Cyber incident response exercise (CIRE)
Our cyber incident response exercises have been created to complement and build upon the National Cyber Security Centre (NCSC) exercise-in-a-box service.
About the exercises
The incident response scenarios aim to develop and test understanding of how incident response should be carried out in a health and social care setting and context.
The incident response exercise framework is structured to allow the continual development and release of new scenarios and to provide support materials that will keep you up-to-date with changes and updates to central health and social care cyber security best practice.
Cyber incident response and management is a complex subject. Each scenario is designed to focus on particular elements of incident response and will therefore be suited to different training audiences.
New scenarios will be added to continually expand and enrich the exercise packages. Future scenarios will be guided by your feedback, and the evolving cyber landscape in the health and social care setting.
If you have particular topic areas you would like to be covered, please submit a request or include them as part of the end-of-exercise feedback slide.
Benefits
Tailored to the NHS, including scenarios likely to be experienced by your organisations, based on current threat intelligence
Improving the organisational resilience of your cyber incident response process
Helping to maintain compliance with the Data Security and Protection Toolkit (DSPT)
Access the materials
You can choose from one of the following 5 scenarios.
Scenario number | Focus | Learning objectives |
---|---|---|
1 | Incident reporting and escalation | The overall focus for this exercise is to test internal escalation processes and the communication strategies in place. |
2 | Incident response (IR) planning and preparation | This scenario is designed to test: |
3 | Cyber Security Incident Response Team (CSIRT) actions and interactions | The overall focus for this exercise is how your Incident Response Team manages the incident as it develops, testing your escalation and reporting processes, and ensuring that you have a robust communication strategy. |
4 | An incident within a GP practice | This incident focuses on the insider threat but is designed specifically for GP practices. |
5 | Coordinating a cyber incident alongside another major incident | The overall focus for this exercise is to test how a CCG/ICB can continue operating as the coordinating authority for a major crisis whilst itself suffering from a cyber attack. It aims to test the resilience of business continuity plans and the effectiveness of internal and external communications. |
A new scenario has now been developed to test an ICS response to a cyber incident. These exercises are currently being facilitated by NHS England’s Regional Security Leads. If your ICS is interested in running this exercise or wants to find out more, please contact your regional lead for additional details.
Please complete the following form and press the 'Submit' button to be sent the scenario of your choice.
How this service aligns with the Cyber Assessment Framework
The sections below show how this service aligns to the principles and outcomes of the Cyber Assessment Framework (CAF).
Objective A: Managing security risk
A1.b Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks
A2.a Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
A2.b You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.
A4.a The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
Objective B: Defending systems against cyber attack
B1.a You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the essential function.
B1.b You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.
B3.a You have a good understanding of data important to the operation of the essential function, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function. This also applies to third parties storing or accessing data important to the operation of essential functions.
B3.d You have protected data important to the operation of the essential function on mobile devices.
B4.a You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability.
B5.a You are prepared to restore the operation of your essential function following adverse impact.
B6.a Cyber Security culture.
B6.b The people who support the operation of your essential function are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed.
Objective C: Detecting cyber security events
C1.d You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.
C1.e Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential functions they need to protect.
Objective D: Minimising the impact of cyber security incidents
D1.a You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential function and covers a range of incident scenarios.
D1.b You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your essential function. During an incident, you have access to timely information on which to base your response decisions.
D1.c Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisation, and scenarios that draw on threat intelligence and your risk assessment.
D2.b Your organisation uses lessons learned from incidents to improve your security measures.