SWIFT has admitted that its guidance for customer security was not met with unanimous praise, after it launched the guidance following major attacks in 2016.
Speaking on the development of the customer security program (CSP) at ISSE 2017 in Brussels, SWIFT lead customer engineer Olivier Dazard said that ahead of the attack on SWIFT and the Bank of Bangladesh, it thought that customer security was not its problem and it was traditionally focused on its own data systems and whilst it would provide some security guidance, it would offer nothing beyond that.
“That was not sustainable, not with this incident and there were others afterwards - but we have no evidence that SWIFT was compromised,” he said. This led to the CSP program which provided customers secure tools and a list of 27 security controls which relate to existing industry standards such as PCI DSS or ISO standards.
SWIFT also wanted to provide a place where customers could compare instances. Dazard added that the 27 controls are defined into three top objectives: secure your environment, know and limit access, and detect and respond.
From the three objectives also determine the SWIFT customer security controls framework of eight points:
Dazard said that of the 27 controls that 11 are “strongly recommended to be implemented across the board.” However, when the document was published, customers were unhappy with the guidance saying “who are you to tell us what to do, you’re too prescriptive”, which caused SWIFT to step back and make sure that the objective was clear so that they know why they are recommended to be implemented.
As a result it proposed an implementation guidance, as some 'less mature' customers wanted guidance on what to do, so SWIFT still produced some guidance and asked customers to either meet controls using an alternative implementation that they proposed - but still addressing the control objective or addressing the risk, or just use the implementation guidelines that it produced.
SWIFT also added a ‘know your customer’ tool that will be mandated to all customers by the end of 2017 and as of December 2018, customers will be asked to comply with all mandatory controls using either implementation guidelines, or an alternative.
“I can see by the questions that we receive that we are slowly but surely getting there,” he concluded