SWIFT CSCF Assessment
With the increasing threat from sophisticated threat actors, financial organizations need to remain vigilant and proactive. SWIFT Customer Security Programme has been introduced to support financial organizations in the ongoing battle against cyber fraud. Sentor can assist with annual SWIFT CSCF Assessments and technical security testing to strengthen your resilience.
SWIFT is a global member-owned cooperative and the world’s leading provider of secure financial messaging services. All users of the SWIFT interbank messaging network must comply with its cybersecurity standards.
SWIFT Customer Security Programme (CSP)
SWIFT created the Customer Security Programme (CSP) to promote cybersecurity within the SWIFT user community and to drive industry-wide collaboration in the battle against cyber threats. Users are responsible for the security of their infrastructure, and to support this, CSP has been designed to help combat endpoint security threats and cyber fraud. At the heart of the CSP is the Customer Security Controls Framework (CSCF), a common set of security controls revised annually, which help users secure their local environments and, in turn, the SWIFT community at large.
SWIFT Customer Security Controls Framework (CSCF)
The CSCF consists of both mandatory and advisory security controls, which should be implemented by all users on their local SWIFT infrastructure.
Mandatory security controls establish a general security baseline for the SWIFT community and must be implemented in line with their architecture type by all users, including those that use a service bureau or a Business Application provider.
Advisory controls are based on best security practice and SWIFT recommends that users adopt these controls where applicable. The list of mandatory and advisory controls is regularly reviewed against the evolving threat landscape.
SWIFT CSCF Mandatory Annual Assessment
From mid-2020, all users are obligated to perform ‘Community Standard Assessments’.
To further enhance the integrity, consistency and accuracy of attestations, SWIFT mandates that all attestations submitted in 2020 under CSCF v2020 must be independently assessed. This must be achieved through either:
External assessment, by an independent external organisation which has existing cybersecurity assessment experience, and individual assessors who have relevant IT security industry certification(s), or:
Internal assessment, by a user’s second or third line of defence function (such as compliance, risk management or internal audit) or its functional equivalent [as appropriate], which is independent from the first line of defence function that submitted the attestation (such as the CISO office) or its functional equivalent [as appropriate]. As per external assessors, those undertaking the assessment work should possess recent and relevant experience in the assessment of cyber-related security controls.
Sentor can provide your annual SWIFT CSCF assessment, including the related pentest and vulnerability assessments required for your SWIFT CSCF architecture type. A SWIFT CSCF assessment can be delivered according to our established phased model, but every organization has different needs, so the assessment is tailored to meet the needs of your organization.
During a typical SWIFT CSCF assessment we perform the following key activities:
- Preparations: the assessor prepares the initial assessment project plan
- Kick-off meeting: meeting with the Client’s primary contact to define the SWIFT CSCF assessment scope based on the implemented SWIFT architecture (A1, A2, A3, or B); the applicable controls and tasks are reviewed and scheduled
- Documents review: the assessor reviews documentation and assesses compliance with the applicable SWIFT CSCF controls
- Onsite/remote processes and procedures interview with the SWIFT client: the assessor meets with the Client’s primary contact and evaluates the applicable processes and procedures for SWIFT CSCF compliance
- Technical testing: the pentest and vulnerability assessments required by the applicable CSCF controls
- Writing the SWIFT CSCF report: the assessor prepares the documented evidence of the Client’s CSCF compliance and assists the Client with the SWIFT Portal KYC Registry Security Attestation (KYC-SA) reporting required by SWIFT
- Report delivery meeting: the assessor presents the outcome of the assessment to the Client