Make Swift Security Attestation Painless – Invest in Bizzdesign’s Swift CSP Compliance

Dec 14, 2022
Written by
Samir Narain
Simon Cross


If you lead, or are part of, the compliance team responsible for Swift pre-attestation, you know how complex it is to get the job finished. Bizzdesign’s Swift CSP Compliance solution enables you to complete the mandatory annual Security Attestation, which forms part of the Swift Customer Security Program (CSP), using architecture models built on our enterprise architecture platform, Bizzdesign Horizzon. Architecture modeling is a far more efficient and effective way of capturing, documenting, communicating, and managing the Swift CSP. Models can evolve and be reused, giving higher assurance at a substantially reduced cost.

Our Swift CSP compliance solution gives visibility of your compliance posture at the click of a button, helps you see your enterprise’s real-time compliance status, and gives you a line of sight from business goals to compliance activities. Furthermore, Swift CSP compliance data becomes connected to the enterprise security and compliance data model, thereby improving your overall cyber security posture.

Top 3 Reasons why you need Bizzdesign’s Swift CSP Compliance solution:

1. Complete and accurate Swift information in a single repository
Customers use Bizzdesign Horizzon as an architecture repository, populating it with information concerning architecture views, components, relationships, standards, and reference architectures, among other things. A natural extension of this is to include information regarding Swift CSP risks, compliance objectives, requirements, and control measures.

To illustrate how this works, Swift specifies recommended architectures for certain connectivity components in the network. For example, every Hardware Security Module (HSM) that processes data related to Swift financial messages must be deployed in a ‘secure zone’. The secure zone is a segmented and controlled environment bound to the Customer Security Controls Framework (CSCF). This can be modeled efficiently in an architecture diagram on the Bizzdesign Horizzon platform.

An appropriate modeling approach is to follow the TOGAF® Standard: model Architecture Building Blocks (ABB) based on the Swift Reference Architecture, and Solution Building Blocks (SBB) representing how that architecture is implemented at your organization. This approach is described in a whitepaper by The SABSA Institute, T100 – Modelling SABSA® with ArchiMate®, which illustrates a model-based approach to creating an enterprise’s security architecture by capturing SABSA® artifacts in the architecture repository. Regulatory and standards-based compliance is also covered in the SABSA® Security Overlay, which is particularly relevant to CSP Security Attestation. In this way, your organization can reuse patterns, concepts, and relationships throughout its architecture model.

To manage counterparty risk, the Swift CSP allows counterparties to request Security Attestation documents from the parties they are dealing with. Following a standard modeling notation such as ArchiMate® and a common modeling approach derived from ABB allows for a simpler understanding of the counterparty’s architecture that would support effective risk management.

Bizzdesign’s Swift CSP Compliance solution shows the CSCF requirements fulfilled for each SWIFT Control Objective


2. A structured approach to ensure coverage of controls
You can create architecture views for each control of the CSCF, describing how the control is implemented and how it realizes the specified control requirements. Once the objects and relationships are modeled to reflect the current infrastructure, automated analysis can validate compliance with the CSCF and visualize the compliance status in management reports and dashboards. Because the analysis is programmatic, gaps and blind spots become apparent: objects that are not modeled appropriately show up as non-compliant. The scripts distinguish whether something is non-compliant because it is modeled incorrectly or because it does not exist at all. In the first case you correct the model; in the second, the result marks a gap where relevant controls still need to be implemented. Automation also uncovers advisory controls that the financial institution already satisfies without being aware of it.

This provides a structured approach to ensuring complete coverage of controls against the scope of applicability defined for each control in the Swift CSCF reference architecture. We provide this reference architecture as an ArchiMate® model that can be deployed and connected to the ABBs and SBBs of the customer’s Swift implementation model.

Bizzdesign Horizzon’s repository tracks all changes in the model: every change to the architecture is logged and captured, and it is possible to go back in time to view the history of the architecture. This is useful when reviewing how the architecture evolved, or when tracing an architectural change that affects compliance with control objectives.
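An added illustration of the gap-detection idea described above, applied to the HSM-in-secure-zone placement rule from section 1. This is not Bizzdesign’s scripting or the Horizzon API; it is a stand-alone checker over a small, constructed ArchiMate-like model (element types, tags, and the ‘swift-connector’ tag are assumptions) that separates the three outcomes the text describes: compliant, modeled but non-compliant, and not modeled at all.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    COMPLIANT = "compliant"
    NON_COMPLIANT = "modeled but non-compliant"  # element exists, relationship is wrong/missing
    NOT_MODELED = "not modeled (gap)"            # nothing in the repository carries the tag


@dataclass
class Element:
    id: str
    type: str                       # ArchiMate element type, e.g. "Node" or "Grouping"
    name: str
    tags: set = field(default_factory=set)


@dataclass
class Model:
    elements: dict                  # id -> Element
    relations: list                 # (source_id, target_id, relation_type)

    def in_zone(self, elem_id, zone_tag):
        """True if elem_id is aggregated/composed into a Grouping tagged zone_tag."""
        for src, dst, kind in self.relations:
            if dst == elem_id and kind in ("Aggregation", "Composition"):
                parent = self.elements[src]
                if parent.type == "Grouping" and zone_tag in parent.tags:
                    return True
        return False


def check_placement(model, component_tag, zone_tag="secure-zone"):
    """Placement rule: every element tagged component_tag must sit inside zone_tag.
    Returns {element name: Status}; if no element carries the tag, the rule
    reports NOT_MODELED so the gap is visible rather than silently 'passing'."""
    results = {}
    for e in model.elements.values():
        if component_tag in e.tags:
            ok = model.in_zone(e.id, zone_tag)
            results[e.name] = Status.COMPLIANT if ok else Status.NON_COMPLIANT
    return results or {component_tag: Status.NOT_MODELED}


# Constructed sample model: two HSMs, only one placed in the secure-zone grouping.
SAMPLE = Model(
    elements={
        "g1": Element("g1", "Grouping", "Swift secure zone", {"secure-zone"}),
        "n1": Element("n1", "Node", "HSM-A", {"hsm"}),
        "n2": Element("n2", "Node", "HSM-B", {"hsm"}),
    },
    relations=[("g1", "n1", "Aggregation")],
)


def report(model, tags=("hsm", "swift-connector")):
    """Run the placement rule for each component tag (second tag is a constructed gap)."""
    return {tag: check_placement(model, tag) for tag in tags}
```

Running `report(SAMPLE)` marks HSM-A compliant, HSM-B as modeled but outside the zone, and the ‘swift-connector’ tag as an unmodeled gap, which is the distinction the dashboard relies on.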

Overview of the Swift CSP program implemented in Bizzdesign Horizzon


3. See real-time compliance status – at the click of a button
Swift attestation also needs to be independently assessed. Bizzdesign Horizzon is used to publish the architecture and reports for the assessor to verify. Bizzdesign Horizzon sites allow interactive navigation across the complete architecture environment, giving you a line of sight from your business goals to compliance activities. The models can include references to evidence sources so that assessors can check the existence and effectiveness of controls, providing a mechanism for ‘closed-loop governance’ that ensures control objectives are achieved. This reporting and navigation capability is available in read-only mode to protect the integrity of the information, and the architecture views can be downloaded for inclusion in standalone documents.

A dashboard of the overview of controls compliant with CSCF requirements


Conclusion: Improve your overall security posture

Architectural analysis makes it transparent how your organization complies with the requirements specified in the CSCF. For both mandatory and advisory controls, the application and technology components can be formalized and then attested in the independent assessment. Moreover, Swift CSP compliance data connects to the enterprise security and compliance data model. Discovering control gaps through compliance modeling, and closing those gaps, improves your overall cyber security posture.

If you’re interested in learning more, request a live demo of our Swift CSP solution or watch the webinar replay.