SWIFT Security Controls Framework Advisory Controls
By Seth Jaffe.
Our prior article on compliance with the SWIFT Security Controls Framework focused on those controls designated mandatory by the Society for Worldwide Interbank Financial Telecommunication. But SWIFT included, in its framework, eleven advisory controls that are worth mentioning. They are:
- Implement confidentiality, integrity, and mutual authentication mechanisms to protect back office data flows
- Encrypt sensitive data leaving the secure zone
- Safeguard the confidentiality and integrity of interactive operator sessions
- Scan secure zone and operator PC systems for vulnerabilities
- Protect outsourced activities to the same standard of care as if operated within the organization
- Implement RMA and transaction controls to keep transaction activity to within the normal bounds of business activity
- Vet staff operating SWIFT infrastructure prior to initial employment
- Store recorded passwords in a protected physical or logical location
- Deploy an intrusion detection system on the network
- Conduct penetration testing
- Improve incident response preparedness by conducting scenario-driven risk assessments
In the coming weeks, expect additional articles from some of our security professionals, including our compliance guru Noah Weisberger, weighing in on the mandatory and advisory controls.
Seth is our official rocket scientist in residence. Hailing from NASA’s Mission Control Center, Seth brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to twenty-plus years of technical experience, Seth was previously a member of the data protection task force at a large law firm, and served as the lead Legal team member of an incident response team at a major U.S. airline. Seth is a certified business continuity professional, and he holds a juris doctorate, which is why he also wears the General Counsel hat at LEO.