SWIFT users are required by the Customer Security Controls Framework (CSCF) to demonstrate compliance with at least all mandatory controls through an annual independent assessment. In a SWIFT assessment of this kind, the security of an organization's SWIFT infrastructure and SWIFT systems is checked to ensure that they are protected against potential security threats and vulnerabilities.
November and December are typical months for the annual SWIFT Assessment. You are therefore probably either preparing for, or already in the middle of, your current SWIFT CSCFv2023 assessment. Have you ever considered using your current assessment to carry out a gap analysis in preparation for the next CSCFv2024 assessment?
Tobias Weber, Managing Security Consultant and SWIFT Auditor at usd AG, explains the advantages of this approach and also takes a look at the upcoming changes under CSCFv2024:
Combine current SWIFT Assessment with Gap-Analysis
The phases of a SWIFT Assessment year usually run in the same way: the corresponding assessments are always carried out for all SWIFT users concerned from July of each year until the end of the year, so that they receive their report in January at the latest and can prove their compliance with the security requirements. At the same time, an update of the CSCF for the following year is regularly published in July.
This means that SWIFT is not only giving users a transition phase of roughly one year for the newly introduced framework version, but is also making it possible to run a gap analysis alongside the upcoming assessment. Use this opportunity to make the most of the transition phase until your SWIFT Assessment in the second half of 2024. Take an early look at the changes in the newly published controls and determine which implementations must be in place by the next assessment.
CSCFv2024 - Changes at a glance
In order to be well prepared, SWIFT users should familiarize themselves with the changes at an early stage. If you take a look at the CSCFv2024, the following 3 key takeaways can be noted:
- The basic structure of the framework has remained the same.
- As previously announced, cloud security has been given greater importance. For example, Control 2.8 ("Outsourced Critical Activity Protection") is now mandatory for all architecture types: Infrastructures should thus be better protected against risks that can arise from the outsourcing of critical activities.
- There are some changes to Control 2.4A ("Back Office Data Flow Security"): The scope has been extended, and a new Appendix H illustrates the various, sometimes complex, implementation options. For example, every data exchange must now be protected either end-to-end or transitively. However, this control becomes mandatory in two phases: First, the focus is on new connections. In the next step, the protection of existing connections will become mandatory. We assume that these objectives will be reflected in the next CSCF releases.
Do you need assistance with your SWIFT Assessment or with a joint Gap-Analysis?