SWIFT Customer Security Programme

An Independent Attestation for SWIFT Users in Financial Services

SWIFT’s Customer Security Controls Framework (CSCF)

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) Customer Security Programme (CSP) has laid down a standard set of security controls known as the Customer Security Controls Framework (CSCF). These controls aim to help SWIFT-connected customers maintain more secure local environments, while also safeguarding the financial ecosystem. The SWIFT CSCF covers both mandatory and advisory security controls.

Independent assessments of SWIFT’s CSCF attestations

SWIFT users are required to assess their level of compliance against the SWIFT CSCF on an annual basis. In order for this to be carried out in a uniform manner, SWIFT issues an Independent Assessment Framework (IAF) document which provides a framework for undertaking assessments against the SWIFT CSCF.

Moreover, SWIFT requires that all attestations against the CSCF be independently assessed as part of the Community-Standard Assessment (CSA) process, so that each control is evaluated as compliant or otherwise. This is meant to further enhance the integrity, consistency, and accuracy of attestations, and also to further safeguard the security of the global financial community. The independent assessment can be carried out either by an external third party or by an internal, independent function that maintains the appropriate competencies and certifications. The option to self-assess remains available but is considered non-compliant.

SWIFT sets stringent requirements for internal assessors in terms of independence, cybersecurity experience, and relevant certifications. SWIFT users opting for an external assessment, on the other hand, must ensure that it is performed by an independent external organisation. Among other requirements, such organisations must have cybersecurity assessment experience, while the individual assessors require relevant security industry certification(s).

Support offered by Mazars in Malta

At Mazars in Malta, we can support SWIFT users throughout this whole independent assessment process.

Our auditors:

  • have ample experience in performing assessments and reviews of CSCF compliance in banking environments.
  • have sufficient training and expertise in the SWIFT security control framework and detailed mandatory and advisory controls.
  • have extensive financial services experience serving clients in cybersecurity and IT audit and advisory projects.
  • hold recognised industry qualifications such as Certified Information Systems Auditor (CISA), ISO 27001 Lead Auditor, etc.

You will be provided with a detailed Gap Analysis between the SWIFT CSCF requirements and your current control level; where necessary, we will provide recommendations for improvement. Furthermore, you will be provided with completed CSCF mandatory and advisory controls checklists together with the CSCF Assessment Completion letter.

If you require further guidance or details in relation to this process, please do not hesitate to contact us so that we may assist you.
