SWIFT Security Controls Framework Advisory Controls
By Seth Jaffe.
Our prior article on compliance with the SWIFT Security Controls Framework focused on those controls designated mandatory by the Society for Worldwide Interbank Financial Telecommunication. But SWIFT included, in its framework, eleven advisory controls that are worth mentioning. They are:
- Implement confidentiality, integrity, and mutual authentication mechanisms to protect back office data flows
- Encrypt sensitive data leaving the secure zone
- Safeguard the confidentiality and integrity of interactive operator sessions
- Scan secure zone and operator PC systems for vulnerabilities
- Protect outsourced activities to the same standard of care as if operated within the organization
- Implement RMA and transaction controls to keep transaction activity to within the normal bounds of business activity
- Vet staff operating SWIFT infrastructure prior to initial employment
- Store recorded passwords in a protected physical or logical location
- Deploy an intrusion detection system on the network
- Conduct penetration testing
- Improve incident response preparedness by conducting scenario-driven risk assessments
In the coming weeks, expect additional articles from some of our security professionals–including our compliance guru Noah Weisberger–weighing in on the mandatory and advisory controls.