Control Definition
Control Objective: To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT environment by performing regular staff screening.
In-scope components:
- All staff (such as employees, agents, consultants and contractors) with operational (maintenance or administration) access to SWIFT-related systems, SWIFT and customer connector or middleware servers, and the local or remote virtualisation platform hosting SWIFT-related VMs, SWIFT and customer connector VMs, or middleware server VMs.
Risk Drivers:
- untrustworthy staff or system operators
Implementation Guidance
Control Statement:
Staff operating the local SWIFT infrastructure are screened prior to initial appointment in that role and periodically thereafter.
Control Context:
A staff screening process, with internal or external clearance, provides additional assurance that operators and administrators of the local SWIFT infrastructure are trustworthy, and reduces the risk of insider threats.
Implementation Guidelines:
The implementation guidelines are common methods to apply the relevant control. The guidelines are a helpful way to begin an assessment but should never be considered an "audit checklist", as each user's implementation may vary. Therefore, in cases where some implementation guideline elements are not present or only partially covered, mitigations as well as particular environment specificities must be considered to properly assess the overall compliance adherence level (as per the suggested guidelines or as per the alternatives).
To the extent permitted under applicable laws and regulations, and considering local practices and available information, the following guidelines and specified verifications are recommended:
- All in-scope staff are screened at least every 5 years.
- For those already in the role and not yet screened, a catch-up process is gradually organised as part of the periodic screening (sometimes also referred to as re-screening).
- The screening process for initial employment includes the following verifications:
- Identity verification
- Confirmation of full details of qualifications
- Confirmation of previous employment history
- Details of any past or pending civil or criminal proceedings against the employee
- Validation of any involvement in external businesses that could result in a conflict of interest
- Financial credit verification
- The periodic screening process includes the following verifications:
- Details of any pending civil or criminal proceedings against the employee
- Validation of any involvement in external businesses that could result in a conflict of interest
- Financial credit verification
Note: for staff not directly employed by the SWIFT user (such as agents, contractors or consultants), the screening can be covered by a contractual obligation between the SWIFT user and the staff member's employer.