The diagram shows a SWIFT user environment with an outsourcing agent and next service provider(s). Components are labeled as follows:
• A: Middleware connector (customer connector) - Part of the SWIFT user premises.
• B: Operator GUI - Part of the SWIFT user premises, used for operator interaction.
• C: SWIFT-related application, Admin users, client - Part of the outsourcing agent’s environment.
• D: Connectors or interfaces - Part of the outsourcing agent’s environment, connecting to SWIFT.
• E: Application PC, Admin PC - Part of the outsourcing agent’s environment.
• Next Service Provider(s), SWIFT, SWIFT network - External entities.
CSCF Control "1.1 SWIFT Environment Protection" requires that all SWIFT-related components handling sensitive data or connectivity within the user’s control be placed in a secure zone. The "Outsourcing Agents - Security Requirements Baseline v2025" extends this to components managed by outsourcing agents. Let’s analyze:
• SWIFT User premises (A, B): The middleware connector (A) must be in a secure zone as it handles SWIFT data. The Operator GUI (B) is typically outside the secure zone unless it directly processes SWIFT data, but best practice includes securing it.
• Outsourcing Agent(s) (C, D, E): The SWIFT-related application and connectors/interfaces (C, D) must be in a secure zone, as they process SWIFT transactions. Application/Admin PCs (E) are support systems and may not require secure zone placement unless directly involved.
• External entities (Next Service Provider(s), SWIFT, SWIFT network): These are out of the user’s control and not placed in the user’s secure zone.
The question asks for components in the SWIFT user premises and outsourcing agent environment. Per CSCF, the secure zone includes:
• A (Middleware connector): Must be in the secure zone.
• C (SWIFT-related application): Must be in the secure zone (outsourcing agent’s responsibility).
• D (Connectors/interfaces): Must be in the secure zone (outsourcing agent’s responsibility).
• B (Operator GUI) and E (Application/Admin PCs): Typically outside unless integrated into the secure zone.
Option D (Components A, C, D) aligns with the mandatory secure zone components (middleware connector, SWIFT application, and connectors/interfaces), excluding non-essential support systems.
Summary of Correct Answer:
Components A, C, and D must be placed in a secure zone (option D).
References to SWIFT Customer Security Programme Documents:
• Swift Customer Security Controls Framework v2025: Control 1.1 defines secure zone requirements.
• Outsourcing Agents - Security Requirements Baseline v2025: Extends secure zone to outsourced components.
• CSP_controls_matrix_and_high_test_plan_2025: Specifies secure zone placement.