In 2016, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) established a Customer Security Programme (CSP) introducing the Customer Security Controls Framework (CSCF). The program started with 16 mandatory controls and 11 advisory (optional) security controls. The current v2019 CSCF has 3 overarching objectives, 8 principles, and 29 controls. By the end of 2020, the v2020 CSCF will promote 2 advisory controls to mandatory, include 2 NEW advisory controls, and extend 1 existing control. To improve transparency and increase the level of assurance currently provided by the self-attestation, SWIFT has developed an independent assessment framework (IAF). By the end of 2020, SWIFT customers are required to provide an independent assessment against CSP v2020 to accompany their v2020 self-attestations. Independent assessments may be performed by independent in-house experts (e.g. risk management, internal audit, etc.) or by an external third-party provider.
How Will the CSP v2020 Attestation Be Different?
To adapt to the ever-evolving and complex cyber threat landscape faced by financial services, two advisory controls are promoted to mandatory in CSCF v2020:
- 1.3 – Virtualization platform protection: to secure the virtualization platform and the virtual machines hosting SWIFT-related components to the same level as physical systems.
- 2.10 – Application hardening: to reduce the attack surface of SWIFT-related components by performing application hardening on the SWIFT-certified messaging and communication interfaces and related applications.
The two NEW advisory controls in the CSCF v2020:
- 1.4A – Restrict internet access: split out of control 1.1 to consolidate the internet access guidance in one control
- 2.11A – RMA business control: split out of control 2.9A to separate the RMA business controls from the transaction business controls
The extended control in the CSCF v2020:
- 2.4A – Back-office data flow security: middleware components are now included in the scope
How We Can Help
Elevate has deep expertise in cybersecurity, privacy, and IT compliance. With over a decade of providing IT audits and compliance services for our banking and financial clients, we understand the unique and ever-evolving challenges and threats that financial service firms face. Our team of security, privacy, and IT auditors specializes in providing independent, valued assessments of control design, implementation, and operating effectiveness across your compliance framework. We work with you every step of the way to ensure a successful attestation for CSP v2020.
- Scope Assessment
Your attestation readiness starts with proper planning. First, we meet with your team to understand your architecture type and the applicability of each control to your operating environment. Our comprehensive review of your security posture is mapped directly to the CSCF v2020 requirements. Your compliance plan is based on the needs of your operating environment and is designed to achieve and maintain CSCF v2020 compliance.
- Current State Assessment
We begin by reviewing all current SWIFT CSP documentation and ensuring your current state is aligned with your business risk appetite and compliance objectives. During our review, we discuss both your current and future security requirements based on your operating environment. Using our cybersecurity tools and deep privacy expertise, we evaluate your current security threats and risks and develop a pragmatic and achievable remediation plan.
- Remediation Plan
Working with your key business and security stakeholders, we review the remediation plan to ensure all gaps and recommendations are aligned with your operating environment and meet your compliance objectives. Elevate will provide an independent assessment that is aligned with your self-attestation report.
- Ongoing Support
As your partner, we provide continued support to see you through your remediation plan on time and to ensure that the CSCF v2020 requirements are met. We offer our clients ongoing training, SWIFT updates, and industry thought leadership to ensure your team remains informed as SWIFT continues to evolve its program.
SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory, and SWIFT customers are not required to use providers listed in the directory.