Skip links

Understanding CBEST: A Comprehensive Overview

Jump To Section

Intro and Overview

CBEST stands for Critical National Infrastructure Banking Supervision and Evaluation Testing.

CBEST provides a robust and rigorous framework designed explicitly for assessing and elevating cybersecurity defenses in the financial sector. CBEST is part of the Bank of England’s Prudential Regulation Authority (PRA) supervisory toolkit for assessing cyber resilience of organizations and businesses.

This blog covers the essential elements, purpose, and significance of the CBEST framework, exploring how it functions as a pivotal tool in combating cyber threats within the financial landscape. The reader should get a high-level overview of the CBEST process from the initial phase until closure and should walk away with a fundamental understanding of CBEST.

Why CBEST?

Firms operating within the financial sector should strongly consider integrating CBEST into their security measures due to its robust and specialized nature. CBEST provides a tailored and strategic approach to assessing the cyber resilience of crucial business services. By engaging in this comprehensive evaluation, firms gain a clear understanding of potential vulnerabilities and weaknesses within their systems. This knowledge empowers proactive remediation efforts, enabling the enhancement of cyber defenses and overall resilience. Additionally, the endorsement and utilization of CBEST align with regulatory compliance requirements, ensuring adherence to industry standards and enhancing credibility within the financial landscape. Overall, embracing CBEST not only fortifies a firm’s cyber resilience but also instills confidence in stakeholders regarding the security and reliability of their operations.

Stakeholders Involved

The following are stakeholders involved in the CBEST process. 

  • Control Group: The Control Group or CG is responsible for the management of the CBEST assessment, and its main responsibilities include compliance with CBEST minimum requirements, creating and maintaining project plans, risk management, maintaining assessment scope and confidentiality of the CBEST assessment.
  • Control Group Coordinator: The Control Group Coordinator or CGC is responsible for coordinating all the test activities for the firm/FMI.
  • Regulator: The overseeing authority, which could be either the PRA, the Financial Market Infrastructure Directorate (FMID) of the Bank of England, or the FCA, offers guidance and supervision throughout the assessment process, ensuring alignment with the CBEST framework.
  • Threat Intelligence Service Provider: The independent Threat Intelligence service provider (TISP) is contracted by the firm/FMI to strategize and carry out a comprehensive threat intelligence analysis of its organization. The chosen TISP must hold CBEST accreditation and will conduct the TI analysis following the best practices outlined in the CBEST Cyber Threat Modelling guideline.
  • Penetration Testing Service Provider: The Penetration Test service provider (PTSP) is an external entity contracted by the firm/FMI to strategize and conduct penetration testing based on the identified threat scenarios from the TI phase.
  • National Cyber Security Centre NCSC: The UK National Cyber Security Centre (NCSC) is a government entity in the UK offering counsel and assistance to both public and private sectors on mitigating cyber threats. In the Threat Intelligence Validation phase, the NCSC will provide feedback on the threat scenarios and various components outlined in the Threat Intelligence Report and Targeting Report.

Accreditations Required

To perform an assessment with the CBEST framework, service providers must be accredited to perform threat intelligence and penetration testing services. Accredited service providers must be members of CREST.

The following are certifications required which are accredited by CREST (UK)

  1. Threat Intelligence Service Providers must have the CREST Certified Threat Intelligence Manager (CCTIM) certification.
  2. For Penetration Testing Service Providers, they must have the CREST Certified Simulated Attack Manager (CCSAS)

Project Team Structure and Key Points

All teams must collaborate for the assessment to be successful. The following are key points to follow during the assessment.

  • Upon approval by the CG during the TI phase, the TISP must share its deliverables with the PTSP for informational purposes.
  • The PTSP needs to conduct early reviews of the draft TI deliverables to ensure all necessary information is available for a seamless handover.
  • Throughout the PT phase, the TISP should remain accessible to provide any additional support if required.
  • The CG, TISP, and PTSP are expected to facilitate free information exchange with the regulator upon request.

CBEST Assessment Process

The CBEST Assessment process can be divided into 4 phases:

  • Phase 1: Initiation Phase
  • Phase 2: Threat Intelligence Phase (TI)
  • Phase 3: Penetration Testing Phase (PT)
  • Phase 4: Closure/Remediation Phase

Phase 1: Initiation Phase

This initial phase involves preparations by the firm or financial institution undergoing the CBEST assessment. The following steps are conducted: 

Launch: The regulator contacts the organization and ensures all relevant authorities and stakeholders are informed and on-boarded.

Assembling the Control Group (CG): The CG comprises senior management representatives and subject matter experts from various domains within the organization. They oversee and facilitate the assessment process, ensuring that objectives align with business goals and that assessment activities don’t disrupt critical operations.

Engagement: A comprehensive project plan is formulated during this phase. It outlines the assessment’s scope, objectives, methodologies, timelines, roles, responsibilities, and communication protocols. It also includes a risk management strategy to identify, assess, and mitigate risks associated with CBEST activities.

Scoping: This stage relates to scoping the assessment, defining the boundaries, objectives, and systems to be assessed. It involves identifying the critical systems, services, and functionalities within the firm or financial institution that are crucial to the UK financial system’s stability.

Procurement: The organization engages with independent third-party service providers, including the Threat Intelligence Service Provider (TISP) and the Penetration Test Service Provider (PTSP). These providers should have CBEST accreditation and play pivotal roles in conducting the assessment.

Phase 2: Threat Intelligence Phase (TI)

The TI phase involves the Threat Intelligence Service Provider (TISP) conducting intelligence-gathering activities, such as reconnaissance and scenario development based on current and potential threats. This phase aims to identify potential threats and develop realistic scenarios for testing. The TI Phase is divided into 4 parts which are outlined in the following:

Direction: This initial phase involves setting the direction and objectives for the Threat Intelligence gathering process. During this phase, the objectives of the intelligence gathering exercise are defined, and the scope of the assessment is outlined. The Control Group (CG) and stakeholders work together to articulate specific intelligence requirements, including the critical systems and services to be assessed, the potential threat actors, and the expected outcomes of the intelligence phase.

Intelligence: This phase focuses on collecting and analyzing threat intelligence data. Various sources such as open-source intelligence, closed-source intelligence, dark web monitoring, threat feeds, and internal organizational data are gathered and meticulously analyzed by the Threat Intelligence Service Provider (TISP). The aim is to understand potential threat actors, their tactics, techniques, and procedures (TTPs), and emerging threats that might target the organization’s critical assets and systems.

Validation: After gathering intelligence, the Validation phase aims to assess the credibility, relevance, and accuracy of the collected threat intelligence. This step involves a review and validation process conducted by the Control Group and relevant stakeholders. The aim is to ensure that the gathered intelligence aligns with the defined objectives and accurately reflects the threat landscape that the organization might face.

Assessment: This stage involves synthesizing the validated threat intelligence into realistic threat scenarios. The TISP uses validated intelligence to create scenarios that simulate potential cyber-attacks on the organization’s critical systems and services. These scenarios are then used in the subsequent Penetration Testing Phase to assess the organization’s cybersecurity resilience and readiness against such threats.

Phase 3: Penetration Testing Phase (PT)

In this phase, the Penetration Test Service Provider (PTSP) performs penetration tests based on the threat scenarios identified during the TI phase. The goal is to simulate real-world attacks and assess the security controls’ effectiveness. This phase is also divided into 4 parts:

Planning: This initial stage involves comprehensive planning for the penetration testing activities. The Penetration Test Service Provider (PTSP) collaborates with the Control Group (CG) and stakeholders to define the scope, objectives, and methodologies for the assessment. The PTSP creates a detailed test plan outlining the specific techniques, tools, and procedures to be used during the assessment.

Execution: In this stage, the actual penetration testing activities are carried out according to the predefined test plan. The PTSP simulates cyber-attacks based on the validated threat scenarios identified in the Threat Intelligence Phase. The PTSP conducts a series of controlled tests and attempts to exploit vulnerabilities within the organization’s critical systems and services to assess the effectiveness of existing security controls.

Assessment: Following the execution of the penetration tests, the Assessment involves analyzing the results and findings obtained during the testing. The PTSP evaluates the effectiveness of the organization’s cybersecurity controls, identifies vulnerabilities, and reports on successful exploit attempts. The results are compiled into a comprehensive assessment report that includes details of vulnerabilities discovered, their potential impact, and recommendations for remediation.

Review: The final stage involves reviewing the findings and assessment report. The CG and relevant stakeholders examine the assessment report provided by the PTSP, validate the identified vulnerabilities, and assess the overall cybersecurity posture of the organization. This phase may also involve discussions on remediation strategies, lessons learned, and actions to enhance the organization’s security posture based on the assessment results.

Phase 4: Closure/Remediation Phase

After completing the assessment activities, the providers deliver reports detailing findings, vulnerabilities, and recommendations for enhancing cyber resilience. The results are shared with the regulator, typically the Bank of England or other relevant financial regulatory body, to demonstrate compliance and address any regulatory concerns. Following the assessment, the firm undertakes remediation efforts, addressing identified vulnerabilities and enhancing its cyber resilience based on the findings and recommendations.

Remediation: After the assessment and identification of vulnerabilities in the Penetration Testing Phase, the organization initiates the remediation process. This phase involves addressing and fixing the identified vulnerabilities and weaknesses in the systems and processes. The organization’s security team, in collaboration with relevant stakeholders, prioritizes the remediation of vulnerabilities based on their severity and potential impact on critical systems.

Debrief: This involves conducting detailed discussions and knowledge-sharing sessions among the Control Group (CG), Threat Intelligence Service Provider (TISP), Penetration Test Service Provider (PTSP), and other stakeholders. This phase focuses on sharing insights, observations, and lessons learned from the assessment. It includes reviewing the assessment report, discussing findings, identifying root causes of vulnerabilities, and strategizing for improvements in the cybersecurity posture.

Supervision: During this stage, there is ongoing oversight and monitoring to ensure the effective implementation of remediation measures. The CG oversees and supervises the progress of the organization’s remediation efforts. It involves tracking the status of vulnerability remediation, ensuring that corrective actions are properly implemented, and verifying that the identified vulnerabilities are adequately addressed.

Analysis: In the final phase, a comprehensive analysis of the overall CBEST assessment is conducted. The organization evaluates the effectiveness of the entire CBEST process, including the Threat Intelligence and Penetration Testing Phases, and the subsequent remediation efforts. The analysis aims to assess the impact of the assessment on improving the organization’s cybersecurity resilience, identifying areas for further enhancement, and refining future assessment strategies.

Conclusion

Adopting CBEST as part of an organization’s security assessment strategy offers a framework for evaluating and improving its security posture. Through a collaborative approach involving various stakeholders, CBEST meticulously analyzes an organization’s systems, processes, and defenses, pinpointing potential vulnerabilities for targeted remediation. By leveraging the expertise of both internal and external teams and adhering to a structured assessment methodology, CBEST facilitates the identification of weaknesses, providing a comprehensive view of security risks. This comprehensive evaluation not only aids in the immediate mitigation of vulnerabilities but also acts as a catalyst for continuous improvement, increasing the overall cybersecurity resilience of the organization.

Picture of Matthew Manalac

Matthew Manalac

Latest Reads

Subscribe

Suggested Reading

Ready to Unlock Your Enterprise's Full Potential?

Vikas Krishan

Chief Digital Business Officer and Head of the EMEA region

Vikas (Vik) Krishan serves as the Chief Digital Business Officer and Head of the EMEA region for Altimetrik. He is responsible for leading and growing the company’s presence across new and existing client relationships within the region.

Vik is a seasoned executive and brings over 25 years of global experience in Financial Services, Digital, Management Consulting, Pre- and Post-deal services and large/ strategic transformational programmes, gained in a variety of senior global leadership roles at firms such as Globant, HCL, Wipro, Logica and EDS and started his career within Investment Banking. He has developed significant cross industry experience across a wide variety of verticals, with a particular focus on working with and advising the C-Suite of Financial Institutions, Private Equity firms and FinTech’s on strategy and growth, operational excellence, performance improvement and digital adoption.

He has served as the engagement lead on multiple global transactions to enable the orchestration of business, technology, and operational change to drive growth and client retention.

Vik, who is based in London, serves as a trustee for the Burma Star Memorial Fund, is a keen photographer and an avid sportsman.

Megan Farrell Herrmanns

Chief Digital Officer, US Central

Megan is a senior business executive with a passion for empowering customers to reach their highest potential. She has depth and breadth of experience working across large enterprise and commercial customers, and across technical and industry domains. With a track record of driving measurable results, she develops trusted relationships with client executives to drive organizational growth, unlock business value, and internalize the use of digital business as a differentiator.

At Altimetrik, Megan is responsible for expanding client relationships and developing new business opportunities in the US Central region. Her focus is on digital business and utilizing her experience to create high growth opportunities for clients. Moreover, she leads the company’s efforts in cultivating and enhancing our partnership with Salesforce, strategically positioning our business to capitalize on new business opportunities.

Prior to Altimetrik, Megan spent 10 years leading Customer Success at Salesforce, helping customers maximize the value of their investments across their technology stack. Prior to Salesforce, Megan spent over 15 years with Accenture, leading large transformational projects for enterprise customers.

Megan earned a Bachelor of Science in Mechanical Engineering from Marquette University. Beyond work, Megan enjoys playing sand volleyball, traveling, watching her kids soccer games, and is actively involved in a philanthropy (Advisory Council for Cradles to Crayons).

Adaptive Clinical Trial Designs: Modify trials based on interim results for faster identification of effective drugs.Identify effective drugs faster with data analytics and machine learning algorithms to analyze interim trial results and modify.
Real-World Evidence (RWE) Integration: Supplement trial data with real-world insights for drug effectiveness and safety.Supplement trial data with real-world insights for drug effectiveness and safety.
Biomarker Identification and Validation: Validate biomarkers predicting treatment response for targeted therapies.Utilize bioinformatics and computational biology to validate biomarkers predicting treatment response for targeted therapies.
Collaborative Clinical Research Networks: Establish networks for better patient recruitment and data sharing.Leverage cloud-based platforms and collaborative software to establish networks for better patient recruitment and data sharing.
Master Protocols and Basket Trials: Evaluate multiple drugs in one trial for efficient drug development.Implement electronic data capture systems and digital platforms to efficiently manage and evaluate multiple drugs or drug combinations within a single trial, enabling more streamlined drug development
Remote and Decentralized Trials: Embrace virtual trials for broader patient participation.Embrace telemedicine, virtual monitoring, and digital health tools to conduct remote and decentralized trials, allowing patients to participate from home and reducing the need for frequent in-person visits
Patient-Centric Trials: Design trials with patient needs in mind for better recruitment and retention.Develop patient-centric mobile apps and web portals that provide trial information, virtual support groups, and patient-reported outcome tracking to enhance patient engagement, recruitment, and retention
Regulatory Engagement and Expedited Review Pathways: Engage regulators early for faster approvals.Utilize digital communication tools to engage regulatory agencies early in the drug development process, enabling faster feedback and exploration of expedited review pathways for accelerated approvals
Companion Diagnostics Development: Develop diagnostics for targeted recruitment and personalized treatment.Implement bioinformatics and genomics technologies to develop companion diagnostics that can identify patient subpopulations likely to benefit from the drug, aiding in targeted recruitment and personalized treatment
Data Standardization and Interoperability: Ensure seamless data exchange among research sites.Utilize interoperable electronic health record systems and health data standards to ensure seamless data exchange among different research sites, promoting efficient data aggregation and analysis
Use of AI and Predictive Analytics: Apply AI for drug candidate identification and data analysis.Leverage AI algorithms and predictive analytics to analyze large datasets, identify potential drug candidates, optimize trial designs, and predict treatment outcomes, accelerating the drug development process
R&D Investments: Improve the drug or expand indicationsUtilize computational modelling and simulation techniques to accelerate drug discovery and optimize drug development processes