SWIFT Customer Security Program Overview
What is Swift CSP?
- While all customers are responsible for protecting their environments, SWIFT has established the Customer Security Program (CSP) to support customers in the fight against cyber-attacks.
- The CSP is articulated around three mutually reinforcing areas: customers first need to secure and protect their own local environment; next, they need to prevent and detect fraud in their commercial relationships with counterparties; finally, they need to continuously share information and prepare, as a community, to defend against future cyber threats.
- The SWIFT Customer Security Controls Framework describes a set of mandatory and advisory security controls for SWIFT customers.
SWIFT has developed and published a Customer Security Controls Framework (CSCF) comprising a set of baseline security controls, 21 of which are mandatory, that SWIFT users must apply to their SWIFT-related infrastructure; the remaining controls are advisory.
All SWIFT users must attest their level of compliance with the mandatory controls at least once every 12 months. Users failing to reach compliance with the CSP may be subject to specific actions taken by SWIFT and by their local regulator.
SWIFT Independent Assessment Framework (IAF) Overview
From July 2020, all users will be obligated to perform ‘Community Standard Assessments’.
To further enhance the integrity, consistency and accuracy of attestations, SWIFT mandates that, starting with attestations submitted in 2020 under CSCF v2020, all attestations must be independently assessed. This can be done through either:
- Internal assessment carried out by the user's own independent second or third line of defence function (for example compliance, risk management or internal audit), or
- External assessment carried out by an independent external organisation with cyber security assessment experience, using individual assessors who hold relevant security industry certifications.
From July 2020, a user's self-attestation cannot be submitted to the Know Your Customer – Security Attestation (KYC-SA) application unless the required details of the independent assessment are submitted with it. Whereas a self-attestation is usually a light-touch, declarative exercise, an independent assessment must rely on evidence of the design, the implementation and the operating effectiveness of the controls.
ScanWave SWIFT Expert Team Qualification
The ScanWave expert team meets the SWIFT assessor qualification requirements: recent experience (within the last twelve months) conducting similar assessments, and relevant experience executing cyber security-oriented operational assessments against an industry standard such as PCI DSS, ISO 27001, NIST SP 800-53 or the NIST Cybersecurity Framework.
The ScanWave expert team holds the following qualifications and certifications that meet SWIFT's auditing requirements:
- BSI ISO 27001 Lead Implementer
- BSI ISO 27001 Lead Auditor
- BSI ISO Certified Lead Auditor
- COBIT Lead Assessor (ISACA)
- PCI DSS Qualified Security Assessor (QSA)
SWIFT Independent Assessment Framework (IAF) Assessment Methods
The ScanWave SWIFT expert team uses a mix of assessment methods appropriate to the individual circumstances:
- Interviews: conducting interviews with relevant personnel provides insight into awareness of the controls and into the organisation's actual processes and procedures, which contributes to the overall level of assurance.
- Inspection: assurance gathered through the inspection of documents and records. Among the most basic methods of assessing security control implementation is a review of the applicable documents, such as policies, standards, processes and procedures.
- Observation: assurance gathered through direct observation of the existence and operation of specific controls.
- Re-performance and sampling: hands-on re-performance on the system and collection of sample evidence provide a further level of assurance. This method is best employed for technical controls, where direct insight into system settings and configurations is required.
SWIFT IAF/CSP Cyber Security Compliance Program
- The ScanWave cyber security compliance program for SWIFT's Customer Security Program (CSP) aims to help banks in the MENA and GCC regions comply with SWIFT's CSP.
- The ScanWave advanced program identifies all critical- and high-risk security vulnerabilities and provides a detailed action plan to implement an effective response to those threats in a timely manner.
- ScanWave helps financial institutions comply with the CSP, backed by an expert cyber security team, to ensure maximum protection for the banks' critical SWIFT systems, revenues and reputation in the region.
SWIFT CSP Scope of Consultancy Services
ScanWave SWIFT IAF/CSP services consist of the following:
- SWIFT CSP Gap Assessment
- SWIFT CSP Guidance & Remediation
- SWIFT CSP Benchmarking and Configuration Review
- Advanced Security Penetration Testing
- SWIFT CSP Independent Assessment Framework (IAF)
- SWIFT CSP Continuous Audits & Improvements