Last Attempt CSP-Assessor Questions

The "Outsourcing Agents - Security Requirements Baseline v2025" and "Swift Customer Security Controls Framework v2025" define provider categories and CSP impact. Let’s evaluate each option:

•Option A: The public cloud provider is considered a L2BA provider, and therefore not in scope of the CSP

This is incorrect. An L2BA (Lite2 Business Application) provider hosts the full SWIFT stack for users, but a public cloud provider offering a virtual machine is not an L2BA provider unless it provides the full service. The CSP still applies to the provider’s infrastructure.

•Option B: The public cloud provider is considered a SWIFT connectivity provider, and therefore not in scope of the CSP

This is incorrect. A SWIFT connectivity provider (e.g., Alliance Connect) is a specific role, but a public cloud provider (e.g., AWS) hosting a communication interface is an outsourcing agent, subject to CSP requirements.

•Option C: The public cloud provider is considered an outsourcing agent, and therefore in scope of the CSP

This is correct. The "Outsourcing Agents - Security Requirements Baseline v2025" classifies public cloud providers hosting SWIFT components (e.g., a virtual machine with Alliance Gateway) as outsourcing agents. The CSP impacts the provider by requiring them to secure the underlying infrastructure (e.g., Control 1.1), while the user secures the communication interface.

•Option D: This type of implementation is not allowed by the CSP

This is incorrect. The CSP permits cloud-based deployments, including user-installed components on public cloud VMs, as long as security controls are met.

Summary of Correct Answer:

The public cloud provider is an outsourcing agent, in scope of the CSP (C).

References to SWIFT Customer Security Programme Documents:

•Outsourcing Agents - Security Requirements Baseline v2025: Defines cloud providers as outsourcing agents.

•Swift Customer Security Controls Framework v2025: Applies controls to outsourced environments.

•CSP_controls_matrix_and_high_test_plan_2025: Includes cloud provider assessments.

========

The Customer Security Controls Framework (CSCF), part of the SWIFT Customer Security Programme, aims to enhance the security of the SWIFT ecosystem by defining mandatory and advisory security controls for users. The three main objectives are explicitly outlined in the CSCF documentation and reflect a holistic approach to security. Let’s evaluate each option:

•Option A: 1. Secure your environment, 2. Know and Limit Access, 3. Detect and Respond

This is correct. These three objectives align directly with the core principles of the CSCF:

oSecure your environment: This involves implementing controls to protect the SWIFT-related infrastructure (e.g., CSCF Control 1.1 SWIFT Environment Protection, 1.2 Physical Security) against unauthorized access and threats.

oKnow and Limit Access: This focuses on managing access controls and authentication (e.g., CSCF Control 2.2 External Transmission Security, 6.1 Security Awareness) to ensure only authorized personnel can interact with the SWIFT environment.

oDetect and Respond: This emphasizes monitoring and incident response (e.g., CSCF Control 4.1 Logging and 5.1 Operational Incident Response) to identify and mitigate security incidents. These objectives are explicitly stated in the "Swift Customer Security Controls Framework v2025" and reinforced across related documents like the "CSP_controls_matrix_and_high_test_plan_2025."

•Option B: 1. Restrict Internet Access and Protect Critical Systems from General IT Environment, 2. Reduce Attack Surface and Vulnerabilities, 3. Physically Secure the Environment

This is incorrect. While these are specific controls within the CSCF (e.g., Control 1.1, 2.3 System Hardening, 1.2), they are not the overarching objectives. They are implementation details rather than the high-level goals of the framework.

•Option C: 1. Secure and Protect, 2. Prevent and Detect, 3. Share and Prepare

This is incorrect. These terms are vague and do not match the official CSCF objectives. "Share and Prepare" is not a recognized objective, and the phrasing does not align with SWIFT documentation.

•Option D: 1. Raise pragmatically the security bar, 2. Maintain appropriate cyber-security hygiene, 3. React promptly

This is incorrect. While these concepts are related to security improvement, they are not the specific objectives outlined in the CSCF. The language is more general and lacks the structured focus of the official objectives.

Summary of Correct Answer:

The three main objectives of the CSCF are to Secure your environment, Know and Limit Access, and Detect and Respond (A), as defined in the framework’s core principles.

References to SWIFT Customer Security Programme Documents:

•Swift Customer Security Controls Framework v2025: Outlines the three main objectives (Secure, Know and Limit, Detect and Respond).

•CSP_controls_matrix_and_high_test_plan_2025: Aligns controls with these objectives.

•Independent Assessment Framework: Supports the assessment of these objectives.

========

This question examines the applicability of internet access restrictions under theSwift Customer Security Controls Framework (CSCF) v2024.

Step 1: Understand Internet Access Restrictions

Control 2.6: Internet Accessibility Restrictionof theCSCF v2024requires restricting internet access for Swift-related components to minimize exposure, applicable to both secure zones and other in-scope systems.

Step 2: Analyze the Statement

The question asks if the restriction is only relevant when Swift-related components are in a secure zone, implying a scope limitation.

Step 3: Evaluate Each Option

A. Yes, because if there is no secure zone then the internet connectivity does not need to be restrictedIncorrect.Control 2.6applies to all in-scope components, not just those in secure zones. For example, operator PCs accessing hosted applications (e.g., via A3 architecture) must have restricted internet access, per theSwift Security Best Practices.Conclusion: Incorrect.

B. No, because there can be in-scope general operator PCs used to access a Swift-related application hosted at a service providerCorrect. General operator PCs (e.g., Component B in the diagram) are in scope when accessing Swift applications (e.g., hosted by a service provider in A3 architecture).Control 2.6requires internet restriction for these systems, even outside a secure zone, as confirmed in theCSCF v2024andSwift Outsourcing Guidelines.Conclusion: Correct.

Step 4: Conclusion and Verification

The correct answer isB, asControl 2.6mandates internet access restrictions for all in-scope components, including operator PCs accessing hosted Swift applications, not just those in secure zones.

References

Swift Customer Security Controls Framework (CSCF) v2024, Control 2.6: Internet Accessibility Restriction.

Swift Security Best Practices, Section: Internet Access Controls.

Swift Outsourcing Guidelines, Section: Operator PC Security.