Scottish Cyber Coordination Centre - organisational cyber testing and exercising regime: guidance

Outlines a cyber exercising regime to enhance preparedness and recovery from incidents across technical, operational, and strategic levels. It provides guidance for the Scottish public sector, offering a structured approach to testing and exercising, tailored to an organisation's size.


Strategic Level

Suggested Frequency: Annually

Focus Areas:

1. Executive Tabletop Exercises: Engage senior leadership in simulations of high-impact cyber incidents that could affect the entire organisation. Discuss strategic decision-making and resource allocation.

2. Policy and Procedure Review: Assess the effectiveness of current cybersecurity policies, governance frameworks, and compliance with regulations.

3. Risk Management: Evaluate the organisation’s risk appetite, threat landscape, and the effectiveness of the risk management strategies.

4. Supply Chain Security: Test the security of the organisation’s supply chain and third-party relationships to ensure they meet cybersecurity standards.

5. Purple Team Test: The offensive security team (Red) works alongside the Cyber Security Operations Centre (Blue), sharing techniques and feedback in real time so that both detection and attack capabilities improve together.

6. Red Team Pen Test: External testing of the organisational environment. Red teaming is a tool used to test how an organisation would respond to a genuine cyber attack.

Objectives:

  • Ensure senior leadership understands and can effectively manage cyber risks.
  • Understand roles, responsibilities, reporting and escalation.
  • Validate and improve the organisation’s strategic cybersecurity policies and governance frameworks.
  • Ensure that the organisation is compliant with regulatory requirements and industry best practices.
  • Evaluate and enhance the security of the supply chain and third-party interactions.
  • Action lessons identified so that they become lessons learned.

Contact

Email: SC3@gov.scot