Control Definition
Control Objective: Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications.
In-scope components:
Interactive user, operator or management sessions performed from
- dedicated and general-purpose operator PC
- jump server
- any other intermediate host accessed or used from any of the above
to connect to
- Jump server or any other intermediate host accessed or used from any of the above
- systems hosting a SWIFT-related component (including interface, GUI, SWIFT and customer connectors)
- network devices protecting the secure zone
- management console (also called the hypervisor manager) of a virtualisation platform hosting SWIFT related components (including SWIFT and customer connector)
- interface applications, GUI and SWIFT or customer connector in the secure zone
- applications at the service provider
- HSM
- [Advisory A1/A2/A3: the middleware server (such as an IBM® MQ server or similar) used for data exchange between back-office and SWIFT-related components]
- [Advisory A4: middleware server (such as an IBM® MQ server or similar) other than the customer connector, used for data exchange between back-office and SWIFT-related components]
Risk Drivers:
- loss of operational confidentiality
- loss of operational integrity
- password theft
Implementation Guidance
Control Statement:
The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded.
Control Context:
Operator sessions, through the jump server when used with the local or external SWIFT infrastructure, pose a unique threat because unusual or unexpected activity is more difficult to detect during interactive sessions than it is during application-to-application activity. Therefore, it is important to protect the integrity and confidentiality of these operator sessions to reduce any opportunity for misuse or password theft. When used, access to the virtualisation layer (hypervisor manager) must be similarly protected.
Implementation Guidelines:
The implementation guidelines are common methods to apply the relevant control. The guidelines are a helpful way to begin an assessment, but should never be considered as an "audit checklist" as each user’s implementation may vary. Therefore, in cases where some implementation guidelines elements are not present or partially covered, mitigations as well as particular environment specificities must be considered to properly assess the overall compliance adherence level (as per the suggested guidelines or as per the alternatives).
- All interactive sessions are protected by a cryptographic protocol (for example, ssh, https with one-way TLS).
- Protocols use a current, commonly accepted cryptographic algorithm (for example, AES or ECDHE), with key lengths in line with the current best practices. More guidelines on cryptographic algorithms that support secure protocols can be found in SWIFT Knowledge Base article 5021566.
- Operator sessions and other session types (for example, admin or maintenance) possess an inactivity lock-out feature that limits the session to the minimal time frame necessary to perform business-as-usual duties.
- If the inactivity lock-out is not implemented at the application level, then it should be implemented at the operating system level of the application, or on the jump server.
- The communication between the jump server (when used) and the SWIFT-related components or underlying systems, is protected using a secure mechanism (for example, one-way or two-way TLS) to support the confidentiality and integrity of the user’s connection to the applications or the underlying systems.
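One way to check the first two guidelines on an ssh-based jump server, as an added example that is not part of the control text: the script audits the global `Ciphers` and `KexAlgorithms` lines of an OpenSSH `sshd_config` against an allow-list. The allow-list and both sample configurations are assumptions constructed for illustration; substitute the algorithm list from your own policy.

```python
# Added example: allow-lists below are assumptions, not SWIFT's published list.
ALLOWED = {
    "ciphers": {"aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                "aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "kexalgorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org",
                      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                      "ecdh-sha2-nistp521"},
}

# Constructed sample configurations (not taken from any real host).
WEAK = """\
Port 22
Ciphers aes256-ctr,3des-cbc,aes128-cbc
KexAlgorithms diffie-hellman-group1-sha1,ecdh-sha2-nistp256
"""
HARDENED = """\
# jump server, global section
Ciphers aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp384
"""

def parse_global(text):
    """Return {keyword: value} for the global section; first value wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        if parts[0].lower() == "match":
            break  # conditional Match blocks are out of scope for this check
        settings.setdefault(parts[0].lower(), parts[1])
    return settings

def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    settings, findings = parse_global(text), []
    for key, allowed in ALLOWED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set, server falls back to build defaults")
        elif value[0] in "+-^":
            findings.append(f"{key}: modifies defaults, effective list unknown")
        else:
            findings += [f"{key}: {a.strip()} not in allow-list"
                         for a in value.split(",") if a.strip() not in allowed]
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "pass")
```

A missing directive or a `+`/`-`/`^` modifier is reported rather than passed, because the effective algorithm list then depends on the installed OpenSSH build and cannot be read from the file alone.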