SWIFT Independent Assessment Services

SWIFT has published an Independent Assessment Framework (IAF) to support its users and their independent assessors in carrying out their responsibilities as part of the Customer Security Programme (CSP).

Book you r SWIFT Independent Assessment TODAY with Fox Red Risk

The IAF defines how users need to verify that their self-attestation correspond with their actual level of security control implementation.

The introduction of independent assessments is a significant milestone for the CSP, which launched in 2016 and sets benchmark security practices critical to defending against, detecting and recovering from cybercrime. The assessments, introduced at the request of the entire SWIFT community through its Board and Overseers, further reinforce the security of the global banking system.

From July 2020, all SWIFT users will be obligated to carry out an independent assessment when self-attesting.

Fox Red Risk provides an External SWIFT Independent Assessment Service. We will carry out an independent assessment of your SWIFT environment. The assessment will be carried out by assessors with the relevant SWIFT cybersecurity assessment experience and who hold relevant security industry certification (e.g. CISSP).

Fox Red Risk can also provide an Internal Assessment as part of our awesome Virtual CISO service.

Book you r SWIFT Independent Assessment TODAY with Fox Red Risk

SWIFT Independent Assessment -Background

The SWIFT independent Assessments are an assessment of the latest Customer Security Controls Framework (CSCF). The current controls (at time of publishing) are:

SWIFT Independent Assessment – Mandatory Controls

1. Restrict Internet Access and Protect Critical Systems from General IT Environment
1.1 SWIFT Environment Protection	Ensure the protection of the user’s local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.
1.2 Operating System Privileged Account Control	Restrict and control the allocation and usage of administrator-level operating system accounts.
2. Reduce Attack Surface and Vulnerabilities
2.1 Internal Data Flow Security	Ensure the confidentiality, integrity, and authenticity of data flows between local SWIFT-related applications and their link to the operator PC.
2.2 Security Updates	Minimize the occurrence of known technical vulnerabilities within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.
2.3 System Hardening	Reduce the cyber attack surface of SWIFT-related components by performing system hardening.
2.6 Operator Session Confidentiality and Integrity	Protect the confidentiality and integrity of interactive operator sessions connecting to the local SWIFT infrastructure.
2.7 Vulnerability Scanning	Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results.
3. Physically Secure the Environment
3.1 Physical Security	Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage.
4. Prevent Compromise of Credentials
4.1 Password Policy	Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.
4.2 Multi-factor Authentication	Prevent that a compromise of a single authentication factor allows access into SWIFT systems, by implementing multi-factor authentication.
5. Manage Identities and Segregate Privileges
5.1 Logical Access Control	Enforce the security principles of need-to-know access, least privilege, and segregation of duties for operator accounts.
5.2 Token Management	Ensure the proper management, tracking, and use of connected hardware authentication tokens (if tokens are used).
5.4 Physical and Logical Password storage	Protect physically and logically recorded passwords.
6. Detect Anomalous Activity to Systems or Transaction Records
6.1 Malware Protection	Ensure that local SWIFT infrastructure is protected against malware.
6.2 Software Integrity	Ensure the software integrity of the SWIFT-related applications.
6.3 Database Integrity	Ensure the integrity of the database records for the SWIFT messaging interface.
6.4 Logging and Monitoring	Record security events and detect anomalous actions and operations within the local SWIFT environment.
7. Plan for Incident Response and Information Sharing
7.1 Cyber Incident Response Planning	Ensure a consistent and effective approach for the management of cyber incidents.
7.2 Security Training and Awareness	Ensure all staff are aware of and fulfil their security responsibilities by performing regular security training and awareness activities.

Book you SWIFT Independent Assessment TODAY with Fox Red Risk

SWIFT Independent Assessment – Advisory Controls

SWIFT Members may also wish to commission Fox Red Risk to conduct a supplementary assessment of the SWIFT Advisory Controls. The current advisory controls are listed below:

1. Restrict Internet Access & Protect Critical Systems from General IT Environment
1.3A Virtualisation Platform Protection	Secure virtualisation platform and virtual machines (VM’s) hosting SWIFT related components to the same level as physical systems.
2. Reduce Attack Surface and Vulnerabilities
2.4A Back Office Data Flow Security	Ensure the confidentiality, integrity, and mutual authenticity of data flows between back office (or middleware) applications and connecting SWIFT infrastructure components.
2.5A External Transmission Data Protection	Protect the confidentiality of SWIFT-related data transmitted and residing outside of the secure zone.
2.6A Operator Session Confidentiality and Integrity	Protect the confidentiality and integrity of interactive operator sessions connecting to the local SWIFT infrastructure.
2.7A Vulnerability Scanning	Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process.
2.8A Critical Activity Outsourcing	Ensure protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities.
2.9A Transaction Business Controls	Restrict transaction activity to validated and approved counterparties and within the expected bounds of normal business.
2.10A Application Hardening	Reduce the attack surface of SWIFT-related components by performing application hardening on the SWIFT-certified messaging and communication interfaces and related applications.
5. Manage Identities and Segregate Privileges
5.3A Personnel Vetting Process	Ensure the trustworthiness of staff operating the local SWIFT environment by performing personnel vetting.
5.4A Physical and Logical Password Storage	Protect physically and logically recorded passwords.
6. Detect Anomalous Activity to Systems or Transaction Records
6.5A Intrusion Detection	Detect and prevent anomalous network activity into and within the local SWIFT environment.
7. Plan for Incident Response and Information Sharing
7.3A Penetration Testing	Validate the operational security configuration and identify security gaps by performing penetration testing.
7.4A Scenario Risk Assessment	Evaluate the risk and readiness of the organization based on plausible cyber attack scenarios.

Click here confirm Fox Red Risk record in the SWIFT Directory of Cyber Security Provider

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.

ICO News

News, Blogs and Speeches from the Information Commissioners Office (ICO)

Winner of the ICO’s Practitioner Award for Excellence in Data Protection 2020 announced
Recognising the increasingly vital role played by data protection professionals, the third ICO Practitioner Award for Excellence in Data Protection is awarded ton Barry Moult, Information Governance […]
Grwpiau cymunedol a COVID-19
Wrth i COVID-19 barhau i ysgubo ar draws y Deyrnas Unedig, mae mwy a mwy o bobl yn cael eu sbarduno i helpu'r rhai sy’n fwyaf agored i niwed yn ein cymunedau. Mae grwpiau eglwysig, cymdeithasau […]
Statement in response to the use of mobile phone tracking data to help during the coronavirus crisis
Statement in response to the use of mobile phone tracking data to help during the coronavirus crisis
Community groups and COVID-19: what you need to know about data protection
As COVID-19 continues to sweep across the UK, more and more people are driven to help the most vulnerable in our communities.
Council employee fined £400 for illegally deleted audio file
A council employee has been fined £400 for an offence under the Freedom of Information (FOI) regulations.