Solutions
TIBER-RO Framework
Requiring entities in the Romanian financial ecosystem to perform cyber resilience tests
The European Central Bank (ECB) and the other central banks in the European Union (EU) have drawn up the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) Framework. On the 3rd of May 2022, the National Bank of Romania issued the Regulation no. 6/2022 regarding TIBER-RO, the framework for conducting cyber resilience tests, which was also published in the Official Gazette no. 432/03.05.2022.
What banks can do now
Boards and executives with responsibilities for cyber and IT in banks will need to plan this type of exercises in order to improve the cyber-resistance. Therefore, it is crucial for them to discuss their emerging concerns and better understand how their bank’s cyber risk management practices can strike an equilibrium between commercial priorities and a supervisory view of good practice.
Important documents
- Regulation no. 6 from May 3, 2022
- TIBER-RO Guide
Learn how the TIBER Framework is applied in Romania. - TIBER-EU Services Procurement Guidelines.
These guidelines describe how financial institutions select and purchase the services of cybersecurity companies. The guidelines also apply to Romanian tests. - TIBER-EU Framework
Templates and guidelines for all the different phases of a test
- TIBER-EU White Team Guidance
The TIBER-EU White Team Guidance describes details on the roles and responsibilities of a White Team for a TIBER test, which manages the test from the inside of the tested entity. - TIBER-EU Scoping Specification Template
The TIBER-EU Scoping Specification Template can be used during any TIBER-DE test by the tested entity to present the detailed scope of its respective test. - TIBER-EU Guidance for Target Threat Intelligence (TTI) Report
The TIBER-EU Guidance for Target Threat Intelligence Report aims to provide the Threat Intelligence Provider with a standardized approach to develop the TTI Report for the tested entity. - TIBER-EU Guidance for the Red Team Test Plan
The TIBER-EU Guidance for the Red Team Test Plan aims to provide the Red Team Provider with a standardized approach and structure for producing the Red Team Test Plan, focusing on how to: organize the testing phase; plan the organization and management of the test; and develop the attack scenarios, which build on the threat scenarios from the TTI Report. - TIBER-EU Guidance for the Red Team Test Report
The TIBER-EU Guidance for the Red Team Test Report aims to provide the Red Team Provider with a standardized approach and structure for producing the Red Team Test Report, focusing on: setting out the summary of the test with accompanying evidence; detailing the findings and root cause analyses; determining the key discussion points for the replay with all the relevant stakeholders; and finalizing the remediation plan. - TIBER-EU Guidance for the Test Summary Report
The Guidance for the TIBER-EU Test Summary Report aims to provide entities undertaking a TIBER-DE test with a standardized approach and structure for producing the Test Summary Report.
