SWIFT infrastructure audit


Founded in 1973 in Belgium, SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a cooperative society whose purpose is to set standards for data exchange between financial institutions. SWIFT is owned by its members, which include some of the world's largest banks. Today, SWIFT provides a global interbank messaging network to more than 11,000 financial institutions in nearly 200 countries for use by banks, trading rooms and large corporations.

Since 2017, SWIFT has implemented the Customer Security Program designed to counter the growing risk of cyber threats that target data exchange operations between financial institutions. The CSP regularly introduces new requirements.

Since 2021, self-assessment of compliance with the mandatory SWIFT CSP security controls is no longer sufficient. In addition to the self-assessment, members must submit an independent SWIFT compliance audit by December 31 of each year.

What is SWIFT's CSP?

SWIFT implemented the CSP in 2017 with the aim of limiting the risks associated with cyber threats, both through mandatory security controls and through the sharing of information between network members. The CSP requires that the infrastructure of entities connecting to the SWIFT network comply with the points defined in the Customer Security Controls Framework. In 2021, new requirements were introduced for compliance assessment, based on 8 security principles:

  • Restrict Internet access
  • Segregate critical systems from the general IT environment
  • Reduce attack surface and vulnerabilities
  • Physically secure the environment
  • Prevent compromise of credentials
  • Manage identities and segregate privileges
  • Detect anomalous activity to system or transaction records
  • Plan for incident response and information sharing

Version 2024 of the SWIFT Customer Security Controls Framework (CSCF) builds on the previous version (CSCF 2023) with a number of modifications related to the evolving security needs of the financial sector (scope adjustments, clarifications and enhancements). These adjustments reinforce the emphasis placed on protecting outsourced services and the cloud in particular.

Our SWIFT audit methodology

Here is how we organize our SWIFT audits.

  1. We start with a preparatory meeting with the CISO and/or the SWIFT infrastructure manager to analyze the context.
  2. We then identify the people with whom we need to talk and plan the interviews.
  3. We conduct the interviews with the technical teams and the key actors of your company.
  4. We perform a technical test of your SWIFT infrastructure to see if it is correctly isolated from your IT network and the Internet.
  5. We compile the results of the interviews and our analysis in an audit report, and we establish your level of compliance.
  6. Finally, we provide you with the report and present the results to you during a feedback session with your teams.
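
The isolation test in step 4 checks, among other things, the two principles listed above on restricting Internet access and segregating critical systems from the general IT environment. As an added illustration that is not part of the original page or of the auditor's own tooling, the following script reviews a constructed firewall rule set (first match wins, implicit deny at the end) against a list of flows that those principles say must be blocked, and reports every flow the rule set would in fact allow. The zone names, address ranges, rule format and sample rules are all assumptions invented for this example, not SWIFT's or any vendor's format.

```python
"""Segregation review of a firewall rule set (added example; constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network       # source network
    dst: IPv4Network       # destination network
    dport: Optional[int]   # None means any destination port


# Hypothetical zones for the example (private and documentation ranges).
SECURE_ZONE = ip_network("10.50.0.0/24")   # assumed SWIFT secure zone
GENERAL_IT = ip_network("10.0.0.0/16")     # assumed general corporate LAN

# Constructed rule set as an auditor might export it; two rules are deliberately
# too permissive so that the review below has something to report.
RULES: List[Rule] = [
    Rule("allow", ip_network("10.0.0.0/16"), ip_network("10.50.0.0/24"), 443),
    Rule("allow", ip_network("10.50.0.0/24"), ip_network("10.50.0.0/24"), None),
    Rule("allow", ip_network("10.50.0.0/24"), ip_network("0.0.0.0/0"), 443),
    Rule("deny", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), None),
]

# Flows that the segregation principles say must not be possible.
# (label, source host, destination host, destination port); hosts are constructed.
EXPECTED_DENIED: List[Tuple[str, str, str, int]] = [
    ("secure zone -> Internet", "10.50.0.10", "203.0.113.10", 443),
    ("secure zone -> Internet", "10.50.0.10", "203.0.113.10", 80),
    ("general IT -> secure zone", "10.0.1.25", "10.50.0.10", 443),
    ("general IT -> secure zone", "10.0.1.25", "10.50.0.10", 3389),
]


def first_match(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action of the first rule matching the flow; deny if none does."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst and (rule.dport is None or rule.dport == dport):
            return rule.action
    return "deny"  # implicit default deny at the end of the rule base


def find_violations(rules: List[Rule]) -> List[Tuple[str, str, str, int]]:
    """Return every expected-denied flow that the rule set would actually allow."""
    return [flow for flow in EXPECTED_DENIED
            if first_match(rules, flow[1], flow[2], flow[3]) == "allow"]


if __name__ == "__main__":
    for label, src, dst, dport in find_violations(RULES):
        print(f"VIOLATION {label}: {src} -> {dst}:{dport} is allowed")
```

Run stand-alone, the script reports the two over-permissive flows in the constructed rule set: the secure zone can reach an Internet address on port 443, and a general IT host can reach a secure zone host on port 443. A rule base that passes this review is a necessary but not sufficient condition; the on-site test in step 4 still has to confirm that the deployed configuration matches the exported one.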

Why do a SWIFT CSP audit?

The various SWIFT CSP control points must be brought into compliance by the customer. It should be noted that it is the responsibility of the entities using the SWIFT network to secure and protect their own environment. The control points (some mandatory and some optional) must therefore be covered by an annual self-assessment by the customer. Under the new guidelines of the standard, however, this is no longer sufficient.

With the introduction of the Independent Assessment Framework (IAF), a new independent assessment model, the self-assessment must be supplemented by an annual SWIFT audit by an independent external provider. If an organization is not in compliance with the requirements, all members of the network will be notified, which will severely limit the organization's ability to transact business and make payments over the SWIFT network.

In addition to the CSP, organizations integrating a SWIFT infrastructure can use our pentest services to evaluate the concrete security of all or part of their IT infrastructure against attacks.
