This document outlines security policies and configurations for a SWIFT system. Key points include:
- Critical SWIFT components are located in secured zones with limited external access controlled by firewalls.
- Operators can only access secure zones from dedicated systems either within the zones or via jump servers.
- Passwords must meet strong criteria and multi-factor authentication is implemented for sensitive systems.
- Regular security updates, patches, and reviews are conducted to protect the system from vulnerabilities.
Swift CSP
SWIFT
The following components of your FTM SWIFT system reside in secured zones:
• All FTM SWIFT instances (customized and runnable)
• The necessary middleware
• The communication interface (SAG), the FTM SWIFT SAG Add-On, and the related SWIFT components SWIFTNet Link and Hardware Security Module (HSM)
• Any applicable operator workstation dedicated to the operation or administration of the local SWIFT infrastructure
• Systems providing a remote desktop to users outside the secure zone (jump servers)

Your interactions with systems outside the secure zone are:
• Limited to:
  – Communication with back-office applications
  – Logging data exchanged with outbound systems
• Controlled by transport layer firewalls, optionally in combination with access control lists (ACLs)

Your operators can access the secure zone components only as follows:
• From a dedicated operator system within the secure zone
• From a general purpose operator system via a jump server located within the secure zone
• From a general purpose operator system, if they only access the messaging interface services of FTM SWIFT (FIN, MSIF, RMA) by means of a browser-based GUI. In this case you restricted internet access by using remote desktop access or virtual machines, or by disabling internet access altogether.

You encapsulated invocation of utility programs in jobs or scripts that can be executed only within a controlled scope.

You use FTM SWIFT's command-line interface (CLI) only for:
• Installation tasks
• Resolution of emergency situations
• Usage in jobs or scripts that can be executed only within a controlled scope

You have:
• Restricted the use of administrator-level operating system accounts to the maximum extent possible (unless needed to install, configure, maintain, operate and support emergency activities)
• Ensured that no other operating system accounts have access to file system resources, database resources, IBM MQ and IBM Integration Bus resources of FTM SWIFT

You perform regular administrative and operational tasks for FTM SWIFT only by using the Administration & Operation browser UI (including its console to issue CLI commands).

You use only HTTPS for the browser-based GUI applications.
Reference: Securing WebSphere MQ connection to WebSphere Application Server

You use two-way SSL authentication for IBM MQ communications between FTM SWIFT server components, that is, you use two-way SSL authentication between:
• IBM MQ queue managers
• IBM WebSphere® Application Server and IBM MQ queue managers
• SAG (MQHA) and IBM MQ queue managers
Reference: IBM MQ Knowledge Center
You use one-way SSL authentication for IBM MQ communications between the Sequential Data Facility and IBM MQ queue managers.
Reference: IBM MQ Knowledge Center

You regularly ensure the following for all hardware and software inside the secure zone and on operator workstations:
• It is within the support lifecycle
• It is upgraded with mandatory software updates
• All security updates are applied immediately

You regularly implement the latest published security bulletins for FTM SWIFT and all its prerequisite products.
Reference: IBM Security Vulnerability Management (PSIRT)

You established a security risk assessment process to determine the treatment of security updates and patches. You did either of the following:
• You established user-defined deployment timelines for applying patches based on criticality, system type, and required patch testing
• You use Common Vulnerability Scoring System (CVSS) Version 3 or another de facto standard as a guideline for criticality

You disabled all features and services that are not required for normal system operations. In particular, you did the following for all operator workstations, FTM SWIFT related applications, and the infrastructure within secure zones:
• You disallowed default passwords
• You disabled or removed unnecessary user accounts
• You disabled or restricted unnecessary services, ports, and protocols
• You removed unnecessary software
• You disabled unnecessary physical ports
• You adjusted any default configurations known to be vulnerable
• You enabled message broker administration security to limit access to the broker

For applications that transfer messages using SWIFTNet FIN or SWIFTNet InterAct and for applications that need to transfer files smaller than 100 MB using SWIFTNet FileAct: You configured IBM MQ with two-way SSL/TLS authentication as transport layer between back office application and MSIF.
Reference: IBM MQ Knowledge Center

For applications that transfer files larger than 100 MB using SWIFTNet FileAct: You established a secure file transport between the back office application and MSIF supporting the SWIFT requirements (for example, by using IBM MQ Managed File Transfer (MFT) or IBM Connect:Direct).

You ensure the confidentiality of data that you extract from FTM SWIFT (for example, for off-line processing or backup purposes) and that you transfer outside the secure zone. In particular:
• You protect files containing FIN messages that you exported from FTM SWIFT by using the Sequential Data Facility (for example, you protect them by encryption)
• You protect trace files that you transfer to IBM for analysis (for example, you protect them by encryption)

You configured expiration of LTPA tokens for IBM WebSphere Application Server applications.
Reference: WebSphere Application Server Knowledge Center
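The risk assessment process above asks for deployment timelines driven by criticality and system type, with CVSS v3 as the criticality guideline. The following is an added example (not code from the FTM SWIFT documentation or from IBM) of how such a process can be made checkable: it rates a bulletin with the CVSS v3 qualitative severity scale, derives a due date from a timeline table, and lists bulletins whose deadline has passed. The deadlines in DEPLOY_DAYS, the system-type names, and the bulletin records are assumptions constructed for illustration; only the severity bands come from the CVSS v3 specification.

```python
"""Patch-triage helper: CVSS v3 severity -> user-defined deployment deadline.

Added example, not part of the FTM SWIFT documentation. DEPLOY_DAYS and the
SAMPLE bulletins are assumptions constructed for illustration.
"""
from datetime import date, timedelta
from typing import List, Optional


def cvss3_severity(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale (from the CVSS v3 spec)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Assumed deployment timelines in days after publication, keyed by
# (severity, system type). Secure-zone systems get the tighter deadlines.
DEPLOY_DAYS = {
    ("Critical", "secure_zone"): 7,
    ("Critical", "operator_workstation"): 14,
    ("High", "secure_zone"): 30,
    ("High", "operator_workstation"): 30,
    ("Medium", "secure_zone"): 90,
    ("Medium", "operator_workstation"): 90,
    ("Low", "secure_zone"): 180,
    ("Low", "operator_workstation"): 180,
}


def deadline(published: date, score: float, system_type: str) -> Optional[date]:
    """Due date for applying a bulletin; None when the score is 0.0."""
    severity = cvss3_severity(score)
    if severity == "None":
        return None
    return published + timedelta(days=DEPLOY_DAYS[(severity, system_type)])


def overdue(bulletins: List[dict], today: date) -> List[str]:
    """Ids of bulletins that are not applied and whose deadline has passed."""
    late = []
    for b in bulletins:
        due = deadline(b["published"], b["cvss"], b["system_type"])
        if due is not None and b["applied"] is None and today > due:
            late.append(b["id"])
    return late


# Constructed sample bulletins; the ids are placeholders, not real bulletins.
SAMPLE = [
    {"id": "BULLETIN-A", "published": date(2024, 1, 2), "cvss": 9.8,
     "system_type": "secure_zone", "applied": None},
    {"id": "BULLETIN-B", "published": date(2024, 1, 2), "cvss": 5.3,
     "system_type": "secure_zone", "applied": None},
    {"id": "BULLETIN-C", "published": date(2024, 1, 2), "cvss": 7.5,
     "system_type": "operator_workstation", "applied": date(2024, 1, 20)},
]


def demo() -> List[str]:
    """Evaluate the sample as of 2024-02-15: only BULLETIN-A is overdue."""
    return overdue(SAMPLE, date(2024, 2, 15))


if __name__ == "__main__":
    print(demo())
```

Feed it the bulletin list you maintain from the PSIRT notifications and run it as part of the regular review; an overdue entry is a finding against your own timeline, not against the vendor's.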
• If you are using FTM SWIFT's Relationship Management Application (RMA), you configured dual authorization for relationship management administration using the following values:
  – Number of approval steps: 1 or 2
  – User restriction: notprevious or alldifferent
  To check these values for all OUs:
  1. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
     list -ou % -ct DnfRmParameters -co DnfRmParameters -attr ApprovalSteps
  2. Check the command output and ensure that, for each OU, the value of attribute ApprovalSteps is either 1 or 2
  3. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
     list -ou % -ct DnfRmParameters -co DnfRmParameters -attr ApprovalUserRestriction
  4. Check the command output and ensure that, for each OU, the value of attribute ApprovalUserRestriction is either notprevious or alldifferent
  Reference: Configuring the approval process for the RMA
• Otherwise, you implemented the 4-eyes principle for the Relationship Management Application in use

You established additional controls based on your needs (for example, restricted operator sign-on hours by using an adequately configured identity provider component).

You secured the application serving environment of your IBM WebSphere Application Server.
Reference: Securing applications and their environment

Removable equipment:
• Your sensitive removable equipment (for example, PIN Entry Device (PED), PED keys, USB tokens) is supervised or securely stored when not in use
• Your sensitive removable equipment required for normal continuous operations (for example, hot swappable disks, HSM devices) is hosted in a data center or, at a minimum, in a locked room
• Your back-up media (for example, tapes) is physically secured

Workplace environment:
• Your operator workstations are located in a secured workplace environment where access is controlled and granted only to employees and other authorized workers and visitors
• Your printers used for SWIFT transactions are located in a secured workplace environment, and their access is restricted
• USB and other external access points on operator PCs are disabled to the maximum extent possible, while still supporting operations

You established a security policy to support expected use cases for remote workers (for example, teleworkers or "on call" duties), and you considered the following items when establishing this policy:
• Physical security of the expected teleworking environment
• Rules for personal equipment used for SWIFT business purposes (for example, personal workstations cannot be used to access the SWIFT infrastructure; however, personal mobile devices can be used as a second authentication factor)
• Security during use in public environments
Your password policy defines at least the following criteria:
• Password expiration
• Password length, composition, complexity, and other restrictions
• Password reuse
• Lockout after failed authentication attempts, and remedy
• Passwords for secure zone systems are only stored within the secure zone
• The password requirements are modified as necessary for specific use cases:
  – In combination with a second factor (for example, one-time password)
  – Authentication target (for example, operating system, application, mobile device, token)
  – Type of account (general operator, privileged operator, application-to-application account or local authentication keys)

Your password policy is enforced by technical means (where possible).

Your password policy is reviewed at least annually.

You implemented multi-factor authentication for all sensitive components of the SWIFT infrastructure, such as operator workstations, jump servers and web-based user interfaces of FTM SWIFT systems.
References:
• Multi-factor authentication
• Adapt FTM SWIFT MER for usage with a reverse proxy

You defined your user accounts according to need-to-know access principles, that is:
• Only operators (users and administrators) who have a continuing requirement to access the secure zone are allowed to have accounts within the secure zone
• Privileges are only assigned to an operator with a validated need-to-know, and access to other system functions is disabled

You defined your user accounts according to least privilege principles, that is:
• User and administrator privileges are controlled in a way that allows all privileges to be tailored to individual needs
• Accounts are granted only the privileges that are necessary, and additional privileges are only granted on a temporary basis

You review your user accounts at least annually, and you adjust them as required. You revoke privileges promptly when an employee changes roles or leaves the organization.

You documented an emergency procedure to access privileged accounts when authorized persons are unavailable due to unexpected circumstances, and, in such a case, you proceed as follows:
• Operational use of the emergency procedure is logged
• The access of an emergency account is controlled
• The usage of the account is logged
• The password is changed immediately after the emergency incident
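The policy above requires that expiration, length and composition, reuse, and lockout with a remedy be enforced by technical means. The following is an added example (not code from FTM SWIFT, IBM or the documentation) showing what that enforcement looks like in an authentication component: passwords are stored as salted PBKDF2 hashes, a new password is rejected if it is too weak or matches recent history, consecutive failures lock the account, and the remedy is an explicit administrator unlock. Every threshold (MIN_LENGTH, MAX_AGE, HISTORY, MAX_FAILURES) is an assumed value for illustration, to be replaced by your own policy.

```python
"""Technical enforcement of password policy criteria: expiration, composition,
reuse history, and lockout with an administrator remedy.

Added example, not code from FTM SWIFT or IBM. All thresholds below are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Tuple

MIN_LENGTH = 12                 # assumed minimum length
MAX_AGE = timedelta(days=90)    # assumed expiration interval
HISTORY = 5                     # assumed: may not match the last 5 passwords
MAX_FAILURES = 5                # assumed: lock after 5 consecutive failures
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_composition(password: str) -> List[str]:
    """Return the violated composition rules (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs 3 of 4 character classes")
    return problems


class Account:
    def __init__(self, password: str, now: datetime):
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, digest), newest last
        self.failures = 0
        self.locked = False
        self.changed_at = now
        self.set_password(password, now)

    def set_password(self, new: str, now: datetime) -> None:
        problems = check_composition(new)
        if problems:
            raise ValueError(", ".join(problems))
        for salt, digest in self.history[-HISTORY:]:
            if hmac.compare_digest(_hash(new, salt), digest):
                raise ValueError("password reuse")
        salt = os.urandom(16)
        self.history.append((salt, _hash(new, salt)))
        self.changed_at = now
        self.failures = 0

    def expired(self, now: datetime) -> bool:
        return now - self.changed_at > MAX_AGE

    def authenticate(self, attempt: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        salt, digest = self.history[-1]
        if hmac.compare_digest(_hash(attempt, salt), digest):
            self.failures = 0
            return "expired" if self.expired(now) else "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return "denied"

    def admin_unlock(self) -> None:
        """Remedy: an administrator clears the lock and the failure counter."""
        self.locked = False
        self.failures = 0


def demo() -> List[str]:
    """Walk one account through failures, lockout, unlock and expiration."""
    t0 = datetime(2024, 1, 1)
    acct = Account("Correct-Horse-42", t0)
    outcomes = [acct.authenticate("Correct-Horse-42", t0)]
    outcomes += [acct.authenticate("wrong", t0) for _ in range(MAX_FAILURES)]
    outcomes.append(acct.authenticate("Correct-Horse-42", t0))   # still locked
    acct.admin_unlock()
    outcomes.append(acct.authenticate("Correct-Horse-42", t0 + MAX_AGE + timedelta(days=1)))
    try:
        acct.set_password("Correct-Horse-42", t0)                 # reuse
        outcomes.append("reuse accepted")
    except ValueError as e:
        outcomes.append(str(e))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The lockout returns "locked" even for a correct password until the remedy is applied, which is the behaviour the policy's "lockout and remedy" criterion asks for; the unlock itself is the kind of action the emergency procedure in the text says must be logged.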
You defined your user accounts according to segregation of duties principles, that is:
• You enabled dual authorization for the system configuration service. To check this:
  1. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
     list -ou SYSOU -ct DniSysAdm -co DniSysAdm
  2. Check the command output and ensure that the value of attribute DniFlagDoubleAuthCfg is Yes
  Reference: Setting dual authorization for the system configuration service
• You enabled dual authorization for the security administration service. To check this for all OUs (including SYSOU and DNFSYSOU):
  1. Issue the following CLI command to the system configuration service (DNI_SYSADM) and SYSOU:
     list -ou % -ct DniSecAdm -co DniSecAdm
  2. Check the command output and ensure that, for each OU, the value of attribute DniFlagDoubleAuthSecAdm is Yes
  Reference: Setting dual authorization for the security administration service
• Sensitive duties are separated. That is, some roles cannot be represented by the same individual, for example:
  – Application administrator and security officer
  – Network administrator and operating system administrator
  – Database administrator (who creates tables and procedures) and data user (who selects, inserts, updates or deletes data)
  – IBM Integration Bus administrator and broker started task
• The user ID under which the broker runs is only a technical user ID and is not allowed to use interactive sessions or web applications

You installed and you keep up-to-date anti-malware software on the following systems:
• Operator PCs where applicable (at least operator PCs with a Microsoft Windows operating system)
• Jump servers where applicable (at least jump servers with a Microsoft Windows operating system)
• SWIFT-related servers in secure zones where applicable (at least SWIFT-related servers with a Microsoft Windows operating system in secure zones)

You ensure software integrity of FTM SWIFT by either of the following:
• Using FTM SWIFT's software integrity checker (SIC). In this case, continue with the subsequent conditions in 6.2, Software integrity.
• Using another product or method. In this case, ignore the subsequent conditions in 6.2, Software integrity.

You execute the software integrity checker (SIC) automatically during startup of FTM SWIFT.
Reference: Software Integrity Checker

You monitor syslog messages and FTM SWIFT events written by the SIC.
Reference: Monitoring software integrity

You verify the signature of the SIC JAR file regularly.
Reference: Monitoring software integrity
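The RMA approval checks earlier on this page and the two dual-authorization checks above all follow the same pattern: run a `list` command against DNI_SYSADM, then read one attribute per OU and confirm it has an allowed value. The following is an added example (not code from FTM SWIFT or its documentation) that turns those manual steps into a repeatable compliance check over the command output. It does not invoke the CLI; you paste the output in. The record layout parsed here (a line `OU: <name>` followed by `<attribute>: <value>` lines), and the OU names in the samples, are assumptions constructed for illustration; adapt parse_list_output() to the actual output of your installation. The attribute names and allowed values are those stated in the text.

```python
"""Dual-authorization compliance check over 'list' command output.

Added example, not part of FTM SWIFT. The output layout parsed here and the
sample OU names are assumptions; the attribute names and allowed values are
taken from the attestation text.
"""
from typing import Dict, List, Optional, Tuple

# Allowed values as stated in the attestation text.
CHECKS = {
    "ApprovalSteps": {"1", "2"},                          # RMA, every OU
    "ApprovalUserRestriction": {"notprevious", "alldifferent"},  # RMA, every OU
    "DniFlagDoubleAuthCfg": {"Yes"},                      # DniSysAdm, SYSOU
    "DniFlagDoubleAuthSecAdm": {"Yes"},                   # DniSecAdm, every OU
}


def parse_list_output(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the assumed layout into {ou: {attribute: value}}."""
    records: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "OU":
            current = value
            records.setdefault(current, {})
        elif current is not None and key:
            records[current][key] = value
    return records


def noncompliant(text: str, attribute: str) -> List[Tuple[str, Optional[str]]]:
    """(ou, value) for every OU whose attribute is missing or not allowed."""
    allowed = CHECKS[attribute]
    findings = []
    for ou, attrs in parse_list_output(text).items():
        value = attrs.get(attribute)
        if value not in allowed:
            findings.append((ou, value))
    return findings


# Constructed sample outputs; OU names other than SYSOU/DNFSYSOU are placeholders.
RMA_STEPS = """\
OU: SYSOU
ApprovalSteps: 2
OU: BANKAOU
ApprovalSteps: 1
OU: BANKBOU
ApprovalSteps: 0
"""
RMA_RESTRICTION = """\
OU: SYSOU
ApprovalUserRestriction: alldifferent
OU: BANKAOU
ApprovalUserRestriction: notprevious
OU: BANKBOU
ApprovalUserRestriction: none
"""
SYSADM = """\
OU: SYSOU
DniFlagDoubleAuthCfg: Yes
"""
SECADM = """\
OU: SYSOU
DniFlagDoubleAuthSecAdm: Yes
OU: DNFSYSOU
DniFlagDoubleAuthSecAdm: Yes
OU: BANKAOU
DniFlagDoubleAuthSecAdm: No
"""


def run_all() -> Dict[str, list]:
    """Run every check over the samples; an empty list means compliant."""
    return {
        "ApprovalSteps": noncompliant(RMA_STEPS, "ApprovalSteps"),
        "ApprovalUserRestriction": noncompliant(RMA_RESTRICTION, "ApprovalUserRestriction"),
        "DniFlagDoubleAuthCfg": noncompliant(SYSADM, "DniFlagDoubleAuthCfg"),
        "DniFlagDoubleAuthSecAdm": noncompliant(SECADM, "DniFlagDoubleAuthSecAdm"),
    }


if __name__ == "__main__":
    for attribute, findings in run_all().items():
        print(f"{attribute}: {'OK' if not findings else 'FAIL ' + str(findings)}")
```

A missing attribute is reported as a finding (value None) rather than silently skipped, so an OU that the command did not return or that has no value set cannot pass by omission.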
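For installations that choose "another product or method" instead of the SIC, the following added example (not IBM's Software Integrity Checker and not code from the documentation) shows the core of a file-level integrity check: a manifest of SHA-256 digests is taken from a known-good installation, and each later run re-hashes the tree and reports files that were modified, removed, or added. The install tree, file names and contents are constructed in a temporary directory for illustration only.

```python
"""File-level software integrity check based on a SHA-256 manifest.

Added example, not IBM's SIC. The directory layout and file contents in
demo() are constructed in a temporary directory for illustration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map the relative POSIX path of every regular file under root to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree under root against a previously recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed tree, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "app.jar").write_bytes(b"constructed jar bytes")
        (root / "config.properties").write_text("mode=prod\n")
        manifest = build_manifest(root)
        # Simulated tampering, deletion and an unexpected addition.
        (root / "lib" / "app.jar").write_bytes(b"constructed jar bytes, altered")
        (root / "config.properties").unlink()
        (root / "lib" / "extra.jar").write_bytes(b"unexpected")
        return verify(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its own storage: keep it outside the tree it describes and protect it against modification (for example, signed or on read-only media), in the same spirit as the text's requirement to verify the signature of the SIC JAR file regularly, and run the check at startup and on a schedule so that findings reach the same monitoring path as the SIC's syslog messages and events.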