What is new in the recently released CSP v2020?
What is new in the recently updated CSP? | SWIFT Customer Security Programme

The introduction of a new assessment methodology

In order to improve the level of assurance currently provided by self-attestations, SWIFT has developed an independent assessment framework (IAF) that will require all attestations to be supported by an independent assessment from the CSP. Self-assessment will no longer be possible: SWIFT customers will now have to rely on an independent assessment performed either by their internal second or third line of defense (e.g. risk management, internal audit) or by an external third-party organization.

While a self-attestation usually takes a light approach, an independent assessment should rely on evidence for the design, the implementation and the operating effectiveness of the controls.
An update of the control framework

The CSCF v2020 also introduces some changes to the controls to adapt the framework to the evolution of the cyber threat landscape and to progressively strengthen the overall control environment.

Two advisory controls, introduced in v2019, are being promoted to mandatory:
• 1.3 – Virtualization platform protection: the objective is to secure the virtualization platform and the virtual machines hosting the SWIFT-related components to the same level as physical systems.
• 2.10 – Application hardening: the objective is to reduce the attack surface of SWIFT-related components by hardening the interfaces and applications.

Two new advisory controls are introduced:
• 1.4A – Restrict internet access: this control has been extracted from control 1.1 and centralizes the guidance related to internet access.
• 2.11A – RMA business controls: this control has been extracted from control 2.9A to split the transaction and RMA business controls.

Finally, one control is being extended:
• 2.4A – Back-office data flow security: the middleware components are now included in the scope.

Auditing the CSP: how different will your declaration be on 31.12.2020?
Timeline milestones: August 2019 (CSCF v2020 release), January 2020 (CSP 2019), January 2021 (CSP 2020).

CSP assessment cycle (CSP 2019 and CSP 2020)
· Compliance assessment
· Compliance declaration
· Compliance report

CSCF v2020 release
· Change identification, such as advisory controls promoted to mandatory
· Gap assessment
· Project plan
· Budget definition

CSCF v2020 projects
· Implementation of new requirements
· Improvement of previously identified gaps
· Preparation of the next audit

Independent Assessment Framework (IAF) preparation
· Mandatory controls
· Method: design, implementation and operating effectiveness evaluation

Reporting analysis
· Assessments are analyzed by SWIFT
· Additional evidence requested by SWIFT
· Communication to third parties and business partners
How can we help?

Banking information is some of the most important to keep private. That is why recent high-profile cyber-attacks on customers using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network are so significant. Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF), address SWIFT dependencies and, ultimately, disrupt through innovation.
The SWIFT CSCF v2020 controls

Legend: v2020 mandatory controls are listed without a suffix; v2020 advisory controls carry the suffix "A". AXX = created in version XX as advisory; MXX = promoted in version XX to mandatory.

1. Restrict internet access and protect critical systems from general IT environment
• 1.1 SWIFT environment protection
• 1.2 Operating system privileged account control
• 1.3A Virtualization platform protection (A19, M20)
• 1.4A Restrict internet access (A20)

2. Reduce attack surface and vulnerabilities
• 2.1 Internal data flow security
• 2.2 Security updates
• 2.3 System hardening
• 2.4A Back-office data flow security (A20)
• 2.5A External transmission data protection
• 2.6 Operator session confidentiality and integrity (M19)
• 2.7 Vulnerability scanning (M20)
• 2.8A Critical activity outsourcing
• 2.9A Transaction business controls
• 2.10A Application hardening (A19, M20)
• 2.11A RMA business controls (A20)

3. Physically secure the environment
• 3.1 Physical security

4. Prevent compromise of credentials
• 4.1 Password policy
• 4.2 Multi-factor authentication

5. Manage identities and segregate privileges
• 5.1 Logical access control
• 5.2 Token management
• 5.3A Personnel vetting process
• 5.4 Physical and logical password storage (M19)

6. Detect anomalous activity to systems or transaction records
• 6.1 Malware protection
• 6.2 Software integrity
• 6.3 Database integrity
• 6.4 Logging and monitoring
• 6.5A Intrusion detection

7. Plan for incident response and information sharing
• 7.1 Cyber incident response planning
• 7.2 Security training and awareness
• 7.3A Penetration testing
• 7.4A Scenario risk assessment
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more than 150 countries and territories serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 286,000 people make an impact that matters at www.deloitte.com.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.
© 2019 Deloitte Tax & Consulting
Contacts

Stéphane Hurtaud, Partner – Information & Technology Risk, +352 451 454, [email protected]
Maxime Verac, Director – Information & Technology Risk, +352 451 454, [email protected]