SWIFT CSP as a security framework, independent assessment

In addition to the PCI DSS standard that protects cardholder data, the Society for Worldwide Interbank and Financial Communications has launched the SWIFT CSP (Customer Security Program).

2017 was the year in which its first version saw the light of day and provided a security control framework for the environments through which SWIFT transfers operate in the interbank messaging systems for cross-border transfers used by most of the world's banks. Its main objective is to implement the minimum controls necessary to ensure that messages are transmitted through secure and reliable channels between all financial institutions involved in the process. Therefore, it is of utmost importance that financial institutions that are part of the interbank payment ecosystem consider implementing the latest version of the CSCF (Customer Security Controls Framework) v 2023. To comply with the CSP, SWIFT users must support their certification with an independent assessment. The Independent Assessment Framework (IAF) develops the key concepts and rules that guide an independent assessment conducted by an external party and/or an independent internal department.

More specifically, the independent review can be performed as follows:

• The review could be performed by internal assessors if they belong to an area independent from the one that operates the controls, i.e. second or third line of defense (compliance, risk management or internal audit) any person who does not report to the CISO.
• The review could be performed by independent third-party assessors or CSP assessment providers with expertise in cybersecurity assessment.
• The review could be carried out by a mixed team, composed of internal and external evaluators, is also an option.

Ask us any questions you may have about how you can comply with SWIFT CSP

Reference: https://www.swift.com/news-events/webinars/swift-customer-security-programme-information-sessions-h1