Control Definition
Control Objective: Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage.
In-scope components:
- dedicated and general-purpose operator PC, including removable equipment
- jump server
- local or remote (hosted or operated by a third party, or both) hardware hosting a SWIFT-related component (including interface, GUI, SWIFT and customer connectors)
- local or remote (hosted or operated by a third party, or both) hardware supporting virtualisation platform (also referred to as the hypervisor) and hosting SWIFT-related VMs
- [Advisory A1/A2/A3: Middleware server (such as an IBM® MQ server or similar) used for data exchange between back-office and SWIFT-related components]
- [Advisory A4: other Middleware server (such as an IBM® MQ server or similar) than customer connector used for data exchange between back-office and SWIFT-related components]
- Alliance Connect SRX VPN boxes and Alliance Connect Virtual VPN instances
Note: Alliance Connect SRX VPN boxes and Alliance Connect Virtual VPN instances (hosting systems or machines) must also be in an environment with appropriate physical controls as described below.
Risk Drivers:
- lack of traceability
- unauthorised physical access
Implementation Guidance
Control Statement:
Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage.
Control Context:
Implementing physical security controls protects against insider and external threats, and reduces opportunistic attacks enabled by access to physical systems.
Implementation Guidelines:
The implementation guidelines are common methods to apply the relevant control. The guidelines are a helpful way to begin an assessment, but should never be considered an "audit checklist", as each user's implementation may vary. Therefore, in cases where some implementation guideline elements are not present or are only partially covered, mitigations as well as the specifics of the particular environment must be considered to properly assess the overall level of compliance (as per the suggested guidelines or as per the alternatives).
- Security of Removable Equipment
  - Sensitive removable equipment, such as PIN Entry Devices (PEDs), PED keys, SWIFT-related smart cards, USB tokens, and (time-based) one-time password ((T)OTP) devices, is supervised or securely stored when not in use.
  - Sensitive removable equipment required for normal continuous operations (for example, hot-swappable disks or HSM devices) is hosted in a data centre or, at a minimum, in a locked room.
  - Back-up media (for example, tapes) are physically secured.
- Security of the Workplace Environment
  - Operator PCs are located in a secured workplace environment where access is controlled and granted only to employees and other authorised workers and visitors. A separate physical area for operator PCs to access SWIFT systems is not required.
  - Printers used for SWIFT transactions are located in a secured workplace environment and their access is restricted.
  - USB ports and other external access points on operator PCs are disabled to the maximum extent possible, while continuing to support operations (for example, when tokens are required to authenticate users or message operations).
- Security for Remote Workers (for example, teleworkers or "on call" operations staff)
  - A security policy is established to support expected use cases for remote workers. The following items are considered when establishing the policy:
    - physical security of the expected teleworking environment
    - rules for personal equipment used for SWIFT business purposes (for example, personal PCs cannot be used to access the SWIFT infrastructure; however, personal mobile devices can be used as a second authentication factor)
    - security during use in public environments
    - security during public and private transport
    - equipment storage
    - unauthorised access to equipment (for example, from family or friends)
    - remote access requirements (recommended: VPN with multi-factor authentication)
    - protection of mobile devices used for authentication, such as (T)OTP (recommended: enabling password and auto-lock features)
    - compensating controls (for example, virtual desktop preventing local storage, full-disk encryption)
    - reporting of security incidents (for example, theft) while working remotely
- Security of the Server Environment
  - Servers are hosted in a data centre or, at a minimum, in a locked room with limited and controlled access (for example, using access control cards or biometrics).
  - Ideally, servers are rack-mounted. A risk assessment is conducted to determine whether a separate and exclusive rack, or the locking of the rack, is appropriate based on the existing data centre physical access controls.
  - The server environment has video surveillance with movement detection and recording equipment. The implementation of video surveillance recording and the retention of images comply with applicable laws and regulations. Ideally, images are retained for at least three months.
  - No physical reference to SWIFT on servers (for example, labels).
  - External ports (for example, USB, serial bus) on servers are disabled to the maximum extent possible while still supporting operations.
- Physical Access Logging and Review
  - Physical access to sensitive equipment areas (for example, data centre, secured storage) is logged.
  - Physical access logs are available for audit and investigations, and are retained for a minimum of 12 months and in compliance with applicable laws and regulations.
  - Physical access is promptly revoked (or modified) when an employee changes roles or leaves the organisation.
  - Physical access control lists are reviewed at least annually.
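The logging-and-review guideline above can be turned into a periodic check: reconcile badge-reader log entries against the physical access control list, flag grants to badges that should have been revoked (leavers) or modified (movers), and confirm the 12-month retention and annual review deadlines. The script below is an added example, not part of the SWIFT guidance; the badge identifiers, area names, log format and dates are all constructed for illustration.

```python
"""Review physical access logs against the access control list (constructed sample data)."""
from datetime import date, datetime, timedelta

# Constructed access control list: badge -> authorised areas and access end date (None = active).
ACL = {
    "B1001": {"name": "A. Operator", "areas": {"DC-1", "STORE"}, "end": None},
    "B1002": {"name": "B. Leaver", "areas": {"DC-1"}, "end": date(2024, 3, 31)},  # left the organisation
    "B1003": {"name": "C. Mover", "areas": {"STORE"}, "end": None},  # role changed: DC-1 removed
}

# Constructed badge-reader log lines: timestamp, badge, area, result.
LOG = """\
2024-04-02T08:05:11 B1001 DC-1 GRANTED
2024-04-02T08:07:40 B1002 DC-1 GRANTED
2024-04-02T09:15:02 B1003 DC-1 GRANTED
2024-04-02T09:16:30 B1003 STORE GRANTED
2024-04-03T22:41:09 B9999 DC-1 DENIED
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, badge, area, result) tuples."""
    rows = []
    for line in text.splitlines():
        ts, badge, area, result = line.split()
        rows.append((datetime.fromisoformat(ts), badge, area, result))
    return rows

def find_exceptions(rows, acl):
    """Return (timestamp, badge, reason) for grants that the ACL does not justify."""
    findings = []
    for ts, badge, area, result in rows:
        if result != "GRANTED":
            continue  # denied attempts stay in the log for investigation but are not exceptions here
        holder = acl.get(badge)
        if holder is None:
            findings.append((ts, badge, "unknown badge granted access"))
        elif holder["end"] is not None and ts.date() > holder["end"]:
            findings.append((ts, badge, "access not revoked after leaving"))
        elif area not in holder["areas"]:
            findings.append((ts, badge, f"not authorised for {area}"))
    return findings

def retention_ok(rows, today, months=12):
    """True if the oldest retained entry reaches back at least `months` months from `today`."""
    oldest = min(ts for ts, *_ in rows)
    return oldest.date() <= today - timedelta(days=30 * months)

def review_due(last_review, today):
    """True if the ACL has not been reviewed within the last year."""
    return (today - last_review).days > 365
```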