SWIFT Security Controls Framework Goes into Effect

By Seth Jaffe.

For banks and financial institutions using the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) network, the new year brought a requirement to self-attest compliance against new mandatory and, optionally, advisory controls promulgated by SWIFT through its Customer Security Controls Framework. Security professionals will recognize these controls as generally standard in the industry, and likely already implemented in a robust security program.

The mandatory controls are:

  1. Protect the SWIFT environment (through methods such as segregation)
  2. Implement privileged account control
  3. Secure internal data flow (through methods such as two-way TLS)
  4. Perform routine security updates
  5. Harden security in accordance with a security standard (e.g. CIS, DISA STIG, NIST), a local regulator’s guidelines, or a vendor’s guidelines
  6. Secure the physical environment
  7. Establish and maintain a password policy
  8. Implement multi-factor authentication
  9. Control logical access by applying the security principles of (1) need-to-know, (2) least privilege, and (3) segregation of duties
  10. Manage hardware tokens
  11. Protect from malware
  12. Perform periodic software integrity checks
  13. Perform periodic database integrity checks
  14. Log and monitor anomalous activity
  15. Define, prepare, and test an incident response plan
  16. Conduct annual security awareness training
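Control 12 (periodic software integrity checks) is the one item in the list that maps most directly onto a small piece of working code. The following is an added example, not code from this article, from SWIFT, or from any SWIFT product: it records a SHA-256 baseline of a software directory and later compares the live tree against it, reporting modified, deleted and unexpected files. The directory tree and file contents in `demo()` are constructed for illustration; a real deployment would store the baseline somewhere the monitored host cannot alter it and run the comparison on a schedule.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_posix_path: sha256} for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def verify_baseline(root, baseline):
    """Compare the live tree with a stored baseline.

    Returns a report with three sorted lists:
      changed - present in both but hash differs (tampered or patched without re-baselining)
      missing - in the baseline but no longer on disk
      added   - on disk but absent from the baseline (unexpected new component)
    """
    current = build_baseline(root)
    changed = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


def is_clean(report):
    """True when the integrity check found no deviations at all."""
    return not (report["changed"] or report["missing"] or report["added"])


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it.

    Returns (clean_report, tampered_report) so both outcomes can be inspected.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")      # constructed sample
        (root / "config.ini").write_text("mode=prod\n")             # constructed sample
        baseline = build_baseline(root)

        # An immediate re-check against an untouched tree must be clean.
        clean_report = verify_baseline(root, baseline)

        # Simulate an unauthorized modification, a deletion and an unexpected new file.
        (root / "bin" / "app").write_bytes(b"patched binary")
        (root / "config.ini").unlink()
        (root / "bin" / "extra.so").write_bytes(b"dropped")
        tampered_report = verify_baseline(root, baseline)

        return clean_report, tampered_report


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after tampering:", after)
```

Any non-empty list in the report is the signal to raise an incident rather than silently re-baseline; the check is only as trustworthy as the protection around the stored baseline, which is why it pairs naturally with the privileged-account and logging controls elsewhere in the list.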


Of particular note is the inclusion of threat sharing in the guidelines, which will be the subject of a subsequent post on LEO’s incident response blog.

