SWIFT Security Controls
On 27 September 2016, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) announced a new set of core banking security standards and an associated assurance framework as part of its Customer Security Programme.
Compliance with 16 security controls (listed below) will be mandatory for all SWIFT customers – including those connected through service bureaus – from 1 January 2018.
Customers will also be able to choose to implement a further 11 advisory controls.
All SWIFT customers will have to demonstrate their compliance by annual self-attestation. Some randomly selected customers will have to provide additional assurance of their compliance via internal or external audit.
To ensure transparency, SWIFT customers’ compliance status will be available to their counterparts.
Organisations in the financial sector will have only nine months between the final standards being published and their being enforced.
Achieving accredited certification to the international standard for information security management, ISO 27001, is the best way of complying with the international best practice that underpins the new SWIFT controls.
Until the final standards are issued in March 2017, ISO 27001 provides the most obvious starting point for SWIFT customers.
On this page
-
Introduction
-
Implementation timeline
-
SWIFT mandatory and advisory controls – October 2016 version
-
ISO 27001
Introduction
Following a series of high-profile wire fraud incidents, including the theft of some $81 million from Bangladesh’s central bank in early 2016, the interbank messaging service SWIFT came under increasing pressure to improve cyber security in the financial sector and reduce the risk of wire fraud.
In October 2016, SWIFT released a set of core security standards to “raise the security bar for customers on the SWIFT network”.
More than 11,000 banking and securities organisations, market infrastructures and corporate customers in more than 200 countries use SWIFT’s messaging platform, products and services. All of them must comply with SWIFT’s new baseline cyber security controls by 1 January 2018.
Implementation timeline
-
October 2016
SWIFT released preliminary details about the controls. These are detailed in the table below.
-
March 2017
Following a two-month validation period in which SWIFT will engage with nominated security contacts at SWIFT National Member Groups, the final requirements will be published in March 2017. Banking partners will then have just nine months to comply.
-
January 2018
From 1 January 2018, SWIFT will enforce the use of the controls by reporting any non-compliant customer to their regulators.
SWIFT mandatory and advisory controls – October 2016 version
SWIFT’s assurance framework has three objectives and eight principles, which are underpinned by 27 controls.
16 controls are mandatory (M1 to M16 below) and 11 are advisory (A1 to A11 below).
The 27 controls are mapped against recognised international standards – NIST, the PCI DSS and ISO 27002 (the code of practice for information security controls that supports ISO 27001).
To ensure transparency, SWIFT customers’ compliance status will be available to their counterparts.
|
3 objectives
|
8 principles
|
16 mandatory controls
|
11 advisory controls
|
|
Secure your environment
|
1. Restrict Internet access
|
|
|
|
|
2. Segregate critical systems from general IT environment
|
M1. Operating system privileged account control
|
|
|
|
|
M2. SWIFT environment segregation |
|
|
|
3. Reduce attack surface and vulnerabilities
|
M3. Internal data flow security
|
A1. Back office data flow security
|
|
|
|
M4. Security patching
|
A2. External transmission data protection
|
|
|
|
M5. System hardening
|
A3. Session integrity
|
|
|
|
|
A4. Vulnerability scanning
|
|
|
|
|
A5. Critical activity outsourcing
|
|
|
|
|
A6. Transaction business controls
|
|
|
4. Physically secure the environment
|
M6. Physical security
|
|
|
Know and limit access
|
5. Prevent compromise of credentials
|
M7. Password policy
|
|
|
|
|
M8. Multi-factor authentication
|
|
|
|
6. Manage identities and segregate privileges
|
M9. User account management
|
A7. Personnel vetting process
|
|
|
|
M10. Token management
|
A8. Physical and logical password storage
|
|
Detect and respond
|
7. Detect anomalous activity to systems or transaction records
|
M11. Malware protection
|
A9. Intrusion detection
|
|
|
|
M12. Database integrity
|
|
|
|
|
M13. Logging and monitoring
|
|
|
|
|
M14. Software integrity
|
|
|
|
8. Plan for incident response and information sharing
|
M15. Cyber incident response planning
|
A10. Penetration testing
|
|
|
|
M16. Security training and awareness
|
A11. Scenario risk assessment
|
Please note that these controls are subject to change. The final versions will be released in March 2017.
Organisations in the financial sector will then have only nine months before the standards are enforced, from January 2018. This is not long for a compliance project.
ISO 27001
Until the final controls are issued in March 2017, the international standard for information security management, ISO 27001, is the most obvious starting point for SWIFT customers.
ISO 27001 is the only information security standard against which organisations can achieve independently accredited certification, demonstrating that they have implemented the information security best practice that underpins the new SWIFT controls.
Moreover, as well as relying on attestations of compliance, SWIFT customers will be able to request additional assurance from their counterparts that they have implemented security best practice. ISO 27001 provides such assurance.
Click here for more information about ISO 27001 >>
ISO 27001 implementation packages
IT Governance's ISO 27001 packaged solutions have helped hundreds of organisations implement ISO 27001 at a speed and for a budget that is appropriate to their individual needs and preferred project approach.
Each fixed-price solution combines products and services that can be accessed online and deployed by any company in the world, whatever its size, type or location.
Find out more about our ISO 27001 packaged solutions and which one is right for you >>
ISO 27001 training
IT Governance is responsible for the world’s first accredited programme of ISO 27001 education. The ISO 27001 learning pathway provides training courses from Foundation to Advanced level, and offers opportunities to attain industry-standard qualifications awarded by IBITGQ.
Find out more about IT Governance’s ISO 27001 learning pathway >>
Cyber incident response management
The speed at which you identify a breach, combat the spread of malware, prevent access to data, and remediate the threat will make a significant difference in controlling risk, costs, and exposure during an incident.
With an effective incident response plan, you will be able to detect incidents at an earlier stage and develop an effective defence against the attack.
Find out more about cyber incident response management, and learn how IT Governance can help your organisation prepare for the worst >>
Call us now on +44 (0)845 170 1750 or email us to find out more about how we can help you comply with the mandatory SWIFT security controls.
Information correct as of October 2016. This page will be updated as new information becomes available.