.
RT testing
TIBER-EU facilitates RT testing for entities which are active in more than one jurisdiction and fall within the regulatory remit of several authorities. TIBER-EU provides the elements allowing either collaborative cross-authority testing or mutual recognition by relevant authorities on the basis of different sets of requirements being met.
Due to the inherent risks associated with RT testing, also present in TIBER-EU tests, TIBER-EU includes as a key element for risk management the use of the most competent, qualified and skilled threat intelligence (TI) and RT providers with the necessary experience to conduct RT tests. Consequently, prior to engagement with potential TI and RT providers with a view to performing a TIBER-EU test, the relevant entity has to take into account the requirements of the Guidelines and in particular those regarding such providers. These requirements are deliberately stringent to mitigate risks including those related to RT tests being conducted by inexperienced personnel, which could have an adverse impact on the relevant entity.
You can read the full version of the Framework on the website of the European Central Bank
Source: https://www.ecb.europa.eu
Guidelines on hiring ethical hackers
09 August 2018
