What is new in the recently released CSP v2020?

What is new in the recently updated CSP? | SWIFT Customer Security Programme

The introduction of a new assessment methodology

In order to improve the level of assurance currently provided by self-attestations, SWIFT has developed an independent assessment framework (IAF): under the CSP, every attestation will now have to be supported by an independent assessment. Self-assessment will no longer be possible, and SWIFT customers will have to rely on an independent assessment performed either by their internal second or third line of defense (e.g. risk management or internal audit) or by an external third-party organization.

While a self-attestation usually takes a light approach, an independent assessment must rely on evidence for the design, the implementation and the operating effectiveness of the controls.

An update of the control framework

The CSCF v2020 also introduces some changes to the controls, to adapt the framework to the evolution of the cyber threat landscape and to progressively strengthen the overall control environment.

Two advisory controls, introduced in v2019, are being promoted to mandatory:

• 1.3 – Virtualization platform protection: the objective is to secure the virtualization platform and the virtual machines hosting the SWIFT-related components to the same level as physical systems.

• 2.10 – Application hardening: the objective is to reduce the attack surface of SWIFT-related components by hardening the interfaces and applications.

Two new advisory controls are introduced:

• 1.4A – Restrict Internet access: this control has been extracted from control 1.1 and centralizes the guidance related to Internet access.

• 2.11A – RMA business controls: this control has been extracted from control 2.9A in order to split the transaction business controls from the RMA business controls.

Finally, one control is being extended:

• 2.4A – Back-office data flow security: the middleware components are now included in the scope.

Auditing the CSP

How different will your declaration be on 31.12.2020?

The original presents the following as a timeline running from August 2019 to January 2021 (CSP 2019 and CSP 2020 cycles), with the phases below.

CSCF v2020 release

· Change identification, such as advisory controls promoted to mandatory

· Gap assessment

· Project plan

· Budget definition

CSCF v2020 projects

· Implementation of the new requirements

· Remediation of previously identified gaps

· Preparation of the next audit

Independent Assessment Framework (IAF) preparation

· Mandatory controls

· Method: evaluation of design, implementation and operating effectiveness

CSP assessment

· Compliance assessment

· Compliance declaration

· Compliance report

Reporting analysis

· Assessments are analyzed by SWIFT

· Additional evidence requested by SWIFT

· Communication to third parties and business partners


How can we help?

Banking information is among the most important to keep private. That is why the recent high-profile cyber-attacks on customers of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) are so significant. Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF), address SWIFT dependencies and ultimately disrupt through innovation.

The SWIFT CSCF v2020 controls

The original shows the controls as a colour-coded map (v2020 mandatory versus v2020 advisory) grouped by objective. The colour coding is lost here: controls whose identifier ends in "A" are advisory, except for 1.3 and 2.10, which are mandatory from v2020. Legend: AXX = created in version XX as advisory; MXX = promoted in version XX to mandatory.

Restrict internet access and protect critical systems from general IT environment

· 1.1 SWIFT environment protection

· 1.2 Operating system privileged account control

· 1.3A Virtualization platform protection (A19, M20)

· 1.4A Restrict internet access (A20)

Reduce attack surface and vulnerabilities

· 2.1 Internal data flow security

· 2.2 Security updates

· 2.3 System hardening

· 2.4A Back-office data flow security (scope extended in v2020)

· 2.5A External transmission data protection

· 2.6 Operator session confidentiality and integrity (M19)

· 2.7 Vulnerability scanning

· 2.8A Critical activity outsourcing

· 2.9A Transaction business controls

· 2.10A Application hardening (A19, M20)

· 2.11A RMA business controls (A20)

Physically secure the environment

· 3.1 Physical security

Prevent compromise of credentials

· 4.1 Password policy

· 4.2 Multi-factor authentication

Manage identities and segregate privileges

· 5.1 Logical access control

· 5.2 Token management

· 5.3A Personnel vetting process

· 5.4 Physical and logical password storage (M19)

Detect anomalous activity to systems or transaction records

· 6.1 Malware protection

· 6.2 Software integrity

· 6.3 Database integrity

· 6.4 Logging and monitoring

· 6.5A Intrusion detection

Plan for incident response and information sharing

· 7.1 Cyber incident response planning

· 7.2 Security training and awareness

· 7.3A Penetration testing

· 7.4A Scenario risk assessment


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more than 150 countries and territories serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 286,000 people make an impact that matters at www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2019 Deloitte Tax & Consulting

Contacts

Stéphane Hurtaud, Partner – Information & Technology Risk, +352 451 454, [email protected]

Maxime Verac, Director – Information & Technology Risk, +352 451 454, [email protected]