Thomas Etzenbach has been working in the IT industry for more than 30 years, and his special interest has always been information security. So it comes as no surprise that he has been part of the ISMS team at TÜV TRUST IT GmbH, TÜV AUSTRIA Group, as a controller and auditor for four years now, among other things for assessments in the context of the new requirements for SWIFT users. In this interview, Thomas Etzenbach reveals what it is all about and why TÜV TRUST IT is the ideal partner for SWIFT users.
Mr Etzenbach, SWIFT is known to many people primarily in connection with secure payment transactions. What exactly is it all about?
The abbreviation SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication. This organisation operates a highly secure network, the SWIFTNet, which is used worldwide for secure payment transactions, among other things. That is why many people are familiar with SWIFT. But the network covers much more and is used not only by banks but also by trading houses, brokers and estate agents. And large industrial companies also use SWIFT as a transmission medium for transactions and information of all kinds. This includes, for example, payment transaction data such as bank confirmations and transactions, meaning everything that should enjoy a high level of security.
How can one imagine an infrastructure that offers such high security?
It depends a bit on the size of the company and how the customer uses its infrastructure, for example how many transactions it does. The bigger the company, the bigger the infrastructure, as a rule. There are different types of architecture here, which also differ in terms of costs and personnel resources. For smaller companies, so-called service offices alternatively provide the infrastructure. This means that all the hardware is then located there. Regardless of the location of the infrastructure, the hardware must meet a higher security standard. There are strong requirements for the end customers, also in terms of physical security. In companies, for example, only dedicated persons are authorised to use SWIFT. The group of users is therefore restricted.
Since this year, SWIFT requires an independent assessment. What has changed for users as a result?
Until now, the customer was able to autonomously determine its compliance status with SWIFT’s requirements by means of self-attestation. However, not all customers considered their infrastructure objectively and comprehensively enough. Therefore, an independent audit was introduced in 2021, accompanied by a revised SWIFT framework that includes advisory and mandatory controls. This framework already existed, but the depth of enforcement was not transparent enough and many customers did not understand exactly what SWIFT required. An independent audit, for example by us, is therefore absolutely advisable, because, properly applied, customers have one of the most secure transmission networks in the world at their disposal. However, this can only be as secure as the individual endpoints, which should also fulfil high security requirements. These security requirements are validated by our assessment.
How is such an assessment conducted?
First of all, we create an audit plan and work out together with the customer which architecture is in place in the company. Not all customers know that, or they are not sure, so we have to validate it first. In the audit itself, we go through control by control together with the customer, looking at SWIFT’s internal requirements. The bigger the architecture, the more of these controls there are. Of course, we check the company’s compliance with the SWIFT requirements. We look at the processes and roles and then, on the basis of process documentation, we see whether the requirements are met or not. We also have the customer show us the settings on the systems themselves, for example.
What happens if this is not the case, meaning that a company is “non-compliant”?
There is not only black and white, yes or no, but an assessment in four categories: full compliance, need for optimisation, low finding and serious finding. The latter means that there is a high deficit in security and clearly no compliance. Here, improvements can be made and the audit can be repeated (also in parts). The objective for the customer should be to be compliant with the requirements of SWIFT in all obligatory controls out of their own interest. Furthermore, it is possible for customers and business partners to see on request if there is no compliance, which companies naturally want to avoid.
And why is TÜV TRUST IT the right partner for SWIFT users?
There are many reasons for this. It should be mentioned that we offer this service everywhere in Europe and even worldwide, as the standard is the same everywhere. In Germany and Austria, we are even one of the few information security consultancies that carry out the assessment at all. And since we have our roots in IT security and many years of experience with audits, examinations and certifications, we are predestined for such an assessment. And last but not least, SWIFT customers have come to the right place because of our broad portfolio. We not only carry out the assessment, but also offer competent advice, and thanks to our expertise in consulting, pentesting, red teaming and training, we are certainly an interesting partner and also a real alternative compared to the “Big Five” from management consulting and auditing.
Mr Etzenbach, thank you very much for the interview!