Safeguarding the banking community

SWIFT CSCF Assessment

With the increasing threat from sophisticated threat actors, financial organizations need to remain vigilant and proactive. The SWIFT Customer Security Programme (CSP) has been introduced to support financial organizations in the ongoing battle against cyber fraud. Sentor can assist with annual SWIFT CSCF assessments and the related technical security testing to strengthen your resilience.

SWIFT is a global member-owned cooperative and the world’s leading provider of secure financial messaging services. All users of the SWIFT interbank messaging network must comply with its cybersecurity standards.

SWIFT Customer Security Programme (CSP)

SWIFT created the Customer Security Programme (CSP) to promote cybersecurity within the SWIFT user community and to drive industry-wide collaboration in the battle against cyber threats. Each user is responsible for the security of its own infrastructure; to support this, the CSP has been designed to help combat endpoint security threats and cyber fraud. At the heart of the CSP is the Customer Security Controls Framework (CSCF), a common set of security controls revised annually, which helps users secure their local environments and, in turn, the SWIFT community at large.

SWIFT Customer Security Controls Framework (CSCF)

The CSCF consists of both mandatory and advisory security controls that apply to each user's local SWIFT infrastructure.

Mandatory security controls establish a general security baseline for the SWIFT community and must be implemented, in line with their architecture type, by all users, including those that use a service bureau or a Business Application provider.

Advisory controls are based on security best practice, and SWIFT recommends that users adopt them where applicable. The list of mandatory and advisory controls is regularly reviewed against the evolving threat landscape.

SWIFT CSCF Mandatory Annual Assessment

From mid-2020, all users are obligated to perform ‘Community-Standard Assessments’. To further enhance the integrity, consistency and accuracy of attestations, SWIFT mandates that all attestations submitted in 2020 under CSCF v2020 must be independently assessed. This must be achieved through either:

External assessment, by an independent external organisation which has existing cybersecurity assessment experience and whose individual assessors hold relevant IT security industry certification(s); or

Internal assessment, by a user’s second or third line of defence function (such as compliance, risk management or internal audit) or its functional equivalent [as appropriate], which is independent from the first line of defence function that submitted the attestation (such as the CISO office) or its functional equivalent [as appropriate]. As with external assessors, those undertaking the assessment work should possess recent and relevant experience in the assessment of cyber-related security controls.

The solution

Sentor can provide your annual SWIFT CSCF assessment, including all related penetration tests and vulnerability assessments required for your SWIFT CSCF architecture type. A SWIFT CSCF assessment is delivered according to our established phased model, but every organization has different needs, so the assessment is tailored to your organization.

During a typical SWIFT CSCF assessment we perform the following key activities:

  • Preparations: the assessor prepares the initial assessment project plan
  • Kick-off meeting: meeting with the Client’s primary contact to define the SWIFT CSCF assessment scope based on the implemented SWIFT architecture type (A1, A2, A3 or B); the applicable controls and tasks are reviewed and scheduled
  • Document review: the assessor reviews the Client's documentation and assesses compliance with the applicable SWIFT CSCF controls
  • Onsite/remote process and procedure interviews: the assessor meets with the Client’s primary contact and evaluates whether the applicable processes and procedures comply with the SWIFT CSCF controls
  • Technical testing: penetration tests and vulnerability assessments as required by the applicable CSCF controls
  • SWIFT CSCF report: the assessor prepares the documented evidence of the Client’s CSCF compliance and assists the Client with the KYC Security Attestation (KYC-SA) reporting required by SWIFT
  • Report delivery meeting: the assessor presents the outcome of the assessment to the Client

Key benefits of Sentor SWIFT CSCF assessment service

  • Sentor has been assisting its customers with SWIFT CSCF since 2017
  • Sentor has the information security and technical expertise required to perform SWIFT CSCF assessments and meets the SWIFT assessor qualifications
  • Sentor also has the penetration testing and vulnerability assessment expertise to perform the more technical security testing of the Client’s SWIFT footprint

What to consider when selecting an assessor

When selecting an assessor, users must verify and ensure that:

A. The firm or internal department conducting the assessment has recent (within twelve months) and relevant experience in executing cybersecurity-oriented operational assessments against an industry standard such as PCI DSS, ISO 27001, NIST SP 800-53, the NIST Cybersecurity Framework or the CSP/CSCF itself.

B. All individuals tasked with carrying out the assessment hold at least one industry-relevant professional certification, e.g.:

  • PCI Qualified Security Assessor (QSA)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • ISO 27001 Lead Auditor
  • SANS Institute certifications
  • OSCP/CEH

Although SWIFT does not endorse or accredit any particular external assessor, and users remain ultimately responsible for selecting an assessor suitable to their needs and purposes, a list of companies that may be able to assist in performing independent CSCF assessments is published on the swift.com website in the directory of CSP Assessment Providers. When selecting an assessor, it is strongly recommended that users challenge the assessor's CSP/CSCF knowledge and track record.

Separately, the PCI Security Standards Council maintains a list of QSAs on its website. These lists are provided for reference only.

For Community-Standard and SWIFT-Mandated assessments, users should provide the name and, optionally, the contact details of their assessor directly in the KYC-SA application when they submit their KYC-SA attestation.
