
The SWIFT Customer Security Controls Framework (CSCF) is composed
of mandatory and advisory security controls for SWIFT users. The
mandatory security controls establish a security baseline for
the entire community. They must be implemented by all users on
their local SWIFT infrastructure. SWIFT has chosen to prioritise
these mandatory controls to set a realistic goal for near-term,
tangible security gains and risk reduction.
The advisory controls are based on recommended practice, which SWIFT encourages all users to implement. Over time, controls may change due to the evolving threat landscape, the introduction of new technologies, the evolution of security-related regulations in major jurisdictions, developments in cybersecurity practices, or user feedback. As such, some advisory controls may become mandatory, or new controls may be added. All controls are articulated around three overarching objectives:
- Secure your Environment
- Know and Limit Access
- Detect and Respond
Finally, control definitions are in line with existing information security
industry standards.
The information outlined in the SWIFT Customer Security Controls Framework (CSCF) document forms the general, product-agnostic controls. All users must read the controls set out in this document carefully and prepare their own organisation for implementation. To complement the CSCF, SWIFT publishes product-specific Security Guidance (SG) documents. These provide the minimum security recommendations as well as additional guidance on how the existing security features of SWIFT’s messaging interface suite should be configured to align with the latest CSCF.
To ensure adoption, and to complement the CSCF, SWIFT publishes further details of the related attestation policy and process in the SWIFT Customer Security Controls Framework (CSCF) Policy document. The document contains information on:
- The requirement to attest against SWIFT’s mandatory security controls
- The process and timelines for submitting your attestation to the KYC-Security Attestation application
- The process for viewing counterparties’ attestation via the KYC Security Attestation application
- Follow-up actions in case of non-compliance according to the reporting timelines.