
Shared Infrastructure Programme
Security and Operational Framework 2020 – Detailed Description

This document establishes a set of mandatory security controls for service bureaux participating in the Shared Infrastructure Programme. This version of the document is effective as from 1st January 2020.

03 January 2020
Shared Infrastructure Programme – Security and Operational Framework 2020 – Detailed Description

Table of Contents
Preface ..... 3
SWIFT Security Control Framework Summary ..... 4
Framework Objectives and Principles ..... 5
Scope of Controls ..... 7
Controls Structure ..... 9
Controls Compliance ..... 10
Controls Summary Table ..... 11
Detailed Control Description ..... 15
Legal Notices ..... 29

27 December 2019 2

Preface
About this document
This document establishes a set of mandatory security controls for service bureaux
participating in the Shared Infrastructure Programme.
Intended audience
This document is intended for parties that offer or want to offer shared infrastructure
services in the context of the Shared Infrastructure Programme.
Significant changes
This version aligns with SWIFT's Customer Security Controls Framework (CSCF) v2020, removing the now obsolete elements incorporated in the CSCF itself. It also clarifies and rationalises a few other existing elements such as expectations regarding performance monitoring (controls 8.x) and resilience (controls 9.x).
Note: Additional guidance and other clarifications to existing CSCF controls have to be retrieved from the CSCF v2020 documents, as they are not reproduced in this document, which only refers to the control objective and statement.
Changes after publication of the advance information
The updated framework was published as advance information in October 2019. After that date, the following inconsistencies were corrected:
• Control 1.1.3 was rewritten to highlight the requirements present in the CSCF and the need for a network configuration review process.
Related documentation
• Shared Infrastructure Programme Terms and Conditions
• Shared Infrastructure Policy
• Customer Security Programme Terms and Conditions
• Customer Security Controls Framework (CSCF)
• Shared Infrastructure Programme area of swift.com
• SWIFT Certified Interface Programme Overview
• List of certified interface providers
• SWIFT General Terms and Conditions
• SWIFT Corporate Rules
• SWIFT By-laws
• SWIFT Personal Data Protection Policy
• SWIFT Trademark Guidelines


SWIFT Security Control Framework Summary


While customers are responsible for protecting their own environments and access to
SWIFT, SWIFT’s Customer Security Programme (CSP) was introduced in 2016 to support
customers in the fight against cyber fraud.
The CSP establishes a common set of security controls designed to help customers secure their local environments and to foster a more secure financial ecosystem. That set of security controls is described in the SWIFT Customer Security Controls Framework (CSCF).
Similarly, the Shared Infrastructure Programme aims at defining a reference for secure and reliable indirect connectivity to SWIFT's services through required compliance with Shared Infrastructure Programme security and also operational controls.
For the sake of consistency and uniformity, the Shared Infrastructure Programme security controls have been aligned with, although sometimes extending, the controls from the CSCF.
The CSCF describes a set of mandatory and advisory security controls for SWIFT users, against which SWIFT users self-attest. However, the Shared Infrastructure Programme mandates all of them but two (2.9 Transaction Business Controls and 2.11 RMA Controls, which are by default not applicable so far) for the service bureaux, considering the inherent concentration of risk due to their traffic aggregation role as an Architecture A1 or A2 (as per the CSCF definition).
All Shared Infrastructure Programme controls are articulated around five overarching
objectives: Secure your Environment, Know and Limit Access, Detect and Respond,
Maintain SWIFT Services Availability, and Limit Customer Business Disruption. The
controls have been developed based on SWIFT's analysis of cyber threat intelligence and in
conjunction with industry experts and users’ feedback. The Control Definitions are also
intended to be in line with existing information security industry standards.
The controls outlined in this document represent, to the extent possible, general product-agnostic controls. They should not be considered exhaustive or all-inclusive, and do not replace a well-structured security, operational, and risk framework that covers the whole end-to-end transaction chain, sound judgment, or compliance with the latest best practices.
Given the evolving nature of cyber threats, it is the intention to regularly assess the controls,
and to refine and expand them as deemed necessary by publishing a new version of this
document. Consequently, please ensure that you always use the latest available version of
this document located in the Shared Infrastructure Programme area of swift.com. Similarly,
make sure that you are using this document with the latest available version of the related
CSCF document located in the Customer Security Program area of swift.com.
To ensure adoption of and continued compliance with the controls, SWIFT has developed an attestation and compliance process that will require service bureaux to self-attest compliance against all the latest Shared Infrastructure Programme security and operational controls on an annual basis before the end of April, or two weeks prior to an on-site inspection planned before the end of April. Such self-attestation status reporting will have to be done through an on-line tool when available and/or by filling out a standard questionnaire in offline format. Comprehensive information regarding the compliance process, the implications for the service bureau status, and its display in the service bureau Directory can be found in the Shared Infrastructure Programme Terms and Conditions.


Framework Objectives and Principles


The security and operational controls are based on five overarching framework objectives.
Three objectives, Secure your Environment, Know and Limit Access, and Detect and
Respond, are related to Security in full alignment with the Customer Security Controls
Framework while extended to cope with Client-Supporting Security. Two objectives,
Maintain SWIFT Services Availability and Limit Customer Business Disruption, are
devoted to Operational Excellence.
Those framework objectives are supported by thirteen (eight security and five operational) principles. Objectives are the highest-level structure for security and operational excellence within the service bureau's local environment. The associated principles elaborate on the highest-priority focus areas within each objective. The objectives and corresponding principles include:

The controls listed in this document underpin the above objectives and principles. The
controls are intended to help mitigate specific cybersecurity and availability risks that SWIFT
users, as customers of a service bureau, face. Within each control, SWIFT has documented
the main objective the control is designed to help mitigate. Complying with the Control
Statements in line with the Implementation Guidelines aims to prevent or minimise
undesirable and potentially fraudulent business consequences or disruptions, such as:
• unauthorised sending or modification of financial transactions
• processing of altered or unauthorised SWIFT inbound transactions
• business conducted with an unauthorised counterparty
• confidentiality breach (of business data, computer systems, or operator details)
• integrity breach (of business data, computer systems, or operator details)
• availability breach or business disruptions
Ultimately, these consequences represent enterprise-level risks, including:
• financial risk
• legal risk
• regulatory risk
• reputational risk


Scope of Controls
The controls in this document are scoped to encompass a defined set of components in the provider's local environment, complementing the CSCF scope described below. Refer to the CSCF document for a description of the various components.

The service bureaux play a critical man-in-the-middle role between their customers, being SWIFT users, and the SWIFT network.
Therefore, in a service bureau's infrastructure, the Business and/or Web Application(s) and other customer-facing components are considered as messaging interface/other SWIFT-related applications and are in scope as depicted below.

In case of multiple SWIFT-related applications (excluding the messaging and communication interface) owned by the service bureau, the security controls only apply to the data exchange layer.
The security controls also apply to the data flow between the service bureau's customer infrastructure and the service bureau's infrastructure.


If the service bureau outsources any component of its infrastructure or service to a third
party (for example, to an external IT provider, cloud provider, or a hosting provider), then the
service bureau remains responsible for the conformance with the security controls and must
seek compliance from its third party.


Controls Structure
Security and operational controls in this document are articulated in three parts: General
Control Information, Control Definition, and Implementation Guidance, as described below.
Control Number and Title
Each control has a unique number and title aligned with the CSCF. All CSCF controls are Mandatory and must be implemented by service bureaux. The only exceptions are 2.9 Transaction Business Controls and 2.11 RMA Controls which, by default, are not taken into account in the Shared Infrastructure Programme compliance evaluation. In order to reduce cross-reference problems across Shared Infrastructure Programme Security and Operational Framework releases, control numbering is not altered (for example, when introducing new items). Similarly, obsolete controls do not result in the renumbering of other controls. Such controls are marked as Obsolete and only referred to for numbering relevance.
Control Definition
Control Objective: the security goal to be achieved irrespective of the implementation
method.
When a control complements an existing control, the Control Objective is not repeated.
Implementation Guidance
Control Statement: the requirement by which the Control Objective can be fulfilled and with which the service bureau must comply.
When a control complements an existing control, the Control Statement may not be
repeated.
Implementation Guidelines: SWIFT-formulated method for control implementation that
must be taken into account during self-assessment reporting and that will be used as
baseline during on-site inspections.


Controls Compliance
As per the security controls structure described in the Control Structure chapter, the
objective of a control states the security goal to be achieved irrespective of the
implementation method used.
To comply with a security control, service bureaux must implement a solution that fulfils all
the following conditions:
• meets the stated Control Objective
• addresses the risk drivers (see CSCF Appendix A for a risk matrix and Appendix C for
illustrations of such risks)
• covers the in-scope components
The Control Statement is the suggested means to fulfil the Control Objective, and the Implementation Guidelines are common methods for implementing the control.
Compliance can be obtained by either of the following methods:
• implementing a solution aligned with the implementation guidance provided in this
document or in the CSCF by SWIFT
• implementing an alternative solution to the SWIFT-formulated implementation
guidance, which equally meets the control objective and addresses related outlined
risks
In such (last) case, deployed controls, their effectiveness, and particular environment
specificities have to be taken into account to properly assess the control objective
compliance of the solution (risk assessment approach).
Service bureaux are ultimately responsible for assessing the suitability of SWIFT-formulated
implementation guidance in their environment or determining if they wish to adopt
alternative implementation solutions. However, the implementation guidance section will be considered as an "audit checklist" during the on-site inspection referred to in the Shared Infrastructure Programme Terms and Conditions. Therefore, where some implementation guideline elements are not present or only partially covered, mitigations as well as particular environment specificities have to be taken into account to properly assess the overall level of adherence to the guidelines.


Controls Summary Table


The following table provides an overview of all the Shared Infrastructure Programme
security and operational controls, structured according to the principle they support.
Note: In this table, you find all valid controls and, for numbering relevance, the obsolete references. When obsolete references have been removed in the scope of the 2020 updates, the reasoning behind the removal is briefly explained.
Reading convention
Type of controls / Description
Non-shaded controls: the plain Customer Security Controls Framework (CSCF) controls. They are fully documented in the CSCF document.
Shaded controls: the controls that complement and extend the CSCF controls.


Principle / Control (Security principles 1-7, Operational principles 8-12)

1 Restrict Internet Access and Protect Critical Systems from General IT Environment
  1.1 SWIFT Environment Protection
    1.1.1 Obsolete – covered in 1.1
    1.1.2 Obsolete – incorporated in 1.1.3
    1.1.3 Network Configuration
  1.2 Operating System Privileged Account Control
  1.3 Virtualisation Platform Protection
    1.3.1 Obsolete – covered in 1.3
  1.4 Restriction of Internet Access

2 Reduce Attack Surface and Vulnerabilities
  2.1 Internal Data Flow Security
  2.2 Security Updates
  2.3 System Hardening
  2.4 Back-office Data Flow Security
  2.5 External Transmission Data Protection
    2.5.1 Customer Data Flow Security
  2.6 Operator Session Confidentiality and Integrity
  2.7 Vulnerability Scanning
    2.7.1 Vulnerability Scanning Frequency & Scope
  2.8 Critical Activity Outsourcing
    2.8.1 Provide Shared Connectivity Services
    2.8.2 Outsourcing Critical Activities
    2.8.3 Obsolete
    2.8.4 Obsolete
    2.8.5 Obsolete
    2.8.6 Obsolete
    2.8.7 Limit Access to Customers' Messaging Data
    2.8.8 Critical Activities on Behalf of the Customers
  2.9 Transaction Business Controls (Not Applicable by default)
  2.10 Application Hardening
  2.11 RMA Controls (Not Applicable by default)

3 Physically Secure the Environment
  3.1 Physical Security

4 Prevent Compromise of Credentials
  4.1 Password Policy
  4.2 Multi-factor Authentication

5 Manage Identities and Segregate Privileges
  5.1 Logical Access Control
  5.2 Token Management
  5.3 Personnel Vetting Process
  5.4 Physical and Logical Password Storage

6 Detect Anomalous Activity to Systems or Transaction Records
  6.1 Malware Protection
  6.2 Software Integrity
  6.3 Database Integrity
  6.4 Logging and Monitoring
  6.5 Intrusion Detection

7 Plan for Incident Response and Information Sharing
  7.1 Cyber Incident Response Planning
    7.1.1 Customer Security Incident Notification
  7.2 Security Training and Awareness
  7.3 Penetration Testing
    7.3.1 Yearly Testing
  7.4 Scenario Risk Assessment

8 Set and Monitor Performance
  8.1 Define SLA
  8.2 Obsolete – covered in support requirements
  8.3 Obsolete
  8.4 Capacity Management
  8.5 Early Availability of SWIFTNet Release and FIN Standards

9 Ensure Availability through Resilience
  9.1 Local Resilience
  9.2 Site and Systems Resilience
  9.3 Physical Environment Controls
  9.4 Connect Solidly to the SWIFT Network

10 Be Ready in Case of Disaster
  10.1 Business Continuity Plan

11 Detect and Escalate Operational Malfunctions
  11.1 Events Monitoring
  11.2 Escalation Plan
  11.3 Messaging Monitoring on Behalf of Customer
  11.4 Customer Incident Notification
  11.5 Customer Support Facility

12 Ensure Knowledge is Available
  12.1 Maintain Expertise
Detailed Control Description


The tables below provide description and details for the shaded controls of the previous table, which are the ones that the Shared Infrastructure Programme adds to the full set of the Customer Security Controls. The CSCF controls are not repeated here in detail; only their Control Objective and Control Statement are listed. Full details, such as the definition of critical activities or particular Implementation Guidelines to be adhered to as a baseline by the service bureau, are available in the CSCF document.
Note: In this section, the word user must be understood as service bureau.

1 Restrict Internet Access and Protect Critical Systems from General IT Environment
1.1 SWIFT Environment Protection
Control Objective: Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.
Control Statement: A segregated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments.

1.1.3 Network Configuration (to complement 1.1 SWIFT Environment Protection)
Control Statement: The service bureau must ensure that the inbound and outbound connectivity to the service bureau SWIFT infrastructure is restricted to the fullest extent possible and maintained.
Implementation Guidelines:
• Traffic is restricted (through filtering and/or firewall rules) considering:
  − the various sources (such as the service bureau's customers, the service bureau's office network, the Internet)
  − the specific documentation of the relevant product or service deployed in the service bureau SWIFT infrastructure:
    o the Network Access Control Guide and the Network Configuration Tables Guide
    o when using Alliance products, the Information for Hardening Supported Operating Systems (available) indicating the required listeners
    o for all other products, reverting when necessary to the software provider
• A process is implemented to regularly review and maintain the filtering and/or firewall rules, at least once a year or when introducing infrastructure/topology/technology/system changes.
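As an added illustration of the rule review process that the 1.1.3 guidelines call for (this is example code written for this page, not part of the framework or of any SWIFT tool), the following Python script reviews a constructed firewall rule set for a secure zone. It flags permissive rules whose source is "any" or is not one of the documented allowed sources, rules that open all ports instead of only the required listeners, and rules that have not been reviewed within the last year. The zone, source networks, listener ports, rule identifiers and dates are constructed sample values; the real listener list must come from the product's Network Configuration Tables Guide.

```python
"""Firewall rule-set review for a SWIFT secure zone (added example, not from the framework).

Assumptions of this example: rules are modelled as the Rule dataclass below; the
zone, allowed source networks, listener ports and dates are constructed values.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional, Tuple

SECURE_ZONE = ip_network("10.50.0.0/24")          # constructed: service bureau SWIFT secure zone
# Each source the guideline names (customers, office network, Internet) is handled
# explicitly: only these constructed networks may reach the secure zone.
ALLOWED_SOURCES = {
    "customer-vpn": ip_network("10.20.0.0/16"),   # constructed
    "ops-jump": ip_network("10.60.0.0/28"),       # constructed
}
REQUIRED_LISTENERS = {443, 48002}   # constructed; take the real list from the product documentation
REVIEW_INTERVAL_DAYS = 365          # guideline: review at least once a year


@dataclass
class Rule:
    rule_id: str
    src: str                 # CIDR, or "any"
    dst: str                 # CIDR, or "any"
    port: Optional[int]      # None means all ports
    action: str              # "allow" or "deny"
    last_reviewed: date


def _reaches_secure_zone(rule: Rule) -> bool:
    return rule.dst == "any" or ip_network(rule.dst).overlaps(SECURE_ZONE)


def _source_is_any(src: str) -> bool:
    return src == "any" or ip_network(src).prefixlen == 0


def review_rules(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule_id, finding) pairs for permissive rules into the secure zone."""
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if r.action != "allow" or not _reaches_secure_zone(r):
            continue   # deny rules and rules that never touch the secure zone are out of scope
        if _source_is_any(r.src):
            findings.append((r.rule_id, "source 'any' reaches the secure zone"))
        elif not any(ip_network(r.src).subnet_of(net) for net in ALLOWED_SOURCES.values()):
            findings.append((r.rule_id, "source is not a documented allowed source"))
        if r.port is None:
            findings.append((r.rule_id, "all ports open; restrict to the required listeners"))
        elif r.port not in REQUIRED_LISTENERS:
            findings.append((r.rule_id, f"port {r.port} is not a required listener"))
        if (today - r.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((r.rule_id, "not reviewed within the last year"))
    return findings


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("fw-001", "10.20.0.0/16", "10.50.0.0/24", 443, "allow", date(2019, 11, 4)),
    Rule("fw-002", "any", "10.50.0.10/32", 48002, "allow", date(2019, 11, 4)),
    Rule("fw-003", "10.60.0.0/28", "10.50.0.0/24", None, "allow", date(2018, 6, 1)),
    Rule("fw-004", "192.168.7.0/24", "10.50.0.0/24", 443, "allow", date(2019, 11, 4)),
    Rule("fw-005", "any", "any", None, "deny", date(2019, 11, 4)),
]

if __name__ == "__main__":
    for rule_id, finding in review_rules(SAMPLE_RULES, date(2020, 1, 3)):
        print(f"{rule_id}: {finding}")
```

The review date is passed in rather than read from the clock so that the same rule set gives the same result each run; in practice the output of such a script is the input to the annual review meeting, not a replacement for it.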
1.2 Operating System Privileged Account Control
Control Objective: Restrict and control the allocation and usage of administrator-level operating system accounts.
Control Statement: Access to administrator-level operating system accounts is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, an account with least privilege access is used.

1.3 Virtualisation Platform Protection
Control Objective: Secure virtualisation platform and virtual machines (VMs) hosting SWIFT-related components to the same level as for physical systems.
Control Statement: Secure virtualisation platform, virtualised machines, and supporting virtual infrastructure (for example, firewalls) to the same level as physical systems.

1.4 Restriction of Internet Access
Control Objective: Restrict Internet access from operator PCs and other systems within the secure zone.
Control Statement: All operator PCs and systems within the secure zone have restricted direct internet access in line with business.

2 Reduce Attack Surface and Vulnerabilities

2.1 Internal Data Flow Security
Control Objective: Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related applications.
Control Statement: Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related application-to-application and, when used, jump server-to-application data flows.
Note: If an application is spread over several nodes or systems (virtual or physical), then the (application) communication between those nodes also has to be similarly protected.

2.2 Security Updates
Control Objective: Minimise the occurrence of known technical vulnerabilities within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.
Control Statement: All hardware and software inside the secure zone and on operator PCs are within the support lifecycle of the vendor, have been upgraded with mandatory software updates, and have had security updates promptly applied.

2.3 System Hardening
Control Objective: Reduce the cyberattack surface of SWIFT-related components by performing system hardening.
Control Statement: Security hardening is conducted and maintained on all in-scope components.

2.4 Back-office Data Flow Security
Control Objective: Ensure the confidentiality, integrity, and mutual authenticity of data flows between SWIFT infrastructure components and the back-office first hop they connect to.
Control Statement: Confidentiality, integrity, and mutual or message-level based authentication mechanisms are implemented to protect data flows between SWIFT infrastructure components and the back-office first hop they connect to.

2.5 External Transmission Data Protection
Control Objective: Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as per operational processes.
Control Statement: Sensitive SWIFT-related data leaving the secure zone as the result of (i) operating system/application back-ups, business transaction data replication for archiving or recovery purposes, or (ii) extraction for off-line processing is protected when stored outside of a secure zone and encrypted while in transit.
2.5.1 Customer Data Flow Security
Control Objective: Ensure the confidentiality, integrity, and authenticity of data flows between the service bureau SWIFT-related applications and their customers.
Control Statement: Communication traffic between the SWIFT customers' sites and the service bureau's SWIFT infrastructure is protected through secure protocols to support the confidentiality, integrity and mutual authentication of the data flows.
Implementation Guidelines:
• Secure protocols use current, commonly accepted cryptographic algorithms (for example, AES, ECDHE), with key lengths in accordance with current best practices. More guidelines on the cryptographic algorithms to be used in order to provide integrity and confidentiality of data in transit can be found in SWIFT Knowledge Base tip 5021566 (algorithms and protocols).
• Customer multi-factor authentication must be implemented and used by all SWIFT customers in human-to-machine communication at application level and also, when such access is required, at operating system level. This targets both SWIFT-related components and Web applications and/or systems accessed by customers to perform SWIFT-related operations (such as posting, creating, approving, or modifying transactions). The machine-to-machine or application-to-application communication (between the SWIFT customer and a service bureau) must be authenticated. This is usually done by using a pre-shared secret (at least 17 characters long) or a certificate (preferred option). Pre-shared keys and certificates must be securely distributed.
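The following Python check, added here as an example and not taken from the framework or from any SWIFT tool, turns the 2.5.1 guidelines into a configuration review for a customer-facing endpoint and runs it against a constructed weak configuration and its corrected counterpart. The 17-character minimum for a pre-shared secret is the guideline's own figure; the TLS 1.2 floor, the accepted cipher-suite pattern (ECDHE key exchange with AES-GCM, matching the document's AES and ECDHE examples) and the configuration field names are assumptions of this example, since the document defers the algorithm list to SWIFT Knowledge Base tip 5021566.

```python
"""Configuration review for a customer-facing endpoint (added example for control 2.5.1).

Example code, not part of the framework. MIN_PSK_LEN comes from the guideline;
MIN_TLS_VERSION, ACCEPTED_SUITE and the configuration keys are assumptions.
"""
import re
from typing import Any, Dict, List

MIN_PSK_LEN = 17                    # guideline: pre-shared secret at least 17 characters
MIN_TLS_VERSION = (1, 2)            # assumption of this example
# ECDHE key exchange with AES-GCM; assumption of this example, not SWIFT's published list.
ACCEPTED_SUITE = re.compile(r"^ECDHE-(RSA|ECDSA)-AES(128|256)-GCM-SHA(256|384)$")


def check_customer_endpoint(cfg: Dict[str, Any]) -> List[str]:
    """Return the list of findings for one endpoint; an empty list means it passes."""
    findings: List[str] = []
    if tuple(cfg["tls_min_version"]) < MIN_TLS_VERSION:
        findings.append("TLS versions below 1.2 are accepted")
    weak = [s for s in cfg["cipher_suites"] if not ACCEPTED_SUITE.match(s)]
    if weak:
        findings.append("cipher suites without ECDHE/AES-GCM enabled: " + ", ".join(weak))
    # Mutual authentication of the data flow: the endpoint must demand a client certificate.
    if cfg["client_auth"] != "required":
        findings.append("client certificate not required (no mutual authentication)")
    # Human-to-machine access by customers requires multi-factor authentication.
    if cfg["human_access"] and not cfg["mfa_enabled"]:
        findings.append("customer MFA not enforced on human-to-machine access")
    # Machine-to-machine traffic: a certificate (preferred) or a sufficiently long pre-shared secret.
    m2m = cfg["m2m_auth"]
    if m2m == "psk":
        if len(cfg.get("psk", "")) < MIN_PSK_LEN:
            findings.append(f"pre-shared secret shorter than {MIN_PSK_LEN} characters")
    elif m2m != "certificate":
        findings.append("machine-to-machine traffic is not authenticated")
    return findings


# Constructed sample configurations: a weak one and the corrected one.
WEAK_ENDPOINT = {
    "tls_min_version": (1, 0),
    "cipher_suites": ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "DES-CBC3-SHA"],
    "client_auth": "none",
    "human_access": True,
    "mfa_enabled": False,
    "m2m_auth": "psk",
    "psk": "swift2020",           # 9 characters, constructed
}
HARDENED_ENDPOINT = {
    "tls_min_version": (1, 2),
    "cipher_suites": ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
    "client_auth": "required",
    "human_access": True,
    "mfa_enabled": True,
    "m2m_auth": "certificate",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_ENDPOINT), ("hardened", HARDENED_ENDPOINT)):
        print(name, check_customer_endpoint(cfg) or "OK")
```

The check treats a certificate as passing without further conditions because the guideline names it the preferred option; the secure distribution of certificates and pre-shared keys that the last sentence of the guideline requires is a process property and is not something a configuration file can show.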
2.6 Operator Session Confidentiality and Integrity
Control Objective: Protect the confidentiality and integrity of interactive operator sessions connecting to the local SWIFT infrastructure.
Control Statement: The confidentiality and integrity of interactive operator sessions connecting to SWIFT-related applications or into the secure zone is safeguarded.

2.7 Vulnerability Scanning
Control Objective: Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process.
Control Statement: Secure zone including dedicated operator PC systems are scanned for vulnerabilities using an up-to-date, reputable scanning tool and results are considered for appropriate resolving actions.

2.7.1 Vulnerability Scanning Frequency & Scope (superseding 2.7 Vulnerability Scanning)
Implementation Guidelines: Vulnerability scanning must be performed at least quarterly and should include network components (such as routers and switches).

2.8 Critical Activity Outsourcing
Control Objective: Ensure protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities.
Control Statement: Critical outsourced activities are protected, at a minimum, to the same standard of care as if operated within the originating organisation.
2.8.1 Provide Shared Connectivity Services (to complement 2.8 Critical Activity Outsourcing)
Control Objective: Ensure that the service bureau provides actual shared connectivity services.
Control Statement: The service bureau must own and operate the SWIFT connectivity (VPN and SWIFTNet Link, and optionally an Alliance Gateway or alternative gateway solution) and/or the SWIFT messaging interface (Alliance Access, AMH or other certified messaging interface product).
Implementation Guidelines:
• Using a third party for the hosting of the systems is allowed.
• Service bureaux are allowed to outsource a back-up or disaster recovery solution only to another Shared Infrastructure Programme registered service bureau when:
  - Service Level Agreements (SLAs) and a Non-Disclosure Agreement (NDA) are established with the other Shared Infrastructure Programme Registered service bureau. These SLAs define the standard of care under which those critical operations are carried out by the other Shared Infrastructure Programme Registered service bureau, in line with those communicated to the service bureau's customers.
  - The Shared Infrastructure Programme Registered status of the outsourced service bureau is reviewed at least twice a year.
2.8.2 Outsourcing Critical Activities (to complement 2.8A Critical Activity Outsourcing)
Control Statement: Critical operations must be performed by the service bureau.
Implementation Guidelines: The physical hosting of equipment with a third party is not considered as a critical activity, but contractual arrangements between the service bureau and the third party that hosts shared infrastructure components must provide the following details:
• provisions about SWIFT's rights to audit this third party
• provisions supporting the availability commitments that the service bureau has with its customers
• provisions for appropriate escalation in case of an integrity or confidentiality incident/breach affecting the service bureau systems and (customers') data
Considerations for alternative implementation: In case change management of hardware or operating systems supporting the SWIFT service, or network management and configuration, have to be outsourced, the following minimum risk-mitigating measures must be ensured and/or provisioned in the contractual agreement:
• a clear identification of critical actions performed by the third party on behalf of the service bureau and assurance that they are performed as per the operational controls
• a service level agreement (SLA) between the service bureau and the third party
• SWIFT's right to audit as per the operational controls and/or to inspect the premises and operations of the third party
• an annual audit of the third-party company by the service bureau should be performed, or positive and internationally recognised Trusted Third Party assurance reports such as ISAE 3402, ISAE 3000, or PCI-DSS, covering the activities outsourced by the service bureau in line with the operational controls, should be available and maintained
2.8.7 Limit Access to Customers' Messaging Data
To complement 2.8 A Critical Activity Outsourcing
Control Objective: Protect the confidentiality of the customers' messaging data.
Control Statement: Unless explicitly requested by its customers, the service bureau operator must not have access to the messages payload.
Context: Prevent leakage of customers' messaging data by limiting access to those sensitive data.
Implementation Guidelines:
• By default, operators or administrators do not have access to the customers' messages payload (data should be encrypted in the DB, or access should be subject to formal authorisation for rights escalation and/or subject to an effective 4-eyes process).
• Formal authorisation by the customer to access its messages payload is to be recorded (can be contractual for support or explicit monitoring as per 8.1), either globally or each time it is required (for temporary support at customer request).
2.8.8 Critical Activities on Behalf of the Customer
To support critical activity performed on behalf of your SWIFT customers and 2.8 A Critical Activity Outsourcing
Control Statement: Security-related operations performed by the service bureau on behalf of its SWIFT customer must be performed according to strict security procedures agreed between the service bureau and the customer.
The security-related operations cover (but are not limited to):
• PKI certificates administration (such as certificate lifecycle management, RBAC roles assignment)
• users management
• RMA management
• tokens management
Implementation Guidelines:
The agreed procedures must ensure that each security management operation:
• complies with the 4-eyes principle
• is restricted for access to the service bureau authorised personnel
• includes a back-up responsible person
• is recorded in an audit trail
• is reported upon request to the end customer
• is, when triggered by the customer, supported by a formal customer request
Remote access from the service bureau to the SWIFT customer site to perform activities requested by SWIFT customers must be strictly controlled (that is, documented, approved, technically secured by ensuring mutual authentication and usage of secure protocols, and monitored).
2.9 Transaction Business Controls (Not Applicable by default)
Not relevant by default but kept for alignment with the CSCF.
To be considered if the service bureau is performing such control further to an explicit request of at least one customer or as part of its standard offering to its customers.
2.10 Application Hardening
Control Objective: Reduce the attack surface of SWIFT-related components by performing application hardening on the SWIFT-certified messaging and communication interfaces and related applications.
Control Statement: All messaging interface and communication interface products within the secure zone are SWIFT-certified applications. Application security hardening is conducted and maintained on all in-scope components.

2.11 RMA Controls (Not Applicable by default)
Not relevant by default but kept for alignment with the CSCF.
To be considered if the service bureau performs such control on explicit request of at least one customer or as part of its standard offering to its customers.

3 Physically Secure the Environment


3.1 Physical Security
Control Objective: Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage.
Control Statement: Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage.

4 Prevent Compromise of Credentials

4.1 Password Policy
Control Objective: Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.
Control Statement: All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed log-in attempts. Similarly, personal tokens and mobile devices enforce passwords or Personal Identification Numbers (PIN) with appropriate parameters.

4.2 Multi-Factor Authentication
Control Objective: Prevent a compromise of a single authentication factor from allowing access into SWIFT systems, by implementing multi-factor authentication.
Control Statement: Multi-factor authentication is used for interactive user access to SWIFT-related applications and operating system accounts.

5 Manage Identities and Segregate Privileges


5.1 Logical Access Control
Control Objective: Enforce the security principles of need-to-know access, least privilege, and segregation of duties for operator accounts.
Control Statement: Accounts are defined according to the security principles of need-to-know access, least privilege, and segregation of duties.

5.2 Token Management
Control Objective: Ensure the proper management, tracking, and use of connected hardware authentication tokens (if tokens are used).
Control Statement: Connected hardware authentication tokens are managed appropriately during assignment, distribution, revocation, use, and storage.

5.3 Personnel Vetting Process
Control Objective: Ensure the trustworthiness of staff operating the local SWIFT environment by performing personnel vetting in line with applicable local laws and regulations.
Control Statement: Staff operating the local SWIFT infrastructure are vetted prior to initial employment in that role and periodically thereafter.

5.4 Physical and Logical Password Storage
Control Objective: Protect, physically and logically, a repository of recorded passwords.
Control Statement: Recorded passwords are stored in a protected physical or logical location, with access restricted on a need-to-know basis.

6 Detect Anomalous Activity to Systems or Transaction Records


6.1 Malware Protection
Control Objective: Ensure that the local SWIFT infrastructure is protected against malware.
Control Statement: Anti-malware software from a reputable vendor is installed and kept up-to-date on all systems.

6.2 Software Integrity
Control Objective: Ensure the software integrity of the SWIFT-related applications.
Control Statement: A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related applications.

6.3 Database Integrity
Control Objective: Ensure the integrity of the database records for the SWIFT messaging interface.
Control Statement: A database integrity check is performed at regular intervals on databases that record SWIFT transactions.

6.4 Logging and Monitoring
Control Objective: Record security events and detect anomalous actions and operations within the local SWIFT environment.
Control Statement: Capabilities to detect anomalous activity are implemented, and a process or tool is in place to frequently store and review logs.

6.5 Intrusion Detection
Control Objective: Detect and prevent anomalous network activity into and within the local SWIFT environment.
Control Statement: Intrusion detection is implemented to detect unauthorised network access and anomalous activity.

7 Plan for Incident Response and Information Sharing


7.1 Cyber Incident Response Planning
Control Objective: Ensure a consistent and effective approach for the management of cyber incidents.
Control Statement: The user has a defined and tested cyber incident response plan.

7.1.1 Customer Security Incident Notification
To complement 7.1 Cyber Incident Response Planning
Control Statement: The service bureau must also notify each impacted SWIFT customer without delay in case of cyber/security incidents compromising the confidentiality, integrity, or availability of their data.

7.2 Security Training and Awareness
Control Objective: Ensure that all staff are aware of and fulfil their security responsibilities by performing regular security training and awareness activities.
Control Statement: Annual security awareness sessions are conducted for all staff members, including role-specific training for SWIFT roles with privileged access.

7.3 Penetration Testing
Control Objective: Validate the operational security configuration and identify security gaps by performing penetration testing.
Control Statement: Application, host, and network penetration testing is conducted into and within the secure zone and on operator PCs.

7.3.1 Yearly Testing
Superseding 7.3 Penetration Testing
Implementation Guidelines: The penetration testing must be performed yearly.

7.4 Scenario Risk Assessment
Control Objective: Evaluate the risk and readiness of the organisation based on plausible cyberattack scenarios.
Control Statement: Scenario-driven risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation's security programme.

8 Set and Monitor Performance


8.1 Define SLA
Control Objective: Ensure availability by formally setting and monitoring the objectives to be achieved.
Control Statement: SLA and NDA must be part of the contractual agreement and cover critical activities performed on behalf of the SWIFT customers and incidents escalation to them.
Implementation Guidelines:
Contractual agreement to contain NDA and SLA covering:
• the scope and hours of service
• the scope of access to message payload, including a description of messaging monitoring and pro-active messaging monitoring on behalf of customers (if applicable)
• response times to customer requests
• highlights of the change management and incident management procedures agreed between the service bureau and its customers
• the delegation of SWIFT customer shared security officer, when applicable
• the delegation of any SWIFT customer configuration changes such as, but not limited to, customer settings on the following components: messaging and communication interface, HSMs, SWIFTNet Online Operations Manager, and Secure Channel
8.2 Obsolete
Covered in support requirements

8.3 Obsolete

8.4 Capacity Management
Control Objective: Ensure availability, capacity, and quality of service to customers.
Control Statement: The service bureau must demonstrate an effective capacity planning process driving infrastructure changes when required.
Implementation Guidelines:
Capacity planning covering the SWIFT business needs must be performed at least yearly. The formal capacity planning process must include:
• the monitoring of the current capacity of the resources underlying the messaging and communication interfaces
• the planning for future capacity based on the anticipated variation in the number of customers and in system requirements
The capacity planning process must cover:
• a connectivity pack (Gold, Silver) to ensure compliance with the 9.4 Implementation Guidelines in terms of performance
• a communication interface (CPU, memory, and disks)
• a messaging interface (CPU, memory, and disks)
8.5 Early Availability of SWIFTNet Releases and of FIN Standards
Control Objective: Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live.
Control Statement: The service bureau must implement:
• SWIFTNet messaging services software upgrades at least 1 month before the product's end of life
• SWIFT Standards releases at least 6 weeks before the annual FIN standards changeover
Implementation Guidelines:
Upgrade in a timely manner the software that enables SWIFTNet messaging:
- for FIN, FileAct, InterAct, and SWIFT WebAccess: SWIFTNet Link
- for SWIFTNet Instant: Alliance Gateway Instant
Implement in a timely manner the new SWIFT Standards for testing in the messaging interface.
After implementations are complete, communicate the early availability to the customer to allow testing.

9 Ensure Availability through Resilience

9.1 Local Resilience
Control Objective: The service bureau must ensure that the service remains available for customers in the event of a local disturbance or malfunction.
Control Statement: The service bureau must provide and test formal monitoring and operational measures to allow timely activation of a local fallback solution at the primary site that is able to cope with the customers' traffic.
Implementation Guidelines:
These measures must include:
• The presence of a resilient (that is, duplicated, clustered, or virtualised) production infrastructure supporting the SWIFT messaging, such as (but not limited to):
− network components
− middleware (like MQ or an FTP server)
− messaging and communication interfaces
− HSM boxes
• The availability of data to allow fast recovery in case of hardware or software failure, such as (but not limited to):
− back-ups (or images) of the systems supporting the SWIFT messaging
− back-ups (at application level) of the messaging interface and the communication interface
• In case resiliency is achieved by duplication, a regular (at least once a year) test of, or switch to, the local fallback solution must be performed.
Considerations for alternative implementations:
• multiple active sites, all being capable of running the full load, can also ensure service availability
9.2 Site and Systems Resilience
Control Objective: The service bureau must ensure that the service remains available for customers in the event of a site disaster.
Control Statement: The service bureau is required to have a disaster recovery site that enables it to meet the committed Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
Implementation Guidelines:
• The following infrastructure supporting the SWIFT messaging must be present at the disaster recovery site:
− network components
− jump server
− middleware (if applicable)
− SWIFT-related applications (if applicable)
− messaging and communication interfaces
− HSM boxes
• The service bureau must have documented disaster recovery procedures.
• The service bureau must regularly (at least yearly) perform a disaster recovery test with at least some customers' involvement, confirming the ability to meet the committed RTO (which should not exceed 4 hours) and RPO (which should not exceed 6 hours).

9.3 Physical Environmental Controls
Control Objective: The service bureau must ensure that the service remains available for customers in the event of a disturbance, a hazard, or an incident.
Control Statement: The service bureau must implement environmental controls that address the risk exposures relevant to the location of its data centres.
Implementation Guidelines:
These controls include:
• air conditioning (preferably resilient)
• earthquake protection, when relevant
• water leak detection, when relevant
• fire detection and suppression measures
• diesel generator
• uninterruptible power supplies (UPS) and batteries (preferably resilient).
The service bureau or the hosting company must provide evidence of the activation of such environmental controls as well as of the regular maintenance of the related equipment.
9.4 Connect Solidly to the SWIFT Network
Control Objective: Availability and quality of service is ensured through usage of the recommended SWIFT connectivity pack.
Control Statement: The service bureau must only operate Alliance Connect Gold for its primary/active site(s) and an Alliance Connect Silver (with dual-VPN solution) as the minimum for its disaster recovery site(s).
Context:
• Internet lines have no performance guarantees or managed resiliency and are potentially more prone to distributed denial of service (DDoS) attacks and other cyber-attacks.
• SWIFT can monitor both Alliance Connect Gold lines in case of failure, and negotiated SLAs are provided on both leased lines connecting to one (or two) managed networks operated by the network partners.
• In the case of a connection or line failure, there is an automatic fallback to the other Alliance Connect Gold leased line, thereby limiting service disruptions and keeping the failover transparent for the service bureau.
Implementation Guidelines:
The service bureau must ensure that there is sufficient bandwidth and an associated SWIFTNet Link throughput class to process the following live traffic (excluding Test and Training):
• peak daily live traffic volumes taken over the previous 6 calendar months in 4 hours or less on the primary site
• average daily live traffic volumes taken over the previous 6 calendar months in 6 hours or less on the disaster recovery site
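The two sizing rules above (peak over the previous 6 calendar months in 4 hours for the primary site, 6-month average in 6 hours for the disaster recovery site) can be turned into a repeatable capacity check that also feeds control 8.4. The following is an added example, not part of the framework or of any SWIFT tool; the daily volume records and the provisioned per-hour capacities are constructed placeholders, and the exclusion of Test and Training traffic is taken from the guideline text.

```python
"""Added example: capacity check for control 9.4 Implementation Guidelines.
Daily live volumes (messages per day) and provisioned capacities below are
constructed sample values, not figures from the framework."""
from dataclasses import dataclass
from datetime import date
import math

PRIMARY_WINDOW_HOURS = 4   # 9.4: peak daily volume in 4 hours or less (primary)
DR_WINDOW_HOURS = 6        # 9.4: average daily volume in 6 hours or less (DR)
LOOKBACK_MONTHS = 6        # 9.4: previous 6 calendar months


@dataclass(frozen=True)
class DailyVolume:
    day: date
    messages: int
    test_and_training: bool = False  # T&T traffic is excluded from the sizing


def window_start(as_of: date, months: int = LOOKBACK_MONTHS) -> date:
    """First day of the calendar month `months` months before as_of's month."""
    year, month = as_of.year, as_of.month - months
    while month <= 0:
        month += 12
        year -= 1
    return date(year, month, 1)


def in_scope(records, as_of: date):
    """Live records in the previous N full calendar months (current month excluded)."""
    start = window_start(as_of)
    first_of_current = date(as_of.year, as_of.month, 1)
    return [r for r in records
            if not r.test_and_training and start <= r.day < first_of_current]


def required_throughput(records, as_of: date):
    """Messages per hour the primary and DR sites must sustain under 9.4."""
    live = in_scope(records, as_of)
    if not live:
        raise ValueError("no live traffic records in the 6-month window")
    peak = max(r.messages for r in live)
    avg = sum(r.messages for r in live) / len(live)
    return math.ceil(peak / PRIMARY_WINDOW_HOURS), math.ceil(avg / DR_WINDOW_HOURS)


def check_sizing(records, as_of: date, primary_per_hour: int, dr_per_hour: int):
    """Compare provisioned per-hour capacity with the 9.4 requirement."""
    need_primary, need_dr = required_throughput(records, as_of)
    return {
        "primary_required": need_primary, "primary_ok": primary_per_hour >= need_primary,
        "dr_required": need_dr, "dr_ok": dr_per_hour >= need_dr,
    }


# Constructed sample history; as_of 2019-12-15 makes June to November the window.
SAMPLE = [
    DailyVolume(date(2019, 5, 31), 90_000),   # May: outside the window
    DailyVolume(date(2019, 6, 3), 40_000),
    DailyVolume(date(2019, 8, 12), 52_000),
    DailyVolume(date(2019, 9, 30), 64_000),   # quarter-end peak
    DailyVolume(date(2019, 10, 1), 48_000),
    DailyVolume(date(2019, 11, 15), 44_000),
    DailyVolume(date(2019, 11, 16), 200_000, test_and_training=True),  # excluded
    DailyVolume(date(2019, 12, 2), 99_000),   # current month: not a "previous" month
]
AS_OF = date(2019, 12, 15)


def sample_report():
    # Placeholder provisioned capacities: primary 20,000/h, DR 8,000/h.
    return check_sizing(SAMPLE, AS_OF, primary_per_hour=20_000, dr_per_hour=8_000)


if __name__ == "__main__":
    print(sample_report())
```

With the sample data the primary site needs 16,000 messages/hour (64,000 peak over 4 hours) and the DR site 8,267/hour (49,600 average over 6 hours), so the placeholder DR capacity of 8,000/hour fails the check.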

10 Be Ready in Case of Major Disaster


10.1 Business Continuity Plan
Control Objective: Business continuity is ensured through a documented plan communicated to potentially affected parties (service bureau and customers).
Control Statement: The service bureau must have a Business Continuity Plan demonstrating the ability of the service bureau to guarantee the service in case of major incidents and to ensure that customers are aware of, and when requested, have access to, the business continuity plan and disaster recovery procedures.
Implementation Guidelines:
The Business Continuity Plan must be based on the Business Impact Analysis, covering at least the SWIFT service.
The business continuity plan should (at minimum):
• sufficiently define how the service bureau deals with various types of disruptions to its services (at least unavailability of the primary site, missing key human resources, and natural disaster)
• define alternative communication means (in case the network or mobile phone networks are impacted by the disaster)

11 Monitor and Escalate Operational Malfunctions


11.1 Events Monitoring
Control Objective: Ensure a consistent and effective approach for event monitoring and escalation.
Control Statement: Service bureaux must put in place procedures to detect (on a continuous basis), escalate, and fix errors reported in the installation and operations log files of the software, hardware, and network supporting SWIFT operations (for example, operating system, Alliance Access, Alliance Gateway, SWIFTNet Link, Alliance Web Platform, and other messaging interfaces).
This monitoring and reporting can be considered as the input trigger to the management of incidents expressed above.
Implementation Guidelines:
• In addition to system and application logs, documented monitoring procedures must also cover system resource consumption (such as memory or disk space) to support proper capacity planning as per control 8.4.
• Messaging logging must not display the message payload.
11.2 Escalation Plan
Control Objective: Ensure a consistent and effective approach for the management of incidents (Problem Management).
Control Statement: The service bureau must document and implement an incident escalation plan.
Implementation Guidelines:
Similarly to the management of cyber security incidents expressed in control 7.1 Cyber Incident Response Planning, the documented escalation plan should include:
• incident levels and associated triggers or criteria
• timers for the escalation of incidents to the next level
• staff informed once a predefined level of impact is reached
• role description of each level of escalation
• contact details of key staff involved at each incident level, which need to be regularly reviewed
The escalation plan must be reviewed yearly and (at least partly) tested regularly (this can be as part of Business Continuity Plan testing).

11.3 Messaging Monitoring on Behalf of Customer
To support critical activity performed by the service bureau on behalf of SWIFT customers
Control Objective: Ensure a consistent and effective approach for the customers' messaging monitoring.
Control Statement: When the customer outsources the monitoring of its messaging to a service bureau, this must be documented in the contractual documentation.
Implementation Guidelines:
The service bureau must formally document and agree with the customer on the processes to handle alerts in case of error and reports on data processing received from SWIFT (for example, logical terminal disconnections, ACK/NAK messages, and non-delivery reports).
11.4 Customer Incident Notification
Control Statement: The service bureau must notify each impacted SWIFT customer without delay in case of a major incident.
Implementation Guidelines:
An incident is considered as major if it has one of the following consequences:
• It prevents a customer from meeting its business requirements or obligations.
• It prevents the service bureau from meeting its obligations as defined in the customer Service Level Agreement.

11.5 Customer Support Facility
Control Objective: Effective support is offered to customers in case they face problems during their business hours.
Control Statement: Customer helpdesk and technical level 2 support (including at least one service bureau specialist connectivity as described in control 12.1 Maintain Expertise) must be available during the working hours of the service bureau customers (which could be through on-call coverage outside the service bureau working hours).

12 Ensure Knowledge is Available


12.1 Maintain Expertise
Control Objective: Ensure quality of service to customers through SWIFT-certified employees.
Control Statement: The service bureau must have at least:
• two employees certified for the SWIFT on-boarding skills
• two employees certified for the SWIFT technical skills
Implementation Guidelines:
The employees must pass respectively the Service bureau Specialist on-boarding and the Service bureau Specialist connectivity exams.
Employees must maintain their certification by passing the exam within 6 months after there have been significant changes to the SWIFT on-boarding or technical programme (that is, a new major product release).
Considerations for alternative implementations: only applicable to new service bureaux:
Having a formal arrangement in place (for example, a system care contract) with service bureau specialists or SWIFT Certified specialists is allowed as a temporary solution in anticipation of having the service bureau's own staff qualified as service bureau specialists. This temporary solution should not last longer than 1 year.
Service bureaux having a common ownership (that is, belonging to the same group) can assign each other's service bureau specialists.

Appendix A Machine-to-Machine Communication Related Controls

For a better understanding of the scope of the dataflow controls, the following diagram shows the machine-to-machine communication related controls.

Appendix B Human-to-Machine Communication Related Controls

For a better understanding of the scope of the dataflow controls, the following diagram shows the human-to-machine communication related controls.

Legal Notices
Copyright
SWIFT © 2019. All rights reserved.

Restricted Distribution
Do not distribute this publication outside your organisation unless your subscription or order expressly grants you
that right, in which case ensure you comply with any other applicable conditions.

Disclaimer
The information in this publication may change from time to time. You must always refer to the latest available
version.

Translations
The English version of SWIFT documentation is the only official and binding version.

Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: the SWIFT logo,
SWIFT, SWIFTNet, Sibos, 3SKey, Innotribe, the Standards Forum logo, MyStandards, and SWIFT Institute. Other
product, service, or company names in this publication are trade names, trademarks, or registered trademarks of
their respective owners.
