SWIFT Customer Security Programme 2019
SWIFT has published the new Customer Security Controls Framework (CSCF) v2019, which provides additional guidance
and clarification on the implementation guidelines and includes changes to the existing controls: three controls are
promoted to mandatory and two new advisory controls are introduced.
The CSCF v2019 should be consulted to help you plan and budget any action required on your part. The CSCF v2019 will
not become effective in the KYC-SA, the online repository for customer attestations, until July 2019. Attesting compliance
against the CSCF v2019 will be mandatory by the end of 2019.
1.1 SWIFT Environment Protection: Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.
1.2 Operating System Privileged Account Control: Restrict and control the allocation and usage of administrator-level operating system accounts.
2.2 Security Updates: Minimize the occurrence of known technical vulnerabilities within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.
2.3 System Hardening: Reduce the cyber attack surface of SWIFT-related components by performing system hardening.
2.6 Operator Session Confidentiality and Integrity*: Protect the confidentiality and integrity of interactive operator sessions connecting to the local SWIFT infrastructure.
2.7 Vulnerability Scanning*: Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results.
3.1 Physical Security: Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage.
4.1 Password Policy: Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.
4.2 Multi-factor Authentication: Prevent that a compromise of a single authentication factor allows access into SWIFT systems, by implementing multi-factor authentication.
5.1 Logical Access Control: Enforce the security principles of need-to-know access, least privilege, and segregation of duties for operator accounts.
5.2 Token Management: Ensure the proper management, tracking, and use of connected hardware authentication tokens (if tokens are used).
5.4 Physical and Logical Password Storage*: Protect physically and logically recorded passwords.
6.1 Malware Protection: Ensure that local SWIFT infrastructure is protected against malware.
6.2 Software Integrity: Ensure the software integrity of the SWIFT-related applications.
6.3 Database Integrity: Ensure the integrity of the database records for the SWIFT messaging interface.
6.4 Logging and Monitoring: Record security events and detect anomalous actions and operations within the local SWIFT environment.
7.1 Cyber Incident Response Planning: Ensure a consistent and effective approach for the management of cyber incidents.
7.2 Security Training and Awareness: Ensure all staff are aware of and fulfil their security responsibilities by performing regular security training and awareness activities.
1. Restrict Internet Access & Protect Critical Systems from General IT Environment
1.3A Virtualisation Platform Protection*: Secure virtualisation platform and virtual machines (VMs) hosting SWIFT-related components to the same level as physical systems.
2.5A External Transmission Data Protection: Protect the confidentiality of SWIFT-related data transmitted and residing outside of the secure zone.
2.9A Transaction Business Controls: Restrict transaction activity to validated and approved counterparties and within the expected bounds of normal business.
2.10A Application Hardening*: Reduce the attack surface of SWIFT-related components by performing application hardening on the SWIFT-certified messaging and communication interfaces and related applications.
5.3A Personnel Vetting Process: Ensure the trustworthiness of staff operating the local SWIFT environment by performing personnel vetting.
6.5A Intrusion Detection: Detect and prevent anomalous network activity into and within the local SWIFT environment.
7.3A Penetration Testing: Validate the operational security configuration and identify security gaps by performing penetration testing.
7.4A Scenario Risk Assessment: Evaluate the risk and readiness of the organization based on plausible cyber attack scenarios.
Change Management: The Change Management process to evolve the controls framework is designed to ensure that the
SWIFT community has sufficient time (up to 18 months) to understand and implement any future changes to the controls
requirements. Any changes to the controls will be announced mid-year, with attestation and compliance against the
mandatory controls of any new version required between July and December of the following year, dependent on the expiry
date of the attestation. In exceptional circumstances an emergency release may be required, but we expect this to be a rare
occurrence.
Introduction of new controls or guidelines will take account of strong cybersecurity practices that address the currently
known new and arising threats in order to pragmatically raise the security bar. Consultation and input gathering from
stakeholders will occur throughout the year to capture change requests from the various sources. All new mandatory
controls will be first introduced as Advisory, thereby giving all users at least two cycles to plan, budget and implement.