SWIFT CSP 2022 - Deloitte
SWIFT Customer Security Program (CSP) © 2022. For information, contact Deloitte & Associados, SROC S.A
Agenda
Introduction
SWIFT CSP compliance: Deloitte global benchmark;
Basics of the SWIFT CSP;
Independent assessment and its challenges;
SWIFT CSP trends;
SWIFT-related infrastructure in the cloud;
Q&A.
Banking information is some of the most important information to keep private. That is why the recent high-profile cyber-attacks on customers of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) are so significant. Deloitte can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls Framework (CSCF), address SWIFT dependencies and ultimately disrupt through innovation.
Speakers:
João Frade, Partner, Deloitte Portugal
Michal Zavodny, Senior Manager, Deloitte Belgium
Filipe Silva, Senior Manager, Deloitte Portugal
Filipe Morais, Manager, Deloitte Portugal
SWIFT CSP 2021 Benchmark
SWIFT Customer Security Programme Deloitte benchmark: results based on more than 500 BICs (architecture types A1 – A3)
Chart: CSP compliance with the mandatory controls, initial assessment: 58.62% compliant, 41% non-compliant.
Chart: CSP compliance with the mandatory controls, final assessment: 72.41% compliant, 27.59% non-compliant.
SWIFT Customer Security Programme Deloitte benchmark: results based on more than 500 BICs (architecture types A4 and B)
Chart: CSP compliance with the mandatory controls, initial assessment: 67% compliant, 33% non-compliant.
Chart: CSP compliance with the mandatory controls, final assessment: 72.22% compliant, 27.78% non-compliant.
SWIFT Customer Security Programme Deloitte benchmark: results based on more than 500 BICs
Chart: compliance per control in the final assessment for A1 – A3 types (y-axis 0% to 60%; bars per control for non-compliant, minimum compliant and high-maturity compliant). Controls shown:
1.1 SWIFT Environment Protection
1.2 Operating System Privileged Account Control
1.3 Virtualisation Platform Protection
1.4 Restriction of Internet Access
2.1 Internal Dataflows
2.2 Security Updates
2.3 Systems Hardening
2.6 Operator Session Confidentiality and Integrity
2.7 Vulnerability Scanning
2.10 Application Hardening
3.1 Physical Security
4.1 Password Policy
4.2 Multi-factor Authentication
5.1 Logical Access Control
5.2 Token Management
5.4 Physical and Logical Password Storage
6.1 Malware Protection
6.2 Software Integrity
6.3 Database Integrity
6.4 Logging and Monitoring
7.1 Cyber Incident Response Planning
7.2 Security Training and Awareness
SWIFT Customer Security Programme Deloitte benchmark: results based on more than 500 BICs
Chart: compliance per control in the final assessment for A4/B types (y-axis 0% to 60%; bars per control for non-compliant, minimum compliant and high-maturity compliant). Controls shown:
1.4 Restriction of Internet Access
2.2 Security Updates
2.3 Systems Hardening
2.6 Operator Session Confidentiality and Integrity
3.1 Physical Security
4.1 Password Policy
4.2 Multi-factor Authentication
5.1 Logical Access Control
5.2 Token Management
5.4 Physical and Logical Password Storage
6.1 Malware Protection
6.4 Logging and Monitoring
7.1 Cyber Incident Response Planning
7.2 Security Training and Awareness
SWIFT Customer Security Programme evolution
2017 – 2018: 27 controls (16 mandatory + 11 advisory). Self-attestation of compliance by 31 Dec 2017.
2019 – 2020: 29 controls (19 mandatory + 10 advisory). Self-attestation of compliance by 31 Dec 2019 for 2019 and by 31 Dec 2020 for 2020.
• In June 2020, SWIFT postponed the requirement to support the self-attestation with an independent assessment to 2021.
• The v2019 framework can also be used for the 2020 self-attestation.
• 31 controls (21 mandatory + 10 advisory); compliance by 31 Dec 2020.
2021: 31 controls (22 mandatory + 9 advisory); compliance by 31 Dec 2021. Community standard assessment by 31 Dec 2021.
• Self-attestation must be completed between June and December and is then valid until the end of the following year.
• Self-attestation must be supported by an independent external or internal assessment.
2022: 32 controls (23 mandatory + 9 advisory: control 2.9 moved from advisory to mandatory and advisory control 1.5A was added); compliance by 31 Dec 2022. Community standard assessment by 31 Dec 2022.
• Self-attestation must be completed between June and December and is then valid until the end of the following year.
• Self-attestation must be supported by an independent external or internal assessment.
SWIFT Customer Security Programme
SWIFT user (BIC owner): the BIC owner must perform a self-attestation every year by 31 December covering all mandatory controls. The KYC-SA portal on swift.com opens on 1 July.
Framework: a SWIFT-specific framework with 5 architecture types based on the SWIFT-related architectures. The SWIFT user must meet the control objectives, taking the implementation guidelines into account.
Non-compliant self-attestation: a self-attestation that is not supported by an independent assessment, or that does not comply with all mandatory controls, is recorded as non-compliant. This is visible to counterparties via KYC-SA, or can be requested via KYC-SA in the case of opt-out.
Independent assessment: the self-attestation must be supported by an external or internal independent assessment, independent from the first line (the function operating the controls).
Point in time: the self-attestation, and the supporting independent assessment, is a point-in-time exercise; that is sufficient for the programme.
Roles: the independent assessor assesses the controls using the framework and delivers the assessment results (a completion letter and a formal report); the SWIFT user performs the self-attestation.
Scope of the assessment – architecture types
Diagram: the five SWIFT architecture types (A1, A2, A3, A4 and B) and the components each places in scope, out of scope, as advisory components or as supporting components. Components shown: messaging interface, communication interface, SWIFT connector, customer (client) connector, GUI and jump server (each with its operating system and virtualisation layer), secondary site, identity management, MFA server, (extended) secure zone, firewall, switches/routers, IDS, SIEM, vulnerability assessment (VA), anti-malware, administrators, SWIFT operators, general operator PCs, back office systems I – III, middleware, service provider, general enterprise and SWIFTNet.
The 2022 SWIFT CSP update and its impact – changes in the 2022 CSCF version
01 Significant scope change for the A4 architecture: the "customer connector" is now a mandatory component for the A4 architecture type. A significant number of controls (1.2, 1.3, 1.4, 2.2, 2.3, 2.6, 2.7, 3.1, 4.1, 4.2, 5.1, 5.4, 6.1, 6.3 and 6.4) need to be assessed for the customer connector at application level and for its underlying operating system and virtualisation platform.
02 New control 1.5A: the new (advisory) control 1.5A, Customer Environment Protection, was added to the framework. Point of attention: this control will become mandatory in the v2023 CSCF.
03 Control 2.9 Transaction Business Controls: an advisory control that became mandatory in the v2022 CSCF.
04 Changes in the scope of existing controls: for 1.2 Operating System Privileged Account Control the scope was increased and two components were added: dedicated operator PCs and the network devices protecting the secure zone.
The 2022 SWIFT CSP update and its impact – 01 Significant scope increase for architecture A4
Diagram: A4 architecture with SWIFT operators, general operator PCs, back office systems and the customer connector (with its operating system and virtualisation layer) on the customer side, the messaging and communication interfaces at the service provider, and SWIFTNet; in-scope, out-of-scope and advisory components are marked.
Additionally, the customer connector is now considered a mandatory in-scope component for the following controls: 1.2, 1.3, 1.4, 2.2, 2.3, 2.6, 2.7, 3.1, 4.1, 4.2, 5.1, 5.4, 6.1, 6.3 and 6.4.
Customer connector definition: the customer connector includes generic file transfer solutions or local middleware system implementations, such as an IBM® MQ server, used to facilitate communication with SWIFT-related components offered by a service provider.
The 2022 SWIFT CSP update and its impact – 02 New control 1.5A, applicable to the A4 architecture
The new (advisory) control 1.5A, Customer Environment Protection, was added to the framework. With control 1.1 as its basis, this control focuses mainly on the A4 architecture type in order to improve the security of customer connectors used for SWIFT messaging. Customers are advised to place their customer connector inside an existing secure zone or to create a new customer secure zone.
Diagram: A4 architecture in which the customer connector, a middleware server and a jump server (each with operating system and virtualisation layer) sit inside a customer protected environment bounded by a firewall and switches/routers; back office systems and the general enterprise sit outside it; SWIFT operators use dedicated operator PCs; the messaging and communication interfaces are at the service provider, connected to SWIFTNet; two access points are marked "4.2 - MFA". In-scope, out-of-scope and advisory components are marked.
Independent assessment and its challenges
Delivering an efficient assessment without compromises on quality – keys to successful independent assessments
Challenges:
• Constant changes of the assessment scope.
• Inefficient assessment of controls.
• Assessment performed as an audit using checklists.
• Insufficient time for gap remediation.
Keys:
• CSP perimeter and components: a list of the formally approved SWIFT CSP perimeter and components in scope throughout the engagement, revisited in case new CSP components are identified.
• Controls type mapping: understanding the nature of each control (centralised, decentralised, component-based) and adjusting the assessment accordingly.
• Assessment against control objectives: the implemented controls are assessed against the control objectives of the framework.
• Early gap notification: key stakeholders are notified about any identified gaps against the control objectives and a confirmation process is triggered.
• Remediated gaps: re-testing.
• Quality assurance: delivering high quality is key for us; senior team members perform QA reviews.
• Project management: giving clients the opportunity to focus on their business.
List of common control failures identified by Deloitte
Below is the list of the most common control failures that we identified during assessments against the SWIFT CSCF: 7 common pitfalls.
1. Re-use of the enterprise network: SWIFT components are placed in the corporate network, or a SWIFT subnet was created but the enterprise firewall is used to protect it.
2. Reliance on corporate identity systems: corporate identity management is also used for SWIFT components; the firewall protecting the secure zone relies on enterprise identity management; single sign-on to the jump server relies on enterprise identity management.
3. Data flow protection: confidentiality, integrity and (authenticity) of data flows are not protected; the relevant SWIFT Tip (knowledge base guidance) is not considered.
4. 4-eyes principle: sensitive permissions are not separated, so the 4-eyes principle can be bypassed; the 4-eyes principle is not applied to SWIFT certificates (security officers).
5. Non-compliant multi-factor authentication: MFA is not enforced, or is not enforced at the right stage of the access path; MFA is incorrectly designed.
6. Different levels of control compliance: the same level of control is not applied across all technologies and components.
7. Access to the secure zone: operating systems are accessed directly, without the use of a jump server, from general operator PCs.
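One way to turn the "re-use of the enterprise network" and "access to the secure zone" pitfalls above into a check a practitioner can run, as an added example that is not part of the Deloitte deck and not SWIFT tooling: a Python audit over exported firewall flow records that flags OS-level access into the secure zone that does not arrive via the jump server, any direct traffic from general operator PCs into the zone, and secure-zone hosts initiating connections to the internet (the restriction of control 1.4). The subnets, the jump server address, the flow-line format and the sample flows are all constructed assumptions.

```python
"""Secure-zone access-path check over firewall flow records.

Added example, not from the Deloitte deck or from SWIFT. It models three
CSCF ideas (a SWIFT secure zone, a jump server in front of it, restricted
internet access) and flags flows that violate them. All addresses, the
flow-line format and the sample flows are constructed for illustration.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Tuple

# Assumed zoning (hypothetical addresses; replace with the approved CSP perimeter)
SECURE_ZONE = ip_network("10.10.0.0/24")    # SWIFT secure zone (interfaces, connector)
JUMP_SERVERS = {ip_address("10.20.0.5")}    # jump server(s) that front the secure zone
GENERAL_PCS = ip_network("10.30.0.0/16")    # general-purpose operator PCs (corporate LAN)
DEDICATED_PCS = ip_network("10.40.0.0/24")  # dedicated operator PCs
INTERNAL = [ip_network("10.0.0.0/8")]       # everything the institution owns
SWIFTNET = [ip_network("203.0.113.0/24")]   # placeholder for SWIFT-side endpoints (TEST-NET-3)

ADMIN_PORTS = {22, 3389, 5985, 5986}        # SSH, RDP, WinRM: OS-level access paths


class Flow(NamedTuple):
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport proto' flow line."""
    src, dst, dport, proto = line.split()
    return Flow(ip_address(src), ip_address(dst), int(dport), proto.lower())


def in_any(ip: IPv4Address, nets: List[IPv4Network]) -> bool:
    return any(ip in net for net in nets)


def check_flow(f: Flow) -> List[str]:
    """Return the rule violations for one flow (empty list = compliant path)."""
    findings: List[str] = []
    if f.dst in SECURE_ZONE:
        # OS-level access into the zone must come from the jump server.
        if f.dport in ADMIN_PORTS and f.src not in JUMP_SERVERS:
            findings.append("admin access to secure zone not via jump server")
        # A general-purpose operator PC never talks to the zone directly.
        if f.src in GENERAL_PCS:
            findings.append("general operator PC reaches secure zone directly")
    if f.src in SECURE_ZONE and not (in_any(f.dst, INTERNAL) or in_any(f.dst, SWIFTNET)):
        # Control 1.4: no outbound internet access from the secure zone.
        findings.append("secure-zone host initiates connection to internet")
    return findings


def audit(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run check_flow over raw flow lines and keep only the non-compliant ones."""
    out: List[Tuple[str, List[str]]] = []
    for line in lines:
        findings = check_flow(parse_flow(line))
        if findings:
            out.append((line, findings))
    return out


# Constructed sample flows (not real traffic)
SAMPLE_FLOWS = [
    "10.20.0.5 10.10.0.10 3389 tcp",    # jump server -> secure-zone host: compliant
    "10.30.4.7 10.10.0.10 3389 tcp",    # general PC RDPs straight into the zone
    "10.40.0.9 10.10.0.20 443 tcp",     # dedicated operator PC to the GUI over HTTPS
    "10.10.0.10 198.51.100.7 443 tcp",  # secure-zone host reaching the internet
    "10.10.0.20 203.0.113.10 443 tcp",  # secure-zone host to the SWIFTNet placeholder
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_FLOWS):
        print(line, "->", "; ".join(findings))
```

Run as a script it lists the two offending sample flows. In practice the zoning constants are filled from the formally approved CSP perimeter agreed in scoping and the input is an export of the firewall or NetFlow logs; the check covers the network path only, so whether MFA was actually enforced at the jump server (control 4.2) still has to be verified separately against the authentication logs.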
SWIFT CSP trends
Diagram: trends around the CSP: regulator interest, increased importance, automation, and SWIFT infrastructure in the cloud (un-isolation, use of cloud-based solutions, compliance).
CSP Infrastructure in the cloud
Q&A
Main team contacts
João Carlos Frade, Partner, Deloitte Portugal, +351 966 304 [email protected]
Michal Zavodny, Senior Manager, Deloitte Belgium, [email protected]
Bert Truyman, Partner, Deloitte Belgium, [email protected]
João has been a partner since 2004, with experience in internal control, internal audit, sustainability and enterprise risk. João leads the IT specialists team in Portugal and is responsible for several projects applying risk management models and the ISO 27001 standards.
Michal is Deloitte's SWIFT CSP initiative lead and has led more than 100 SWIFT Customer Security Programme assessments across the globe for various clients: central banks, structurally important banks and international institutions.
Bert is a partner in Risk Advisory with 20 years of experience in the evaluation of business processes and complex IT environments. Bert leads the Assurance group, which provides IT audit, third-party assurance, risk & controls and compliance services.
"Deloitte" refers to one or more of the member firms, and their related entities, of the global network of Deloitte Touche Tohmatsu Limited ("DTTL"). DTTL (also referred to as "Deloitte Global") and each of its member firms are legally separate and independent entities, which do not obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity are liable only for their own acts and omissions, and not those of each other. DTTL does not provide services to clients. For more information, see www.deloitte.com/pt/about.
Deloitte is a leading global provider of audit & assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms spans more than 150 countries and territories and serves four out of five Fortune Global 500® companies. To learn about the positive impact created by Deloitte's more than 345,000 professionals, see www.deloitte.com.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (DTTL), its global network of member firms or their related entities (collectively, the Deloitte network) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No representations or warranties (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities or employees shall be liable for any loss or damage whatsoever arising from actions based on this communication. DTTL and each of its member firms are legally separate and independent entities.