The updated framework provides additional guidance on the implementation guidelines and includes changes to the existing controls
The Customer Security Programme (CSP), launched by SWIFT in 2016, is designed to help customers implement the practices that are critical to defending against, detecting and recovering from cybercrime. The security of our community requires everyone’s participation and starts with each individual organisation’s own security. To help with this, in March 2017 SWIFT published the Customer Security Controls Framework (CSCF) as part of the CSP. This is a set of security controls – 16 mandatory and 11 advisory – that sets a security baseline for all SWIFT users. The security controls were developed in conjunction with industry experts and designed to be in line with existing information security industry standards: PCI-DSS, ISO 27002 and NIST. Attesting compliance with the security controls is an essential step for customers towards securing their SWIFT-related infrastructure.
The security controls are kept under constant review to take into account emerging and evolving cyber threats. SWIFT has published the new Customer Security Controls Framework (CSCF) v2019, which sets out a number of changes to the existing controls and provides additional guidance and clarification on the implementation guidelines. As a result, the CSCF v2019 is now composed of 19 mandatory and 10 advisory controls. Three advisory controls, 2.6A, 2.7A and 5.4A, have been promoted to mandatory, and two new advisory controls have been introduced to address a) virtualisation platform protection and b) SWIFT-related application hardening. The CSCF v2019 can now be consulted but will only become effective in the KYC-SA, the online repository for customer attestations, in July 2019. All SWIFT users must attest against the mandatory controls of this new version by the end of 2019.
In the meantime, users must attest their compliance against the current set of controls no later than the end of 2018, dependent on the expiry date of their current attestation.
As part of the Change Management process for the CSCF, control updates are usually announced mid-year, with attestation and compliance against the mandatory controls of any new version required between July and December of the following year, dependent on the expiry date of the attestation. This is intended to allow enough time, up to 18 months, for customers to budget, plan and implement any updates that may be needed. The Change Management process can also include emergency releases if certain changes to the CSCF cannot wait until the next scheduled release, but we anticipate emergency releases to be a rare occurrence.