Fluid Attacks Database

SWIFT CSCF

Last updated: 2024/02/07

SWIFT Customer Security Controls Framework (CSCF) establishes a set of mandatory and advisory security controls for the operating environment of SWIFT users. SWIFT provides the global messaging system that financial organizations use to transmit information and instructions securely. Users can compare the security controls they have implemented with those listed in the CSCF to identify and remediate any compliance gaps. The version used in this section is v2024.

Control-Requirement Mapping

Definition	Requirements
1_2. Operating system privilege account control	033. Restrict administrative access 095. Define users with privileges
1_3. Virtualization or cloud platform protection	222. Deny access to the host essential 062. Define standard configurations
1_4. Restriction of Internet access	249. Locate access points
2_1. Internal data flow security	153. Out of band transactions 174. Transactions without a distinguishable pattern 181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms
2_2. Security updates	262. Verify third-party components 353. Schedule firmware updates
2_3. System hardening	266. Disable insecure functionalities
2_5A. External transmission data protection	153. Out of band transactions
2_6. Operator session confidentiality and integrity	181. Transmit data using secure protocols 336. Disable insecure TLS versions 023. Terminate inactive user sessions
2_10. Application hardening	266. Disable insecure functionalities
3_1. Physical security	205. Configure PIN 232. Require equipment identity 266. Disable insecure functionalities 273. Define a fixed security suite
4_1. Password policy	127. Store hashed passwords 130. Limit password lifespan 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 139. Set minimum OTP length 332. Prevent the use of breached passwords 333. Store salt values separately
4_2. Multi-factor authentication	362. Assign MFA mechanisms to a single account
5_1. Logical access control	186. Use the principle of least privilege 035. Manage privilege modifications 096. Set user's required privileges
5_2. Token management	305. Prioritize token usage 335. Define out of band token lifespan 357. Use stateless session tokens 362. Assign MFA mechanisms to a single account 031. Discard user session data
5_4. Password repository protection	184. Obfuscate application data 185. Encrypt sensitive information 380. Define a password management tool
6_1. Malware protection	155. Application free of malicious code
6_2. Software integrity	178. Use digital signatures 262. Verify third-party components 330. Verify Subresource Integrity
6_3. Database integrity	172. Encrypt connection strings 330. Verify Subresource Integrity
6_4. Logging and monitoring	376. Register severity level 075. Record exceptional events in logs 079. Record exact occurrence time of events

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.