SWIFT CSCF

Summary

SWIFT Customer Security Controls Framework (CSCF) establishes a set of mandatory and advisory security controls for the operating environment of SWIFT users. SWIFT provides the global messaging system that financial organizations use to transmit information and instructions securely. Users can compare the security controls they have implemented with those listed in the CSCF to identify and remediate any compliance gaps. The version used in this section is v2024.

Definitions

Definition	Requirements
SWIFTCSC-1_2. Operating system privilege account control	033. Restrict administrative access 095. Define users with privileges
SWIFTCSC-1_3. Virtualization or cloud platform protection	222. Deny access to the host essential 062. Define standard configurations
SWIFTCSC-1_4. Restriction of Internet access	249. Locate access points
SWIFTCSC-2_1. Internal data flow security	153. Out of band transactions 174. Transactions without a distinguishable pattern 181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms
SWIFTCSC-2_2. Security updates	262. Verify third-party components 353. Schedule firmware updates
SWIFTCSC-2_3. System hardening	266. Disable insecure functionalities
SWIFTCSC-2_5A. External transmission data protection	153. Out of band transactions
SWIFTCSC-2_6. Operator session confidentiality and integrity	181. Transmit data using secure protocols 336. Disable insecure TLS versions 023. Terminate inactive user sessions
SWIFTCSC-2_10. Application hardening	266. Disable insecure functionalities
SWIFTCSC-3_1. Physical security	205. Configure PIN 232. Require equipment identity 266. Disable insecure functionalities 273. Define a fixed security suite
SWIFTCSC-4_1. Password policy	127. Store hashed passwords 130. Limit password lifespan 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 139. Set minimum OTP length 332. Prevent the use of breached passwords 333. Store salt values separately
SWIFTCSC-4_2. Multi-factor authentication	362. Assign MFA mechanisms to a single account
SWIFTCSC-5_1. Logical access control	186. Use the principle of least privilege 035. Manage privilege modifications 096. Set user's required privileges
SWIFTCSC-5_2. Token management	305. Prioritize token usage 335. Define out of band token lifespan 357. Use stateless session tokens 362. Assign MFA mechanisms to a single account 031. Discard user session data
SWIFTCSC-5_4. Password repository protection	184. Obfuscate application data 185. Encrypt sensitive information 380. Define a password management tool
SWIFTCSC-6_1. Malware protection	155. Application free of malicious code
SWIFTCSC-6_2. Software integrity	178. Use digital signatures 262. Verify third-party components 330. Verify Subresource Integrity
SWIFTCSC-6_3. Database integrity	172. Encrypt connection strings 330. Verify Subresource Integrity
SWIFTCSC-6_4. Logging and monitoring	376. Register severity level 075. Record exceptional events in logs 079. Record exact occurrence time of events

Last updated

2024/02/07