Secure the SWIFT Network
In 2016, users of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network in Bangladesh, Vietnam and Ecuador suffered cyber-attacks and huge financial losses. Because of the exponential increase in cyber-attacks and fraud against financial institutions, SWIFT introduced its own Customer Security Programme (CSP) the same year. The main goal of this programme is to ensure and improve the security level of each SWIFT customer in order to bring more confidence to the SWIFT network. To pursue this aim, SWIFT proposed three guidelines: Secure your environment, Know and Limit Access, Detect and Respond.
The security of the SWIFT network depends on its weakest link.
The Customer Security Controls Framework (CSCF) describes a set of mandatory and advisory security controls. To be compliant, all users must be in line with all the mandatory security controls and undergo an annual assessment. Gottfried Leibbrandt, CEO of SWIFT, said: “While each individual SWIFT customer is responsible for the security of its own environment, the security of the global community can only be ensured collectively. It requires a collaborative approach between SWIFT, its customers, overseers and third-party suppliers. […]”
To ensure the quality of the CSCF application, SWIFT decided to change the assessment system. Since 2020, it has also been gradually phasing out self-assessment in favour of independent assessment. The assessor requirements are:
- Independence (freedom from any conflict of interest)
- Experience (recent and relevant experience in executing assessments to an industry standard)
- Certification (holding at least one industry-relevant professional certification)
For more information on this topic, SWIFT has developed an Independent Assessment Framework (IAF).
SWIFT also made other changes between the 2019 version and the 2020 version. Two advisory security controls from the previous release are now mandatory: “1.3 Virtualization Platform Protection” and “2.10 Application Hardening”. Two new advisory security controls have been added: “1.4A Restriction of Internet Access” and “2.11A RMA Business Control”. Finally, the scope has been extended to middleware servers; this last change is only an advisory control for the moment.
CSCF compliance gives the organisation a first level of information security. For organisations already compliant with the NIST framework, ISO 27002 or PCI DSS, SWIFT provides a “Mapping to Industry Standards” (cf. CSCF v2020, Appendix E) to highlight the similarities between these standards and the CSCF. If the scope of the other standards covers the CSP scope, these organisations do not need significant resources to apply the CSCF correctly.
How can Excellium help you?
Excellium, as an expert in information security, sets itself apart from the competition through its ability to provide the full range of cybersecurity services to its customers. We can therefore support you step by step in becoming SWIFT CSP compliant.
In addition, our Information Security Governance (ISG) department specialises in risk management, compliance and resilience assurance, and has carried out several SWIFT CSP assessments for different kinds of organisations. Moreover, we are now listed in the SWIFT register as a provider of Customer Security Programme assessments. Our approach is based on the Customer Security Controls Framework developed by SWIFT. Finally, our knowledge of other industry standards is a real advantage in understanding your needs.