Control Definition
Control Objective: Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios.
In-scope components:
- Organisational control (people, processes, and infrastructure), which must also be met by a third party operating a remote virtualisation platform (also known as a hypervisor) that hosts SWIFT-related VMs.
Risk Drivers:
- excess harm from deficient cyber readiness
- unidentified sensitivity to cyber exposure
Implementation Guidance
Control Statement:
Scenario-based risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation’s security programme.
Control Context:
Scenario-based risk assessments, including cyber wargames, test attacks against existing systems and processes that target the hosted SWIFT infrastructure. They include both technical and business-driven exercises performed as part of the institution's risk management.
These assessments cover the following threats: end-user impersonation, message tampering, message eavesdropping, third-party software weaknesses, system compromise, and Denial of Service (DoS) attacks affecting service availability. The assessment results, considered together with existing mitigations, help identify areas of risk that may require further action, additional mitigations, or an update of the cyber-incident response plan.
Identified actions, mitigations, or updates must be reported and closed according to their criticality as per the Information Security Risk Management (ISRM) process.
Several ISRM frameworks exist (such as the CIS Critical Security Controls) and can be consulted to define the user's own ISRM process and resources. These frameworks can be used to implement a basic risk management process, which is then enhanced to address the user's specific risks.
Implementation Guidelines:
The implementation guidelines are common methods to apply the relevant control. They are a helpful way to begin an assessment, but should never be treated as an "audit checklist", as each user's implementation may vary. Therefore, where some implementation guideline elements are absent or only partially covered, the mitigations in place and the specifics of the environment must be considered to properly assess the overall adherence level (whether against the suggested guidelines or against the alternatives).
- A scenario-based risk assessment and planning activity is conducted to:
  - identify possible methods for adversaries to gain unauthorised access to the local SWIFT infrastructure, based on observed adversary techniques or plausible techniques inferred from adversaries' motivations and capabilities
  - analyse the effectiveness of existing prevention and detection controls in mitigating the anticipated techniques for gaining unauthorised access to the environment
  - analyse the probability and impact of significant and plausible attack vectors, given existing controls
  - analyse the effectiveness of existing response controls in limiting the impact of those significant and plausible attack vectors
  - identify the need for additional preventive or detective controls
- The assessment and planning activity is conducted at least annually, and is updated through ongoing risk management activities, when significant technology changes occur, or when threat intelligence indicates relevant changes in an applicable adversary's capabilities or motivations.
- Current threat intelligence and observed or likely attacks (vectors, techniques, actors) are used as the basis for the scenarios.
- Each asset class (end-user devices, servers, network devices) is assessed against threats on a regular basis and when changes are introduced or when new threats are identified.