New Release CSP-Assessor Customer Security Programme (CSP) Questions

CSCF Control "1.1 SWIFT Environment Protection" aims to secure the SWIFT infrastructure by isolating it from external threats and internal risks. The "Swift Customer Security Controls Framework v2025" details its objectives. Let’s evaluate each option:

•Option A: Restrict malicious access from external sources

This applies. Control 1.1 requires isolating the SWIFT secure zone from external sources (e.g., the Internet) to prevent malicious access, such as malware or unauthorized intrusions.

•Option B: Forbids any interactive sessions towards the SWIFT infrastructure

This does not apply. Control 1.1 does not forbid all interactive sessions. It allows controlled interactive access (e.g., via jump servers) for administrative purposes, provided sessions are secured (e.g., encrypted per Control "2.1 Internal Data Transmission Security"). The "CSP_controls_matrix_and_high_test_plan_2025" permits interactive sessions with proper controls.

•Option C: Limit risks of privileged accounts compromise

This applies. Control 1.1 includes measures to secure privileged accounts (e.g., by enforcing strong authentication and role-based access control) to prevent compromise, aligning with CSCF principles.

•Option D: Limit risks of lateral movement

This applies. Control 1.1 aims to segment the SWIFT environment from the general IT environment, reducing the risk of lateral movement by attackers within the network.

Summary of Correct Answer:

Forbidding any interactive sessions (B) does not apply, as Control 1.1 allows controlled interactive access.

References to SWIFT Customer Security Programme Documents:

•Swift Customer Security Controls Framework v2025: Control 1.1 objectives include restricting access and limiting risks, but not banning interactive sessions.

•CSP_controls_matrix_and_high_test_plan_2025: Confirms controlled interactive sessions are permitted.

•Independent Assessment Framework: Assesses secure access controls under 1.1.

========

The "Swift Customer Security Controls Framework v2025" and "Independent Assessment Framework" define the scope of controls to be assessed based on the user’s architecture type (A1-A4). Let’s evaluate each option:

•Option A: Yes

This is incorrect. Not all controls (mandatory and advisory) must be assessed; only those applicable to the user’s architecture and attested to are required, per the "CSP Architecture Type - Decision tree."

•Option B: No, only the mandatory controls

This is incorrect. While mandatory controls must be assessed, users may also attest to advisory controls voluntarily, and these must be included in the assessment if attested, as per the "Assessment template for Mandatory controls" and "Assessment template for Advisory controls."

•Option C: No, only the attested controls (with as a minimum the mandatory ones according to the architecture type)

This is correct. The CSP requires assessment of all mandatory controls applicable to the user’s architecture type, plus any advisory controls the user chooses to attest to. The "Independent Assessment Process for Assessors Guidelines" and "Swift_CSP_Assessment_Report_Template" confirm that the assessment focuses on attested controls, ensuring minimum mandatory coverage.

•Option D: No, the controls selection is agreed upfront between the SWIFT User and the assessor

This is incorrect. Control selection is not negotiable; it is determined by the architecture type and user attestation, not an ad-hoc agreement, as per the "CSP Architecture Type - Decision tree."

Summary of Correct Answer:

Only the attested controls, with a minimum of mandatory ones per architecture type, must be assessed (C).

References to SWIFT Customer Security Programme Documents:

•Swift Customer Security Controls Framework v2025: Defines mandatory and advisory controls.

•Independent Assessment Framework: Focuses on attested controls.

•CSP Architecture Type - Decision tree: Guides control applicability.

This question addresses the eligibility of a SWIFT CSP Certified Assessor who leaves a listed provider to continue performing assessments independently:

Step 1: SWIFT CSP Assessor Certification Rules

The SWIFT CSP Independent Assessment Framework (IAF) specifies that assessors must be certified and affiliated with a SWIFT-approved provider listed in the Directory of CSP Assessment Providers. Certification is tied to the individual but exercised through the provider’s accreditation.

Step 2: Impact of Leaving a Provider

When an assessor leaves a listed provider, they lose the organizational backing required to conduct official CSP assessments. The IAF states that "assessments must be performed by approved providers," and independent operation without SWIFT’s formal re-approval or affiliation with another provider is not permitted, even during the certification validity period.

The "Swift Customer Security Controls Policy" and "Independent Assessment Framework" outline the consequences of non-compliance with the CSP. Let’s evaluate each option:

•Option A: To be reported to their supervisors (if applicable)

This does not apply. Non-compliance is managed by SWIFT, not internal reporting to supervisors, unless specified by the user’s internal governance (not a CSP requirement).

•Option B: To be seen as non-compliant to their counterparts in KYC-SA

This applies. Non-compliance is reflected in the KYC-SA portal, where counterparties can view the user’s status, impacting trust and business relationships, as per the "Independent Assessment Framework."

•Option C: To be contacted by SWIFT to provide the CSP assessment report and detailed information about the reason of non-compliance

This applies. SWIFT engages with non-compliant users, requesting assessment reports and remediation plans, as outlined in the "Swift_CSP_Assessment_Report_Template" and "Independent Assessment Process for Assessors Guidelines."

•Option D: To be delisted from the BIC directory

This does not apply. Delisting is an extreme measure not automatically triggered by non-compliance; it requires persistent failure to remediate after engagement, which is not guaranteed.

Summary of Correct Answers:

Possible impacts include being seen as non-compliant in KYC-SA (B) and being contacted by SWIFT for reports (C).

References to SWIFT Customer Security Programme Documents:

•Independent Assessment Framework: Details non-compliance impacts.

•Swift_CSP_Assessment_Report_Template: Supports SWIFT follow-up.

•CSP_controls_matrix_and_high_test_plan_2025: Reflects KYC-SA visibility.

========