SWIFT Customer Security Controls Framework Compliance

As reported by Investopedia, SWIFT, the Society for Worldwide Interbank Financial Telecommunications, is a messaging network that financial institutions use to securely transmit information and instructions through a standardised system of codes.

SWIFT Customer Security Controls (CSC) Framework

According to SWIFT¹:

The SWIFT Customer Security Controls Framework describes a set of mandatory and advisory security controls for SWIFT users.

Mandatory security controls establish a security baseline for the entire community and must be implemented by all users on their local SWIFT infrastructure. SWIFT has chosen to prioritise these mandatory controls to set a realistic goal for near-term, tangible security gain and risk reduction.

Advisory controls are based on good practice that SWIFT recommends users to implement. Over time, mandatory controls may change due to the evolving threat landscape and some advisory controls may become mandatory.

All controls are articulated around three overarching objectives:

1. Secure your Environment
2. Know and Limit Access
3. Detect and Respond

Thales can help you comply with all three objectives.

1. https://www.swift.com/myswift/customer-security-programme-csp/security-controls

Thales can help you comply with the following sections of the CSC framework:

Section 1.2. “Operating System Privileged Account Control”
Section 5. “Manage Identities and Segregate Privileges”
Section 6. “Detect Anomalous Activity to Systems or Transaction Records”3

CipherTrust Data Security Platform

The CipherTrust Data Security Platform from Thales makes it easy and efficient to manage data-at-rest security across your entire organisation. Built on an extensible infrastructure, the platform features multiple data security products that can be deployed individually or in combination to deliver advanced encryption, tokenisation and centralised key management. This data security solution prepares your organisation for the next security challenge and new compliance requirements at the lowest TCO.

Data Access Control

• Separation of privileged access users and sensitive user data. With the CipherTrust Data Security Platform, administrators can create a strong separation of duties between privileged administrators and data owners. The CipherTrust Data Security Platform encrypts files while leaving their metadata in the clear. In this way, IT administrators – including hypervisor, cloud, storage and server administrators – can perform their system administration tasks, without being able to gain privileged access to the sensitive data residing on the systems they manage.
• Separation of administrative duties. Strong separation-of-duties policies can be enforced to ensure one administrator does not have complete control over data security activities, encryption keys or administration. In addition, the CipherTrust Manager supports two-factor authentication for administrative access.
• Granular privileged access controls. Thales’s solution can enforce very granular, least-privileged user access management policies, enabling protection of data from misuse by privileged users as well as external attacks. Granular privileged user access management policies can be applied by user, process, file type, time of day and other parameters. Enforcement options are very granular; they can be used to control not only permission to access clear-text data, but what file-system commands are available to a user.

Security Intelligence Logs

Detailed data access audit logs delivered by CipherTrust Transparent Encryption are useful not only for compliance, but also for the identification of unauthorised access attempts, as well as to build baselines of authorised user access patterns. CipherTrust Security Intelligence completes the picture with pre-built integration to leading Security Information and Event Management (SIEM) systems that make this information actionable. The solution allows immediate automated escalation and response to unauthorised access attempts and all the data needed to build behavioural patterns required for identification of suspicious usage by authorised users.