Control Definition
Control Objective: Validate the operational security configuration and identify security gaps by performing penetration testing.
In-scope components:
- General-purpose operator PCs or, when used, jump servers used to access the secure zone
- Dedicated operator PCs
- Data exchange layer (consider both the entry points to the secure zone and the flows established to the secure zone components)
- SWIFT-related components (including interfaces, GUI, SWIFT and customer connectors)
- Systems or virtual machines hosting SWIFT-related components
- Network devices protecting the secure zone
- Remote (operated by a third party) Virtualisation Platform (also referred to as the hypervisor) hosting SWIFT-related VMs and the related management PCs
Note: Tests are performed in line with the SWIFT Customer Testing Policy. As such, SWIFT-specific applications and SWIFT-central services such as SWIFTNet InterAct, FileAct, FIN, SWIFTNet Instant or WebAccess are not to be tested.
Risk Drivers:
- Unknown security vulnerabilities or security misconfigurations
Implementation Guidance
Control Statement:
Application, host, and network penetration testing is conducted towards the secure zone and the operator PCs or, when used, the jump server.
Control Context:
Penetration testing is based on simulated attacks that use techniques and tooling comparable to those used in real attacks. It is used to determine the pathways that attackers might use, and the depth to which attackers could reach into the targeted environment. Conducting these simulations is an effective way of identifying weaknesses in the environment which may require correction, improvement, or additional controls.
Implementation Guidelines:
The implementation guidelines are common methods to apply the relevant control. The guidelines are a helpful way to begin an assessment, but should never be considered as an "audit checklist", as each user's implementation may vary. Therefore, in cases where some implementation guideline elements are not present or only partially covered, mitigations as well as the specificities of the particular environment must be considered to properly assess the overall level of compliance (as per the suggested guidelines or as per the alternatives).
- The organisation uses a risk-based approach to determine the preferred scope (for example, the whole secure zone, or a specific server including other services that support the secure zone), method (for example, black-box or white-box testing, that is, whether or not the internal structure, design or implementation is shared with the testers) and attack origin (for example, internal, from within or outside the secure zone, or external) for the test.
- Penetration testing is performed at least every two years, and ideally also after significant changes to the environment (for example, introduction of new or different servers, new operating systems, new underlying technology such as virtualisation or new network device technology, or a network design change).
- Penetration testing is carefully planned and performed to avoid potential availability or integrity impacts.
- Penetration testing is performed by expert staff independent of the team in charge of the SWIFT infrastructure (an internal Red Team or external resources).
- Network device and host penetration testing (for example, review of rule bases and configurations) is performed in the production environment or in a pre-production environment that replicates the live environment.
- Sufficient safeguards are in place to minimise any operational impact from conducting the penetration test.
- The outcome of the penetration testing is documented (with restricted access) and used as an input for the security update process.
Note: The CSP FAQ (SWIFT Knowledge Base article 5021823) provides additional details on the scoping and the testing scenarios to consider.
Optional Enhancement:
Penetration testing is performed on SWIFT-specific applications while adhering to the SWIFT Customer Testing Policy. This SWIFT-specific application penetration testing is performed in the testing environment to avoid potential availability or integrity impacts.