AccessPay & SWIFT Customer Security Program Eddie White – AccessPay Danny Doyle – AccessPay September 2017

Upload: lekhanh

Post on 07-Sep-2018

TRANSCRIPT

Page 1: AccessPay & SWIFT Customer Security Program · AccessPay & SWIFT Customer Security Program Eddie White –AccessPay ... connecting directly to the Alliance Lite2 web interface to

AccessPay & SWIFT Customer Security Program

Eddie White – AccessPay

Danny Doyle – AccessPay

September 2017

accesspay.com | [email protected] | 01618 228 604

Why Were You Invited To This Session?

• Because it is critical to secure your Payment Processing systems, SWIFT & BACS connectivity against cyber-threats.

• 2016 cases prove that the financial industry is at serious risk of cyber-attack.

• Attacks are global, sophisticated, and here to stay!

Objectives Of This Session

• Be aware of the threat the payments community is facing and how the SWIFT CSP is helping.

• Understand the security controls that SWIFT is introducing to create a security baseline for the whole community.

• Get introduced to the mandatory security controls that you will need to comply with.

• Know what practical steps you will need to take to implement the CSP controls

• Understand how the attestation process works to increase industry transparency

• Discover how AccessPay & SWIFT can support you through the process

What is the SWIFT Customer Security Program?

SWIFT Lite2 for Business Applications (L2BA)

Does connecting to SWIFT via AccessPay as an L2BA customer affect how the SWIFT CSP applies to my organization?

Yes: L2BA clients use SWIFT “Architecture B”.

This means that some of the CSP controls are managed by AccessPay whilst others are managed by the client or managed jointly. This training session provides more details.

AccessPay L2BA Clients Use Architecture B

About the Attestation

AccessPay Client Attestations

Does connecting to SWIFT via Architecture B make a difference to how I attest?

Yes, this means that some of the security controls do not apply. Therefore, in my self-attestation I should mark my response as “Do not comply” with the clarification “not applicable”.

Which controls do not apply to me? And why?

Connecting through AccessPay, who host your BIC, means that they are responsible for proving their compliance with these 5 mandatory controls as part of a separate framework and audit:

1.1 – SWIFT Environment protection

1.2 – Operating System privileged account control

2.1 – Internal data flow security

6.2 – Software Integrity

6.3 – Database integrity

Mandatory versus Advisory Controls

There are 16 mandatory controls, and 5 don’t apply as I use Architecture B… what about the 11 advisory controls listed in my SWIFT attestation?

“There are a number of advisory controls centred around security best practice. These controls are not mandatory but should be carefully considered, given some of them may be mandatory by the time your organization self-attests again.”

How are the Controls Grouped?

The controls which do apply to you are split up into groups based on their primary aim or function:

1. Restrict Internet Access & Protect Critical Systems from the General IT Environment

2. Reduce Attack Surface and Vulnerabilities

3. Physically Secure the Environment

4. Prevent Compromise of Credentials

5. Manage Identities and Segregate Privileges

6. Detect Anomalous Activity to Systems or Transaction Records

7. Plan for Incident Response and Information Sharing

Implementing the Controls

“How should I implement these controls so I can respond positively to the mandatory controls which apply to me?”

2.2 – Security Updates

“All hardware and software inside the secure zone and on operator PCs are within the support lifecycle of the vendor, have been upgraded with mandatory software updates, and have had security updates promptly applied.”

Actions: Ensure compliance with the above statement by seeking the help of your IT team, specifically with regard to users’ machines which access the AccessPay application.

2.3 – System Hardening

“Ensure security hardening is conducted on all in-scope components.”

Actions: Ensure compliance with the above statement by seeking the help of your IT team, specifically with regard to users’ machines which access the AccessPay application.

3.1 – Physical Security

“Ensure physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage.”

Actions: Ensure compliance with the above statement by reviewing the physical security of your workplace environment, along with your operations / security team. How easily could an intruder access my office, use my machine, or access my business applications?

4.1 – Password Policy

“Ensure all application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed log-in attempts.”

Actions: Review max password age with the AccessPay Technical Support team; suggested max age of 30 days.

N.B. AccessPay only allows strong passwords.

4.2 – Multi-Factor Authentication

“Ensure multi-factor authentication is used for interactive user access to SWIFT-related applications and operating system accounts.”

Actions: Confirm you are using multi-factor authentication to log in to AccessPay with the AccessPay Technical Support team. Confirm multi-factor authentication is used to log in to other business applications such as ERP and TMS.

5.1 – Logical Access Control

“Ensure user accounts are defined according to the security principles of need-to-know access, least privilege, and segregation of duties.”

Actions: Review AccessPay user roles and permissions with your Admin User. Disable inactive users, ensure segregation of duties for all payment types, and ensure Administrators do not actively participate in payments processing.
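As an added example (not AccessPay's own code or data model), the 5.1 actions above can be turned into a repeatable check: the script audits a constructed user export for inactive-but-enabled accounts, users who can both create and approve payments, and administrators holding payment roles. The CSV columns, the role names and the 90-day inactivity threshold are assumptions.

```python
"""Audit a constructed AccessPay-style user export against CSP control 5.1.
The CSV layout, the role names and the 90-day inactivity threshold are
assumptions made for this example, not AccessPay's real data model."""
import csv
import io
from datetime import date

# Constructed sample export (hypothetical columns and role names).
SAMPLE_EXPORT = """\
user,enabled,last_login,roles
alice,true,2017-08-30,payment_create
bob,true,2017-08-29,payment_approve
carol,true,2017-08-28,payment_create;payment_approve
dave,true,2017-03-01,payment_approve
erin,true,2017-08-31,administrator;payment_approve
frank,false,2016-12-01,payment_create
"""

PAYMENT_ROLES = {"payment_create", "payment_approve"}
INACTIVE_AFTER_DAYS = 90           # assumed threshold; align with your own policy
AUDIT_DATE = date(2017, 9, 1)      # constructed "today" matching the sample data


def audit_users(export_text, today=AUDIT_DATE):
    """Return (user, finding) pairs for every 5.1 violation in the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"]
        roles = set(row["roles"].split(";"))
        if row["enabled"].lower() != "true":
            continue  # already disabled: cannot act, nothing to flag
        # Inactive accounts must be disabled, not left enabled.
        if (today - date.fromisoformat(row["last_login"])).days > INACTIVE_AFTER_DAYS:
            findings.append((user, "inactive account still enabled"))
        # Segregation of duties: one person must not both create and approve.
        if PAYMENT_ROLES <= roles:
            findings.append((user, "can both create and approve payments"))
        # Administrators must not take part in payment processing.
        if "administrator" in roles and roles & PAYMENT_ROLES:
            findings.append((user, "administrator holds a payment role"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_EXPORT):
        print(f"{user}: {finding}")
```

Run it against a real role export by replacing SAMPLE_EXPORT with the file contents and mapping your own role names onto PAYMENT_ROLES and the administrator role.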

5.2 – Token Management

“Ensure connected hardware authentication tokens are managed appropriately during issuance, revocation, use, and storage.”

N.B. SWIFT tokens are only used by AccessPay clients when exchanging RMA during bank onboarding or if connecting directly to the Alliance Lite2 web interface to manage messages directly on the SWIFT network (outside of AccessPay). These tasks are performed very infrequently, but it is important for AccessPay customers to manage their LSO/RSO & operator tokens safely.

Actions:

• Review the current token management process.

• Catalogue tokens currently held for accessing SWIFT services.

• Ensure the Security team are aware of active / inactive tokens.

• Ensure LSO/RSO users are re-appointed in line with the Joiners/Movers/Leavers process.

6.1 – Malware Protection

“Ensure anti-malware software from a reputable vendor is installed and kept up-to-date on all systems.”

Actions: Confirm with your IT/Security team that up-to-date anti-malware software is in place across the business, especially on user machines which access the AccessPay application and in cases of BYOD.

6.4 – Logging and Monitoring

“Ensure capabilities to detect anomalous activity are implemented, and a process or tool is in place to frequently store and review logs.”

Actions: Ensure the implementation of a system or process to log anomalous network security events. Monitor security logs on an ongoing basis. Review bank reconciliation feeds, e.g. MT940 & the SWIFT Daily Validation Report.

7.1 – Cyber Incident Response Planning

“Ensure your organisation has a defined and tested cyber incident response plan.”

Actions:

• Ensure the implementation of a system or process to respond to cyber incidents, with a periodic testing schedule.

• Consider and review your organisation's approach to Information Security Management (such as ISO27001).

7.2 – Security Training and Awareness

“Ensure annual security awareness sessions are conducted for all staff members, including role-specific training for SWIFT roles with privileged access.”

Actions:

• Review your organization’s approach to security awareness training and implement (at least) training for new starters and annual refresher training where job roles involve interaction with SWIFT payments.

• Ensure your organization attends AccessPay / SWIFT joint customer security program webinars.

Non-Compliance

I do not or cannot comply with some of these mandatory controls before the deadline for self-attestation in December 2017… what can I do?

You can answer negatively to these controls; however, SWIFT requests that you respond with a date by which you will comply and begin a process for ensuring compliance.

In Summary

• All AccessPay SWIFT clients must review & implement the SWIFT “Architecture B” mandatory controls.

• A SWIFT CSP Attestation must be filed in the SWIFT KYC portal by 31-Dec-2017.

• Advisory controls describe good practice and should be considered as well; in future SWIFT may make these mandatory controls.

• AccessPay is subject to a separate controls audit by SWIFT; this covers the SWIFT secure zone components managed by us.

• The AccessPay service desk team can provide further support and advice for clients who need to implement controls and attest via the KYC portal.

Summary of Controls

Summary of Controls Cont…

Ongoing Support from SWIFT & AccessPay

AccessPay CSP Resource Website:

https://www.accesspay.com/events/swift_csp/

SWIFTSmart:

https://www.swift.com/our-solutions/services/training/swiftsmart

MySWIFT:

https://www.swift.com/myswift

Questions?