← Frameworks / Financial Security

SWIFT Customer Security Controls Framework v2024

Mandatory security controls framework for all 11,000+ SWIFT-connected financial institutions globally. 32 controls (25 mandatory, 7 advisory) across 3 objectives: secure your environment, know and limit access, detect and respond. Annual independent assessment attestation required. Covers network segmentation, privileged access, system hardening, transaction business controls, malware protection, logging/monitoring, and incident response for SWIFT financial messaging infrastructure. Aligned with ISO 27002, NIST CSF, PCI DSS 4.0.

Clauses: 32

Avg Coverage: 84.4%

Publisher: SWIFT (Society for Worldwide Interbank Financial Telecommunication) Version: v2024

SWIFT CSCF → SP 800-53 SP 800-53 → SWIFT CSCF Coverage Analysis

Clause	Title	SP 800-53 Controls
SWIFT.1.1	SWIFT Environment Protection (Mandatory)	SC-07 SC-32 AC-04 CA-03 CM-07
SWIFT.1.2	Operating System Privileged Account Control (Mandatory)	AC-02 AC-05 AC-06 AU-02 IA-02
SWIFT.1.3	Virtualisation or Cloud Platform Protection (Mandatory)	SC-07 SC-28 SC-39 AC-04 CM-06
SWIFT.1.4	Restriction of Internet Access (Mandatory)	SC-07 AC-04 AC-20 CM-07
SWIFT.1.5	Customer Environment Protection (Mandatory)	SC-07 AC-04 CA-03
SWIFT.2.1	Internal Data Flow Security (Mandatory)	SC-08 SC-12 SC-13 IA-03
SWIFT.2.2	Security Updates (Mandatory)	SI-02 CM-07 SA-22
SWIFT.2.3	System Hardening (Mandatory)	CM-02 CM-06 CM-07 SC-07
SWIFT.2.4A	Back Office Data Flow Security (Advisory)	SC-08 SC-13 AC-04
SWIFT.2.5A	External Transmission Data Protection (Advisory)	SC-08 SC-28 MP-05 SC-12
SWIFT.2.6	Operator Session Confidentiality and Integrity (Mandatory)	AC-17 SC-08 AC-11 AC-12 AU-14
SWIFT.2.7	Vulnerability Scanning (Mandatory)	RA-05 SI-02 CM-08
SWIFT.2.8	Outsourced Critical Activity Protection (Mandatory)	SA-09 SR-01 SR-03 SR-06 CA-03
SWIFT.2.9	Transaction Business Controls (Mandatory)	AC-03 AU-02 AU-06 SI-04
SWIFT.2.10	Application Hardening (Mandatory)	CM-06 CM-07 SA-11
SWIFT.2.11A	RMA Business Controls (Advisory)	AC-02 AC-03
SWIFT.3.1	Physical Security (Mandatory)	PE-02 PE-03 PE-06 PE-08 MP-02 MP-04
SWIFT.4.1	Password Policy (Mandatory)	IA-05 AC-07
SWIFT.4.2	Multi-Factor Authentication (Mandatory)	IA-02 IA-05
SWIFT.5.1	Logical Access Control (Mandatory)	AC-02 AC-03 AC-05 AC-06
SWIFT.5.2	Token Management (Mandatory)	IA-05 PE-03 PS-04
SWIFT.5.3A	Staff Screening Process (Advisory)	PS-03 PS-06
SWIFT.5.4	Password Repository Protection (Mandatory)	IA-05 SC-28 AC-03 AU-02
SWIFT.6.1	Malware Protection (Mandatory)	SI-03 SI-04
SWIFT.6.2	Software Integrity (Mandatory)	SI-07 CM-03 CM-05
SWIFT.6.3	Database Integrity (Mandatory)	SI-07 SC-28 AC-03 AC-06 CP-09
SWIFT.6.4	Logging and Monitoring (Mandatory)	AU-02 AU-03 AU-06 AU-09 AU-12 SI-04
SWIFT.6.5A	Intrusion Detection (Advisory)	SI-04 SC-07
SWIFT.7.1	Cyber Incident Response Planning (Mandatory)	IR-01 IR-04 IR-05 IR-06 IR-08
SWIFT.7.2	Security Training and Awareness (Mandatory)	AT-01 AT-02 AT-03
SWIFT.7.3A	Penetration Testing (Advisory)	CA-08 RA-05
SWIFT.7.4A	Scenario-Based Risk Assessment (Advisory)	RA-03 PM-16 CP-04