The CSCF, under Control "6.1 Security Awareness" and related security controls, mandates the definition and implementation of a Password/PIN Policy for components requiring user authentication to protect the SWIFT environment. Let’s evaluate each option:
• Option A: Operator PCs, (physical or virtual) systems running SWIFT-related components, network devices protecting the secure zone(s), bridging servers
This requires a Password/PIN Policy. Operator PCs, systems running SWIFT components (e.g., Alliance Access), network devices (e.g., VPN boxes), and bridging servers need authentication policies to secure access, as per CSCF Control "2.3 System Hardening" and "6.1."
• Option B: Jump server(s), SWIFT-related components at application level
This requires a Password/PIN Policy. Jump servers and application-level components (e.g., Alliance Gateway) must have authentication mechanisms to protect the secure zone, aligning with CSCF Control "1.1 SWIFT Environment Protection."
• Option C: Personal tokens or mobile devices used as a possession factor
This does not require a Password/PIN Policy. Personal tokens or mobile devices (e.g., secure code cards or soft tokens) are possession factors used in multi-factor authentication (MFA), typically alongside a password or PIN. However, the CSCF does not mandate defining a Password/PIN Policy for the tokens/devices themselves, as their security relies on physical possession and manufacturer hardening, not user-defined policies. The "Outsourcing Agents - Security Requirements Baseline v2025" supports this by focusing policy requirements on systems, not possession factors.
• Option D: All equipment within the user environment
This requires a Password/PIN Policy. The CSCF applies policies to all in-scope equipment to ensure comprehensive security, contradicting the question’s intent to identify an exception.
Summary of Correct Answer:
A Password/PIN Policy must not be defined and implemented for personal tokens or mobile devices used as a possession factor (C).
References to SWIFT Customer Security Programme Documents:
• Swift Customer Security Controls Framework v2025: Control 6.1 and 2.3 mandate password policies for systems.
• Outsourcing Agents - Security Requirements Baseline v2025: Excludes possession factors from policy requirements.
• Assessment template for Mandatory controls: Focuses on system authentication policies.