Swift PSCF Sa 2022 SB
PSCFv2022

Provider BIC/PIC:

Contact Person for Self-Attestation
Last Name:
Job Title:
E-mail address:

Senior Management Contact (can be contacted by SWIFT in case there is a risk of escalation)
First name:
Last Name:
Job Title:
E-mail address:
Each control is listed under its Control Objective and Control Principle, with its control number, control title and control objective. For each control, attest the compliance level: N/A, No, Partial or Full.

Control Objective: Secure your environment
Control Principle: Restrict Internet Access and Protect Critical Systems from General IT environment

1.1 SWIFT Environment Protection
    Control objective: Ensure the protection of the Provider's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.
    Compliance: N/A / No / Partial / Full

1.2 Operating System Privileged Account Control
    Control objective: Restrict and control the allocation and usage of administrator-level operating system accounts.
    Compliance: N/A / No / Partial / Full

1.3 Virtualisation Platform Protection
    Control objective: Secure the virtualisation platform and virtual machines (VMs) that host SWIFT-related components to the same level as physical systems.
    Compliance: N/A / No / Partial / Full

1.4 Restriction of Internet Access
    Control objective: Control internet access from operator PCs and systems within the SWIFT secure zone or the Provider Protected zone.
    Compliance: N/A / No / Partial / Full

Control Principle: Reduce attack surface and vulnerabilities

2.1 Internal Data Flow Security
    Control objective: Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components.
    Compliance: N/A / No / Partial / Full

2.4 Back-office Data Flow Security
    Control objective: Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to.
    Compliance: N/A / No / Partial / Full

2.5.1 Customers Data Flow Security
    Control objective: Protect the confidentiality, integrity, and authenticity of data flows between a SWIFT customer and the Provider.
    Compliance: N/A / No / Partial / Full

2.6 Operator Session Confidentiality and Integrity
    Control objective: Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a third party) SWIFT-related infrastructure or applications.
    Compliance: N/A / No / Partial / Full

2.8 Critical Activity Outsourcing
    Control objective: Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities.
    Compliance: N/A / No / Partial / Full

2.8.5 Messaging Monitoring on Behalf of Customer
    Control objective: Ensure a consistent and effective approach for the customers' messaging monitoring.
    Compliance: N/A / No / Partial / Full

2.8.7 Limit Access to Customers' Messaging Data
    Control objective: Protect the confidentiality of the customers' messaging data.
    Compliance: N/A / No / Partial / Full

Control Principle: Physically secure the environment

3.1 Physical security
    Control objective: Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage.
    Compliance: N/A / No / Partial / Full

Control Objective: Know and limit access
Control Principle: Prevent compromise of credentials

4.1 Password Policy
    Control objective: Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.
    Compliance: N/A / No / Partial / Full

Control Principle: Manage identities and segregate duties

5.1 Logical Access Control
    Control objective: Enforce the security principles of need-to-know access, least privilege, and segregation of duties for operator accounts.
    Compliance: N/A / No / Partial / Full

5.2 Token Management
    Control objective: Ensure the proper management, tracking, and use of authentication or personal tokens (when tokens are used).
    Compliance: N/A / No / Partial / Full

5.3 Personnel Vetting Process
    Control objective: To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT-related infrastructure by performing regular staff screening.
    Compliance: N/A / No / Partial / Full

5.4 Physical and Logical Password Storage
    Control objective: Protect physically and logically the repository of recorded passwords.
    Compliance: N/A / No / Partial / Full

Control Objective: Detect & Respond
Control Principle: Detect Anomalous Activity to Systems or Transaction Records

6.1 Malware Protection
    Control objective: Ensure that the local SWIFT infrastructure is protected against malware and act upon results.
    Compliance: N/A / No / Partial / Full

6.3 Database Integrity
    Control objective: Ensure the integrity of the database records for the SWIFT messaging interface or the solution and act upon results.
    Compliance: N/A / No / Partial / Full

6.4 Logging and Monitoring
    Control objective: Record security events and detect anomalous actions and operations within the local SWIFT-related infrastructure.
    Compliance: N/A / No / Partial / Full

6.5 Intrusion Detection
    Control objective: Detect and prevent anomalous network activity into and within the local or remote SWIFT-related infrastructure.
    Compliance: N/A / No / Partial / Full

Control Principle: Plan for Incident Response and Information Sharing

7.1 Cyber Incident Response Planning
    Control objective: Ensure a consistent and effective approach for the management of cyber incidents.
    Compliance: N/A / No / Partial / Full

7.2 Security Training and Awareness
    Control objective: Ensure that all staff are aware of and fulfil their security responsibilities by performing regular security training and awareness activities, and maintain security knowledge of staff with privileged access.
    Compliance: N/A / No / Partial / Full

7.3 Penetration Testing
    Control objective: Validate the operational security configuration and identify security gaps by performing penetration testing.
    Compliance: N/A / No / Partial / Full

7.4 Scenario Risk Assessment
    Control objective: Evaluate the risk and readiness of the organisation based on plausible cyber attack scenarios.
    Compliance: N/A / No / Partial / Full

Control Objective: Maintain SWIFT Services Availability
Control Principle: Set and Monitor Performance

8.1 Define SLA
    Control objective: Ensure availability by formally setting and monitoring the objectives to be achieved.
    Compliance: N/A / No / Partial / Full

8.5 Early Availability of SWIFTNet Releases and of FIN Standards
    Control objective: Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live.
    Compliance: N/A / No / Partial / Full

Control Principle: Ensure Availability through resilience

9.1 Local Resilience
    Control objective: Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction.
    Compliance: N/A / No / Partial / Full

9.2 Site and Systems Resilience
    Control objective: Providers must ensure that the service remains available for customers in the event of a site disaster.
    Compliance: N/A / No / Partial / Full

9.3 Physical Environmental Controls
    Control objective: Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident.
    Compliance: N/A / No / Partial / Full

Control Principle: Be Ready in Case of Major Disaster

10.1 Business Continuity Plan
    Control objective: Business continuity is ensured through a documented plan communicated to the potentially affected parties (service bureau and customers).
    Compliance: N/A / No / Partial / Full

Control Objective: Limit Customer Business Operational disruption
Control Principle: Monitor and escalate malfunctions

11.1 Events Monitoring
    Control objective: Ensure a consistent and effective approach for the event monitoring and escalation.
    Compliance: N/A / No / Partial / Full

11.2 Escalation Plan
    Control objective: Ensure a consistent and effective approach for the management of incidents (Problem Management).
    Compliance: N/A / No / Partial / Full

11.5 Customer Support Facility
    Control objective: Effective support is offered to customers in case they face problems during their business hours.
    Compliance: N/A / No / Partial / Full

Control Principle: Ensure Knowledge is available

12.1 Maintain Expertise
    Control objective: Ensure quality of service to customers through SWIFT certified employees.
    Compliance: N/A / No / Partial / Full