Audit and Assurance


Managing mixed of asset classifications & compliance

  • 1.  Managing mixed of asset classifications & compliance

    Posted 20 Mar, 2020 09:09
    I recently came across my SWIFT (the messaging network that financial institutions use) Customer Security Programme auditing concern. We have centralized data consolidation systems. The centralized system has encrypted channels to receive and send data from and to various sources (both low-risk and high-risk assets) within the company.
    The recommendation I get from an auditor is to segregate the "centralized" system.
    How would you recommend improving this process to comply with SWIFT CSP with minimum investment?

    Thanks,

    ------------------------------
    Chayan Rattanavijai
    SVP Information Security
    ------------------------------


  • 2.  RE: Managing mixed of asset classifications & compliance

    Posted 21 Mar, 2020 10:52
    Dear Chayan,

    I am assuming the recommendation relates to segregating the low from the high.  Correct?
    Are you able to share a bit more context, such as which aspects of the CSP the risk relates to, what the potential impacts are, and the benefits expected from segregation?
    If not, and it were me, I would review with Audit what they have suggested to clarify ambiguities with them and so find out what is necessary.  Only then could I assess cost/benefit for working out the budget needed to apply the recommendation.  That would allow me to define remedial options within that budget.

    ------------------------------
    Sue Milton
    Adviser
    ------------------------------



  • 3.  RE: Managing mixed of asset classifications & compliance

    Posted 22 Mar, 2020 10:00
    Hi Sue,

    "Restrict Internet Access & Protect Critical Systems from General IT Environment" control makes it difficult to run the enterprise-wide data. Many business units require data from various sources including SWIFT to perform analytics in order to gain a competitive edge over competitors.

    The potential risk is an adversary could gain access to SWIFT system via a shared system in the "general IT Environment".
    The potential impact is an adversary could gain and modify access to wiring messages and destinations.
    The benefit is to eliminate the above risk.

    Our controls of the "general IT Environment" are very secure however it's not the "same" as SWIFT environment. What the auditor is looking for is "the same" controls.

    Here is the list of SWIFT controls
    https://www.swift.com/myswift/customer-security-programme-csp_/security-controls/2019

    Best,

    ------------------------------
    Chayan Rattanavijai
    Team Head of Information Security
    CISA, CISSP, CEH, MCSE, MCSA, ITIL
    ------------------------------



  • 4.  RE: Managing mixed of asset classifications & compliance

    Posted 27 Mar, 2020 10:10
    Hi Chayan,

    Thank you for the additional information.  I am finding it difficult to suggest anything useful.
    (Help please, dear Wider Community - especially if you are involved in SWIFT-related audits, security or compliance.)

    My current thoughts are:
    1. what are the worst outcomes and penalties that could arise if the decision taken is to retain the status quo?  Loss of SWIFT access/licence?  Is the potential risk within senior leaders' risk appetite/tolerances?  And how does this compare with other competing business priorities?
    2. assess and cost the controls needed to bring the 'general' up to the 'swift' standard.  You might be able to identify some quick wins that are also inexpensive.
    3. create another network that you can segregate with firewalls, IDS, etc, to sit between the 'general' and 'swift' networks, that has minimum access rights to act as a go-between both of them, with the ability to pull data from SWIFT and pass it back to the 'general'.  This is only worth doing if the cost of the controls is cheaper than enhancing security on the 'general'.  But there will be additional security and other management costs.
    4. isolate the two networks and apply an old-fashioned download of SWIFT data that is then physically loaded on to the general network.  Of course, there will be other concerns related to this, from forgetting to do this to opening up possible unauthorised access/change/exfiltration to the data by internal people.



    ------------------------------
    Sue Milton
    Adviser
    ------------------------------
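The "go-between" network in option 3 above, and the CSP control quoted in reply 3 (protecting critical systems from the general IT environment), both come down to a small, explicit flow policy: the transfer zone pulls from the SWIFT zone, the general zone pulls from the transfer zone, the SWIFT zone never initiates anything, and everything else is denied. The script below is an added example, not code from the thread or from SWIFT; the zone address ranges, the service ports (SFTP 22, HTTPS 443) and the firewall log lines are constructed assumptions. It encodes that policy and audits sample flow-log lines for violations, which is the kind of evidence an auditor would want to see that the segregation actually holds.

```python
"""
Zone-segregation policy check: SWIFT secure zone <- transfer zone <- general IT.

Added example, not from the forum thread. Zone ranges, ports and log lines are
constructed assumptions for illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed zone layout (hypothetical address ranges).
ZONES = {
    "swift":    ipaddress.ip_network("10.10.0.0/24"),  # secure zone (SWIFT systems)
    "transfer": ipaddress.ip_network("10.20.0.0/24"),  # hardened go-between zone
    "general":  ipaddress.ip_network("10.0.0.0/16"),   # general IT environment
}

# Approved flows as (source zone, destination zone, destination port).
# Default deny: any inter-zone flow not listed here is a violation.
#  - transfer pulls extracts from swift over an assumed SFTP service (22/tcp)
#  - general pulls published extracts from transfer over HTTPS (443/tcp)
#  - general never reaches swift directly; swift never initiates outbound.
ALLOWED_FLOWS = {
    ("transfer", "swift", 22),
    ("general", "transfer", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination TCP port


def zone_of(addr):
    """Map an IP address to its zone name, or 'unknown' if outside all zones."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow):
    """Return ('allow' | 'deny', reason) for a single observed flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return ("allow", f"intra-zone traffic within {src_zone}")
    if src_zone == "swift":
        # The secure zone is pull-only: it must never open connections outward.
        return ("deny", "secure zone initiated an outbound connection")
    if (src_zone, dst_zone, flow.dport) in ALLOWED_FLOWS:
        return ("allow", f"{src_zone}->{dst_zone}:{flow.dport} is an approved path")
    return ("deny", f"{src_zone}->{dst_zone}:{flow.dport} is not an approved flow")


# Constructed key=value firewall log format (not a real vendor format).
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\S+)\s+dport=(\d+)")


def parse_flow_line(line):
    """Extract a Flow from one log line, or None if the line does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, _proto, dport = m.groups()
    return Flow(src, dst, int(dport))


def audit(lines):
    """Return (line, reason) for every log line that violates the policy."""
    findings = []
    for line in lines:
        flow = parse_flow_line(line)
        if flow is None:
            findings.append((line, "unparseable log line"))
            continue
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            findings.append((line, reason))
    return findings


# Constructed sample log: two approved flows and three violations.
SAMPLE_LOG = [
    "2020-03-27T10:10:01Z src=10.20.0.5 dst=10.10.0.8 proto=tcp dport=22",
    "2020-03-27T10:10:02Z src=10.0.4.7 dst=10.20.0.5 proto=tcp dport=443",
    "2020-03-27T10:10:03Z src=10.0.4.7 dst=10.10.0.8 proto=tcp dport=22",
    "2020-03-27T10:10:04Z src=10.10.0.8 dst=10.0.4.7 proto=tcp dport=445",
    "2020-03-27T10:10:05Z src=10.20.0.5 dst=10.10.0.8 proto=tcp dport=3389",
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print("VIOLATION:", reason, "|", line)
```

The point of keeping `ALLOWED_FLOWS` this small is that it is the same artefact you would hand to the auditor: every permitted path between the general environment and the SWIFT zone is listed in one place, the general zone has no entry that reaches `swift` at all, and any log line that does not match is a finding rather than a judgement call. Running the same check over real firewall exports (after adapting `LOG_RE` to the vendor's format) gives ongoing evidence that the go-between design is enforced, not just drawn on a diagram.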