External SWIFT Evaluation of the Customer Security Program (CSP).

Since November 2019, the audit company Active-Audit has been registered as a service provider listed in the directory of the international interbank information transfer and payment system (SWIFT) under the Customer Security Program (CSP). Because we are listed as a service provider with SWIFT, our customers are able to publish their KYC Security Attestation. Effective from 07/01/2020, publishing this attestation is mandatory.

According to the SWIFT Community Standard Assessment, from mid-2020 all users will be required to complete the “Standard Community Assessment”. All attestations will need to be evaluated independently, which should be achieved using:

  • External evaluation by an independent external organization. For a list of companies that can assist in conducting independent CSCF evaluations, see the “Europe” link: https://www.swift.com/myswift/customer-security-programme-csp_/community-engagement/cyber-firms-directory
  • Requirements for internal assessors
    – Self-assessment should be performed by the second or third line of the user protection function (for example, risk management or internal audit), which does not depend on the first line protection function that presented the attestation (for example, the CISO office) or its functional equivalent (depending on the circumstances).
    – Assessors must have relevant, up-to-date experience in assessing cybersecurity-related controls.
  • SWIFT reserves the right to seek independent external guarantees (CSP clause 2.3). If a SWIFT user is selected for evaluation at SWIFT's request, a notification from SWIFT is sent to the CISO. SWIFT requires users selected for evaluation to appoint an independent third-party (i.e., external) evaluator and to use standardized SWIFT templates to conduct the independent evaluation. Independent internal parties, including those performing the functions of internal audit, are not allowed to conduct an assessment made at the request of SWIFT. Users are required to inform SWIFT about the company providing the external assessment services using a standardized notification template. SWIFT reserves the right to confirm the authority of the supplier (company) to conduct the assessment, the qualifications of the personnel (persons) performing the assessment, and/or their ability to assess compliance with the requirements of the CSCF.

The assessment methods we use are:

• Inquiries: interviewing relevant staff.
• Surveillance: direct observation of the existence of specific control measures.
• Inspection: obtaining evidence gathered by checking documents and records.
• Testing: practical verification of system security features and selective evidence collection.

The fact that we are listed in the SWIFT directory confirms our international audit certifications and expertise in the fields of assessment and cybersecurity management systems. This listing also provides us with the opportunity to receive support and exchange methodologies for conducting independent assessments under the Customer Security Program (CSP).

Regulations:
• Customer Security Program (CSP) v2019
• Customer Security Program (CSP) v2020
• Customer Security Control Policy (CSCP) v2019
• KYC Security Attestation
• Excel-based CSCF evaluation templates and forms

More information:
1. CSSP directory: https://www.swift.com/myswift/customer-security-programme-csp_/community-engagement/cyber-firms-directory
2. CSP assessment providers directory: https://www.swift.com/myswift/customer-security-programme-csp/find-external-support/directory-csp-assessment-providers
Disclaimer: Swift does not certify, warrant, endorse or recommend any service provider listed in its directory, and Swift customers are not required to use providers listed in the directory.


    Address

    03038, Ukraine, Kyiv
    4 Mykoly Hrinchenka St.

    Tel./fax

    +380 44 521-40-07

    Email

    [email protected]