SWIFT Security Controls Framework Goes into Effect

By Seth Jaffe.

For banks and financial institutions using the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) network, the new year brought a requirement to self-attest compliance against new mandatory and, optionally, advisory controls promulgated by SWIFT through its Customer Security Controls Framework. Security professionals will recognize these controls as generally standard in the industry, and likely already implemented in a robust security program.

The mandatory controls are:

  1. Protect the SWIFT environment (through methods such as segregation)
  2. Implement privileged account control
  3. Secure internal data flow (through methods such as two-way TLS)
  4. Perform routine security updates
  5. Harden systems in accordance with a recognized security standard (e.g. CIS, DISA STIG, NIST), a local regulator’s guidelines, or a vendor’s guidelines
  6. Secure the physical environment
  7. Establish and maintain a password policy
  8. Implement multi-factor authentication
  9. Control logical access by applying the security principles of (1) need-to-know, (2) least privilege, and (3) segregation of duties
  10. Manage hardware tokens
  11. Protect from malware
  12. Perform periodic software integrity checks
  13. Perform periodic database integrity checks
  14. Log and monitor anomalous activity
  15. Define, prepare, and test an incident response plan
  16. Conduct annual security awareness training

Of particular note is the inclusion of threat sharing in the guidelines, which will be the subject of a subsequent post on LEO’s incident response blog.

Seth is our official rocket scientist in residence. Hailing from NASA’s Mission Control Center, Seth brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to twenty-plus years of technical experience, Seth was previously a member of the data protection task force at a large law firm, and served as the lead Legal team member of an incident response team at a major U.S. airline. Seth is a certified business continuity professional, and he holds a Juris Doctor, which is why he also wears the General Counsel hat at LEO.