usd AG Offers Assessment according to SWIFT Customer Security Controls Framework (CSCF)

8. July 2021

SWIFT has become an integral part of international payment traffic. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a global member-owned cooperative that provides secure financial messaging services to its community of 11,000 banks and financial institutions.

SWIFT Customer Security Programme

In response to the cyber attack on the Bangladesh Bank in 2016, SWIFT developed the Customer Security Programme (CSP). The requirements of the CSP are intended to strengthen the security of the global banking system and actively support customers in the fight against cyber attacks. In addition, the CSP aims to improve the exchange of information within the community and boost endpoint security.

SWIFT Customer Security Controls Framework

Based on these security requirements, SWIFT developed a set of control guidelines that all companies connected to the network must comply with: the Customer Security Controls Framework (CSCF).

The CSCF consists of mandatory and advisory controls. Because security requirements in the financial sector keep rising, SWIFT revises the CSCF regularly to reflect the current threat situation. The current version comprises 22 mandatory and nine advisory controls against which customers must attest.

What are the requirements for SWIFT members?

According to the CSCF, SWIFT members are required to confirm annually to SWIFT that they comply with all mandatory controls. In the past, banks and financial institutions could provide this proof through a "user-initiated assessment" in the form of a self-assessment.

For quality assurance reasons, however, an important change to this proof of compliance was introduced in 2020: under the Independent Assessment Framework (IAF), all members will in future be required to provide evidence through an independent assessment. This can be performed by external auditors or by internal persons who are independent of the assessed functions and have the appropriate expertise (e.g. internal audit).

How we support you with your assessment

"At usd, we combine many years of auditing experience in the payment industry with extensive know-how in regulatory projects in the financial sector. This means that we have the best qualifications to support our customers in SWIFT audits as well. I am therefore glad that we are now officially listed as a partner in SWIFT's CSP Assessment Providers Directory.*" announces Anna Magdalena-Kohl, Team Lead Sales Security Audits & PCI.

Our tips for a good preparation towards the assessment:

  1. Decide early on the desired type of assessment: by an external auditor or by internal audit.
  2. If you opt for an external auditor, start looking for a suitable partner in good time and involve them in the preparation at an early stage.
  3. Prepare thoroughly. In an independent assessment, whether by internal audit or an external auditor, stricter requirements will usually be placed on processes and documentation than in a self-assessment. A gap analysis or a short workshop comparing the implemented processes with the CSCF controls can be a good starting point.

Do you need support with your preparation, or would you like us to perform the assessment? Contact us; we will be happy to help.

*SWIFT does not certify, warrant, endorse or recommend any service provider listed in its directory, and SWIFT customers are not required to use providers listed in the directory.
