Last month, SWIFT published updates to its CSCF (Customer Security Control Framework), which outlines mandatory and advisory security controls for organisations.
The CSCF contains a set of operational and technical controls that are updated and expanded upon annually, depending on current threat landscapes. Organisations that use SWIFT are required to adapt their security controls accordingly and attest to their compliance status with each update.
What has changed?
The latest version of SWIFT CSCF contains 23 mandatory and 9 advisory controls, compared to the previous version, which contained 21 mandatory and 10 advisory controls.
However, it is not simply the case that controls have been added or removed. The CSCF has also adapted several existing measures to streamline the compliance process and account for new security issues.
The changes relate to the following controls:
Control 1.2 (Operating System Privileged Account Control)
The Operating System Privileged Account Control existed in last year’s version of CSCF, but v2022 expands the scope on an advisory basis.
Under the new version of the framework, the control addresses general-purpose operator PCs, and as such it covers architecture B.
Control 2.9 (Transaction Business Controls)
Previously an advisory measure, Transaction Business Control is now mandatory following clarification on its scope and implementation guidelines.
The move supports other regulations, such as the CPMI (Committee on Payments and Market Infrastructure, which is also designed to reduce the risk of payment fraud related to endpoint security.
Control 1.5A (Customer Environment Protection)
This is a new advisory control that has been created to ensure protection for the “customer connector” and other customer-related equipment.
Organisations can achieve compliance by aligning the new control applicable for architecture A4 with the existing Control 1.1 that’s already applicable to the other architecture A types.
Control 6.2 (Software Integrity) and 6.3 (Database Integrity)
Last year’s version of CSCF introduced customer connectors as an advisory component in scope of several controls. In addition to this, the latest version of the framework creates advisory controls related to Software Integrity and Database Integrity for architecture A4.
What else do you need to know?
The latest version of the CSCF also makes minor amendments to existing controls to “improve the usability and comprehension of the document and help you implement the framework as intended”.
These are unlikely to change organisations’ compliance status but could help them improve existing processes.
The requirements became mandatory in July 2022, with organisations being required to adopt its controls by the end of the year.
If you’re looking for advice evaluating your compliance status and meeting your requirements, IT Governance is here to help.
Our SWIFT CSCF Readiness Assessment compares your IT controls against those required under the CSCF. We’ll also use our findings to provide guidance to help you achieve your desired target state.
We are listed in SWIFT’s directory of CSP assessment providers and approved to perform assessments globally. Our specialist team has extensive cyber security project expertise, and specifically within the financial services sector.
We have a strong understanding of a wide range of different technology landscapes across numerous sectors, so you can be sure that you’ll receive expert guidance no matter what challenges you face.