
SWIFT Customer Security Controls Framework FAQ

1 SWIFT Customer Security Controls Framework


Why has SWIFT launched new security controls?

SWIFT has published a set of core security controls that every SWIFT customer must meet. These controls reflect good security practice and should apply to all systems and processes within the end-to-end transaction chain. SWIFT will specifically mandate their application for the customer’s SWIFT-related infrastructure. Applying these controls will raise the security bar for customers on the SWIFT network and further support customers in their efforts to prevent and detect fraudulent use of their local infrastructure. Communication and implementation of these controls will also help to increase security awareness and education in the on-going fight against cyber fraud.

What are the main principles?

The core security controls are based upon three overarching objectives which address major areas of
attention for cyber-security efforts. These three objectives are supported by eight principles, which
have been carefully defined in consultation with industry experts:

Secure your environment

1. Restrict Internet access
2. Segregate critical systems from the general enterprise IT environment
3. Reduce attack surface and known vulnerabilities (for example, by ensuring timely security updates)
4. Physically secure the environment.

SWIFT Customer Security Controls Framework FAQ. April 2017


Know and limit access

1. Prevent the compromise of credentials
2. Manage identities and segregate the privileges of local infrastructure users.

Detect and respond

1. Detect anomalous activity on systems or transaction records
2. Plan for incident response and share information.

The detailed security controls which support these three overarching security objectives and eight
core principles were published and validated with customers before their formal introduction in April
2017.

What is the scope of the security controls?

SWIFT’s core security controls and related assurance programme apply to all SWIFT-related infrastructure. However, given the persistence and growing sophistication of cyber-attacks, SWIFT recommends that these measures are applied as broadly as possible as a matter of good security practice. The security controls have been designed to be applicable beyond the customer’s SWIFT-related infrastructure. SWIFT therefore urges customers to consider their compliance with the controls beyond their SWIFT-related infrastructure, broadening the scope of their application of the security controls to all systems and processes within the end-to-end transaction chain.

How will the SWIFT Customer Security Controls Framework be rolled out?

The detailed SWIFT Customer Security Controls Framework documentation was made available at
the end of October 2016 and a formal 2-month period of customer validation was conducted from
November through to December 31st 2016. A final version of the SWIFT Customer Security Controls
Framework document was issued in April 2017.

To ensure adoption, SWIFT will require customers to self-attest against the mandatory controls. The requirements apply immediately to all users connected to SWIFT.
As of April 2017, users can already begin to evaluate their compliance against the security controls and prepare for self-attestation, which opens in July 2017 via the self-attestation folder in the KYC Registry. All users must have submitted their self-attestation by the end of 2017.
Customers may make their compliance status available to their counterparties (via a security
attestation folder in the KYC Registry), providing transparency and allowing other users on the
network to apply risk-based decision making regarding their counterparty relationships.

Will all of the security controls be enforced?

The SWIFT Customer Security Controls Framework comprises 16 mandatory and 11 advisory controls. All customers must self-attest compliance against the mandatory controls before the end of 2017. Implementation of the advisory controls is strongly recommended to further strengthen the security of customers’ local infrastructure.



How have the controls been designed and validated?

The security controls are built on SWIFT’s existing security guidance, taking into account the latest
intelligence on known cyber threats and incidents. They have been reviewed by external industry
experts and assessed against industry standard frameworks and good security practices. A two-
month period of customer validation was conducted via National Member and User Groups in late
2016.

How do SWIFT’s security controls map to international security standards?

A mapping of the security requirements against the main international industry standards has been
made available together with the publication of detailed documentation on the security controls.
These standards include PCI-DSS, ISO 27002, and NIST.

What if a customer’s SWIFT technology footprint is limited, do they still need to confirm
compliance with the security requirements?

All users connecting to SWIFT directly or indirectly must comply with the mandatory security
controls. The SWIFT Customer Security Controls Framework document describes the different
technology footprints and architecture types and indicates the components to which the security
controls attestation process applies.

How can users implement the SWIFT security controls?

Each security control is supported by recommended implementation details, a description of the IT components it relates to as well as suggested optional enhancements. In addition, SWIFT provides a mapping between the security controls and the recommendations from SWIFT security guidance documents (Alliance Security Guidance, Certified customer managed interface, the Alliance Remote gateway, Alliance Lite2). Customers can find this information in Knowledge Base tip 5020786.

2 Regarding Customer Security Work Sessions

When will the Customer Security Work Sessions commence?

Community-engagement Customer Security Work Sessions will commence worldwide in April 2017 and will run through to December 2017.

Are the Customer Security Work Sessions only for the big banks?

No. Participation will be extended to a broad spectrum of SWIFT users, with particular attention paid
to reaching small and medium-sized users who are not necessarily in regular contact with SWIFT.
Customer Security Work Sessions will be developed in close coordination with National Member and
User Groups and their networks, and also central banks, corporates, banking and other industry
associations as appropriate.



Where can I find out about the Customer Security Work Sessions in my area?

Information on the Customer Security Work Sessions will be posted in the Customer Security
Programme section on swift.com, and customers will be invited to attend. Prior to the Customer
Security Work Sessions being conducted, SWIFT will reach out to National Member and User Groups
to discuss engagement and practical arrangements for the Customer Security Work Sessions in their
respective countries.

What will be presented at the Customer Security Work Sessions?

In terms of content, the Customer Security Work Sessions will provide an opportunity to share
information on the SWIFT Customer Security Controls Framework and Customer Security Attestation
Process, as well as to understand local needs and in some cases to introduce global and local security
consulting and assurance vendors that may be able to provide support to the community on their
implementation and/or assessment of the security controls.
SWIFT will also provide the community with direction on how and where to access further updates
including self-service tools such as the mySWIFT knowledge base, SWIFTSmart for training, the CSP
pages on swift.com and direct channels into local experts. As the Customer Security Work Sessions
are rolled out worldwide, we will centrally monitor and collect feedback, providing further updates
to Frequently Asked Questions that can be shared back with the community. Customer Security
Work Sessions will take place between April and December 2017 worldwide.

- end -
