The updated Framework includes changes to the existing controls and provides additional guidance and clarification on its implementation
SWIFT has published the updated Customer Security Controls Framework (CSCF) v2020, which sets a security baseline for all SWIFT users as part of its Customer Security Programme (CSP). Under v2020, a number of changes will be introduced to the existing controls, and additional guidance and clarification provided on the implementation guidelines. You can access the CSCF v2020 here. (SWIFT login ID required).
First published in 2017, the CSCF evolves over time with the aim of continuously raising the security bar in a pragmatic way, thereby addressing new and arising threats. The updates incorporate advances in cybersecurity practice and respond to feedback provided by the SWIFT community.
Changes outlined in the CSCF v2020 include:
- the promotion of two existing advisory controls to mandatory;
- the introduction of two new advisory controls;
- the extension of an advisory control to include middleware/MQ servers.
As a result, the CSCF v2020 is now composed of 21 mandatory and 10 advisory controls. Two advisory controls, 1.3 and 2.10, have been promoted to mandatory. They aim to protect and reduce potential vulnerabilities on critical systems, where virtualisation is increasingly used, and on critical interface components.
Two new advisory controls, 1.4A and 2.11A, have been introduced to provide guidance on a) restricting internet access and b) Relationship Management Application (RMA) business control.
Furthermore, advisory control 2.4A has been expanded to include middleware/MQ servers to help protect the upstream back-office application flows. Additional controls guidance and/or clarifications have been included in numerous areas, including controls scope, architecture types, security controls compliance, expectations on general operator PCs, token management and intrusion detection.
In addition to the clarifications on existing controls, customers should consult the CSCF v2020 now to plan and budget any action required on their end. The CSCF v2020 will become effective in the KYC-SA, the online repository for customer attestations, in July 2020.
Attesting compliance against the CSCF v2020 will be mandatory by the end of 2020.
As part of the Change Management process for the CSCF, control updates are usually announced mid-year, with attestation and compliance against the mandatory controls of any new version required between July and December of the following year. This is intended to allow customers enough time, up to 18 months, to budget, plan and implement updates. The Change Management process can also include emergency releases if certain changes to the CSCF cannot wait until the next scheduled release, but we anticipate emergency releases to be a rare occurrence.
CSCF v2019 on KYC-SA
The KYC Security Attestation (KYC-SA) application for the CSCF v2019 is now available and customers can start to attest their level of compliance against this baseline. The deadline for attesting is 31 December 2019 and all SWIFT users must self-attest compliance with, at the minimum, the mandatory controls set out in SWIFT’s Customer Security Controls Framework v2019.
The CSCF v2019 is available in full here. (SWIFT login ID required).
Customer Security Programme
The Customer Security Programme (CSP), launched by SWIFT in 2016, is designed to help customers implement the practices that are critical to help defend against, detect and recover from cybercrime.