Preparing for the Attestation Deadline: a SWIFT Audit Checklist

As we close out the year many organisations are hyper focused on the newly updated 2018 Customer Security Programme, which now requires users to be compliant with all mandatory controls or else be reported to the appropriate regulator. If the thought of this deadline causes panic, good, it should – 31 December will be here before you know it. Thankfully I’ve put together a SWIFT audit checklist to make sure your preparations are on track for success.

Built from anecdotal data I’ve been collecting since 2017 as I’ve undertaken a number of ‘Health Check’ audits across a wide variety of companies, this CSP audit checklist covers how to avoid a host of basic compliance oversights that would prevent your organization from achieving compliance status. I share these items with you to ensure you don’t make similar mistakes that could compromise your security and your reputation.

CSP Audit Checklist:

• Designation and segregation of the secure zone
  In a similar principle to PCI, organisations are required to formally segregate SWIFT related applications from the rest of the infrastructure. As a first step in meeting these requirements, it’s critical that organisations define the scope of the safe zone in addition to segregating the environment. It’s also important to make sure that you can adequately demonstrate that the integrity of the zones has been maintained.
   
• Application life cycle management and patching
  Make sure you’re able to attest to the fact that your critical infrastructure is in compliance and that necessary patches were made on a timely basis.
   
• Multi-factor authentication
  There’s no need to say anything other than implement it. Simply thinking about implementing it isn’t sufficient.

• Database and Software Integrity and detection of anomalous activity
  These are understandably some of the most challenging controls to deal with, both in terms of scope and practical application. Most organisations opt to use standard industry software to perform these checks and that’s fine. Make sure, however, to validate that the tools are actually running and have proof of that fact.
   
• Crisis planning
  Make sure business continuity plans are current and that they reflect current issues and make specific reference to cyber security. Also, make sure all detailed plans have been appropriately tested.
   
• Training
  Employee training should not be considered a “one-and-done” endeavour. Organisations should make sure that frequent training is conducted with all staff and that role specific training is done with those who have privileged access.
   
• Documentation
  This is arguably the most important factor in the attestation process. Be prepared to demonstrate compliance across the entire scope of the CSP, with evidence of all current procedures, diagrams and documentation.

As you make the preparations necessary to comply with this newest edition of SWIFT’s CSP, it’s important to remember that payment fraud is ever changing. It’s critical to keep up if you’re going to keep your organisation protected. This CSP audit checklist is a good place to start to ensure that your payments are safe and your reputation remains intact. If you need more detailed guidance, however, you can also review the recent post “Everything you need to know about the Updated SWIFT Customer Security Controls Framework.”