SWIFT CSCF | Compliance | Fluid Attacks Help

SWIFT CSCF


Summary

The SWIFT Customer Security Controls Framework (CSCF) establishes a set of mandatory and advisory security controls for the operating environment of SWIFT users. SWIFT provides the global messaging system that financial organizations use to transmit information and instructions securely. Users can compare the security controls they have implemented with those listed in the CSCF to identify and remediate any compliance gaps. The version used in this section is v2024.

Definitions

Definition
    Requirements

1_2. Operating system privilege account control
    033. Restrict administrative access
    095. Define users with privileges

1_3. Virtualization or cloud platform protection
    062. Define standard configurations
    222. Deny access to the host essential

1_4. Restriction of Internet access
    249. Locate access points

2_1. Internal data flow security
    153. Out of band transactions
    174. Transactions without a distinguishable pattern
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms

2_2. Security updates
    262. Verify third-party components
    353. Schedule firmware updates

2_3. System hardening
    266. Disable insecure functionalities

2_5A. External transmission data protection
    153. Out of band transactions

2_6. Operator session confidentiality and integrity
    023. Terminate inactive user sessions
    181. Transmit data using secure protocols
    336. Disable insecure TLS versions

2_10. Application hardening
    266. Disable insecure functionalities

3_1. Physical security
    205. Configure PIN
    232. Require equipment identity
    266. Disable insecure functionalities
    273. Define a fixed security suite

4_1. Password policy
    127. Store hashed passwords
    130. Limit password lifespan
    132. Passphrases with at least 4 words
    133. Passwords with at least 20 characters
    139. Set minimum OTP length
    332. Prevent the use of breached passwords
    333. Store salt values separately

4_2. Multi-factor authentication
    362. Assign MFA mechanisms to a single account

5_1. Logical access control
    035. Manage privilege modifications
    096. Set user's required privileges
    186. Use the principle of least privilege

5_2. Token management
    031. Discard user session data
    305. Prioritize token usage
    335. Define out of band token lifespan
    357. Use stateless session tokens
    362. Assign MFA mechanisms to a single account

5_4. Password repository protection
    184. Obfuscate application data
    185. Encrypt sensitive information
    380. Define a password management tool

6_1. Malware protection
    155. Application free of malicious code

6_2. Software integrity
    178. Use digital signatures
    262. Verify third-party components
    330. Verify Subresource Integrity

6_3. Database integrity
    172. Encrypt connection strings
    330. Verify Subresource Integrity

6_4. Logging and monitoring
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
    376. Register severity level