The Green Sheet

Friday, December 29, 2017

SWIFT begins 2018 with tough security measures

Jan. 1, 2018, is the deadline for members of the Society for Worldwide Interbank Financial Telecommunication to implement new, stricter security guidelines. The Belgium-based SWIFT network facilitates financial transaction flows, trade and commerce. Its financial messaging platform connects more than 11,000 banking and securities organizations across a global footprint.

As part of its commitment to continual process improvement, SWIFT introduced the Customer Security Programme (CSP) in March 2017, a cybersecurity initiative. Members were invited to share views on how to protect the SWIFT network and adjacent, connected environments from cyber fraud. CSP architecture is based on the SWIFT Customer Security Controls Framework, which includes 16 mandatory and 11 advisory security controls for SWIFT users. Mandatory controls establish a baseline for the SWIFT community. Advisory controls are based on good practice and could become mandatory at a later date.

"Banks are generally ahead of the curve when it comes to cybersecurity," stated Steven Grossman, Vice President of Strategy and Enablement at Bay Dynamics Inc. "These controls are not unusual or foreign, but integrating them into existing frameworks can be challenging, especially for larger banks with legacy infrastructures resulting from mergers and acquisitions."

Three-pronged security objectives

SWIFT representatives said SWIFT combined internal threat analysis with industry expert advice to meet three objectives: secure your environment, know and limit access, and detect and respond. CSP mandatory and advisory controls are designed to advance the latest security best practices, SWIFT analysts noted. For this reason, the society plans to update its user handbook on a regular basis.

"SWIFT's CSP is designed to be a collaborative effort between SWIFT and its users to strengthen the overall security of the financial ecosystem," the CSP document stated. "All users must therefore read the controls set out in this document carefully, and prepare for implementation within their own organization." To ensure adoption, SWIFT users must self-attest compliance with mandatory controls and may optionally indicate compliance with advisory security controls. All self-attestation forms must be submitted by the Jan. 1, 2018, deadline, SWIFT representatives stated. Compliance status of each member will be visible to all other members of the SWIFT network to foster transparency and encourage cooperation among peers.

"In their attestations, members will need to confirm their compliance with each of the mandatory controls," Grossman said. "Other institutions in the network will have access to these attestations and can make informed decisions regarding parties they're transacting with; this puts additional peer pressure on the community."

Mandatory, advisory controls

"The control framework is specifically meant to secure the infrastructure connecting into SWIFT," Grossman said. "Participating banks need to be properly segmented from the network; individuals need to be segmented to ensure that no one person has too many capabilities and transactions can be monitored for anomalous patterns."

Members must implement specific mandatory controls, organized under the objectives to: restrict access, reduce attack surface and vulnerabilities, physically secure the environment, prevent compromise of credentials, manage identities and segregate privileges, detect anomalous activity to systems or transaction records, and plan for incident response and information sharing. Full details on mandatory controls, including specific steps and areas to address, are available at www.swift.com/myswift/customer-security-programme-csp.

Grossman advised financial institutions and SWIFT members not to ignore the CSP advisory controls, which complement mandatory controls. "They are based on best practices and there's no guarantee that they won't become mandatory," he said. The advisory controls are organized under the objectives to: reduce attack surface and vulnerabilities, manage identities and segregate privileges, detect anomalous activity to systems or transaction records, and plan for incident response and information sharing. Details on the advisory controls are also provided at www.swift.com/myswift/customer-security-programme-csp.
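Two of the control themes that recur in the mandatory and advisory lists above, segregating privileges so that no single person can both create and approve a payment, and detecting anomalous transaction activity, can be illustrated with a small review script. The following is an added example, not code from SWIFT, The Green Sheet or Bay Dynamics; the message references, operator names, amounts, beneficiaries and the baseline history are all constructed, and the checks are deliberately simple (a four-eyes test, a z-score on amount against recent history, and a first-time-beneficiary flag) rather than any official CSP control.

```python
"""Added example (not SWIFT's or The Green Sheet's code): toy checks for two
CSP control themes named in the article, segregation of privileges and
detection of anomalous transaction activity. Every name and record below is
constructed; nothing here is real SWIFT message data or an official control."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class PaymentEvent:
    msg_id: str       # hypothetical local message reference
    action: str       # "create" or "approve"
    operator: str     # operator account that performed the action
    amount: float     # payment amount, single currency assumed
    beneficiary: str  # beneficiary identifier


# Constructed operator activity for three outgoing payments.
SAMPLE_EVENTS = [
    PaymentEvent("MSG-001", "create", "alice", 14_000.0, "ACME-LTD"),
    PaymentEvent("MSG-001", "approve", "bob", 14_000.0, "ACME-LTD"),
    PaymentEvent("MSG-002", "create", "carol", 250_000.0, "NEW-PAYEE-ZZ"),
    PaymentEvent("MSG-002", "approve", "carol", 250_000.0, "NEW-PAYEE-ZZ"),
    PaymentEvent("MSG-003", "create", "alice", 9_000.0, "NORTHBANK-TRADE"),
    PaymentEvent("MSG-003", "approve", "bob", 9_000.0, "NORTHBANK-TRADE"),
]

# Constructed baseline: recently approved amounts and beneficiaries already paid.
HISTORICAL_AMOUNTS = [12_000, 15_500, 9_800, 14_200, 11_000, 13_300, 10_500, 12_700]
KNOWN_BENEFICIARIES = {"ACME-LTD", "NORTHBANK-TRADE"}


def segregation_violations(events):
    """Message ids where one operator both created and approved the payment,
    i.e. a four-eyes / segregation-of-duties failure."""
    by_msg = defaultdict(dict)
    for e in events:
        by_msg[e.msg_id][e.action] = e.operator
    return sorted(
        m for m, acts in by_msg.items()
        if acts.get("create") is not None and acts.get("create") == acts.get("approve")
    )


def amount_outliers(events, history, z_threshold=3.0):
    """Message ids whose created amount lies more than z_threshold standard
    deviations from the historical mean (a crude statistical anomaly check)."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:  # no spread in history: no meaningful baseline, flag nothing
        return []
    return sorted(
        e.msg_id for e in events
        if e.action == "create" and abs(e.amount - mu) / sigma > z_threshold
    )


def new_beneficiaries(events, known):
    """Message ids paying a beneficiary never seen in the baseline."""
    return sorted(
        e.msg_id for e in events
        if e.action == "create" and e.beneficiary not in known
    )


def review(events=SAMPLE_EVENTS, history=HISTORICAL_AMOUNTS, known=KNOWN_BENEFICIARIES):
    """Combine the three checks into one list of findings per message id."""
    findings = defaultdict(list)
    for m in segregation_violations(events):
        findings[m].append("sod_violation")
    for m in amount_outliers(events, history):
        findings[m].append("amount_outlier")
    for m in new_beneficiaries(events, known):
        findings[m].append("new_beneficiary")
    return dict(findings)


if __name__ == "__main__":
    for msg_id, flags in sorted(review().items()):
        print(msg_id, ", ".join(flags))
```

Run as-is, the script flags only MSG-002, which trips all three checks: the same operator created and approved it, its amount is far outside the constructed baseline, and it pays a beneficiary never paid before. In a real deployment the baseline would be built from the institution's own approved traffic and the thresholds tuned per corridor or counterparty; the point of the example is only that the control objectives in the framework map onto concrete, testable checks.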

SWIFT documentation advised users to assess which areas of guidance are relevant and apply control mandates accordingly. "It is the expectation that only a small subset of users - typically large or complex institutions - will consider alternative implementation routes for one or more controls," the authors wrote. "In every case, users are responsible for assessing their own adherence to the mandatory controls and self-attesting compliance irrespective of the implementation solution deployed."
