SWIFT CSP 2022 - Deloitte

Transcript of SWIFT CSP 2022 - Deloitte

SWIFT CSP 2022

08 June 2022

SWIFT Customer Security Program (CSP) © 2022. For information, contact Deloitte & Associados, SROC S.A

Agenda

Introduction

SWIFT CSP compliance Deloitte global benchmark;

Basics of the SWIFT CSP;

Independent assessment and its challenges;

SWIFT CSP trends;

SWIFT-related infrastructure in the cloud;

Q&A.

Banking information is some of the most important information to keep private. That is why recent high-profile cyber-attacks on customers using Society for Worldwide Interbank Financial Telecommunications (SWIFT) are so significant. Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF) as well as address SWIFT dependencies and ultimately disrupt through innovation.

Speakers:

João Frade, Partner, Deloitte Portugal

Michal Zavodny, Senior Manager, Deloitte Belgium

Filipe Silva, Senior Manager, Deloitte Portugal

Filipe Morais, Manager, Deloitte Portugal

SWIFT CSP 2021 Benchmark


SWIFT Customer Security Programme Deloitte benchmark: results based on more than 500 BICs (A1 – A3)

CSP compliance with mandatory controls, Initial Assessment: 58.62% compliant, 41% non-compliant.

CSP compliance with mandatory controls, Final Assessment: 72.41% compliant, 27.59% non-compliant.

SWIFT Customer Security Programme Deloitte benchmark: results based on more than 500 BICs (A4 and B-type)

CSP compliance with mandatory controls, Initial Assessment: 67% compliant, 33% non-compliant.

CSP compliance with mandatory controls, Final Assessment: 72.22% compliant, 27.78% non-compliant.

SWIFT Customer Security Programme Deloitte benchmark: results based on more than 500 BICs

Chart: compliancy per control in the Final Assessment for A1-A3 types (y-axis 0% to 60%; series: Non Compliant, Minimum Compliant, High Maturity Compliant; controls 1.1, 1.2, 1.3, 1.4, 2.1, 2.2, 2.3, 2.6, 2.7, 2.10, 3.1, 4.1, 4.2, 5.1, 5.2, 5.4, 6.1, 6.2, 6.3, 6.4, 7.1 and 7.2, listed below).

1.1 SWIFT Environment Protection

1.2 Operating System Privileged Account Control

1.3 Virtualisation Platform Protection

1.4 Restriction of Internet Access

2.1 Internal Dataflows

2.2 Security Updates

2.3 Systems Hardening

2.6 Operator Session Confidentiality and Integrity

2.7 Vulnerability Scanning

2.10 Application Hardening

3.1 Physical Security

4.1 Password Policy

4.2 Multi-factor Authentication

5.1 Logical Access Control

5.2 Token Management

5.4 Physical and Logical Password Storage

6.1 Malware Protection

6.2 Software Integrity

6.3 Database Integrity

6.4 Logging and Monitoring

7.1 Cyber Incident Response Planning

7.2 Security Training and Awareness

SWIFT Customer Security Programme Deloitte benchmark: results based on more than 500 BICs

Chart: compliancy per control in the Final Assessment for A4/B-types (y-axis 0% to 60%; series: Non Compliant, Minimum Compliant, High Maturity Compliant; controls 1.4, 2.2, 2.3, 2.6, 3.1, 4.1, 4.2, 5.1, 5.2, 5.4, 6.1, 6.4, 7.1 and 7.2, listed below).

1.4 Restriction of Internet Access

2.2 Security Updates

2.3 Systems Hardening

2.6 Operator Session Confidentiality and Integrity

3.1 Physical Security

4.1 Password Policy

4.2 Multi-factor Authentication

5.1 Logical Access Control

5.2 Token Management

5.4 Physical and Logical Password Storage

6.1 Malware Protection

6.4 Logging and Monitoring

7.1 Cyber Incident Response Planning

7.2 Security Training and Awareness


SWIFT Customer Security Programme evolution

2017 – 2018

• Self-attestation of compliance by 31 Dec 2017.

• 27 controls: 16 Mandatory + 11 Advisory.

2019 – 2020

• Self-attestation of compliance by 31 Dec 2019 for 2019 and by 31 Dec 2020 in 2020.

• In June 2020, SWIFT postponed the need to support the self-attestation by an independent assessment to 2021.

• The v2019 framework can also be used for the 2020 self-attestation.

• 29 controls: 19 Mandatory + 10 Advisory.

• 31 controls: 21 Mandatory + 10 Advisory; compliance by 31 Dec 2020.

2021

• Community standard assessment by 31 Dec 2021.

• Self-attestation must be completed between June and December and is then valid until the end of the following year.

• Self-attestation must be supported by an independent external or internal assessment.

• 31 controls: 22 Mandatory + 9 Advisory; compliance by 31 Dec 2021.

2022

• Community standard assessment by 31 Dec 2022.

• Self-attestation must be completed between June and December and is then valid until the end of the following year.

• Self-attestation must be supported by an independent external or internal assessment.

• 32 controls: 22 Mandatory + 10 Advisory; compliance by 31 Dec 2022.

SWIFT Customer Security Programme

SWIFT user (BIC owner): the BIC owner must perform a self-attestation every year by 31 December for all mandatory controls. The KYC portal on swift.com is open as of 1 July.

Framework: a SWIFT-specific framework with 5 architecture types based on SWIFT-related architectures. The SWIFT user must meet the control objectives (taking into account the implementation guidelines).

Non-compliant self-attestation: a self-attestation that is not supported by an independent assessment, or that does not comply with all controls. This is visible via KYC or can be requested via KYC (in case of opt-out).

Independent assessment: the self-attestation must be supported by an external or internal independent assessment (independent from the 1st level).

Point in time: the self-attestation (and also the supporting independent assessment) is sufficient as a point-in-time view.

Diagram: the independent assessor assesses the controls using the framework and delivers the assessment results (a completion letter and a formal report); the SWIFT user performs the self-attestation.

Scope of the assessment – architecture types

Diagram (labels recovered from the slide): architecture types A1, A2, A3, A4 and B; legend: In scope, Out of scope, Advisory components, Supporting components.

Component labels shown: SWIFTnet; Messaging interface; Communication interface; SWIFT connector; Customer connector; client connector; GUI; Operating System; Virtualization; (extended) secure zone; Secondary site; Jump server; Identity management; MFA server; Firewall; Switches/routers; IDS; SIEM; VA; Anti-malware; Administrators; General Enterprise; Back office system I, II and III; Middleware; SWIFT operators; General operator PCs; Service provider.

The 2022 SWIFT CSP update and its impact

Changes to the 2022 CSCF version

Significant scope change for A4 architecture

"Customer connector" is now a mandatory component for the A4 architecture type. There is a significant number of controls (1.2; 1.3; 1.4; 2.2; 2.3; 2.6; 2.7; 3.1; 4.1; 4.2; 5.1; 5.4; 6.1; 6.3 and 6.4) that need to be assessed for the customer connector at application level and for the underlying operating system and virtual platform.

Control 2.9 Transaction Business Controls

Advisory control that became mandatory in the v2022 CSCF.

New control 1.5A

The new (advisory) control 1.5A was added to the framework: Customer Environment Protection.

Point of attention – this control will become mandatory in the v2023 CSCF.

Changes in the scope of the existing controls

In the case of 1.2 System Privileged Account Control, the scope was increased and two components were added: Dedicated Operator PC and Network devices protecting the secure zone.

The 2022 SWIFT CSP update and its impact – Significant scope increase for architecture A4

Diagram (labels recovered from the slide): SWIFT operators; General operator PCs; Service provider (Messaging interface, Communication interface); Back office system; General Enterprise; Customer connector (Operating System, Virtualization); SWIFTnet; legend: In scope, Out of scope, Advisory components.

Additionally, the customer connector is now considered a mandatory in-scope component for the following controls: 1.2; 1.3; 1.4; 2.2; 2.3; 2.6; 2.7; 3.1; 4.1; 4.2; 5.1; 5.4; 6.1; 6.3 and 6.4.

Customer Connector Definition: the customer connector includes generic file transfer solutions or local middleware system implementations, such as an IBM® MQ server, used to facilitate communication with SWIFT-related components offered by a service provider.

The 2022 SWIFT CSP update and its impact – New control 1.5A (applicable for A4 architecture)

The new (advisory) control 1.5A was added to the framework: Customer Environment Protection. With control 1.1 as its basis, this control focuses mainly on the A4 architecture types in order to improve the security of customer connectors used for SWIFT messaging. Customers are advised to place their customer connector inside an existing secure zone or to create a new Customer Secure Zone.

Diagram (labels recovered from the slide; two layouts are shown): SWIFT operators; Dedicated operator PCs (4.2 - MFA); General operator PCs; Jump server (Operating System, Virtualization); Service provider (Messaging interface, Communication interface); Back office systems; Middleware server (Operating System, Virtualization); Customer connector (Operating System, Virtualization); Customer protected environment (Firewall, Switches/routers); General Enterprise; SWIFTnet; legend: In scope, Out of scope, Advisory components.

Independent assessment and its challenges


Delivering an efficient assessment without compromises on quality: keys to successful independent assessments

Challenges

• Insufficient time for gap remediation.

• Assessment is performed as an audit using checklists.

• Inefficient assessment of controls.

• Constant changes of the assessment scope.

Keys to success

• Quality Assurance: delivering high quality is key for us. Senior team members will perform QA reviews.

• Project Management: giving clients the opportunity to focus on their business.

• CSP perimeter and components: a list of the formally approved SWIFT CSP perimeter and components in scope is maintained throughout the engagement, in case new CSP components are identified.

• Early gap notification: key stakeholders are notified about any identified gaps against control objectives and the confirmation process is triggered.

• Assessment against control objectives: the controls implemented are assessed against the control objectives of the framework.

• Control type mapping: understanding of the nature of the controls (centralized, decentralized, component-based) and an assessment adjusted accordingly.

• Remediated gaps: re-testing.

List of common control failures identified by Deloitte

Below is the list of the most common control failures that we identified during the assessments against the SWIFT CSCF.

7 common pitfalls

Re-use of enterprise network

• SWIFT components are placed in one corporate network.

• A SWIFT subnet was created, but the enterprise firewall is used to protect it.

Reliance on corporate identity systems

• Corporate identity management is also used for SWIFT components.

• The firewall protecting the secure zone relies on enterprise identity management.

• Single sign-on to the jump server relies on enterprise identity management.

Data flow protection

• Confidentiality, integrity and (authenticity) of data flows are not protected.

• SWIFT Tip not considered.

4-eyes principle

• Sensitive permissions are not separated to prevent bypassing the 4-eyes principle.

• 4-eyes principle not considered for SWIFT certificates (security officers).

Non-compliant multi-factor authentication

• Multi-factor authentication is not enforced, or not at the right stage.

• Multi-factor authentication incorrectly designed.

Different level of control compliance

• The same level of controls is not applied across all technologies and components.

Access to secure zone

• Operating systems are accessed directly without the use of a jump server (in the case of general operator PCs).
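As an added example (not part of Deloitte's deck or tooling), the last pitfall expressed as detection logic: a check over constructed sshd-style log lines that flags successful logins to secure-zone hosts whose source is not the jump server. The host names, addresses and log format are assumptions made for the illustration.

```python
"""Flag direct operating-system access to SWIFT secure-zone hosts that bypasses
the jump server (the 'Access to secure zone' pitfall). Added example; host names,
addresses and the log format below are constructed, not taken from any real site."""
import re
from dataclasses import dataclass

# Constructed inventory: secure-zone hosts and the only approved entry point.
SECURE_ZONE_HOSTS = {"swift-msg-01", "swift-comm-01", "swift-db-01"}
JUMP_SERVER_ADDRS = {"10.10.0.5"}

# Constructed syslog-style sshd lines: one legitimate hop via the jump server,
# one direct login from a general operator PC, one login to a non-SWIFT host,
# one failed attempt (ignored) and one more legitimate hop.
SAMPLE_LOG = """\
Jun 08 09:01:12 swift-msg-01 sshd[4121]: Accepted publickey for swiftadm from 10.10.0.5 port 51022 ssh2
Jun 08 09:03:40 swift-comm-01 sshd[4180]: Accepted password for swiftadm from 192.168.50.23 port 50311 ssh2
Jun 08 09:05:02 corp-file-01 sshd[2210]: Accepted password for jdoe from 192.168.50.23 port 50444 ssh2
Jun 08 09:07:55 swift-db-01 sshd[4302]: Failed password for root from 192.168.50.99 port 50890 ssh2
Jun 08 09:09:10 swift-db-01 sshd[4310]: Accepted publickey for dba from 10.10.0.5 port 51100 ssh2
"""

# Only successful logins are parsed; failed attempts belong to a different rule.
LINE_RE = re.compile(
    r"^\w{3} \d{2} [\d:]{8} (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    src: str
    method: str


def find_direct_secure_zone_access(log_text, secure_hosts=SECURE_ZONE_HOSTS,
                                   jump_addrs=JUMP_SERVER_ADDRS):
    """Return successful logins to secure-zone hosts whose source is not a jump server."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failed attempts and non-sshd lines are out of scope here
        if m["host"] in secure_hosts and m["src"] not in jump_addrs:
            findings.append(Finding(m["host"], m["user"], m["src"], m["method"]))
    return findings


if __name__ == "__main__":
    for f in find_direct_secure_zone_access(SAMPLE_LOG):
        print(f"ALERT direct access to {f.host} by {f.user} from {f.src} ({f.method})")
```

The same rule maps onto control 6.4 (Logging and Monitoring): the jump-server address set is the allow-list, and any other source reaching a secure-zone host is a finding to raise with the stakeholders.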

SWIFT CSP trends

• Regulator interest

• Increased importance

• Automation

• SWIFT infrastructure in the cloud

• Un-isolation

• Use of cloud-based solutions

• Compliance

• Cloud

CSP Infrastructure in the cloud

Q&A

Main team contacts

João Carlos Frade, Partner, Deloitte Portugal, +351 966 304 [email protected]

Michal Zavodny, Senior Manager, Deloitte Belgium, [email protected]

Bert Truyman, Partner, Deloitte Belgium, [email protected]

João has been a partner since 2004, with experience in Internal Control, Internal Audit, Sustainability and Enterprise Risk. João leads the IT Specialists team in Portugal and is responsible for several projects applying risk management models and the 27001 standards.

Michal is Deloitte's SWIFT CSP Initiative lead and has led more than 100 SWIFT Customer Security Programme assessments across the globe for various clients – central banks, structurally important banks and international institutions.

Bert is a partner in Risk Advisory with 20 years of experience in the evaluation of business processes and complex IT environments. Bert leads the Assurance group, which provides IT Audit, Third-party assurance, Risk & Controls, and compliance services.

"Deloitte" refers to one or more member firms and their related entities of the global network of Deloitte Touche Tohmatsu Limited ("DTTL"). DTTL (also referred to as "Deloitte Global") and each of its member firms are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity are liable only for their own acts and omissions, and not those of each other. DTTL does not provide services to clients. For more information, see www.deloitte.com/pt/about.

Deloitte is a leading global provider of audit & assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms spans more than 150 countries and territories and serves four out of five Fortune Global 500® companies. To learn about the positive impact created by Deloitte's more than 345,000 professionals, visit www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (DTTL), its global network of member firms or their related entities (collectively, the Deloitte network) is, by means of this communication, rendering advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional. No representations or warranties (express or implied) are given as to the accuracy or completeness of the information in this communication, and DTTL, its member firms, related entities or employees shall not be liable for any loss or damage arising from actions based on this communication. DTTL and each of its member firms are legally separate and independent entities.