Ivan Spiteri
Director of Technology Advisory & Assurance
Q. Do CSP controls only apply to local SWIFT hardware?
A: No. Organizations with an indirect link to the SWIFT network also need to comply with the controls. The components in scope are documented in the CSCF within each control. For example, regular computers used by employees of the Treasury department (to access Alliance Lite2 GUI, for instance) are also in scope, as these are the General Purpose Operator PCs (GPOPC).
Q: We are already ISO 27001 or PCI-DSS certified. Can we refer to our certification and avoid a CSP assessment?
A: No. However, having a certification such as ISO 27001 means your organization is mature in terms of its internal control framework and its documentation, which will greatly facilitate the assessment. Policies and procedures will likely already be in place, and your employees will know what it’s like to be audited and what we, as assessors, will ask as evidence of the implementation of controls.
In rare cases, a compliance analysis could be conducted, which would entail performing a mapping exercise between the SWIFT framework and the certification you have. However, it is likely that gaps between both will still exist, meaning that the CSP assessment will need to take place for the remaining controls.
Q: If I outsource my SWIFT connection or the hosting of my SWIFT components, does that have an impact on my architecture type?
A: Outsourcing the connection or hosting of SWIFT components to a third party does not change your architecture type. For instance, if you use a SaaS Treasury Management System (TMS), you are still responsible for the security of your own enterprise network and the connection to the SaaS TMS. Although you do not own the hardware, you are responsible for its security in the eyes of SWIFT. Therefore, you will need to ascertain that your supplier is CSP compliant, or even review their CSP security controls yourself.