SWIFT Information Security: SWIFT Customer Security Controls Framework v2019 GAP-Analyze Offer

ISSP, a cybersecurity company, is offering services to help clients implement the SWIFT Customer Security Controls Framework (CSCF) version 2019. The services include: 1) A gap analysis and risk assessment of the client's SWIFT system and processes. 2) Assistance implementing necessary controls to meet CSCF requirements. 3) Consulting support during the SWIFT audit. ISSP confirms it has the expertise and resources to provide these services and is available to discuss the proposal further.

Uploaded by Ruslan Soloviov

serving information security needs

SWIFT Information Security:
SWIFT Customer Security Controls Framework v2019 GAP-Analyze Offer

2019
ISSP | Information Systems Security Partners.
www.isspgroup.com
SWIFT Customer Security Controls Framework v2019 GAP-Analyze Offer

ISSP, a multiservice cybersecurity company with offices in the Eastern Europe region, is pleased to offer support in fulfilling the requirements of the SWIFT Customer Security Controls Framework (CSCF) v2019.

The service includes:

- PHASE 1: Detailed SWIFT system and process scoping, GAP analysis, risk assessment
- PHASE 2: Assistance in implementing the controls necessary to fulfil the SWIFT CSCF requirements
- PHASE 3: Consulting support during the SWIFT audit

ISSP hereby confirms its readiness to provide the proposed volume of services, as well as the availability of the necessary expertise and resources.

ISSP is keen to discuss the current proposal in more detail during a meeting, to answer any additional questions and to consider possible next steps together.
 
With Compliments,
Information Systems Security Partners
what we do

Founded in 2008, ISSP provides full cycle professional cyber security services: from compromise and vulnerability assessment, penetration and security testing as well as cybersecurity consulting to integration of cybersecurity technologies, digital forensics, managed security services, managed detection and response services, and threat intelligence.

We help businesses, organizations, industries, governments, and academia face the challenge of dealing with the constant threat of cyberattacks and protect critical systems, networks and data from ever increasing and constantly evolving cyber threats.
SWIFT CSCF domains
SWIFT CSCF timeline
Our approach

SWIFT CSCF is both an organizational (policy, process, roles) and a technical issue.

Selecting the SWIFT infrastructure to be included in the ISMS scope.

We recommend performing a SWIFT infrastructure vulnerability scan.

Risk assessment will make it possible to identify the company's security needs.

Once the critical risks are assessed, the controls to be designed are selected and should be implemented and documented. ISSP offers to support the Customer during its SWIFT CSCF implementation along 3 axes:
• Consulting for policy and procedure review/creation
• Consulting for implementation of security processes and controls
• Technical product recommendation when applicable

ISSP will include a pre-audit to check readiness for SWIFT CSCF.

The last stage is the Audit by SWIFT. ISSP will support the Customer during the Audit.

Process diagram:
- Phase 1: Scope formalization; SWIFT infrastructure vulnerability scanning; Validation of objectives; Review High Level Information Security Policy; Risk assessment + Risk Treatment Recommendations
- Phase 2: Technical and Implementation recommendation; SWIFT CSCF Controls Implementation (most by Customer, assistance by ISSP); Awareness; Policy/Procedure; Pre-audit Readiness check with SWIFT CSCF; PEN-testing
- Phase 3: Audit by SWIFT; Support customer during audit

* - implementation of security controls is done by Customer, supported and led by ISSP


Deliverables

Upon completion of the current set of services, the Customer will receive the following output (deliverables), depending on the selected package/options:

Documentation deliverables:
1. Project planning
2. SWIFT CSCF GAP analysis
3. Risk analysis
4. Risk treatment recommendation
5. SWIFT CSCF control planning
6. Customized Policy/Procedure
7. Controls Creation Assistance

Vulnerability management:
1. SWIFT infrastructure vulnerability scanning
2. Pen-testing
Overall Project Timeline
Offer timeline
| Phase | Task | Delivery | ISSP | 1 2 3 … … |
|---|---|---|---|---|
| Phase 1 | SWIFT scope / Security Policy | *Scope / SWIFT CSCF Documentation Analyze | 5.0 | |
| Phase 1 | Risk Assessment / Risk Treatment | *Hi-level Risk Assessment; *Risk Treatment | 5.0 | |
| Phase 1 | Statement of Applicability / Risk Treatment Recommendations | *Risk Treatment Recommendations | 5.0 | |
| Phase 2 | Assistance in implementation of necessary controls for getting SWIFT CSCF fulfilment of requirements | Assistance in implementation of necessary controls for getting SWIFT CSCF fulfilment of requirements | | |
| Phase 3 | Assistance during the SWIFT Audit | Assistance during the SWIFT Audit | | |
| Management | Project Management | *Planning, minutes | | |
| Follow-up | Controls implementation monitoring | *Update of Security control schedule; *Mail minutes with alerts | | |

"*" indicates document & process delivery


Other support/services

Other ISSP services facilitating SWIFT CSCF implementations*:

• Penetration Test / Vulnerability scan
o High chance of being required by auditor
o Internal / External scan with expert review
o Exploitation of vulnerability to enrich risk assessment

• Perform Awareness and Advanced technical training(s)
o Training available for all types of staff in the company
  - General awareness (many languages available)
  - Technical IT specialty (English/Russian)
  - Director serious games

• Creation and Support of ISO controls
o 25 operational controls needed to enforce ISO27k
o Those services largely decrease the load on the customer security team

• Incident management and report
o "CERT" activity and support
o Help with incident readiness and handling

• Security Log Review
o Various options of log monitoring and correlation
o Intelligence and Indicators of Compromise (IOC)
o On-premise and Cloud analysis

* - to be discussed separately in case of necessity
Why ISSP?

ISSP is a professional IT and IT security multiservice provider whose competencies are concentrated in high-quality services bringing the highest Time-to-Value indicator and whose professional experience is proved by leading companies in Ukraine, Kazakhstan, Georgia and worldwide*.
ISSP is nearly the only professional company which could fulfil the complete service described within the current proposal:
• Only ISSP could professionally and comprehensively cover IT and IT Security challenges
• Only ISSP could deliver both theoretical and practical output for IT and IT Security Assessments
• ISSP always stays on the edge of modern technologies in conjunction with year-to-year experience of proved best practices, enabling our actionable service to be highly ranked in each territory where ISSP is present, no matter how strong competitors are.

Having its own Cybersecurity Training Center and Research Center, ISSP is able to provide a continuous professional service to maintain compliance and cybersecurity controls for the customer.

* - Customer's reference letters could be provided upon separate request


business units
ISSP consulting and integration unit provides integration and support of cybersecurity technologies, turn-key cybersecurity solutions as well as stand-alone services of cybersecurity consulting, compromise and vulnerability assessment, penetration and security testing.

ISSP SOC provides Managed Security Services, including Managed Detection and Response, Incident Management, Compliance Management, Security Platform management.

ISSP Training Center conducts professional trainings including certified product trainings and professional certification programs from EC-Council, ISC2, Mile2 as well as standard and customized in-house developed trainings.

ISSP Labs specializes in cyber attacks and malware analysis, reverse engineering, challenging computer forensics tasks, R&D in cybersecurity and threat intelligence.
WESTERN EUROPE | CENTRAL EUROPE | UKRAINE, EASTERN EUROPE | SOUTH CAUCASUS | CENTRAL ASIA

Countries of Operations: Europe and Central Asia

Offices: Kyiv, Tbilisi, Almaty, Wroclaw and Cork* (*to be opened in 2018)

100 Active service contracts
350 Turn-key projects accomplished
500 Professionals trained annually
services

ENGINEERING SERVICES
- Technologies Integration
- Project Assessment
- Technical Support

AUDIT & CONSULTING
- Compliance Management
- Risk Management
- Technical Audit

MANAGED SECURITY
- Platform Management
- Incident Management
- Vulnerabilities Management
- Detection and Response

TRAININGS & CERTIFICATION
- Certified Cybersecurity Trainings
- Vendor Based Technical Trainings
- Tailored Trainings
- Advanced Trainings

CYBERSECURITY ASSESSMENT
- Penetration Tests
- Compromise Assessment
- Industrial Control Systems
- Static Code Assessment
- Malware Analysis
- Cybersecurity Forensics

THREAT INTELLIGENCE
- Cyber Attacks Analysis
- Reverse Engineering
- Malware Analysis
- Digital Forensics
- Darknet Intelligence
- Cyberthreat Intelligence
technologies
authorization and proven qualification in 20+ vendors’ technologies, including but not limited to:

NETWORK SECURITY
- Security Gateways
- Intrusion Prevention
- Web & Email Filtering
- Management & Monitoring
- Wireless Security

DATA PROTECTION
- Data Leakage Prevention
- Encryption & Digital Signature
- Mobile Data Protection
- Archiving & backup

ENDPOINT SECURITY
- Endpoint Threat Detection
- Mobile Devices Protection
- Virtual Environment Security
- Antivirus & Antimalware
- Device & application control

ACCESS CONTROL
- Multifactorial Authentication
- Remote Access
- Role and account management
- PKI
- IDM and Privileged Account Mgt

APPLICATION PROTECTION
- Web-Applications Protection
- Databases Security
- Vulnerability Management
- Application Management

SECURITY MANAGEMENT
- Events & Incidents Management
- Policies monitoring and enforcement
- Risk Control & Compliance
- Change Control
Selected Key Accounts in Corporate Sector

Banking

Energy

Telecom
global visibility: media

global visibility: conferences

In 2017 ISSP experts spoke at major cybersecurity conferences in Miami, Vienna, Warsaw, Dublin, Prague, Stockholm, Marrakesh, Almaty, Boston, Kyiv
active involvement in global cybersecurity community

- Global CERT initiative
- Global Forensics initiative
- Global Education and Research initiative
- Cybersecurity Initiatives