6. The assessment templates directly correlate to the CSCF and highlight which CSCF controls are applicable to the user’s architecture type. For each applicable control, the relevant template sets out the control objective, any underpinning key principle(s) and SWIFT’s guidance with respect to their implementation. By use of the template, the assessor can then confirm whether those that are applicable to the user are complied with, either via SWIFT’s implementation guidance or, for typically large or complex institutions, via an alternative implementation method.
7. Finally, some CSCF controls, although relevant for the user’s SWIFT architecture type, may in rare cases not be applicable depending upon the user’s specific local infrastructure. In such cases, they should be assessed as 'Not Applicable'. An example of this would be Control 6.2 (Anti-Virus) which, whilst likely to be applicable in most environments, is not likely to be applicable in a Linux environment. Please refer to the KYC-SA baseline for the identification of such controls.
8. For each Implementation guidance in the "Assessment Results" section, indicate whether or not the user has fulfilled the guidance statement using the appropriate drop-down list(s) available at the right side of the worksheet. Note that the only available responses are “yes”, “no”, and “N/A” (in a limited number of cases). Responses marked “N/A” are not detrimental to the overall disposition of any control.
9. Support the above-mentioned finding by populating the corresponding cell(s) marked "<Observations & response justification - address all subordinate implementation details as documented in the CSCF>" for each guidance. As noted, assessors should address all subordinate details documented for each Implementation guidance as provided in the CSCF.
10. For each guidance in the "Assessment Results" section, indicate whether or not the user has used an alternative implementation means to fulfil the control requirement(s) of said guidance, using the appropriate drop-down list(s) available at the right side of the worksheet. Note that the use of alternative implementation means is not detrimental to the overall disposition of any control.
11. For any and all guidance where alternative implementation means were used to fulfil the control requirement(s), provide a full explanation of the alternative means utilised in the corresponding cells marked "<Alternative guidance implementation approach and details>". Note that the worksheet will grey out these cells for any guidance that has been addressed using the standard implementation method. Responses provided should be comprehensive and detail how all applicable risks are addressed by the user's custom implementation.
12. When the above steps have been completed, the worksheet will automatically mark the control as either "In Place" or "Not in Place" depending on the input provided by the assessor in the "Assessment Results" section. Do not attempt to manually alter any fields that are automatically populated (non-modifiable cells are password protected).
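The disposition rules in steps 7 to 12 (yes/no/N/A per guidance, "N/A" and alternative implementation means not detrimental, a justification required for every guidance and an explanation required whenever alternative means are used), written out as a small validator. This is an added illustration, not SWIFT's worksheet logic: the 'TBD' value for an incomplete control and the sample guidance wording for 2.5A are assumptions made here.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# The only responses the worksheet drop-down offers for an implementation guidance.
VALID_RESPONSES = {"yes", "no", "N/A"}


@dataclass
class GuidanceResult:
    """One row of the 'Assessment Results' section for a single implementation guidance."""
    guidance: str                  # the CSCF implementation guidance statement
    response: str                  # "yes", "no" or "N/A" (N/A only where the CSCF allows it)
    justification: str = ""        # the '<Observations & response justification ...>' cell
    alternative: bool = False      # alternative implementation means used for this guidance?
    alternative_details: str = ""  # the '<Alternative guidance implementation approach and details>' cell


@dataclass
class ControlAssessment:
    """All guidance rows assessed for one control (for example 2.5A)."""
    control_id: str
    applicable: bool = True        # False when the assessor marks the control 'Not Applicable'
    results: list[GuidanceResult] = field(default_factory=list)


def completeness_problems(ctrl: ControlAssessment) -> list[str]:
    """Return the cells the assessor still has to fill in (empty list when complete)."""
    problems: list[str] = []
    if not ctrl.applicable:
        return problems  # a 'Not Applicable' control has no guidance rows to complete
    if not ctrl.results:
        problems.append(f"{ctrl.control_id}: no guidance rows assessed")
    for r in ctrl.results:
        if r.response not in VALID_RESPONSES:
            problems.append(f"{r.guidance}: response {r.response!r} is not a drop-down value")
        if not r.justification.strip():
            problems.append(f"{r.guidance}: observations/response justification missing")
        if r.alternative and not r.alternative_details.strip():
            problems.append(f"{r.guidance}: alternative implementation used but not explained")
    return problems


def control_disposition(ctrl: ControlAssessment) -> str:
    """Derive the control disposition from the assessor's input.

    'Not Applicable' is the assessor's own call (step 7). 'TBD' is assumed here to be the
    value shown while rows are incomplete. Once complete, a single "no" makes the control
    'Not in Place'; "N/A" responses and alternative implementation means are not detrimental.
    """
    if not ctrl.applicable:
        return "Not Applicable"
    if completeness_problems(ctrl):
        return "TBD"
    if any(r.response == "no" for r in ctrl.results):
        return "Not in Place"
    return "In Place"


# Constructed sample for control 2.5A; the guidance wording is abbreviated, not quoted from the CSCF.
SAMPLE_2_5A = ControlAssessment(
    control_id="2.5A",
    results=[
        GuidanceResult(
            guidance="Backups of secure zone data are encrypted",
            response="yes",
            justification="Backup jobs reviewed; encryption enabled on all backup sets.",
        ),
        GuidanceResult(
            guidance="Data replicated for recovery is encrypted",
            response="N/A",
            justification="No replication to a secondary site exists for this user.",
        ),
        GuidanceResult(
            guidance="Data extracted for off-line processing is encrypted",
            response="yes",
            justification="Extracts are transferred over an encrypted channel only.",
            alternative=True,
            alternative_details="Transport-level encryption instead of file-level encryption; "
                                "extracts are deleted at the receiving end after processing.",
        ),
    ],
)

if __name__ == "__main__":
    print(SAMPLE_2_5A.control_id, "->", control_disposition(SAMPLE_2_5A))  # In Place
```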
The information herein is confidential and will not be disclosed to third parties without written permission. Template Copyright © S.W.I.F.T. SCRL, 2019
564241396.xlsx - User Data Tab Template Version: 2019
<end date>

I, <lead assessor> at <firm> confirm that we were engaged by <customer> to assess their level of compliance against the Customer Security Controls Framework (2019 version). I can confirm that as of <end date>, this assessment is complete and the results of the assessment have been provided to <customer>.

Sincerely,
<lead assessor>
<title>, <firm>
564241396.xlsx - Summary Tab Template Version: 2019
1.3A VIRTUALISATION PLATFORM PROTECTION
CONTROL INFORMATION
CONTROL OBJECTIVE
Secure virtualisation platform and virtual machines (VM’s) hosting SWIFT related components to the same level as physical systems.
IN-SCOPE COMPONENTS
• Virtualisation platform (also referred as the hypervisor) and VM's used to host any of the below SWIFT related components:
- Messaging interface
- Communication interface
- GUI
- SWIFTNet Link
- Connector
- Jump Server
- Dedicated and general purpose operator PCs
- Firewalls
RISK DRIVERS
• Unauthorised access to the hypervisor and its configuration modules
• Uncontrolled proliferation of VM's leading to unmanageable, unpatched and unaccounted-for machines
• Uncontrolled proliferation of VM's leading to unauthorised access to data
• Lack of visibility into network segregation and control over virtual networks when not using network security protection (such as physical firewalls or intrusion detection systems)
CONTROL STATEMENT
Secure virtualisation platform, virtualised machines and supporting virtual infrastructure (e.g. firewalls) to the same level as physical systems.
CONTROL CONTEXT
Providing appropriate controls have been implemented, SWIFT does not limit the use of virtual technology for any component of the local SWIFT infrastructure or the associated supporting infrastructure (for example, virtual firewalls).
ASSESSMENT RESULTS
Implementation Guideline-Level Detail
Has the user adequately secured virtualisation platforms and virtual machines (VM’s) hosting SWIFT related components to the same level as physical systems?
<Observations & response justification - address all subordinate implementation details as documented in the CSCF>
Summary
Overall Control Disposition
Recommendations
<Recommendations for security enhancements / improvements>
BACK-OFFICE DATA FLOW SECURITY
CONTROL INFORMATION
CONTROL OBJECTIVE
Ensure the confidentiality, integrity, and mutual authenticity of data flows between back office (or middleware) applications and connecting SWIFT infrastructure components.
IN-SCOPE COMPONENTS
• Data exchange layer: flows of financial transactions
RISK DRIVERS
• Loss of sensitive data confidentiality
• Loss of sensitive data integrity
• Unauthenticated system traffic
CONTROL STATEMENT
Confidentiality, integrity, and mutual or message level based authentication mechanisms are implemented to protect data flows between back office (or middleware) applications and connecting SWIFT infrastructure components.
CONTROL CONTEXT
Protection of data flows between the back office (or middleware) first hop, as seen from the secure zone, and the connecting SWIFT infrastructure safeguards against man-in-the-middle, unintended disclosure, modification, and data access while in transit.
ASSESSMENT RESULTS
Implementation Guideline-Level Detail
Has the user adequately ensured the confidentiality, integrity, and mutual authenticity of data flows between back office (or middleware) applications and connecting SWIFT infrastructure components?
<Observations & response justification - address all subordinate implementation details as documented in the CSCF>
Summary
Overall Control Disposition: TBD
Recommendations
<Recommendations for security enhancements / improvements>
2.5A EXTERNAL TRANSMISSION DATA PROTECTION
CONTROL INFORMATION
CONTROL OBJECTIVE
Protect the confidentiality of SWIFT-related data transmitted and residing outside of the secure zone.
IN-SCOPE COMPONENTS
• SWIFT-related secure zone data
RISK DRIVERS
• Compromise of trusted backup data
• Loss of sensitive data confidentiality
CONTROL STATEMENT
Sensitive SWIFT-related data leaving the secure zone as a result of backups, data replication for recovery or further off-line processing is encrypted.
CONTROL CONTEXT
Encryption of sensitive data leaving the secure zone protects against unintended disclosure of the data when it is extracted from its normal operating environment.
ASSESSMENT RESULTS
Implementation Guideline-Level Detail
Has the user adequately protected the confidentiality of SWIFT-related data transmitted and residing outside of the secure zone?
<Observations & response justification - address all subordinate implementation details as documented in the CSCF>
Summary
Overall Control Disposition: TBD
Recommendations
<Recommendations for security enhancements / improvements>
2.8A CRITICAL ACTIVITY OUTSOURCING
CONTROL INFORMATION
CONTROL OBJECTIVE
Ensure protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities.
IN-SCOPE COMPONENTS
• Organisational control
RISK DRIVERS
• Exposure to sub-standard security practices
CONTROL STATEMENT
Critical outsourced activities are protected, at a minimum, to the same standard of care as if operated within the originating organisation.
CONTROL CONTEXT
When critical activities, such as network and system maintenance, are outsourced to a third party (for example, external IT provider), it is essential that at a minimum, the original standard of care for security is maintained (in addition to adherence to this security control framework) to ensure that no new weaknesses or vulnerabilities are introduced.
ASSESSMENT RESULTS
Implementation Guideline-Level Detail
Has the user adequately ensured the protection of local SWIFT infrastructure from risks exposed by the outsourcing of critical activities?
<Observations & response justification - address all subordinate implementation details as documented in the CSCF>
Summary
Overall Control Disposition: TBD
Recommendations
<Recommendations for security enhancements / improvements>
2.9A TRANSACTION BUSINESS CONTROLS
CONTROL INFORMATION
CONTROL OBJECTIVE
Restrict transaction activity to validated and approved counterparties and within the expected bounds of normal business.
IN-SCOPE COMPONENTS
• GUI
• Secure zone: messaging interface
• Secure zone: communication interface
• Secure zone: connector
RISK DRIVERS
• Business conducted with an unauthorised counterparty
• Undetected anomalies or suspicious activity
CONTROL STATEMENT
Implement RMA controls and transaction detection, prevention and validation controls to restrict transaction activity to within the expected bounds of normal business.
CONTROL CONTEXT
Implementing business controls that restrict SWIFT transactions to the fullest extent possible reduces the opportunity for both the sending and receiving of fraudulent transactions. These restrictions are best determined through an analysis of normal business activity. Parameters can then be set to restrict business to acceptable thresholds based on 'normal' activity.
ASSESSMENT RESULTS
Implementation Guideline-Level Detail
Has the user restricted transaction activity to validated and approved counterparties and within the expected bounds of normal business?
<Observations & response justification - address all subordinate implementation details as documented in the CSCF>
Summary
Overall Control Disposition: TBD
Recommendations
<Recommendations for security enhancements / improvements>
2.10A APPLICATION HARDENING
CONTROL INFORMATION
CONTROL OBJECTIVE
Reduce the attack surface of SWIFT-related components by performing application hardening on the SWIFT-certified messaging and communication interfaces and related applications.
IN-SCOPE COMPONENTS
• Messaging interface
• Communication interface
• GUI
• SWIFTNet Link
• Connector
• Additional applications installed on the above components and handling SWIFT-related data
RISK DRIVERS
• Excess attack surface
• Exploitation of insecure application configuration
CONTROL STATEMENT
All messaging interfaces (for example, Alliance Access, Alliance Messaging Hub and equivalent) and communication interfaces (for example, Alliance Gateway and equivalent) products within the secure zone are SWIFT-certified. Security hardening is conducted and maintained on all in-scope components.
CONTROL CONTEXT
Application hardening applies the security concept of “least privilege” to an application by disabling features and services that are not required for normal operations. This process reduces the application capabilities, features, and protocols that a malicious person may use during an attack. It also ensures that potential default credentials are changed.
In addition, SWIFT runs an Interface Certification Programme to ensure interfaces are aligned with current practices and to give the customer additional assurance, guarantees, and better visibility regarding individual product capabilities. Upon successful validation of the test results by the SWIFT Test Authority, certification is published in the Certification Register. As per the SWIFT General Terms and Conditions, customers must use a certified interface.
ASSESSMENT RESULTS
Implementation Guideline-Level Detail
Has the user adequately reduced the attack surface of SWIFT-related components by performing application hardening on the SWIFT-certified messaging and communication interfaces and related applications?
<Observations & response justification - address all subordinate implementation details as documented in the CSCF>
Summary
Overall Control Disposition
Recommendations
<Recommendations for security enhancements / improvements>
PERSONNEL VETTING PROCESS
CONTROL INFORMATION
CONTROL OBJECTIVE
Ensure the trustworthiness of staff operating the local SWIFT environment by performing personnel vetting.
IN-SCOPE COMPONENTS
• All employees, contractors, and staff with access to SWIFT-related systems
RISK DRIVERS
• Untrustworthy staff or system operators
CONTROL STATEMENT
Staff operating the local SWIFT infrastructure are vetted prior to initial employment in that role and periodically thereafter.
CONTROL CONTEXT
A personnel vetting process, internal or external clearance, provides additional assurance that end users or administrators of the local SWIFT infrastructure are trustworthy, and reduces the risk of insider threats.
ASSESSMENT RESULTS
Implementation Guideline-Level Detail
Has the user ensured the trustworthiness of staff operating the local SWIFT environment by performing personnel vetting?
<Observations & response justification - address all subordinate implementation details as documented in the CSCF>
Summary
Overall Control Disposition: TBD
Recommendations
<Recommendations for security enhancements / improvements>
6.5A INTRUSION DETECTION
CONTROL INFORMATION
CONTROL OBJECTIVE
Detect and prevent anomalous network activity into and within the local SWIFT environment.
IN-SCOPE COMPONENTS
• Network (data exchange layer and inside the secure zone)
RISK DRIVERS
• Undetected anomalies or suspicious activity
CONTROL STATEMENT
Intrusion detection is implemented to detect unauthorised network access and anomalous activity.
CONTROL CONTEXT
Intrusion detection systems are most commonly implemented on a network – establishing a baseline for normal operations and sending notifications when abnormal activity on the network is detected. As an operational network becomes more complex (for example, systems communicating to many destinations, Internet access), so will the intrusion detection capability needed to perform adequate detection. Therefore, simplifying network behaviour is a helpful enabler for more straightforward and effective intrusion detection solutions. Intrusion detection systems often combine signature- and anomaly-based detection methods. Some systems have the ability to respond to any detected intrusion (for example, terminating the connection).
ASSESSMENT RESULTS
Implementation Guideline-Level Detail
Does the user detect and prevent anomalous network activity into and within the local SWIFT environment?
<Observations & response justification - address all subordinate implementation details as documented in the CSCF>
Summary
Overall Control Disposition: TBD
Recommendations
<Recommendations for security enhancements / improvements>
7.3A PENETRATION TESTING
CONTROL INFORMATION
CONTROL OBJECTIVE
Validate the operational security configuration and identify security gaps by performing penetration testing.
IN-SCOPE COMPONENTS
• Operator PC (or jump server): all hardware, software, and network
• Data exchange layer
• Secure zone: all hardware, software, and network components (exclusive of SWIFT-specific applications and SWIFT-central services such as SWIFTNet InterAct, FileAct FIN, SWIFTNet Instant or WebAccess)
RISK DRIVERS
• Unknown security vulnerabilities or security misconfigurations
CONTROL STATEMENT
Application, host, and network penetration testing is conducted into and within the secure zone and on operator PCs.
CONTROL CONTEXT
Penetration testing is based on simulated attacks that use similar technologies to those deployed in real attacks. It is used to determine the pathways that attackers might use, and the depth to which the attackers may be able to access the targeted environment. Conducting these simulations is an effective tool for identifying weaknesses in the environment which may require correction, improvement, or additional controls.
ASSESSMENT RESULTS
Implementation Guideline-Level Detail
Has the user validated the operational security configuration and identified security gaps by performing penetration testing?
<Observations & response justification - address all subordinate implementation details as documented in the CSCF>
Summary
Overall Control Disposition: TBD
Recommendations
<Recommendations for security enhancements / improvements>
7.4A SCENARIO RISK ASSESSMENT
CONTROL INFORMATION
CONTROL OBJECTIVE
Evaluate the risk and readiness of the organization based on plausible cyber attack scenarios.
IN-SCOPE COMPONENTS
• Organizational control (people, processes and infrastructure)
RISK DRIVERS
• Excess harm from deficient cyber readiness
• Unidentified sensitivity to cyber exposure
CONTROL STATEMENT
Scenario-driven risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organization's security programme.
CONTROL CONTEXT
Scenario-based risk assessments test various attacks performed by all types of unauthorised individuals on the hosted SWIFT-related infrastructure. Consider the following non-exhaustive threats: end-user impersonation, message tampering, message eavesdropping, third-party software weaknesses, compromising systems or Denial of Service (DoS) attacks affecting service availability. Results of the assessment and existing mitigations help to identify areas of risks that may require future actions, risk mitigations or update of the cyber incident response plan. Identified actions, mitigations, or updates have to be reported and followed up for closure according to their criticality as per the Information Security Risk Management (ISRM) process.
Several ISRM frameworks exist and can be consulted (for example, on NIST, ENISA, COBRA or ISO sites or from a local or regulator's standard or controls set of the same rigour as the industry guidance) to define user's proper ISRM and resources (such as CIS-Critical Security Controls). These frameworks can be used to start implementing a basic risk management process to be further enhanced to address user's specific risks.
ASSESSMENT RESULTS
Implementation Guideline-Level Detail
Has the user evaluated the risk and readiness of the organization based on plausible cyber attack scenarios?
<Observations & response justification - address all subordinate implementation details as documented in the CSCF>
Summary
Overall Control Disposition
Recommendations
<Recommendations for security enhancements / improvements>