What is SWIFT?
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a Belgian cooperative society which provides a global messaging system that financial organisations use to transmit information and instructions securely.
What is the SWIFT Customer Security Programme (CSP)?
Given the sensitive nature of financial communications, SWIFT places significant emphasis on security standards for participants. In 2016, the organisation introduced its CSP to help SWIFT users implement practices to protect against, as well as detect and share information about, financial services cybercrime. As part of the Programme, users are required to submit their attestation of compliance with the SWIFT Customer Security Controls Framework (CSCF) and share these with counterparts.
What is the Swift CSCF?
The latest version of CSCF (i.e., v 2022) contains 32 controls (23 mandatory and 9 advisory) which are mapped against recognised international standards, i.e., NIST, PCI DSS and ISO 27002). These 32 controls are based on 3 objectives and are underpinned by 8 principles:
- Secure your Environment (mainly IT and physical security)
- Ensure network segregation
- Reduce attack surface
- Maintain physical security
- Restrict Internet access
- Know and Limit Access (mainly people security)
- Manage identities
- Prevent compromise of credentials
- Detect and Respond
- Detect anomalous activity
- Plan for incident response and information sharing.
Need for Independent Assessment
Prior to 2021, self-assessment in readiness for attestation of compliance with CSCF was allowed, but with the CSCF v2021 came the requirement for members of the SWIFT community to utilise independent assessors as part of their attestation process. The assessment of the independent assessor needs to come to the same conclusion as the user’s self-attestation status for all controls. There are 2 attestation formats: assessment or audit, and either format is acceptable so long as a risk-based approach is adopted which addresses the user’s risk drivers, in-scope components and meets the stated control objectives.
Why Choose URM as Your Independent Assessor
URM is ideally placed to be your independent assessor due to its
- Risk management expertise. Since 2002, URM has been developing and refining its risk assessment methodologies and processes to address the requirements of international standards and has developed a suite of purpose-designed risk assessment software products (Abriska®).
- Experience, not only assisting organisations comply with the SWIFT CSCF, but also with PCI DSS, ISO 27001/ISO 27002 and NIST SP 800-53, the main standards against which the CSCF controls are mapped. URM has been involved in assisting in excess of 300 organisations comply with these standards and will ensure you fully leverage any artefacts gained in complying with these standards as part of your CSCF attestation.
- Competence in production, disaster recovery and backup environments - the three scope environments that house all the in-scope SWIFT components.
- Qualified assessors. URM’s assessors have attained the required industry relevant professional certifications, e.g., PCI QSA, ISO 27001 lead auditors, CISA.
- Company accreditations. In addition to its 20 years’ experience of delivering practical solutions in the governance, risk and compliance (GRC) space, URM provides reassurance through its own certification to ISO 27001, ISO 22301 and Cyber Essentials Plus, as well as being a CREST-accredited penetration testing organisation.
What Other SWIFT Services Can URM Provide?
In addition to acting as your independent assessor, URM can also conduct a gap analysis to determine your current conformity levels with the CSCF’s mandatory controls and identify any areas that need to be addressed. Following the gap analysis, URM can also assist you with any remediation work involved in ensuring your organisation meets all of the requirements of the CSCF.