SWIFT CSCF Assessment

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) has put forth a security framework under its Customer Security Programme (SWIFT CSP) for all of its users, addressing the community's growing need for security and transparency in the face of increasing cyber fraud.


The SWIFT CSP programme aims at the detection and prevention of fraudulent activity by means of a set of mandatory security controls defined under the SWIFT Customer Security Controls Framework (CSCF) and a community-wide information sharing initiative. The framework defines a set of Objectives, Principles and Controls that are reviewed and revised annually. Any organization that makes use of the SWIFT interbank messaging network needs to comply with the new cybersecurity standards, as well as with a related "assurance framework". An organization that needs to be SWIFT qualified must undergo the following steps:

  1. Self-assessment as per the SWIFT Customer Security Controls Framework (CSCF): annual assessment of the local environment against 23 mandatory and 9 advisory controls as per best practices.
  2. Self-attestation as per the SWIFT Customer Security Controls Policy: each user is required to submit a self-attestation of their compliance against the defined controls, based on the assessment results, before the annual deadline.
  3. CSCF v2022 to CSCF v2023.

Furthermore, to enhance the overall integrity of attestations across all customers, all submitted attestations for CSCF v2023 must be supported by an independent assessment, either internally, by a second or third line of defence (e.g. risk, compliance or internal audit), or externally, by a third party.

All SWIFT customers are required to perform an "Independent Assessment" as part of their annual self-attestation. As an approved SWIFT Assessment Provider, QRC will help you validate the successful alignment of your controls with the SWIFT CSP guidelines and work alongside your internal audit function. Our extensive SWIFT CSP expertise will ensure that all your requirements are met ahead of SWIFT's required independent assessment.

Audit Approach: We follow a well-documented approach, working alongside our clients to help them attain their compliance goals. This requires a well-documented execution plan with defined milestones.

- Business Understanding: Evaluating business processes and the environment to understand the in-scope elements.

- Assessment Scope Finalization: A detailed questionnaire is shared with your teams to aid in scope definition, planning and preparation of the audit and its objectives.

- Initial/Readiness Assessment: As per the SWIFT CSCF framework, we conduct an initial assessment to identify and analyze the risks in the information security posture.

- Validate SWIFT Architecture: Assisting organizations to identify and validate their SWIFT architecture, zones and components as per the assessment requirements.

- Control Validation: Performing mandatory and advisory control validation to determine control applicability for the environment.

- Data Flow Assessment: Conducting a thorough systems analysis to evaluate data flows and possible leakages.

- Documentation Support: Templates are provided to ease the documentation work during the assessment process.

- Remediation Support: Based on the assessment results, QRC provides remediation support for complying with the SWIFT cybersecurity framework.

- Scans and Testing: Identifying critical vulnerabilities in your systems with a robust testing approach.

- Evidence Review: Reviewing the evidence collected to assess its maturity against the compliance requirements.

- Concise Reporting: We deliver a comprehensive report detailing all findings covered in the assessment cycle, as per the SWIFT template.

Frequently Asked Questions

SWIFT's Customer Security Programme (CSP) aims to prevent and detect fraudulent activity through a set of mandatory security controls, community-wide information sharing initiatives and enhanced security features on its products.

SWIFT CSP requires customers to submit a self-attestation on an annual basis by 31 December. From 31 December 2020 onwards, an independent assessment is required alongside a customer's attestation.

There are two forms in which a SWIFT customer can obtain an independent assessment:
- An internal assessment: The internal audit is carried out by the customer's internal audit function, independent from the function submitting the attestation.
- An external assessment: An external audit is carried out by an audit firm as an assessment against the CSP controls.

SWIFT's CSCF v2020 comprises 3 Objectives, 8 Principles and 31 Controls (21 mandatory and 10 optional). The SWIFT mandatory controls focus on securing your environment and on knowing and limiting access.

SWIFT reports to local regulators all cases of non-compliance and all members who have not verified their compliance.

In all circumstances, it is necessary to share all relevant information and to let SWIFT know there is a problem as soon as possible, in order to protect the other organisations in the network.