Exam CSP-Assessor Topic 2 Question 95 Discussion
Actual exam question for Swift's CSP-Assessor exam
Question #: 95
Topic #: 2
Question #: 95
Topic #: 2
Is the restriction of Internet access only relevant when having SWIFT-related components in a secure zone?
*Swift Customer Security Controls Policy
*Swift Customer Security Controls Framework v2025
*Independent Assessment Framework
*Independent Assessment Process for Assessors Guidelines
*Independent Assessment Framework - High-Level Test Plan Guidelines
*Outsourcing Agents - Security Requirements Baseline v2025
*CSP Architecture Type - Decision tree
*CSP_controls_matrix_and_high_test_plan_2025
*Assessment template for Mandatory controls
*Assessment template for Advisory controls
*Swift Customer Security Controls Policy
*Swift Customer Security Controls Framework v2025
*Independent Assessment Framework
*Independent Assessment Process for Assessors Guidelines
*Independent Assessment Framework - High-Level Test Plan Guidelines
*Outsourcing Agents - Security Requirements Baseline v2025
*CSP Architecture Type - Decision tree
*CSP_controls_matrix_and_high_test_plan_2025
*Assessment template for Mandatory controls
*Assessment template for Advisory controls
Suggested Answer: B Vote an answer
The restriction of Internet access is a key control under the CSCF, specifically tied to Control "1.1 SWIFT Environment Protection," which mandates that SWIFT-related components in the secure zone be isolated from the general IT environment and the Internet to prevent unauthorized access and attacks. Let's evaluate the options:
*Option A: Yes, because if there is no secure zone, then the internet connectivity does not need to be restricted This is incorrect. The CSCF applies to all SWIFT users, regardless of whether they maintain a local secure zone. Even if SWIFT-related components (e.g., a customer connector or operator PC) are hosted externally (e.
g., by a service provider), the user's endpoints (e.g., operator PCs accessing the application) must still adhere to security controls, including restricting Internet access where applicable. The "Independent Assessment Framework" requires assessing all in-scope components, not just those in a secure zone.
*Option B: No, because there can be in-scope general operator PCs used to access a SWIFT-related application hosted at a service provider This is correct. General operator PCs used to access SWIFT-related applications (e.g., Alliance Lite2 Business Application hosted by a service provider) are in scope of the CSCF, as they handle sensitive SWIFT data or credentials. Control "1.1" and "6.1 Security Awareness" require these PCs to have restricted Internet access to prevent malware or unauthorized access, even if the application is hosted externally. The "CSP Architecture Type - Decision tree" includes such endpoints in the assessment scope, making Internet access restriction relevant beyond the secure zone.
Summary of Correct answer:
The restriction of Internet access is not only relevant when having SWIFT-related components in a secure zone; it applies to in-scope general operator PCs accessing hosted applications (B).
References to SWIFT Customer Security Programme Documents:
*Swift Customer Security Controls Framework v2025: Control 1.1 mandates Internet access restriction for in- scope components.
*Independent Assessment Framework: Includes operator PCs in scope, even with external hosting.
*CSP_controls_matrix_and_high_test_plan_2025: Applies controls to endpoints accessing SWIFT services.
========
*Option A: Yes, because if there is no secure zone, then the internet connectivity does not need to be restricted This is incorrect. The CSCF applies to all SWIFT users, regardless of whether they maintain a local secure zone. Even if SWIFT-related components (e.g., a customer connector or operator PC) are hosted externally (e.
g., by a service provider), the user's endpoints (e.g., operator PCs accessing the application) must still adhere to security controls, including restricting Internet access where applicable. The "Independent Assessment Framework" requires assessing all in-scope components, not just those in a secure zone.
*Option B: No, because there can be in-scope general operator PCs used to access a SWIFT-related application hosted at a service provider This is correct. General operator PCs used to access SWIFT-related applications (e.g., Alliance Lite2 Business Application hosted by a service provider) are in scope of the CSCF, as they handle sensitive SWIFT data or credentials. Control "1.1" and "6.1 Security Awareness" require these PCs to have restricted Internet access to prevent malware or unauthorized access, even if the application is hosted externally. The "CSP Architecture Type - Decision tree" includes such endpoints in the assessment scope, making Internet access restriction relevant beyond the secure zone.
Summary of Correct answer:
The restriction of Internet access is not only relevant when having SWIFT-related components in a secure zone; it applies to in-scope general operator PCs accessing hosted applications (B).
References to SWIFT Customer Security Programme Documents:
*Swift Customer Security Controls Framework v2025: Control 1.1 mandates Internet access restriction for in- scope components.
*Independent Assessment Framework: Includes operator PCs in scope, even with external hosting.
*CSP_controls_matrix_and_high_test_plan_2025: Applies controls to endpoints accessing SWIFT services.
========
by Martin at Mar 01, 2026, 07:26 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).