SWIFT Customer Security Controls Framework

The SWIFT Customer Security Controls Framework describes a set of mandatory and advisory security controls for SWIFT customers.

The mandatory security controls establish a security baseline for the entire community and must be implemented by all users on their local SWIFT infrastructure. SWIFT has chosen to prioritise these mandatory controls to set a realistic goal for near-term, tangible security gain and risk reduction. Advisory controls are based on good practice that SWIFT recommends users implement. Over time, mandatory controls may change as the threat landscape evolves, and some advisory controls may become mandatory.

All controls are articulated around three overarching objectives: 'Secure your Environment', 'Know and Limit Access', and 'Detect and Respond'. The controls have been developed based on SWIFT's analysis of cyber threat intelligence and in conjunction with industry experts and user feedback. The control definitions are also intended to be in line with existing information security industry standards.

All users need to confirm full compliance with the mandatory security controls of CSCF v1 by re-attesting before their current attestation expires on 31 December 2018.

SWIFT has published the new Customer Security Controls Framework (CSCF) v2019, which provides additional guidance and clarification on the implementation guidelines and changes the existing controls: three advisory controls are promoted to mandatory and two new advisory controls are added. Consult the CSCF v2019 to plan and budget any action required on your part. The CSCF v2019 will not become effective in the KYC-SA, the online repository for customer attestations, until July 2019. Attesting compliance against the CSCF v2019 will be mandatory by the end of 2019.

The SWIFT Customer Security Controls Framework Detailed Description is available on e-paying.info. Customers must log in to mySWIFT with their e-paying.info credentials to access the document. (e-paying.info > Ordering & Support > User Handbook home > A-Z > Customer Security Programme).

To ensure adoption, and to complement the SWIFT Customer Security Controls Framework, SWIFT has published further details of the related attestation policy and process in the SWIFT Customer Security Controls Policy document.

The document contains further information on:

  • the requirement to self-attest against SWIFT's mandatory security controls;
  • the process and timelines for submitting self-attestation data to the KYC Security Attestation application (KYC-SA);
  • the process for viewing counterparties' attestation data via the KYC-SA;
  • follow-up actions in cases of non-compliance according to the reporting timelines.

SWIFT's KYC Security Attestation application (KYC-SA) is the central application for the submission of self-attestation data. The KYC-SA application also enables the transparent exchange of security status information with counterparties to support cyber risk management and business due diligence.

All SWIFT users received a Welcome Mail in July 2017 (sent to e-paying.info administrators of the parent entities) that provided the KYC-SA login details and set out the practical steps to complete attestations.

The Security Attestation support page on mySWIFT provides guidance on how to get started, understand the security controls, assess the impact for your institution, and use the KYC-SA. The page provides easy access to the relevant information, how-to videos, training, documentation, and frequently asked questions. We recommend checking that your e-paying.info password is still valid so that you can continue using the KYC-SA.

Customers are encouraged to explore the new suite of training modules, which includes an overview of the SWIFT Customer Security Controls Framework and an introduction to the mandatory security controls.

CSP security controls

Mandatory Security Controls (each control is followed by its control objective)

Control numbers missing from this list (2.4, 2.5, 5.3 and so on) are advisory controls, listed further below with an "A" suffix. Controls 2.6, 2.7 and 5.4 are the three advisory controls promoted to mandatory in CSCF v2019; in earlier versions they were 2.6A, 2.7A and 5.4A.

1. Restrict Internet Access and Protect Critical Systems from General IT Environment
  1.1 SWIFT Environment Protection: Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.
  1.2 Operating System Privileged Account Control: Restrict and control the allocation and usage of administrator-level operating system accounts.

2. Reduce Attack Surface and Vulnerabilities
  2.1 Internal Data Flow Security: Ensure the confidentiality, integrity, and authenticity of data flows between local SWIFT-related applications and their link to the operator PC.
  2.2 Security Updates: Minimize the occurrence of known technical vulnerabilities within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.
  2.3 System Hardening: Reduce the cyber attack surface of SWIFT-related components by performing system hardening.
  2.6 Operator Session Confidentiality and Integrity: Protect the confidentiality and integrity of interactive operator sessions connecting to the local SWIFT infrastructure.
  2.7 Vulnerability Scanning: Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon the results.

3. Physically Secure the Environment
  3.1 Physical Security: Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage.

4. Prevent Compromise of Credentials
  4.1 Password Policy: Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.
  4.2 Multi-factor Authentication: Prevent a compromise of a single authentication factor from allowing access into SWIFT systems by implementing multi-factor authentication.

5. Manage Identities and Segregate Privileges
  5.1 Logical Access Control: Enforce the security principles of need-to-know access, least privilege, and segregation of duties for operator accounts.
  5.2 Token Management: Ensure the proper management, tracking, and use of connected hardware authentication tokens (if tokens are used).
  5.4 Physical and Logical Password Storage: Protect physically and logically recorded passwords.

6. Detect Anomalous Activity to Systems or Transaction Records
  6.1 Malware Protection: Ensure that local SWIFT infrastructure is protected against malware.
  6.2 Software Integrity: Ensure the software integrity of the SWIFT-related applications.
  6.3 Database Integrity: Ensure the integrity of the database records for the SWIFT messaging interface.
  6.4 Logging and Monitoring: Record security events and detect anomalous actions and operations within the local SWIFT environment.

7. Plan for Incident Response and Information Sharing
  7.1 Cyber Incident Response Planning: Ensure a consistent and effective approach for the management of cyber incidents.
  7.2 Security Training and Awareness: Ensure all staff are aware of and fulfil their security responsibilities by performing regular security training and awareness activities.
Advisory Security Controls (each control is followed by its control objective)

Controls 2.6A, 2.7A and 5.4A were advisory before CSCF v2019, which promoted them to mandatory; they appear in the mandatory list above as 2.6, 2.7 and 5.4.

1. Restrict Internet Access and Protect Critical Systems from General IT Environment
  1.3A Virtualisation Platform Protection: Secure the virtualisation platform and virtual machines (VMs) hosting SWIFT-related components to the same level as physical systems.

2. Reduce Attack Surface and Vulnerabilities
  2.4A Back Office Data Flow Security: Ensure the confidentiality, integrity, and mutual authenticity of data flows between back office (or middleware) applications and connecting SWIFT infrastructure components.
  2.5A External Transmission Data Protection: Protect the confidentiality of SWIFT-related data transmitted and residing outside of the secure zone.
  2.6A Operator Session Confidentiality and Integrity: Protect the confidentiality and integrity of interactive operator sessions connecting to the local SWIFT infrastructure.
  2.7A Vulnerability Scanning: Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process.
  2.8A Critical Activity Outsourcing: Ensure protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities.
  2.9A Transaction Business Controls: Restrict transaction activity to validated and approved counterparties and within the expected bounds of normal business.
  2.10A Application Hardening: Reduce the attack surface of SWIFT-related components by performing application hardening on the SWIFT-certified messaging and communication interfaces and related applications.

5. Manage Identities and Segregate Privileges
  5.3A Personnel Vetting Process: Ensure the trustworthiness of staff operating the local SWIFT environment by performing personnel vetting.
  5.4A Physical and Logical Password Storage: Protect physically and logically recorded passwords.

6. Detect Anomalous Activity to Systems or Transaction Records
  6.5A Intrusion Detection: Detect and prevent anomalous network activity into and within the local SWIFT environment.

7. Plan for Incident Response and Information Sharing
  7.3A Penetration Testing: Validate the operational security configuration and identify security gaps by performing penetration testing.
  7.4A Scenario Risk Assessment: Evaluate the risk and readiness of the organization based on plausible cyber attack scenarios.

Change Management: The change management process for evolving the controls framework is designed to give the SWIFT community sufficient time (up to 18 months) to understand and implement any future changes to the control requirements. Changes to the controls are announced mid-year, and attestation and compliance against the mandatory controls of the new version are required between July and December of the following year, depending on the expiry date of the attestation. In exceptional circumstances an emergency release may be required, but SWIFT expects this to be a rare occurrence.

CSP - Change Management

New controls or guidelines are introduced on the basis of strong cybersecurity practices that address currently known and emerging threats, in order to raise the security bar pragmatically. Consultation and input gathering from stakeholders takes place throughout the year to capture change requests from the various sources. Every new mandatory control is first introduced as an advisory control, giving all users at least two cycles to plan, budget and implement.

Related resources

Training: SWIFTSmart training modules related to the Customer Security Controls Framework are available.

Product: KYC Security Attestation application, the tool for all SWIFT users to submit their attestation data. Release 3.0 is now available.

CSP: Customer Security Programme Framework v2019, the current version of the framework described above.