SWIFT Security Controls Framework Goes into Effect
By Seth Jaffe.
For banks and financial institutions using the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) network, the new year brought a requirement to self-attest compliance against new mandatory and, optionally, advisory controls promulgated by SWIFT through its Customer Security Controls Framework. Security professionals will recognize these controls as generally standard in the industry, and likely already implemented in a robust security program.
The mandatory controls are:
- Protect the SWIFT environment (through methods such as segregation)
- Implement privileged account control
- Secure internal data flow (through methods such as two-way TLS)
- Perform routine security updates
- Harden security in accordance with a recognized security standard (e.g. CIS, DISA STIG, NIST), a local regulator’s guidelines, or a vendor’s guidelines
- Secure the physical environment
- Establish and maintain a password policy
- Implement multi-factor authentication
- Control logical access by applying the security principles of (1) need-to-know, (2) least privilege, and (3) segregation of duties
- Manage hardware tokens
- Protect from malware
- Perform periodic software integrity checks
- Perform periodic database integrity checks
- Log and monitor anomalous activity
- Define, prepare, and test an incident response plan
- Conduct annual security awareness training
Of particular note is the inclusion of threat sharing in the guidelines, which will be the subject of a subsequent post on LEO’s incident response blog.