SWIFT Customer Security Programme
In response to recent cyber-attacks, SWIFT issued baseline security requirements through its Customer Security Controls Framework. While the SWIFT network itself was not compromised in the attacks, in some cases, hackers successfully breached the local operating environment established by SWIFT users.
To reduce the opportunities hackers have to exploit weaknesses in SWIFT users' local environments in the future, SWIFT created the Customer Security Programme (CSP). The CSP is a framework of cyber security controls that users set up and implement in their own local environments.
After the original release of the SWIFT CSP, users had to perform their first self-assessment by 31 December 2017, while complete compliance with mandatory controls was expected for the second self-assessment deadline of 31 December 2018. Since then, SWIFT has been updating the CSP on an annual basis to improve its coverage and to take into account the evolution of the cyber threat landscape. Compliance assessment declarations are expected at the end of each year.
SWIFT encourages its users to implement and monitor these customer security controls as part of a broader cyber security risk management programme, which should be regularly evaluated and adjusted based on leading industry practices and changes to the individual users' security position and infrastructure.
The framework can be applied to four types of SWIFT user architectures, titled A1, A2, A3, and B. SWIFT users must first identify which architecture applies to them before identifying and implementing the applicable controls.
More information on the CSP Customer Security Controls Framework (CSCF) is available from SWIFT.
The introduction of a new assessment methodology
In order to improve the level of assurance currently provided by self-attestations, SWIFT has developed an independent assessment framework (IAF), which requires all attestations to be supported by an independent assessment from CSP v2020 onward. Self-assessment will no longer be possible: SWIFT customers will have to rely on an independent assessment performed either by their internal second or third line of defense (e.g. risk management, internal audit, etc.) or by an external third-party organization.
Auditing the CSP
How different will your declaration be on 31.12.2020?
While a self-attestation usually takes a light approach, an independent assessment should rely on evidence for the design, the implementation, and the operating effectiveness of the controls.
An update of the control framework
CSP v2020 also introduces some changes to the controls, adapting the framework to the evolution of the cyber threat landscape and progressively strengthening the overall control environment.
Two advisory controls, introduced in CSP v2019, are being promoted to mandatory:
- 1.3 – Virtualization platform protection: The objective is to secure the virtualization platform and virtual machines hosting the SWIFT-related components to the same level as physical systems
- 2.10 – Application hardening: The objective is to reduce the attack surface of SWIFT-related components by performing interfaces and application hardening
Two new advisory controls are introduced:
- 1.4A – Restrict Internet access: This control has been extracted from control 1.1 and centralizes the guidance related to internet access
- 2.11A – RMA business controls: This control has been extracted from control 2.9A to separate the transaction business controls from the RMA business controls
Finally, one control is being extended:
- 2.4A – Back-office data flow security: The middleware components are now included in the scope
The SWIFT CSP controls
How confident are you in the effectiveness of your last self-declaration?
We propose that you begin the v2020 journey in 2019 by performing a gap assessment to fully understand your current situation against the v2020 requirements. This helps you identify and plan your projects so that you are compliant by the given date. A gap assessment that evaluates the design, implementation, and operating effectiveness of your control environment would also help to prevent your first independent assessment from revealing unexpected non-compliant controls.
Deloitte’s cyber risk practice is widely acknowledged as a leading security consulting practice, and is eminently qualified to help your organization be secure, vigilant, and resilient in the face of evolving cyber threats.
Gartner, the world's leading information technology research and advisory company, has positioned Deloitte first globally, based on revenue, in security consulting services for the sixth consecutive year in its report, Market Share: Security Consulting Services, Worldwide, 2017.
- Deloitte’s leadership in the field of information security assures you of our ability to assign qualified, knowledgeable, and industry-respected personnel who have performed similar consulting assignments
- Our experience in delivering similar mandates for local organizations brings industry-specific experience. Our local industry resources and extensive experience with security technologies constitute an invaluable set of resources for SWIFT CSP-related engagements. This enables us to use proven tools and methods to carry out comprehensive engagements
- We are technology and solution agnostic and we only recommend a solution that makes sense for the business and provides value
We offer holistic services that can support your organization as you address your SWIFT dependencies:
- CSP readiness: Deloitte will perform a SWIFT CSP gap analysis, identify the gaps (from a design, implementation, and operating effectiveness perspective), define actionable and pragmatic recommendations, and propose a remediation strategy and a roadmap to prioritize the implementation of such recommendations. This can be done on the full scope or a limited one (e.g. focusing on new controls becoming mandatory once a new version of the CSP is released)
- Compliance assessment: Deloitte will independently assess the compliance of your organization with the SWIFT CSP requirements. This service can also be co-sourced with your internal audit team
- Security control design: Deloitte will assist with the design of security controls in line with SWIFT CSP requirements, including security architecture, identity and access management, incident response, etc.
* While Deloitte is prepared to assist you in connection with the SWIFT Customer Security Controls Framework, please note that Deloitte does not represent or speak for SWIFT; and the Customer Security Controls Framework is part of the contractual framework between SWIFT and its users.
We help clients establish controls and processes around their most sensitive assets, balancing the need to reduce risk, while also helping to enable productivity, business growth, and cost optimization objectives.
Learn more about our cyber risk services.