
What is new in the recently released CSP v2020?

What is new in the recently updated CSP? | SWIFT Customer Security Programme

The introduction of a new assessment methodology
In order to improve the level of assurance currently provided by the self-attestations, an independent assessment framework
(IAF) has been developed by SWIFT and will require all attestations to be supported by an independent assessment from the
CSP. The self-assessment will no longer be possible and SWIFT customers will now have to rely on an independent assessment
performed either by their internal second or third line of defense (e.g. risk management, internal audit, etc.), or by an external
third party organization.

While a self-attestation usually takes a light approach, an independent assessment should rely on evidence for the design,
the implementation, and the operating effectiveness of the controls.


An update of the control framework


The CSCF v2020 also introduces some changes to the controls to adapt the framework to the evolution of the cyber threat landscape and to progressively improve the overall growth of the control environment.

Two advisory controls, introduced in v2019, are being promoted to mandatory:

• 1.3 – Virtualization platform protection: The objective is to secure the virtualization platform and the virtual machines hosting the SWIFT-related components to the same level as physical systems.

• 2.10 – Application hardening: The objective is to reduce the attack surface of SWIFT-related components by performing interface and application hardening.

Two new advisory controls are introduced:

• 1.4A – Restrict Internet access: This control has been extracted from control 1.1 and centralizes the guidance related to internet access.

• 2.11A – RMA business controls: This control has been extracted from control 2.9A to split the transaction business controls from the RMA business controls.

Finally, one control is being extended:

• 2.4A – Back-office data flow security: The middleware components are now included in the scope.

Auditing the CSP

How different will your declaration be on 31.12.2020?

August 2019 – CSCF v2020 release
· Change identification, such as advisory controls promoted to mandatory
· Gap assessment
· Projects plan
· Budget definition
(2019: CSP assessment – compliance assessment and compliance declaration)

January 2020 – CSCF v2020 projects
· Implementation of new requirements
· Improvement of previously identified gaps
· Preparation of next audit

2020 – Independent Assessment Framework (IAF) preparation
· Mandatory controls
· Method: design, implementation and operating effectiveness evaluation

January 2021 – Reporting analysis
· Assessments are analyzed by SWIFT
· Additional evidence requested by SWIFT
· Communication to third parties and business partners
(2021: CSP compliance report)


How can we help?


Banking information is some of the most important to keep private. That's why recent high-profile cyber-attacks on
customers using Society for Worldwide Interbank Financial Telecommunications (SWIFT) are so significant. Deloitte
can help business leaders navigate the factors associated with implementing SWIFT's Customer Security Controls
Framework (CSCF) as well as address SWIFT dependencies and ultimately disrupt through innovation.

The SWIFT CSCF v2020 controls

Legend: A = advisory control, M = mandatory control; the number next to the letter is the CSCF version (19 = v2019, 20 = v2020) in which the control was created as advisory or promoted to mandatory.

1. Restrict internet access and protect critical systems from general IT environment
   1.1   SWIFT environment protection
   1.2   Operating system privileged account control
   1.3A  Virtualization platform protection (A 19, M 20)
   1.4A  Restrict internet access (A 20)

2. Reduce attack surface and vulnerabilities
   2.1   Internal data flow security
   2.2   Security updates
   2.3   System hardening
   2.4A  Back-office data flow security (scope extended in v2020)
   2.5A  External transmission data protection
   2.6   Operator session confidentiality and integrity
   2.7   Vulnerability scanning
   2.8A  Critical activity outsourcing
   2.9A  Transaction business controls
   2.10A Application hardening (A 19, M 20)
   2.11A RMA business controls (A 20)

3. Physically secure the environment
   3.1   Physical security

4. Prevent compromise of credentials
   4.1   Password policy
   4.2   Multi-factor authentication

5. Manage identities and segregate privileges
   5.1   Logical access control
   5.2   Token management
   5.3A  Personnel vetting process
   5.4   Physical and logical password storage (M 19)

6. Detect anomalous activity to systems or transaction records
   6.1   Malware protection
   6.2   Software integrity
   6.3   Database integrity
   6.4   Logging and monitoring
   6.5A  Intrusion detection

7. Plan for incident response and information sharing
   7.1   Cyber incident response planning
   7.2   Security training and awareness
   7.3A  Penetration testing
   7.4A  Scenario risk assessment

Contacts
Stéphane Hurtaud
Partner – Information & Technology Risk
+352 451 454 434
shurtaud@deloitte.lu

Maxime Verac
Director – Information & Technology Risk
+352 451 454 258
mverac@deloitte.lu

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more than 150 countries and territories serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 286,000 people make an impact that matters at www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2019 Deloitte Tax & Consulting
