December 2020
The G-7 Fundamental Elements for Cyber Exercise Programmes are intended as non-binding, high-level building blocks that can serve as tools to guide the establishment of cyber exercise programmes with internal and external stakeholders. They may also serve as a guide for establishing cyber exercise programmes across jurisdictions and sectors.
The financial sector relies on information technology services, and on the interdependencies between them, to deliver most financial services. A disruption to those services can therefore significantly impair an organisation's ability to deliver its critical services.
Accordingly, the G-7 developed a set of fundamental elements for effective cyber exercise programmes to help organisations better understand their dependencies as well as to help organisations test their ability to respond to and recover from incidents.
These exercises allow different possible cyber scenarios to be rehearsed by organisations on an individual or collective basis, using a range of methodologies, to help prepare them to effectively respond to and recover from cyber incidents.
Part A outlines the fundamental elements for developing a multi-year exercise programme that comprises multiple exercise types and formats that build upon each other to strengthen the organisation's incident response and recovery posture and capabilities.
Effective exercise programme management typically includes the following elements:
Part B outlines the fundamental elements for building, conducting, and assessing individual exercises within a cyber exercise programme.
For effective exercises, the following elements are commonly advised:
Exercises can take many forms depending on the objectives of the specific exercise. However, exercises can generally be divided into two categories: (1) Discussion-based exercises and (2) Operations-based exercises.
Discussion-based exercises familiarise players with existing plans, policies, procedures, and agreements, or help develop new ones. They focus on strategic, policy-oriented issues; facilitators or presenters lead the discussion, keeping participants moving towards meeting the exercise objectives.
Training and Awareness (Seminar/Workshop): An exercise that orients participants to or provides an overview of authorities, strategies, plans, policies, procedures, protocols, resources, concepts, and ideas.
Tabletop Exercise: An exercise where personnel meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular emergency. A facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants on roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.
Game: An exercise that is a structured form of interactive play designed for individuals or teams in a competitive or non-competitive environment. Players take part in an event guided by clear rules, data, and procedures for its execution. Games are designed to depict an actual or hypothetical situation so that the decisions participants make and the actions they take are plausible.
Operations-based exercises validate plans, policies, procedures, and agreements; clarify roles and responsibilities; and identify resource gaps. They include a real-time response such as initiating communications or mobilising personnel and resources.
Functional Exercise: An exercise that allows personnel to validate their operational readiness for emergencies in a simulated operational environment. Functional exercises are designed to exercise the roles and responsibilities of specific team members, procedures, and assets involved in one or more functional aspects (e.g. communications, emergency notifications, IT equipment setup). Functional exercises vary in complexity and scope, from validating specific aspects of a plan to full-scale exercises that address all plan elements, including timely recovery of systems and operations. Functional exercises allow staff to execute their roles and responsibilities as they would in an actual emergency, but in a simulated manner.
Communication and Logistics exercise: An exercise that ranges in scope from simple examinations of the available communication technology to the assembly of the crisis team in the crisis team meeting room. In this exercise, the responsibilities and telephone numbers contained in the plans as well as the procedures, escalation strategy, ability to reach the corresponding people, and rules for substitutes are exercised. The exercise also checks if the plans available are up to date, understandable, and manageable; if the procedures are practical; and if the technologies to be used (e.g. alarm system, emergency telephone, Internet, radio or satellite communication device) are effective, appropriate, and ready for operation.
Full-Scale Exercise (FSE): An exercise based on a realistic situation that integrates all levels of the hierarchy, from management down to individual employees. The time and expense required for preparation, execution, and assessment should not be underestimated. Despite this, full-scale exercises should be conducted if the organisation places high requirements on business continuity management. Full-scale exercises should be performed regularly, but with longer intervals between them than between other business continuity exercises.