How to Comply with the SWIFT Outsourcing Agent Security Baseline (OASBL)
Does your organization use the SWIFT network with some or all of your IT services outsourced to a third party? Are you one of those third-party organizations engaged by a SWIFT user for the hosting, installation, operation, and/or maintenance of components involved in your customer's SWIFT implementation?
If you answered yes to either of these two questions, you may be surprised to know that the scope of your SWIFT independent cybersecurity assessment may extend further than you thought.
To help you with that, in this video, we'll highlight key portions of the new SWIFT Outsourcing Agent Security Baseline.
I'm Jon Anderson, SWIFT Practice Leader here at Schellman. I've been conducting and managing SWIFT assessments since 2020 using the contemporaneous version of the SWIFT Customer Security Controls Framework (CSCF), and so I understand how the organizations and entities involved in the SWIFT ecosystem for financial messaging have always relied heavily on outsourcing agents for various information technology, development, and information security tasks.
As such, to ensure the security of this extended ecosystem, SWIFT enforces a robust security baseline specifically for outsourcing agents known as the SWIFT Outsourcing Agent Security Baseline or OASBL.
What is the SWIFT Outsourcing Agent Security Baseline (OASBL)?
The OASBL serves to acknowledge the shared responsibility between organizations that use SWIFT and the outsourcing agents they employ in maintaining a secure environment for financial messaging.
While the organization that uses the SWIFT network is ultimately accountable for its own data and transactions, the outsourcing agent also has a critical role in safeguarding the entrusted information and systems—hence the OASBL.
What is a SWIFT OASBL Secure Zone?
As part of its goal to ensure the security of SWIFT third parties, the OASBL places significant emphasis on secure zones, meaning the part(s) of an outsourcing agent's environment that interact with SWIFT data or the customer's SWIFT infrastructure. SWIFT secure zones must be designated as such and must have heightened security controls compared to the rest of the outsourcing agent's environment.
That being said, the OASBL does acknowledge that it may not be possible for outsourcing agents to fully isolate their SWIFT-related activities based on:
- The service that the outsourcing agent provides; and
- How it's provided.
If that's the case for your environment, the OASBL outlines an alternate, reduced set of security expectations that must still be met within the outsourcing agent's secure zone. The controls described within these reduced expectations cover areas like:
- Access controls;
- Network segmentation;
- Data encryption; and
- Logging.
It's important to note that while the OASBL does outline these security requirements, it doesn't necessarily mandate independent assessments for outsourcing agents.
How Third Parties Can Support Their SWIFT Users During CSCF Assessments
But even if outsourcing agents do not undergo an independent SWIFT assessment, if it's found during the scoping process that the SWIFT user has outsourced in-scope security or information technology tasks to an outsourcing agent, the latter will need to support its customer's CSCF assessment.
In this, outsourcing agents have three options:
- First, the outsourcing agent can provide a third-party assurance report, such as a Type 2 SOC 2 examination, that covers its controls' compliance with the CSCF for the in-scope components it operates.
- Second, the outsourcing agent can have an independent CSCF assessment performed to validate its level of compliance against the applicable CSCF controls, and then provide that assessment report and completion letter to its SWIFT user customer.
- Finally, the SWIFT network user can request that its outsourcing agent participate in the SWIFT network user's annual independent assessment, to the extent that the outsourcing agent has responsibility over the in-scope components.
Getting Compliant with the SWIFT OASBL
Whether you are a SWIFT network user or an outsourcing agent supporting your SWIFT network user customers, your organization should consider its place within the SWIFT ecosystem and its responsibilities for compliance with the customer security controls program.
Here at Schellman, we can help you complete your independent assessment and support your annual attestation. If you have any questions, please reach out to us—we'd love to speak with you.
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.