Since November 2019, the Audit Company Active-Audit has been a partner of the international interbank information transfer and payment system (SWIFT) under the Client Security Program (CSP). Partnership with SWIFT enables our customers to pass KYC Security Attestation. From 07/01/2020, passing this certification is mandatory.
According to the SWIFT Community Standard Assessment, from mid-2020 all users will be required to complete the “Standard Community Assessment”. All certifications will need to be evaluated independently, which should be achieved using:
- External evaluation by an independent external organization. For a list of companies that can assist in conducting independent CSCF evaluations, see the “Europe” link: https://www.swift.com/myswift/customer-security-programme-csp_/community-engagement/cyber-firms-directory
- Requirements for internal evaluators
– Self-certification (internal assessment) should be performed by the second or third line of the user's protection function (for example, risk management or internal audit), which must not depend on the first-line protection function that presented the certification (for example, the CISO office) or its functional equivalent (depending on the circumstances).
– Internal evaluators must have relevant, up-to-date experience in assessing cybersecurity-related controls.
- SWIFT reserves the right to seek independent external guarantees (CSP clause 2.3). If a SWIFT user is selected for evaluation at SWIFT's request, a notification from SWIFT is sent to the CISO. SWIFT requires users selected for evaluation to appoint an independent third-party (i.e., external) evaluator and to use standardized SWIFT templates to conduct the independent evaluation. Independent internal parties, including those performing internal audit functions, are not allowed to conduct an assessment requested by SWIFT. Users are required to inform SWIFT about the company providing the external assessment services using a standardized notification template. SWIFT reserves the right to confirm the authority of the supplier (company) to conduct the assessment, the qualifications of the personnel performing the assessment, and/or their ability to assess compliance with the requirements of the CSCF.
The assessment methods we use are:
• Inquiries: interviewing relevant staff.
• Surveillance: direct observation of the existence of specific control measures.
• Inspection: obtaining evidence gathered by checking documents and records.
• Testing: practical verification of system security features and selective evidence collection.
Our partnership with SWIFT confirms the quality of our services in auditing information security and cybersecurity management systems, and also gives us the opportunity to receive support and exchange the methodology for conducting self-certification under the Client Security Program (CSP).
• Client Security Program (CSP) v2019
• Client Security Program (CSP) v2020
• Client Security Control Policy (CSCP) v2019
• KYC Safety Certification
• Excel-based CSCF evaluation templates and forms