Inspection or regular audit of the SWIFT Customer Security Programme (CSP)
The SWIFT Customer Security Programme (CSP) provides a verified set of security controls designed to help users establish a secure infrastructure and internal environment. Feel free to contact us for cyber advisory options and a guide to implementing CSP compliance, which we will tailor to your needs.
Since the establishment of the SWIFT Customer Security Programme (SWIFT CSP), we have been providing independent assessment, audit, and advisory services to meet compliance requirements.
Our auditors possess over 10 years of relevant experience in Information Technology (IT) auditing and IT security within banks, payment institutions, and central banks in Croatia, Bosnia and Herzegovina, Serbia, Slovenia, Albania, North Macedonia, and other countries.
Our staff includes Swift Certified Assessors in the subject area: CSP Assessments.
Assessment process
Our assessments include both mandatory and advisory controls as part of the standard assessment practice.
A complete assessment (described in more detail in the Independent Assessment Process Guidelines) includes:
- Preparation for the preliminary assessment and consultations (initial preparatory meeting, architecture decision tree),
- Preparation for testing all controls – gathering information, defining and communicating the testing plan and the list of required data/evidence, defining specific evidence retention requirements, and the expected SWIFT architecture diagram,
- On-site assessment – testing and review of compliance data (performed by two auditors), use of the latest SWIFT assessment templates, limited use of the Nessus scanner (locally or through our licence),
- Draft reporting – producing the Draft Assessment Report (technical discussion on the draft report),
- Final reporting – producing the Final Assessment Report,
- Post-assessment activities – producing the Completion Letter, follow-up activities, support in the remediation process, and additional KYC updates – no later than December 31 of the current year,
- Project closure – completion and documentation activities, including deletion of all evidence from our systems within 30 days (our standard practice).
Testing methods
Our assessors use a mix of testing methods (appropriate to a user’s specific circumstances), such as inquiry, observation, inspection and re-performance. The degree of assessor emphasis on a particular control is proportional to the level of risk involved.
About SWIFT CSP
The reality is that increasingly powerful and sophisticated cyber threats underscore the importance of a proactive, long-term, and agile response. SWIFT customers are responsible for securing their own environment and network access. SWIFT’s Customer Security Programme (CSP) was introduced to support users in controlling and protecting against information fraud.
The CSP provides a proven set of security controls carefully designed to help users secure their local environment and infrastructure and to establish a more reliable and secure financial ecosystem.
The SWIFT Customer Security Control Framework (CSCF) describes a set of mandatory and advisory security controls for SWIFT users. Mandatory security controls establish a security baseline for the entire community and must be implemented by all users on their local SWIFT infrastructure. SWIFT has prioritized these mandatory controls to set a realistic goal for short-term, achievable security and risk reduction. Advisory controls are based on good practice that SWIFT recommends users implement.
All controls are grouped around three main objectives:
- "Secure your environment",
- "Know and limit access", and
- "Detect and respond"
Controls are proactively refined through ongoing user feedback, cyber threat research, expert analysis, and adherence to industry security standards.
CSCF-based Cyber Security Advisory and Audit
More details about the certification of the latest version and the attestation process (between July and December) using the KYC Registry Security Attestation application are available on the SWIFT website and in the Customer Security Controls Framework document.
Additional details about our advisory services and independent control assessment are available upon request.
Contact persons: Nebojsa Bulatović, Ljiljana V. Radovanović
Phone: +38765666468