The SWIFT Customer Security Programme EXPLAINED!

Anybody that uses SWIFT will have heard about the SWIFT Customer Security Programme, and in this post I will cover the main things you need to know. Right now, the SWIFT Customer Security Programme (CSP) is being validated and SWIFT are inviting the SWIFT community to give feedback on the programme, with a view to the first pilots happening next year and the enforcement of controls beginning on 1st January 2018.

a.) First Things, First:

The first thing SWIFT say about the Customer Security Programme (CSP) is that, as far as they know (!!), the SWIFT network itself has not been breached. Some customer environments that connect to the SWIFT network have been breached, however, and from those compromised environments “users” have created and submitted fraudulent payment messages into the SWIFT network.

b.) So, why implement a SWIFT Customer Security Programme (CSP)?

According to SWIFT, it's because SWIFT have a key role to play in “reinforcing and safeguarding the security of the global banking ecosystem”. But it's also because information security is a fundamental part of what SWIFT do – on the SWIFT website they constantly say things like:

  • SWIFT is a global member-owned cooperative and the world’s leading provider of secure financial messaging services
  • The global provider of secure financial messaging services
  • SWIFT carries over five billion financial messages a year. Fast, reliable and secure support for businesses the world over
  • Failure is Not An Option

With that in mind, any breach related to the SWIFT network – even if the network itself has not been breached – has a huge negative reputational impact on the SWIFT brand and erodes trust in SWIFT and the wider financial network. Check out what the SWIFT CEO said about the recent SWIFT-related hacks!

c.) Customer Security Programme: 5 Key Initiatives

  1. Improved intelligence sharing within the community
  2. SWIFT and third party products to be enhanced with additional security features
  3. Guidance detailing security requirements and controls, and an assurance framework that will help enforce standards and ensure compliance
  4. Implementing transaction pattern detection tools – such as daily reports to indicate payment activity
  5. Increase security standards by promoting closer cooperation between SWIFT and the third parties (vendors and SWIFT service bureaus) that connect to the SWIFT network

Ref: Customer Security Programme – Programme description

d.) Customer Security Programme: The Framework

Here SWIFT talk about:

  1. You
    1. Secure and protect yourself – for example by implementing 2FA
  2. Your Counterparts
    1. Prevent and detect – clean up any old or unused RMAs (Relationship Management Application)
  3. Your Community
    1. Share and prepare – share details of any breach with the SWIFT Customer Security Intelligence team

e.) Customer Security Programme: 3 Objectives

  1. Secure your environment
  2. Know and limit access
  3. Detect and respond

Ref: Customer Security Programme – Security Controls

f.) Customer Security Programme: 8 Principles & 27 Controls

  1. Restrict Internet Access
  2. Segregate Critical Systems from General IT Environment
    1. Segregate SWIFT environment into a secure zone (Mandatory)
    2. Operating system privileged account control (Mandatory)
  3. Reduce Attack Surface and Vulnerabilities
    1. Internal data flow security within the secure zone and its link to user PCs (Mandatory)
    2. Security updates are implemented promptly, and hardware and software within the secure zone are within support lifecycle of the vendor (Mandatory)
    3. System Hardening within the secure zone and user PCs (Mandatory)
    4. Back office data flow security (Advisory)
    5. External transmission data protection – encrypt data leaving the secure zone (Advisory)
    6. User session integrity within the secure zone (Advisory)
    7. Vulnerability scanning within the secure zone and user PCs (Advisory)
    8. Protection of critical outsourced activities (Advisory)
    9. Transaction business controls (Advisory)
  4. Physically Secure the Environment
    1. Physical Security to sensitive equipment (Mandatory)
  5. Prevent Compromise of Credentials
    1. Enforcing a password policy (Mandatory)
    2. Implementing two factor authentication to SWIFT related applications (Mandatory)
  6. Manage Identities and Segregate Privileges
    1. User account management ensuring controls such as segregation of duties and required access only (Mandatory)
    2. Token management so that they are appropriately issued, revoked, used and stored (Mandatory)
    3. Personnel vetting process before employment for staff operating locally hosted SWIFT infrastructure (Advisory)
    4. Physical and logical password storage for privileged accounts (Advisory)
  7. Detect Anomalous Activity to Systems or Transaction Records
    1. Malware protection (Mandatory)
    2. Software integrity (Mandatory)
    3. Database integrity (Mandatory)
    4. Logging and monitoring (Mandatory)
    5. Intrusion detection (Advisory)
  8. Plan for Incident Response and Information Sharing
    1. Cyber Incident Response Planning (Mandatory)
    2. Security training and awareness for all staff (annual), and specific training for SWIFT users with privileged access (Mandatory)
    3. Penetration testing (Advisory)
    4. Scenario risk assessment to improve incident response (Advisory)

Ref: Customer Security Programme – Security Controls

g.) Customer Security Programme: Assurance Framework

  1. Self Attest
    1. Here the customer confirms that it meets the stated security requirements
  2. Self Inspect
    1. Here the customer's internal audit team confirms that the customer meets the stated security requirements
  3. Third Party Inspection
    1. Here an external party validates that the customer meets the stated security requirements
