SWIFT CSP Re-Assessment: Benefits, Opportunities and Conditions

19 April 2023

According to the Customer Security Controls Framework (CSCF), SWIFT users are required to demonstrate compliance with at least all mandatory controls every year by undergoing an independent assessment. A SWIFT assessment reviews the security of an organization's SWIFT infrastructure and systems to verify that they are protected against the threats and vulnerabilities the framework addresses.

Last year, SWIFT released version CSCFv2023, an update of the framework that, among other things, revised the Re-Assessment process. Tobias Weber, Managing Security Consultant at usd AG and auditor of several international security standards, explains how the newly defined Re-Assessment process fits into the existing SWIFT CSP Assessment process and what advantages it can bring for SWIFT users.

Demonstration of compliance according to the SWIFT CSP

SWIFT requires all SWIFT users to be compliant with the SWIFT CSP and therefore to comply with at least all mandatory controls from the CSCF. This compliance is required equally from all users, regardless of their connection to SWIFT:

Companies that are directly connected to SWIFT and operate SWIFT products themselves must complete the full assessment. Companies that are connected indirectly via a service provider (a so-called "service bureau") must also fulfill the SWIFT CSP. Although the provider operates the products and the secure zone, which considerably reduces the user's scope, the user is still required to complete its own assessment. The service provider itself must comply with a separate program, the Provider Security Program.

After a successful assessment, SWIFT users receive two documents: a detailed report and the Assessment Completion Letter. The detailed report states which controls were assessed and which findings resulted from the assessment. The Assessment Completion Letter confirms that the assessment has been performed and fully completed. The latter must be submitted to SWIFT every year as proof of compliance.

What is the process of a SWIFT assessment?

The basis for a SWIFT assessment is the architecture type at hand. SWIFT distinguishes five types: A1, A2, A3, A4 and B. If a company is unsure which architecture type applies to it, this can be clarified in a workshop with a SWIFT auditor or by sending a request to SWIFT. The architecture type determines all parameters of the subsequent assessment: its scale, the concrete controls and the scope.

usd AG auditors offer SWIFT assessments for all architecture types. The procedure is based on the recommendations of SWIFT and consists of the following steps:

Preparation

In a joint kick-off with the contact persons on the customer side, our auditors plan the upcoming assessment and answer initial questions, for example how advisory controls should be handled. According to SWIFT, these are not mandatory for compliance, but we recommend assessing and implementing them anyway for general security reasons.

In initial review sessions, together with the customer, we check whether the appropriate architecture type has been selected for the environment (Scope Review) and whether assessment results from the previous year can be reused for the upcoming assessment (Re-Assessment Review).

The duration and scope of the preparation phase may vary depending on the complexity of the scope and the assessment.

Assessment

In the assessment phase, we review the implementation of the CSCF controls. The results of the review, possible findings and unresolved questions are immediately discussed with the contact persons. Based on this, we prepare a report and present all the results of the assessment as well as the resulting open points in a personal meeting.

Remediation

If open points or potential non-compliance have been identified in the assessment, the SWIFT standard allows them to be remediated or closed after the assessment. The result is recorded in an update of the report.

Closing

The closing of a SWIFT assessment is the handover of the two documents the customer needs: the detailed report and the Assessment Completion Letter. We also like to take a retrospective look at what went well and what can be improved for the next assessment.

Advantages of the Re-Assessment Process

In the update of the framework, more precisely in the accompanying Independent Assessment Framework (IAFv2023), the possibility of Re-Assessment was clarified. Previously known to SWIFT users as "Delta Assessment", this process allows previous assessment results to be reused. Reuse is subject to conditions that can be checked with the following questions:

The first question is always a general one: can the assessment results from the previous year be used again, in other words, can they still be relied upon? Obstacles to reusing the previous year's results include, for example, major changes to the environment, new SWIFT services, new providers or new architecture types in the environment.

If the results cannot be reused for any of these reasons, a new full assessment must be performed in which every control is tested in full.

If there were no such changes and the results can be reused in principle, the following questions must then be answered for each individual control:

  1. Was the assessment performed against the previous or the current version of the framework? The results are valid only if the assessment was already performed on the basis of the current version.
  2. Was the result obtained in the previous year, or does it date from the year before that? Only results from the previous year may be reused.
  3. Has the control itself changed within the framework, or has its subject changed? The results are valid only if the control has remained the same.
  4. Are the design of the environment and its implementation unchanged? Both must have remained unchanged for the results to be reused in the Re-Assessment process.

Reusing prior-year results is a great advantage for institutions. However, the final acceptance of the results remains at the discretion of the auditor.


In the next blogpost, we will take a look at the most important changes to the controls that SWIFT CSCFv2023 will bring to SWIFT users.

Do you have questions or need assistance with your upcoming SWIFT assessment? Contact us, we're happy to help.
