Mandatory Outsourced Critical Activity Protection (Control 2.8): Reflecting the increased use of outsourcing and cloud services, this control has been made mandatory, with additional clarifications provided to ensure comprehensive protection of outsourced critical activities.
Phased Promotion of Back Office Data Flow Security (Control 2.4A): To encourage the early identification and securing of back-office data flows and the servers facilitating these connections, changes have been made to this control. While it remains advisory for now, organizations are urged to start identifying and assessing these flows for security.
Clarifications and Minor Changes: To improve usability and comprehension, various controls have been clarified or slightly modified. These include:
- Aligning risk drivers for Controls 2.1 (Internal Data Flow Security) and 2.4 (Back Office Data Flow Security).
- Integrating USB ports protection into Control 2.3 (System Hardening).
- Moving the optional enhancement for application allowlisting to Control 2.3.
- Explicit mention in Control 2.9 (Transaction Business Controls) that business controls can occur outside the secure zone.
- Aligning wording in Controls 3.1 (Physical Security) and 5.2 (Token Management) regarding token supervision and storage.
- Recommendations for equipment sanitization in Control 3.1.
- Title alignments and wording adjustments in various controls for consistency and clarity.
Integration and Monitoring Enhancements: The framework now more explicitly integrates Control 6.4 (Logging and Monitoring) across other controls where log monitoring is relevant, and Control 7.4 (Scenario-based Risk Assessment) acknowledges the use of existing information security risk management processes.
Revisions in Appendices and Framework Structure:
- Updated glossary and clarifications on the roles of service providers and third parties.
- Alignment of Appendix E with the latest security standard versions.
- Updated information on the CREST GUI and Gateway in Appendix F.
- Clarifications on securing WebAccess webservers as customer connectors.
Corrections and Updates from the October 2023 Publication: These include combining the first two principles to support the framework’s objectives, aligning sections on the scope of security controls, corrections in the Security Controls Summary Table, and updates in the Risk Driver Summary Matrix.
These changes reflect Swift’s continued focus on enhancing the security framework in response to evolving needs, particularly considering the increased adoption of outsourcing and cloud-based solutions within the community.
World Informatix Cyber Security is a global leader in SWIFT CSP Assessments, remediation guidance, and consultation.