TRANSCRIPT
SWIFT Business Forum Canada 2017 – BUILDING THE FUTURE
Pat Antonacci – SWIFT Customer Security Programme
The traditional model is undergoing rapid change, driven by innovation, cyber security and regulation.
SWIFT is leading 3 initiatives that, combined, take correspondent banking to the next level:
• CSP – Customer Security Programme (cyber security)
• gpi – global payments innovation initiative (payments innovation)
• FCC – Financial Crime Compliance (compliance)
Transforming correspondent banking – 10 February 2017
Customer Security Programme (CSP) – Cyber Security
Reinforcing security of the global banking system by supporting customers to:
• Strengthen the security of their local SWIFT related infrastructure
• Prevent and detect fraud in their counterparty relationships
• Share community-wide information to prevent future attacks
CSP Update | Modus Operandi
Step 1: Attackers compromise customer's environment
Step 2: Attackers obtain valid operator credentials
Step 3: Attackers submit fraudulent messages
Step 4: Attackers hide the evidence
• Attackers are well-organised and sophisticated
• Common starting point has been a security breach in a customer's local environment
• There is (still) no evidence that SWIFT's network and core messaging services have been compromised
CSP Update | Programme Overview
SWIFT Tools:
• Security Guidelines and Assurance
• Transaction Pattern Detection – RMA and DVR
• Intelligence Sharing
Three areas of action: You (Secure and Protect), Your Counterparts (Prevent and Detect), Your Community (Share and Prepare)
Launched on May 27th 2016, CSP supports all customer segments, whether directly or indirectly connected, in reinforcing the security of their SWIFT-related infrastructure.
Board Governance:
• IR 744 CSP Launch
• ER 1150 CSP Actions
• ER 1154 Security Assurance
• ER 1155 Security Controls
• IR 756 CSP Update
CSP Update | You > Security Guidelines and Assurance
CSP Security Controls Framework: 3 Objectives, 8 Principles, 27 Controls
• Applicable to all customers and to the whole end-to-end transaction chain beyond the SWIFT local infrastructure
• Mapped against recognised international standards – NIST, PCI-DSS and ISO 27002
• 16 controls are mandatory, 11 are advisory
Security Controls
Secure Your Environment
1. Restrict Internet access
2. Segregate critical systems from general IT environment
3. Reduce attack surface and vulnerabilities
4. Physically secure the environment
Know and Limit Access
5. Prevent compromise of credentials
6. Manage identities and segregate privileges
Detect and Respond
7. Detect anomalous activity to system or transaction records
8. Plan for incident response and information sharing
• V0 Controls / Assurance – Q3 16
• Customer Engagement – Q4 16
• V1 Controls / Assurance – Q1 17
• Self Attestation – Q2 2017, and renewal on annual basis
Customer Security Attestation Process (CSAP): Foundational Principles
• Drives real-world improvement
• Relies on transparency
• Ensures customer remains in control
• Thoughtful and practical handling of data
• Allows for evolution
Customer Security Attestation Process (CSAP): Four Main Steps
1. Submission of self-attestation
2. Grant access to counterparties
3. Follow-up activities to drive compliance and improve security
4. Quality checks through sample requests for internal or external inspection
CSP Update | You > Security Guidelines and Assurance
Assurance Framework
Self-Attestation (all customers submit annually)
• Where customer asserts their compliance against the security requirements
• First- and second-line of defence – provided by CISO or related function
• All customers
Self-Inspection (randomly selected customers)
• Where customer's Internal Audit asserts that the customer meets the security requirements
• Third line of defence – provided by IA function
• Risk based sample of customers with no or small local footprint
Third-Party Inspection (randomly selected customers)
• For an external party that provides independent validation that the customer meets the security requirements
• Risk based sample of customers with an interface, executed by third-party auditors
• V0 Controls / Assurance – Q3 16
• Customer Engagement – Q4 16
• V1 Controls / Assurance – Q1 17
• Self Attestation – Q2 2017, and renewal on annual basis
• Inspection (internal or external) – 2018
Community Support > Roadshow approach
Whom: All connected BIC8s, including focus on small & medium clients engagement
What: Information sharing on security controls and attestation, awareness raising & support
How: In-country workshops, localised webinars, leveraging local events
When: April – December 2017 (pilots in March)
Who: SWIFT in conjunction with NMGs, Central Banks & Industry Associations
200+ Countries; 137 In-Country Roadshows covering ~10,500 BICs; 7+ pilots
− Customers will be invited to attend
− Schedule information on CSP section of swift.com (to come)
Additional Community Support > via SWIFT and Third Party providers
Via SWIFT:
• mySWIFT – Evolution of self-service on-demand support
• 24/7 Customer Support – CSP specialists & local experts
• SWIFTSmart – Interactive training
• Documentation – Security Controls Framework, Attestation Policy, FAQs
Third party providers:
• 3rd Party Security Consultants – an ecosystem of vendors
Timeline (Q2 2016 – 2018)
• Security Controls Framework: V0 for validation, V1 formally published, then Alliance R7.2
• Community Engagement: validation collateral, bilateral consultation, pilot, community roadshows
• Self-Attestation (via security folder on KYC platform): initial self-attestation
• Additional sample information requests (e.g. internal/external audit reports): samples
• Informing local supervisors: pilot, then on-going; local supervisors informed of any supervised institution that has failed to submit an attestation
Secure the Future
CSP Update | Transaction Pattern Detection - DVR
Activity Reports | Aggregate Daily Activity
• Message type
• Currency
• Country
• Counterparties
• Daily volume total
• Daily value total
• Maximum value of single transactions
• Comparisons to daily volume and value averages
Risk Reports | Large or Unusual Message Flows Based on Ordered Lists
• Largest single transactions
• Largest aggregate transactions for counterparties
• New counterparty relationships
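An added example, not SWIFT's DVR code and not part of the original deck: a minimal version of the aggregate activity report and the ordered-list risk report above, run over constructed sample traffic, including the comparison against earlier-day averages and the first appearance of a counterparty BIC. All BICs, dates and amounts are made up.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample traffic for one institution: (day, message type, currency,
# receiver country, counterparty BIC, amount). All values are made up.
MESSAGES = [
    ("2017-03-01", "MT103", "USD", "US", "BANKUS33", 120_000.0),
    ("2017-03-01", "MT103", "EUR", "DE", "BANKDEFF", 80_000.0),
    ("2017-03-02", "MT103", "USD", "US", "BANKUS33", 95_000.0),
    ("2017-03-02", "MT202", "EUR", "DE", "BANKDEFF", 150_000.0),
    ("2017-03-03", "MT103", "USD", "US", "BANKUS33", 110_000.0),
    ("2017-03-03", "MT103", "USD", "PH", "NEWBPHMM", 1_900_000.0),  # first-seen counterparty
    ("2017-03-03", "MT103", "USD", "PH", "NEWBPHMM", 2_100_000.0),
]

def daily_activity(messages, day):
    """Aggregate one day's sent traffic along the axes the activity report lists."""
    rows = [m for m in messages if m[0] == day]
    amounts = [m[5] for m in rows]
    return {
        "by_type": Counter(m[1] for m in rows),
        "by_currency": Counter(m[2] for m in rows),
        "by_country": Counter(m[3] for m in rows),
        "counterparties": sorted({m[4] for m in rows}),
        "volume": len(rows),                       # daily volume total
        "value": sum(amounts),                     # daily value total
        "max_single": max(amounts, default=0.0),   # largest single transaction
    }

def risk_report(messages, day, top_n=2):
    """Ordered lists for the day plus ratios against the average of all earlier days."""
    today = [m for m in messages if m[0] == day]
    earlier = [m for m in messages if m[0] < day]   # ISO dates compare correctly as text
    per_counterparty = defaultdict(float)
    for m in today:
        per_counterparty[m[4]] += m[5]
    per_day = defaultdict(lambda: [0, 0.0])           # earlier day -> [volume, value]
    for m in earlier:
        per_day[m[0]][0] += 1
        per_day[m[0]][1] += m[5]
    avg_volume = mean(v[0] for v in per_day.values()) if per_day else 0.0
    avg_value = mean(v[1] for v in per_day.values()) if per_day else 0.0
    activity = daily_activity(messages, day)
    return {
        "largest_single": sorted(today, key=lambda m: m[5], reverse=True)[:top_n],
        "largest_counterparties": sorted(per_counterparty.items(), key=lambda kv: kv[1], reverse=True)[:top_n],
        "new_counterparties": sorted(set(activity["counterparties"]) - {m[4] for m in earlier}),
        "volume_vs_avg": activity["volume"] / avg_volume if avg_volume else None,
        "value_vs_avg": activity["value"] / avg_value if avg_value else None,
    }
```

On the constructed data the 3 March report shows a counterparty never seen before carrying the two largest payments and a daily value roughly 18 times the earlier average, which is exactly the kind of ordered-list finding a reviewer would follow up before release.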
Secure the Future
CSP | Your Community > Customer Engagement and Communications
Actions for Customers
You:
• Secure your local environment
• Sign up to our Security Notification Service
• Stay up to date with SWIFT's latest security updates
• Get ready to adopt our new security requirements
Your Counterparts:
• 'Clean-up' your RMA relationships
• Put in place fraud detection measures
Your Community:
• Engage with us on market practice
• Inform SWIFT if you suspect that you have been compromised
• Provide contact details of your company's CISO for incident escalation
Dan Moran
Deep dive: Infrastructure and Alliance 7.2
GSC 2017: Alliance 7.2 for Large customers – February 2017 – Confidentiality: SWIFT community
Making the journey together
• 31 March 2017 – Alliance Gateway / SWIFTNet Link 7.0.50
• 30 June 2017 – Release 7.2
• 30 September 2018 – migration deadline
• Customer Security Framework
Release Policy
Mandatory: Technology Refresh + Security + Product Evolution + Supportability
Reduction of number of releases; cost reduction for the maintenance; faster go to market with new functionalities
KEY DRIVERS
Technology Refresh: AIX 7.2; RHEL 7.2 / 6.7 (2020); Solaris 11.3; Windows 2016; move to 64 bit
Security: adoption of a common security baseline by all our customers
Retired Software: SWIFT Alliance Workstation; SWIFT Alliance WebStation; SWIFT Alliance Gateway – WSHA / SOAP Proxy; SWIFT Alliance Access – CAS / MQSA; Alliance Gateway FTA/FTI (target 2020)
What about new features?
• FileAct Enhancements
  • support file sizes up to 2 GB for both real-time and store-and-forward
  • automatically resume any file transfers that were interrupted
  • elimination of Unknown status
  • enhanced transfer efficiency (bandwidth usage)
  • dynamic control of concurrent file transfers
• Strengthen Password policies further
  • ability to mandate special characters
  • customizable list of disallowed passwords
  • password must be significantly different from previous one
• Security Best Practice Check Tool
  • assist your internal auditor to collect the data he needs
  • links system setup with Security Guidance controls
See Final Release Overview
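As an added illustration (not SWIFT's Alliance code and not part of the original deck), the three password-policy checks listed above expressed as one policy function. The minimum length, the disallowed word list and the similarity threshold are constructed placeholder values, and "significantly different" is measured with difflib's similarity ratio, which is one assumed way of expressing such a rule.

```python
import string
from difflib import SequenceMatcher

# Constructed policy values: the 7.2 slide names the three checks but gives no
# thresholds, so the numbers and the word list below are placeholders.
MIN_LENGTH = 12
SPECIAL_CHARS = set(string.punctuation)
DISALLOWED = {"password", "swift2017", "alliance", "welcome1"}  # the customisable list
MAX_SIMILARITY = 0.6  # above this ratio the new password is "not significantly different"

def similarity(old: str, new: str) -> float:
    """Similarity ratio in [0, 1] from difflib (matching-character based), case-insensitive."""
    return SequenceMatcher(None, old.lower(), new.lower()).ratio()

def check_password(new: str, previous: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is accepted.
    The previous password is compared in clear only because the operator has just typed
    it at change time; it is never stored for this purpose."""
    problems = []
    lowered = new.lower()
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in SPECIAL_CHARS for c in new):
        problems.append("no special character")
    if any(word in lowered for word in DISALLOWED):  # substring match, stricter than exact
        problems.append("contains a disallowed word")
    if previous and similarity(previous, new) > MAX_SIMILARITY:
        problems.append("too similar to the previous password")
    return problems
```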
Key messages to migrate successfully
• Verify / Create swift.com Accounts
• Study 7.2 Final release overview
• Assess impact – IPLA – Rebuilding can be required
• Budget / Plan
• Online training: "Release 7.2: Plan your project"
• Migration deadline (September 2018) approaches fast
• SWIFT will reach out to get planned migration dates
• SWIFT provides Migration Services
Release 7.2: Timeline and Services portfolio
Timeline (Q3 2015 to Q4 2018): Preliminary Release overview; Final Release overview; General distribution of Release 7.2; End of support for Release prior to 7.2
R7.2 Migration Packages!
• Technical Advice: Architecture reviews; Operational Excellence; TCO Analysis; Sourcing Study
• Implementation Services: Interfaces; Field Services; System Care – Custom Code for IPLA; Linux migration
• Training Services: SWIFTSmart; Tailored Training
• Support Services: Health Check; Support Packages; Support Options; Remote Support
Dan Moran
SWIFTSmart: A training solution for everyone
A changing world and workforce influence delivery of training:
• New working practices
• New technologies
• Flexible working patterns
• Multi generation teams
• Spread geographical teams
• Reduced training budgets
Source: Prediction 2016, A Bold New World of Talent, Learning, Leadership, and HR Technology Ahead – Bersin by Deloitte
A need for a different response
Top trends:
− Mobile learning
− Gamification
− Personalisation
− Cloud
− Dynamic multi media content
− Social learning
− Analytics
70/20/10 learning rule
88% learn more by finding info themselves
200+ Countries and territories
THINK 2020, ACT NOW
SWIFT embraces training evolution trends: from instructor based training to self-paced learning
New customer expectations: time & accessibility; content; price
Strategic requirements: reduce operational risks; improved operational efficiency; reduce onboarding time; time to market
Training formats:
• On-demand: on-site, web, syndicated, customised
• Public: SWIFT Institute
• Exception! Security bootcamp
SWIFTSmart, cornerstone of our new blended learning strategy
SWIFTSmart
• Self-paced learning
• Available through SWIFT.com
• Online/offline
• Automatic subscription
• Unlimited user access
Complemented by:
• On-demand training
• Public training
• Bootcamp
• Community training
Main features: Access, Select, Interact, Practice, Enjoy, Understand ... and multiple benefits for your institution
eLearning by categories
• About SWIFT
• Customer Security Programme
• Messages in the Payment Industry
• Messages in the Securities Industry
• Messages in the Trade Industry
• Products and Services Information
• Deploying and Managing SWIFT Software Solutions
• Working with Messages in Alliance Access
• Messaging Services and Standards
Curricula in the Academy
• Getting started with SWIFTSmart
• New to SWIFT (SWIFT Basics)
• Working with messages
  • With payments messages
  • With securities messages
  • With trade finance messages
  • With messages in Alliance Access
• Securing your operations
• Security officers tasks
• RMA operators tasks
• Alliance Access System administration
For each learning track there are three levels: associate, professional and expert, each associated with a badge.
eLearning languages: English, Spanish, French, Russian, Chinese, Japanese, German, Italian, Portuguese
Content organised for easy searching and smart learning paths
SWIFTSmart impact on Customer business
P&L / TCO: Lower Total Cost of Ownership
• Digital Learning: the bank has now unlimited access to all content for an unlimited number of users for 500€/year!
• Classroom: average price for 1 day course (incl. travel) for 1 single user: 1,000€ each time.
Operational efficiency: Faster on-boarding of newcomers
• Digital Learning: average time to follow all needed courses is ~3 months! (reduced by 75%, sometimes more)
• Classroom: average time to follow all needed courses is ~12 months
Learning experience and efficiency: Improved accessibility
• Digital Learning: anytime, anywhere.
• Classroom: only when scheduled & it was needed to travel
Summary (Classroom vs Digital Learning):
• Average cost: 10,000 EUR vs 500 EUR
• Onboarding time: 12 months vs 3 months
• Registration to delivery time: 3 to 6 months vs 0 months
SWIFTSmart live users: already a success after 3 months!
[Chart: live users from launch (Nov 14) through Dec 2, Jan 2, Feb 2 and Mar 2; values shown: 91, 1518, 3109, 4654, 6002]
Enjoy! Learn, Experiment
https://swiftsmart.swift.com