Control Definition
Control Objective: Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results.
In-scope components:
- Jump server
- Dedicated operator PCs
- [Advisory: General-purpose operator PCs, as per the optional enhancement]
- All systems hosting a SWIFT-related component (including interface, GUI, SWIFT and customer connectors)
- [Advisory: Local or remote (hosted or operated by a third party, or both) virtualisation platform (also referred to as the hypervisor) hosting SWIFT-related VMs, and their management PCs, as per the optional enhancement]
- [Advisory A1/A2/A3: Middleware server (such as an IBM® MQ server or similar) used for data exchange between back-office and SWIFT-related components]
- [Advisory A4: Middleware server (such as an IBM® MQ server or similar), other than the customer connector, used for data exchange between back-office and SWIFT-related components]
Risk Drivers:
- exploitation of known security vulnerabilities
Implementation Guidance
Control Statement:
Secure zone systems (including dedicated operator PCs) are scanned for vulnerabilities using an up-to-date, reputable scanning tool, and the results are assessed for appropriate remediation actions.
Control Context:
The detection of known vulnerabilities allows vulnerabilities to be analysed, treated, and mitigated. The mitigation of vulnerabilities reduces the number of pathways that a malicious actor can use during an attack. A vulnerability scanning process that is comprehensive, repeatable, and performed in a timely manner is necessary to continuously detect known vulnerabilities and to allow for further action.
Implementation Guidelines:
The implementation guidelines are common methods to apply the relevant control. The guidelines are a helpful way to begin an assessment, but should never be considered an "audit checklist", as each user's implementation may vary. Therefore, where some implementation guideline elements are absent or only partially covered, mitigations and the specifics of the particular environment must be considered to properly assess the overall level of compliance (as per the suggested guidelines or as per the alternatives).
- Vulnerability scanning is performed at least annually or after any significant change to the environment (for example, introduction of new servers or components, and network design changes that modify or increase the range of in-scope components).
- Vulnerability scanning tools are from a reputable vendor and are updated with scan profiles within one month prior to scanning.
- The most appropriate type of vulnerability scanning (such as using credentials) is selected for the environment. Any administrative credentials used for scanning are appropriately protected.
- Sufficient risk-based safeguards are in place to minimise any operational impact (for example, running scans in safe mode, or omitting systems that may be negatively affected from the scan).
- Beyond vulnerability identification through scanning, all penetration tests or effective vulnerability tests on or through SWIFT-related services and products are consistent with the SWIFT Customer Testing Policy.
- The outcome of the vulnerability scanning is documented (with restricted access) and analysed for appropriate action and remediation (such as applying security updates in line with control 2.2).
- Scanning once per quarter, once per month, or continuously in real time (preferred) is recommended.
Optional Enhancements:
- Vulnerability scanning includes network devices protecting the secure zone (such as routers and switches).
- Vulnerability scanning includes the general-purpose operator PCs used to connect to the local or service provider's SWIFT infrastructure. As an alternative, security updates are regularly applied on the general-purpose operator PCs. In the latter case, only supported and regularly patched applications are deployed on those PCs.
- Vulnerability scanning may also include the local or remote (hosted or operated by a third party, or both) virtualisation platform that hosts the SWIFT-related VMs.
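As an added illustration (not part of the CSCF control text), the following Python checker applies the implementation guidelines above to a constructed scan inventory: annual or post-change scan cadence, scan profiles refreshed within one month before the scan, the scan type selected (credentialed or not), documented outcomes, and components omitted with a documented risk-based justification. The `ScanRecord` and `Component` fields, host names and dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed evidence model (not from the CSCF text): one row per scan run.
@dataclass
class ScanRecord:
    host: str
    scan_date: date
    profile_update_date: date   # when the tool's scan profiles were last refreshed
    credentialed: bool          # scan type selected for the environment
    outcome_documented: bool    # results recorded (restricted access) for remediation

@dataclass
class Component:
    name: str
    omission_justified: bool = False  # risk-based safeguard: omitted with documented reason

def assess_component(component, scans, as_of, last_significant_change=None):
    """Return the list of guideline gaps for one in-scope component."""
    host_scans = [s for s in scans if s.host == component.name]
    if not host_scans:
        return [] if component.omission_justified else ["never scanned and omission not justified"]
    latest = max(host_scans, key=lambda s: s.scan_date)
    gaps = []
    if as_of - latest.scan_date > timedelta(days=365):
        gaps.append("last scan older than one year")
    if last_significant_change and latest.scan_date < last_significant_change:
        gaps.append("no scan since the last significant change")
    if latest.scan_date - latest.profile_update_date > timedelta(days=31):
        gaps.append("scan profiles older than one month at scan time")
    if not latest.credentialed:
        gaps.append("uncredentialed scan; confirm the scan type was chosen deliberately")
    if not latest.outcome_documented:
        gaps.append("scan outcome not documented for remediation")
    return gaps

def assess_environment(components, scans, as_of, last_significant_change=None):
    return {c.name: assess_component(c, scans, as_of, last_significant_change)
            for c in components}
# Constructed sample data for a small secure zone.
AS_OF = date(2024, 6, 30)
LAST_CHANGE = date(2024, 3, 1)            # e.g. a new interface server was introduced
COMPONENTS = [Component("jump-server"), Component("operator-pc-01"),
              Component("swift-interface"), Component("hsm-mgmt-pc", omission_justified=True)]
SCANS = [
    ScanRecord("jump-server", date(2024, 5, 15), date(2024, 5, 10), True, True),
    ScanRecord("operator-pc-01", date(2024, 2, 1), date(2023, 11, 1), False, True),
    ScanRecord("swift-interface", date(2023, 4, 1), date(2023, 3, 20), True, False),
]
```

Calling `assess_environment(COMPONENTS, SCANS, AS_OF, LAST_CHANGE)` returns an empty gap list for the compliant jump server and the justified omission, and names the specific guideline gaps for the other two hosts.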