Self Attestation

PSCFv2022

This form should be used to submit your self-attestation of compliance with the controls of the Provider Security Controls Framework for 2022 (PSCFv2022).

The PSCFv2022 becomes effective on the 1st of January 2022. From that date, all providers are expected to be at least partially compliant with all applicable controls, and to be fully compliant by the 31st of December 2022.

Providers may be published as v2022 compliant after having uploaded a self-attestation declaring full compliance with the applicable controls.

Provider BIC/PIC

Provider type: Service Bureaux (SB)

For the provider type definition, please consult the PSCF.
Contact Person for Self-Attestation
First name or department name
Last Name (in case of a person)
Job Title (in case of a person)
Direct Work Phone
E-mail address

CISO or similar role
First name
Last Name
Job Title
Direct Work Phone
Phone number in case of emergencies
E-mail address

Senior Management Contact (can be contacted by SWIFT in case there is a risk of escalation)
First name
Last Name
Job Title
Direct Work Phone
E-mail address

Contact Person of the 24x7 SOC
First name or department name
Last Name (in case of a person)
Job Title (in case of a person)
Direct Work Phone
Phone number in case of emergencies
E-mail address

Controls

Each control is listed with its Control Objective, Control Principle, control number and title, control objective and the compliance level to be declared (Compliance? N/A / No / Partial / Full).

Control Objective: Secure your environment
Control Principle: Restrict Internet Access and Protect Critical Systems from General IT environment

1.1 SWIFT Environment Protection
Control objective: Ensure the protection of the Provider's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.
Compliance? N/A / No / Partial / Full

1.2 Operating System Privileged Account
Control objective: Restrict and control the allocation and usage of administrator-level operating system accounts.
Compliance? N/A / No / Partial / Full

1.3 Virtualisation Platform Protection
Control objective: Secure the virtualisation platform and virtual machines (VMs) that host SWIFT-related components to the same level as physical systems.
Compliance? N/A / No / Partial / Full

1.4 Restriction of Internet Access
Control objective: Control internet access from operator PCs and systems within the SWIFT secure zone or the Provider Protected zone.
Compliance? N/A / No / Partial / Full

1.5 Provider Environment Protection
Control objective: Ensure the protection of the Provider's SWIFT-related components supporting the end users' connections from potentially compromised elements of the general IT environment and external environment.
Compliance? N/A / No / Partial / Full

Control Principle: Reduce attack surface and vulnerabilities

2.1 Internal Data Flow Security
Control objective: Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components.
Compliance? N/A / No / Partial / Full

2.2 Security Updates
Control objective: Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.
Compliance? N/A / No / Partial / Full

2.3 System Hardening
Control objective: Reduce the cyber-attack surface of SWIFT-related components by performing system hardening.
Compliance? N/A / No / Partial / Full

2.4 Back-office Data Flow Security
Control objective: Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to.
Compliance? N/A / No / Partial / Full

2.5 External Transmission Data Protection
Control objective: Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes.
Compliance? N/A / No / Partial / Full

2.5.1 Customers Data Flow Security
Control objective: Protect the confidentiality, integrity, and authenticity of data flows between a SWIFT customer and the Provider.
Compliance? N/A / No / Partial / Full

2.6 Operator Session Confidentiality and Integrity
Control objective: Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a third party) SWIFT-related infrastructure or applications.
Compliance? N/A / No / Partial / Full

2.7 Vulnerability Scanning
Control objective: Identify known vulnerabilities within the local SWIFT-related infrastructure by implementing a regular vulnerability scanning process and act upon results.
Compliance? N/A / No / Partial / Full

2.8 Critical Activity Outsourcing
Control objective: Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities.
Compliance? N/A / No / Partial / Full

2.8.5 Messaging Monitoring on Behalf of Customer
Control objective: Ensure a consistent and effective approach for the customers' messaging monitoring.
Compliance? N/A / No / Partial / Full

2.8.7 Limit Access to Customers' Messaging Data
Control objective: Protect the confidentiality of the customers' messaging data.
Compliance? N/A / No / Partial / Full

2.8.8 Critical Activities on Behalf of the Customer
Control objective: Ensure protection of the customer security-related operations from risks exposed by the outsourcing.
Compliance? N/A / No / Partial / Full

2.9 Transaction Business Controls
Control objective: Restrict outbound transaction activity within the expected bounds of normal business.
Compliance? N/A / No / Partial / Full

2.10 Application Hardening
Control objective: Reduce the attack surface of SWIFT-related components by performing application hardening on the SWIFT-compatible messaging and communication interfaces, the SWIFT connector, and related applications.
Compliance? N/A / No / Partial / Full

2.11 RMA Business Controls
Control objective: Restrict transaction activity to validated and approved business counterparties.
Compliance? N/A / No / Partial / Full

Control Principle: Physically secure the environment

3.1 Physical security
Control objective: Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage.
Compliance? N/A / No / Partial / Full

Control Objective: Know and limit access
Control Principle: Prevent compromise of credentials

4.1 Password Policy
Control objective: Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.
Compliance? N/A / No / Partial / Full

4.2 Multi-Factor Authentication
Control objective: Prevent that a compromise of a single authentication factor allows access into SWIFT-related systems or applications, by implementing multi-factor authentication.
Compliance? N/A / No / Partial / Full

Control Principle: Manage identities and segregate duties

5.1 Logical Access Control
Control objective: Enforce the security principles of need-to-know access, least privilege, and segregation of duties for operator accounts.
Compliance? N/A / No / Partial / Full

5.2 Token Management
Control objective: Ensure the proper management, tracking, and use of authentication or personal tokens (when tokens are used).
Compliance? N/A / No / Partial / Full

5.3 Personnel Vetting Process
Control objective: To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT-related infrastructure by performing regular staff screening.
Compliance? N/A / No / Partial / Full

5.4 Physical and Logical Password Storage
Control objective: Protect physically and logically the repository of recorded passwords.
Compliance? N/A / No / Partial / Full

Control Objective: Detect & Respond
Control Principle: Detect Anomalous Activity to Systems or Transaction Records

6.1 Malware Protection
Control objective: Ensure that the local SWIFT infrastructure is protected against malware and act upon results.
Compliance? N/A / No / Partial / Full

6.2 Software Integrity
Control objective: Ensure the software integrity of the SWIFT-related components and act upon results.
Compliance? N/A / No / Partial / Full

6.3 Database Integrity
Control objective: Ensure the integrity of the database records for the SWIFT messaging interface or the solution and act upon results.
Compliance? N/A / No / Partial / Full

6.4 Logging and Monitoring
Control objective: Record security events and detect anomalous actions and operations within the local SWIFT-related infrastructure.
Compliance? N/A / No / Partial / Full

6.5 Intrusion Detection
Control objective: Detect and prevent anomalous network activity into and within the local or remote SWIFT-related infrastructure.
Compliance? N/A / No / Partial / Full

Control Principle: Plan for Incident Response and Information Sharing

7.1 Cyber Incident Response Planning
Control objective: Ensure a consistent and effective approach for the management of cyber incidents.
Compliance? N/A / No / Partial / Full

7.2 Security Training and Awareness
Control objective: Ensure that all staff are aware of and fulfil their security responsibilities by performing regular security training and awareness activities, and maintain security knowledge of staff with privileged access.
Compliance? N/A / No / Partial / Full

7.3 Penetration Testing
Control objective: Validate the operational security configuration and identify security gaps by performing penetration testing.
Compliance? N/A / No / Partial / Full

7.4 Scenario Risk Assessment
Control objective: Evaluate the risk and readiness of the organisation based on plausible cyber attack scenarios.
Compliance? N/A / No / Partial / Full

Control Objective: Maintain SWIFT Services Availability
Control Principle: Set and Monitor Performance

8.1 Define SLA
Control objective: Ensure availability by formally setting and monitoring the objectives to be achieved.
Compliance? N/A / No / Partial / Full

8.4 Capacity Management
Control objective: Ensure availability, capacity, and quality of services to customers.
Compliance? N/A / No / Partial / Full

8.5 Early Availability of SWIFTNet Releases and of FIN Standards
Control objective: Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live.
Compliance? N/A / No / Partial / Full

Control Principle: Ensure Availability through resilience

9.1 Local Resilience
Control objective: Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction.
Compliance? N/A / No / Partial / Full

9.2 Site and Systems Resilience
Control objective: Providers must ensure that the service remains available for customers in the event of a site disaster.
Compliance? N/A / No / Partial / Full

9.3 Physical Environmental Controls
Control objective: Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident.
Compliance? N/A / No / Partial / Full

9.4 Connect Solidly to the SWIFT Network
Control objective: Providers' availability and quality of service are ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth.
Compliance? N/A / No / Partial / Full

Control Principle: Be Ready in Case of Major Disaster

10.1 Business Continuity Plan
Control objective: Business continuity is ensured through a documented plan communicated to the potentially affected parties (service bureau and customers).
Compliance? N/A / No / Partial / Full

Control Objective: Limit Customer Business disruption
Control Principle: Monitor and escalate Operational malfunctions

11.1 Events Monitoring
Control objective: Ensure a consistent and effective approach for the event monitoring and escalation.
Compliance? N/A / No / Partial / Full

11.2 Escalation Plan
Control objective: Ensure a consistent and effective approach for the management of incidents (Problem Management).
Compliance? N/A / No / Partial / Full

11.4 Customer Incident Notification
Control objective: Ensure an adequate escalation of operational malfunctions in case of customer impact.
Compliance? N/A / No / Partial / Full

11.5 Customer Support Facility
Control objective: Effective support is offered to customers in case they face problems during their business hours.
Compliance? N/A / No / Partial / Full

Control Principle: Ensure Knowledge is available

12.1 Maintain Expertise
Control objective: Ensure quality of service to customers through SWIFT certified employees.
Compliance? N/A / No / Partial / Full