SWIFT Customer Security Controls Framework (v2022) on AWS
Publication date: July 21, 2021 (Document Revisions)
Abstract
The
SWIFT
Customer Security Programme
The SWIFT Customer Security Controls Framework (CSCF) consists of both mandatory and advisory security controls for SWIFT users. Mandatory security controls establish a security baseline for the entire community, and must be implemented by all users on their local SWIFT infrastructure. With the shift to cloud computing, Appendix G of the latest CSCF provides guidance for users using digital connectivity.
The objective of this guide is to provide SWIFT customers with
sufficient information and best practices to implement the CSCF
security controls when implementing their
SWIFT
Client Connectivity Stack on AWS
Are you Well-Architected?
The
AWS Well-Architected Framework
For more expert guidance and best practices for your cloud
architecture—reference architecture deployments, diagrams, and
whitepapers—refer to the
AWS Architecture Center
Introduction
With the current business landscape created by the COVID-19 pandemic, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) issued the v2021 guidance for its users to implement its updated Customer Security Programme (CSP) and Customer Security Controls Framework (CSCF).
The latest CSP now requires a community-standard assessment for all users and all assessments submitted from 2021 onwards will require an independent assessment.
This document provides guidance for SWIFT connectivity deployed on the AWS Cloud and is structured on the 7 Requirement sections described in the CSP.
The latest v2022 guidance includes five changes from v2021. Three of the changes—Control 2.9, Control 6.2, and Control 6.3—are out of scope for Cloud Providers according to Appendix G of the CSP. A new advisory control(Control 1.5A) was added. It is nearly identical to Control 1.1 and the guidelines are the same. Finally, the scope of Control 1.2 has been extended to a new architecture type, but there are no changes to the AWS guidance.