Online CSP-Assessor Questions Video

In an Infrastructure as a Service (IaaS) cloud model, such as SWIFT’s Alliance Cloud, the cloud provider is responsible for the underlying infrastructure (e.g., hardware, virtualization layer, network) while the customer manages the applications and data. The SWIFT CSP, particularly the "Outsourcing Agents - Security Requirements Baseline v2025" and "Swift Customer Security Controls Framework v2025," outlines the responsibilities of cloud providers. Let’s evaluate each option:

•Option A: The cloud provider must cover all CSCF controls applicable to the related in-scope components for which the cloud provider is responsible (such as the underlying infrastructure in line with appendix G)

This is correct. In an IaaS model, the cloud provider is responsible for securing the underlying infrastructure (e.g., physical servers, network, virtualization layer) that hosts the SWIFT components. Appendix G of the CSCF (or related outsourcing guidelines) specifies the controls the provider must implement, such as those under CSCF Control "1.1 SWIFT Environment Protection" and "2.3 System Hardening." The provider must ensure these controls are met for the infrastructure it manages.

•Option B: The cloud provider must give comfort of control implementation effectiveness on the virtualization layer hosting the SWIFT users' components

This is correct. The virtualization layer (e.g., hypervisors) is part of the IaaS provider’s responsibility, and the provider must provide assurance (e.g., through audits or reports) that security controls are effectively implemented. This aligns with CSCF requirements for outsourcing agents, ensuring the virtualization layer supports the SWIFT secure zone, as noted in the "Independent Assessment Framework."

•Option C: The cloud provider must give full assurance on the change management process of the SWIFT-users' components/applications deployed by the user

This is incorrect. Change management for the SWIFT-users' components (e.g., Alliance Access configurations) is the customer’s responsibility in an IaaS model. The cloud provider is not accountable for the applications deployed by the user, only for the underlying infrastructure. The "Outsourcing Agents - Security Requirements Baseline v2025" clarifies this boundary.

•Option D: The cloud provider must give comfort regarding the resiliency put in place to ensure continuity of SWIFT connectivity service

This is incorrect as a primary key element. While resiliency is important (e.g., CSCF Control 1.1), it is a broader operational concern rather than a specific IaaS responsibility. The provider ensures infrastructure availability, but continuity of SWIFT connectivity is a shared responsibility, with the customer managing the communication interface (e.g., Alliance Gateway).

Summary of Correct Answers:

The key elements for a cloud provider in an IaaS model are covering applicable CSCF controls for the infrastructure (A) and providing comfort on the effectiveness of controls on the virtualization layer (B).

References to SWIFT Customer Security Programme Documents:

•Swift Customer Security Controls Framework v2025: Defines responsibilities in cloud models (Control 1.1, Appendix G).

•Outsourcing Agents - Security Requirements Baseline v2025: Outlines provider responsibilities in IaaS.

•Independent Assessment Framework: Requires assurance on virtualization layer security.

========

This question addresses the obligations of Swift users regarding the submission of assessment-related documents to Swift under the Customer Security Programme (CSP).

Step 1: Understand CSP Assessment Submission Requirements

TheSwift Customer Security Controls Framework (CSCF) v2024and theIndependent Assessment Frameworkoutline the process for CSP assessments, including what must be submitted to Swift. The focus is on ensuring compliance through attestation, with specific deliverables defined.

Step 2: Evaluate Each Option

A. Yes, all documents produced from the assessment must be provided proactively to SwiftThis is incorrect. TheIndependent Assessment Frameworkdoes not require proactive submission of all assessment documents (e.g., detailed reports, working papers). Only the completion letter and attestation are typically submitted unless otherwise requested by Swift.Conclusion: Incorrect.

B. No, it is not required to provide Swift with any documents by default. However, Swift can request a copy of the Assessment completion letterTheCSCF v2024andIndependent Assessment Frameworkstate that users are not required to proactively submit the full assessment report or other documents. However, Swift retains the right to request the completion letter (certifying assessment completion) or additional evidence during quality assurance reviews. This aligns with theSwift CSP Compliance Guidelines.Conclusion: Correct.

C. Yes, a copy of (only) the assessment report must be provided to Swift, no other documentsThis is incorrect. The full assessment report is not mandated for proactive submission; only the completion letter is typically required unless requested. TheIndependent Assessment Frameworkemphasizes the completion letter as the key deliverable.Conclusion: Incorrect.

D. Yes, in cases where a customer performs an Independent assessment rather than an audit then a copy of the assessment report must be provided. However, it is not required for the Swift user to provide any forms when an Internal/External Audit is performedThis is partially misleading. TheIndependent Assessment Frameworkdoes not distinguish between independent assessments and audits in terms of mandatory report submission. For both, the completion letter is the default submission, with reports requested only if needed. The differentiation based on assessment type is not supported byCSCF v2024guidelines.Conclusion: Incorrect.

Step 3: Conclusion and Verification

The correct answer isB, as theCSCF v2024andIndependent Assessment Frameworkdo not require proactive submission of the full assessment report, but Swift can request the completion letter as part of its oversight process.

References

Swift Customer Security Controls Framework (CSCF) v2024, Section: Independent Assessment Requirements.

Swift Independent Assessment Framework, Section: Deliverables and Submission.

Swift CSP Compliance Guidelines, Section: Document Submission Rules.

=========================

This question identifies which operator session flows must be protected for confidentiality and integrity under theSwift Customer Security Controls Framework (CSCF) v2024.

Step 1: Understand Session Protection Requirements

TheCSCF v2024, underControl 2.4: Secure Session Management, mandates that all sessions involving access to Swift-related components or secure zones must be protected using strong encryption (e.g., TLS) and integrity controls to prevent unauthorized access or data tampering. This applies to operator and administrator sessions interacting with the Swift environment.

Step 2: Evaluate Each Option

A. System administrator sessions towards a host running a Swift related componentAdministrator sessions to hosts running Swift components (e.g., Alliance Access, Gateway) are in scope, as they require protection perControl 2.4to ensure confidentiality and integrity of administrative actions.Conclusion: Correct.

B. All sessions to and from a jump server used to access a component in a secure zoneJump servers are used to access secure zones (perControl 1.1: Swift Environment Protection), and all sessions to and from them must be encrypted and integrity-protected, as specified inControl 2.4.Conclusion: Correct.

C. All sessions towards a secure zone (on-premises or hosted by a third-party or a Cloud Provider)Secure zones, whether on-premises or hosted (e.g., by outsourcing agents or cloud providers), contain Swift components and must have all incoming sessions protected perControl 2.4andControl 1.1.Conclusion: Correct.

D. All sessions towards a Swift related application run by an Outsourcing Agent, a Service Bureau or an L2BA ProviderSessions to Swift-related applications managed by outsourcing agents or service bureaus (e.g., Components C, D, E in the diagram) are in scope, as they handle Swift traffic and must be secured perControl 2.4and theSwift Outsourcing Guidelines.Conclusion: Correct.

Step 3: Conclusion and Verification

All options (A, B, C, D) are correct, asControl 2.4of theCSCF v2024requires protection of all listed session types to ensure confidentiality and integrity across the Swift ecosystem, including secure zones, hosted environments, and outsourced applications.

References

Swift Customer Security Controls Framework (CSCF) v2024, Control 2.4: Secure Session Management, Control 1.1: Swift Environment Protection.

Swift Security Best Practices, Section: Session Security.

Swift Outsourcing Guidelines, Section: Session Protection.