2026 CSP-Assessor Premium Files Test pdf - Free Dumps Collection
Get ready to pass the CSP-Assessor Exam right now using our Customer Security Programme (CSP) Exam Package
Swift CSP-Assessor Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
NEW QUESTION # 24
Which of the following infrastructures has the smallest SWIFT footprint? (Select the correct answer)
*Connectivity
*Generic
*Products Cloud
*Products OnPrem
*Security
- A. Lite 2 or Alliance Cloud
- B. Full stack of products up to the Messaging Interface
- C. A user with a Messaging Interface behind a Service Bureau
- D. Alliance Remote Gateway
Answer: A
NEW QUESTION # 25
To verify the applicability of a CSCF control to a specific component, several actions may be considered.
Which one does not apply in this case?
*Swift Customer Security Controls Policy
*Swift Customer Security Controls Framework v2025
*Independent Assessment Framework
*Independent Assessment Process for Assessors Guidelines
*Independent Assessment Framework - High-Level Test Plan Guidelines
*Outsourcing Agents - Security Requirements Baseline v2025
*CSP Architecture Type - Decision tree
*CSP_controls_matrix_and_high_test_plan_2025
*Assessment template for Mandatory controls
*Assessment template for Advisory controls
*CSCF Assessment Completion Letter
*Swift_CSP_Assessment_Report_Template
- A. Check carefully the Introduction section of the CSCF
- B. Check appendix F of the CSCF
- C. Open a case with SWIFT support via the case manager on swift.com if further information or solution cannot be found in the documentation
- D. Check in the CSP Policy document
Answer: D
Explanation:
Verifying the applicability of a CSCF control to a specific component involves consulting relevant SWIFT documentation and processes. The "Swift Customer Security Controls Framework v2025" and associated guidelines provide the framework for this determination. Let's evaluate each option:
*Option A: Check in the CSP Policy document
This does not apply. The "Swift Customer Security Controls Policy" is a high-level document outlining the CSP's objectives and requirements but does not provide detailed guidance on control applicability to specific components. Control applicability is determined by the CSCF itself (e.g., through appendices or the control matrix), not the policy document, which is more strategic than operational.
*Option B: Check appendix F of the CSCF
This applies. Appendix F of the CSCF (or a similar appendix in the v2025 version) typically includes guidance on control applicability, mapping controls to different architecture types and components. This is a standard action for assessors, as noted in the "Independent Assessment Process for Assessors Guidelines."
*Option C: Check carefully the Introduction section of the CSCF
This applies. The Introduction section of the CSCF provides an overview of the framework's scope, objectives, and how controls apply to various components, making it a relevant resource for verification.
*Option D: Open a case with SWIFT support via the case manager on swift.com if further information or solution cannot be found in the documentation This applies. If documentation does not resolve the applicability question, SWIFT support via the case manager on swift.com is a recognized escalation path, as outlined in the "Independent Assessment Framework" and SWIFT operational guidelines.
Summary of Correct answer:
Checking the CSP Policy document (A) does not apply, as it is not the appropriate resource for verifying control applicability to specific components.
References to SWIFT Customer Security Programme Documents:
*Swift Customer Security Controls Framework v2025: Provides applicability guidance in appendices (e.g., Appendix F) and the Introduction.
*Independent Assessment Process for Assessors Guidelines: Recommends using CSCF appendices and support channels.
*CSP_controls_matrix_and_high_test_plan_2025: Supports control applicability analysis.
========
NEW QUESTION # 26
In the context of CSP, what type of component is the Alliance Access? (Select the correct answer)
*Connectivity
*Generic
*Products Cloud
*Products OnPrem
*Security
- A. A Secure Server
- B. A Communication Interface
- C. A Messaging Interface
- D. A SWIFT Connector
Answer: C
Explanation:
Alliance Access (SAA) is a SWIFT product used by financial institutions to manage the creation, processing, and transmission of SWIFT messages. In the context of the SWIFT Customer Security Programme (CSP), we need to classify its role within the SWIFT architecture:
*Option A: A Messaging Interface
This is correct. Alliance Access is classified as a messaging interface in SWIFT terminology. It allows users to create, validate, and send SWIFT messages (e.g., FIN MT messages like MT103 for payments) and receive incoming messages. It interfaces with the institution's back-office systems and connects to the SWIFT network via a communication interface like Alliance Gateway (SAG). The CSCF categorizes components like Alliance Access as messaging interfaces, as they handle the business logic of message processing, and applies specific controls (e.g., "2.1 Internal Data Transmission Security") to secure these interfaces.
*Option B: A Communication Interface
This is incorrect. A communication interface in SWIFT terminology refers to components like Alliance Gateway (SAG), which manage the network-level connectivity to SWIFTNet via SwiftNet Link (SNL).
Alliance Access does not handle network connectivity directly; it relies on SAG for this purpose. Alliance Access focuses on message creation and processing, not communication with the SWIFT network.
*Option C: A SWIFT Connector
This is incorrect. The term "SWIFT Connector" is not a standard classification in the CSP or SWIFT documentation. It might refer to integration tools like the SWIFT Integration Layer (SIL) used in cloud deployments, but Alliance Access does not fit this category. Alliance Access is a full-fledged messaging interface, not a connector.
*Option D: A Secure Server
This is incorrect. While Alliance Access operates on a server and must be secured as per CSCF controls (e.g.,
"2.3 System Hardening"), it is not classified as a "secure server." This term is too vague and does not reflect Alliance Access's specific role as a messaging interface.
Summary of Correct answer:
Alliance Access is a messaging interface (A), responsible for creating, processing, and managing SWIFT messages within the CSP framework.
References to SWIFT Customer Security Programme Documents:
*SWIFT Customer Security Controls Framework (CSCF) v2024: Classifies Alliance Access as a messaging interface (Control 2.1).
*SWIFT Alliance Access Documentation: Describes its role in message creation and processing.
*SWIFT Architecture Glossary: Distinguishes messaging interfaces (e.g., Alliance Access) from communication interfaces (e.g., Alliance Gateway).
========
NEW QUESTION # 27
Select the correct statement(s).
- A. The public and private keys of a Swift certificate are stored on the Hardware Security Module
- B. To verify the signature the SwiftNetLink uses the signing private key of the receiver
- C. The decryption operation uses the encryption private key of the receiver
- D. The certificate stored on the Swift Hardware Security Module is used during the decryption operation of a message
Answer: A,D
Explanation:
This question involves the role of the Hardware Security Module (HSM) and cryptographic operations in the Swift environment. Let's evaluate each option.
Step 1: Understand HSM and Cryptographic Operations in Swift
The HSM is a secure device used to manage cryptographic keys and perform encryption/decryption operations, as detailed inControl 2.5B: Cryptographic Key Managementof theCSCF v2024. Swift uses public key infrastructure (PKI) for secure messaging, with HSMs storing keys and certificates.
Step 2: Evaluate Each Option
* A. The public and private keys of a Swift certificate are stored on the Hardware Security Module In the Swift environment, the HSM stores both the private key (for signing/decryption) and the public key (for verification/encryption) as part of the certificate pair. This is a standard practice for secure key management, as confirmed in theSwift Security Best PracticesandControl 2.5B, which mandates secure storage of cryptographic keys in HSMs.Conclusion: This statement is correct.
* B. The certificate stored on the Swift Hardware Security Module is used during the decryption operation of a messageThe HSM uses the private key stored in the certificate to perform decryption of incoming Swift messages. This is part of the secure message handling process, as outlined inControl 2.5 Band theSwift Alliance Gateway Technical Documentation.Conclusion: This statement is correct.
* C. The decryption operation uses the encryption private key of the receiverDecryption uses the private keyof the receiver, not the "encryption private key" (a misnomer). The correct term is the receiver's private key, which corresponds to the public key used for encryption. This error makes the statement technically incorrect, despite the intended meaning.Conclusion: This statement is incorrect.
* D. To verify the signature the SwiftNetLink uses the signing private key of the receiverSignature verification requires the sender's public key, not the receiver's private key. The SwiftNetLink (SNL) uses the public key to verify the signature, as perControl 2.5BandSwift Security Best Practices. The private key is used for signing, not verification.Conclusion: This statement is incorrect.
Step 3: Conclusion and Verification
The verified statements areAandB, as they accurately describe the HSM's role in key storage and decryption, consistent with Swift CSP documentation.
References
* Swift Customer Security Controls Framework (CSCF) v2024, Control 2.5B: Cryptographic Key Management.
* Swift Security Best Practices, Section: HSM Usage.
* Swift Alliance Gateway Technical Documentation, Section: Cryptographic Operations.
NEW QUESTION # 28
Can a Swift user choose to implement the security controls (example: logging and monitoring) in systems which are not directly in scope of the CSCE?
- A. No
- B. Yes
Answer: B
Explanation:
This question asks whether a Swift user can implement security controls (e.g., logging and monitoring) in systems not directly in scope of the CSCF. Let's analyze this based on Swift CSP guidelines.
Step 1: Define CSCF Scope and Security Controls
TheSwift Customer Security Controls Framework (CSCF) v2024defines its scope as the Swift-related infrastructure, including messaging interfaces, communication interfaces, and operator systems (asdetailed in Question 4). Security controls likelogging and monitoringare mandated underControl Objective 6: Detect Anomalous Activity, specifically in controls likeControl 6.1: Security Event Logging.
Step 2: Analyze the Question
The question focuses on whether a Swift user can apply CSCF security controls (e.g., logging and monitoring) to systemsnot directly in scopeof the CSCF. Systems not in scope include back-office systems, general- purpose servers, or other infrastructure that does not directly process Swift messages or connect to the Swift network.
Step 3: Evaluate Swift CSP Guidance
* The CSCF mandates that security controls must be applied to in-scope systems to ensure the security of the Swift environment. However, Swift also encourages adefense-in-depthapproach, as outlined in the Swift Customer Security Programme - Security Best Practices. This approach recommends extending security practices beyond the minimum scope to enhance overall security.
* Control 6.1: Security Event Loggingrequires logging and monitoring for in-scope systems to detect anomalous activity. While this control is mandatory for in-scope systems, the CSCF does not prohibit applying similar controls to out-of-scope systems. In fact, theSwift CSP FAQ(available on swift.com) clarifies that users may implement additional security measures on out-of-scope systems to reduce risks to the Swift environment (e.g., monitoring back-office systems that interact with Swift middleware).
* Implementing logging and monitoring on out-of-scope systems can help detect threats that might indirectly affect the Swift environment, such as lateral movement from a compromised back-office system to a Swift-related system.
Step 4: Conclusion and Verification
A Swift usercanchoose to implement security controls like logging and monitoring on systems not directly in scope of the CSCF. This is not mandatory but is considered a best practice under Swift's defense-in-depth strategy. The CSCF does not restrict users from applying additional security measures beyond its defined scope, and such actions align with the broader goal of enhancing cybersecurity across the user's environment.
References
* Swift Customer Security Controls Framework (CSCF) v2024, Control 6.1: Security Event Logging.
* Swift Customer Security Programme - Security Best Practices, Section: Defense-in-Depth.
* Swift CSP FAQ, Section: Scope and Applicability of Security Controls.
NEW QUESTION # 29
The SWIFT user has installed its own Communication Interface on a dedicated virtual machine offered by a public cloud provider. Under which provider category does the public cloud provider fit, and what is the CSP impact? (Select the correct answer)
*Swift Customer Security Controls Policy
*Swift Customer Security Controls Framework v2025
*Independent Assessment Framework
*Independent Assessment Process for Assessors Guidelines
*Independent Assessment Framework - High-Level Test Plan Guidelines
*Outsourcing Agents - Security Requirements Baseline v2025
*CSP Architecture Type - Decision tree
*CSP_controls_matrix_and_high_test_plan_2025
*Assessment template for Mandatory controls
*Assessment template for Advisory controls
- A. The public cloud provider is considered an outsourcing agent, and therefore in scope of the CSP
- B. This type of implementation is not allowed by the CSP
- C. The public cloud provider is considered a SWIFT connectivity provider, and therefore not in scope of the CSP
- D. The public cloud provider is considered a L2BA provider, and therefore not in scope of the CSP
Answer: A
Explanation:
The "Outsourcing Agents - Security Requirements Baseline v2025" and "Swift Customer Security Controls Framework v2025" define provider categories and CSP impact. Let's evaluate each option:
*Option A: The public cloud provider is considered a L2BA provider, and therefore not in scope of the CSP This is incorrect. An L2BA (Lite2 Business Application) provider hosts the full SWIFT stack for users, but a public cloud provider offering a virtual machine is not an L2BA provider unless it provides the full service.
The CSP still applies to the provider's infrastructure.
*Option B: The public cloud provider is considered a SWIFT connectivity provider, and therefore not in scope of the CSP This is incorrect. A SWIFT connectivity provider (e.g., Alliance Connect) is a specific role, but a public cloud provider (e.g., AWS) hosting a communication interface is an outsourcing agent, subject to CSP requirements.
*Option C: The public cloud provider is considered an outsourcing agent, and therefore in scope of the CSP This is correct. The "Outsourcing Agents - Security Requirements Baseline v2025" classifies public cloud providers hosting SWIFT components (e.g., a virtual machine with Alliance Gateway) as outsourcing agents.
The CSP impacts the provider by requiring them to secure the underlying infrastructure (e.g., Control 1.1), while the user secures the communication interface.
*Option D: This type of implementation is not allowed by the CSP
This is incorrect. The CSP permits cloud-based deployments, including user-installed components on public cloud VMs, as long as security controls are met.
Summary of Correct answer:
The public cloud provider is an outsourcing agent, in scope of the CSP (C).
References to SWIFT Customer Security Programme Documents:
*Outsourcing Agents - Security Requirements Baseline v2025: Defines cloud providers as outsourcing agents.
*Swift Customer Security Controls Framework v2025: Applies controls to outsourced environments.
*CSP_controls_matrix_and_high_test_plan_2025: Includes cloud provider assessments.
========
NEW QUESTION # 30
Where is the implementation of multi-factor authentication deemed sufficient to support control 4.2 compliance? (Choose all that apply.)
- A. When accessing an outsourcing agent or an L2BA Swift-related application
- B. When login on the jump server filtering access to local Swift secure zone
- C. When logging-in on an interface, a connector, or the system running such component
- D. On the General Operator PC used to access a Swift-related component
Answer: A,B,C,D
NEW QUESTION # 31
Which authentication methods are possible on the Alliance Interfaces? (Choose all that apply.)
- A. Password
- B. Password and TOTP
- C. Radius One-time password
- D. LDAP Authentication
Answer: A,B,D
Explanation:
This question identifies the authentication methods supported by Alliance Interfaces (e.g., Alliance Access, Alliance Gateway) under theSwift Customer Security Controls Framework (CSCF) v2024.
Step 1: Understand Authentication on Alliance Interfaces
TheCSCF v2024, underControl 2.3: System Access Control, mandates strong authentication for access to Swift-related components, including Alliance Interfaces. TheSwift Alliance Gateway Technical Documentation andAlliance Access User Guidedetail supported methods.
Step 2: Evaluate Each Option
* A. PasswordAlliance Interfaces support basic password authentication as a standard method, as noted in theAlliance Access User Guide. While not the strongest alone, it is permitted with additional controls.
Conclusion: Correct.
* B. LDAP AuthenticationLDAP (Lightweight Directory Access Protocol) is supported for centralized authentication, integrating with enterprise directory services, per theSwift Security Best Practicesand Control 2.3.Conclusion: Correct.
* C. Radius One-time passwordRADIUS with one-time passwords (OTP) is not a standard authentication method for Alliance Interfaces. TheAlliance Gateway Technical Documentationdoes not list RADIUS OTP as supported, focusing instead on password, LDAP, and TOTP.Conclusion:
Incorrect.
* D. Password and TOTPTime-based One-Time Password (TOTP) combined with password (multi- factor authentication) is supported for enhanced security, as required byControl 2.3and detailed in the Swift Security Best Practicesfor privileged access.Conclusion: Correct.
Step 3: Conclusion and Verification
The correct answers areA, B, and D, as these methods are supported by Alliance Interfaces, aligning with CSCF v2024and related documentation.
References
* Swift Customer Security Controls Framework (CSCF) v2024, Control 2.3: System Access Control.
* Swift Alliance Gateway Technical Documentation, Section: Authentication Methods.
* Swift Security Best Practices, Section: Multi-Factor Authentication.
NEW QUESTION # 32
Select the supporting documents to conduct a CSP assessment. (Choose all that apply.)
- A. The Customer Security Controls Framework
- B. The CSP User Handbook
- C. The Controls Matrix and High Level Test P an
- D. The mapping to industry standards article
Answer: A
NEW QUESTION # 33
Who can connect to SWIFT? (Select all answers that apply)
*Connectivity
*Generic
*Products Cloud
*Products OnPrem
*Security
- A. Market infrastructures that provide financial institutions with centralized transaction processing
- B. Individuals who use online banking for international transfers
- C. Corporates that work with multiple banking partners
- D. Financial institutions, such as banks and securities broker-dealers
Answer: A,C,D
Explanation:
SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a global cooperative that provides a secure messaging network primarily for financial transactions. Its services are designed for entities involved in the financial ecosystem, and access is restricted to members or participants who meet SWIFT's membership criteria. Let's evaluate each option:
*Option A: Financial institutions, such as banks and securities broker-dealers This is correct. SWIFT's core users are financial institutions, including banks, broker-dealers, and other entities regulated under financial authorities. These institutions are direct members of SWIFT or connect through correspondent banking relationships. The SWIFT Customer Security Programme (CSP) and CSCF are tailored to secure the messaging environment for these entities, with controls like "1.1 SWIFT Environment Protection" designed to safeguard their operations. Membership requires adherence to SWIFT's security standards, and these institutions use SWIFTNet for payments, securities, trade, and treasury services.
*Option B: Individuals who use online banking for international transfers This is incorrect. Individuals, including those using online banking for international transfers, do not connect directly to SWIFT. Instead, they rely on their banks or financial service providers, which act as intermediaries using SWIFT's network. SWIFT is a business-to-business (B2B) network, not a consumer-facing platform.
The CSCF does not address individual users; its focus is on institutional security controls, such as those protecting the SWIFT secure zone.
*Option C: Market infrastructures that provide financial institutions with centralized transaction processing This is correct. Market infrastructures, such as clearinghouses, central securities depositories (CSDs), and payment systems (e.g., TARGET2 or CHAPS), are eligible to connect to SWIFT. These entities facilitate centralized transaction processing for financial institutions and are part of the broader financial ecosystem.
SWIFT documentation recognizes their role, and they are subject to the same security requirements under the CSP. For example, CSCF Control "1.2 Physical Security" applies to these infrastructures when they host SWIFT-related components.
*Option D: Corporates that work with multiple banking partners
This is correct. Corporates, especially large multinational corporations with complex financial operations, can connect to SWIFT through SWIFT's corporate connectivity options, such as Alliance Lite2 or SWIFT for Corporates. These services allow corporates to send and receive payment instructions directly via SWIFTNet, bypassing some intermediary steps with banks. This capability is outlined in SWIFT's corporate access documentation, and such entities must comply with CSP security controls when integrating with the SWIFT network. The CSCF extends to these participants, ensuring their environments are secure (e.g., Control "6.1 Security Awareness").
Summary of Correct Answers:
Financial institutions (A), market infrastructures (C), and corporates with multiple banking partners (D) can connect to SWIFT, either as direct members or through specific connectivity options. Individuals (B) do not have direct access.
References to SWIFT Customer Security Programme Documents:
*SWIFT Customer Security Controls Framework (CSCF) v2024: Applies to all SWIFT users, including financial institutions, market infrastructures, and corporates, with security controls tailored to their environments (Controls 1.1, 6.1).
*SWIFT Membership Guidelines: Outlines eligibility for financial institutions, market infrastructures, and corporates, excluding individuals.
*SWIFT for Corporates Documentation: Details corporate connectivity options like Alliance Lite2.
NEW QUESTION # 34
The control SWIFT Environment Protection supports several objectives. (Select the one that does not apply)
*Swift Customer Security Controls Policy
*Swift Customer Security Controls Framework v2025
*Independent Assessment Framework
*Independent Assessment Process for Assessors Guidelines
*Independent Assessment Framework - High-Level Test Plan Guidelines
*Outsourcing Agents - Security Requirements Baseline v2025
*CSP Architecture Type - Decision tree
*CSP_controls_matrix_and_high_test_plan_2025
*Assessment template for Mandatory controls
*Assessment template for Advisory controls
*CSCF Assessment Completion Letter
*Swift_CSP_Assessment_Report_Template
- A. Limit risks of privileged accounts compromise
- B. Forbids any interactive sessions towards the SWIFT infrastructure
- C. Limit risks of lateral movement
- D. Restrict malicious access from external sources
Answer: B
Explanation:
CSCF Control "1.1 SWIFT Environment Protection" aims to secure the SWIFT infrastructure by isolating it from external threats and internal risks. The "Swift Customer Security Controls Framework v2025" details its objectives. Let's evaluate each option:
*Option A: Restrict malicious access from external sources
This applies. Control 1.1 requires isolating the SWIFT secure zone from external sources (e.g., the Internet) to prevent malicious access, such as malware or unauthorized intrusions.
*Option B: Forbids any interactive sessions towards the SWIFT infrastructure This does not apply. Control 1.1 does not forbid all interactive sessions. It allows controlled interactive access (e.g., via jump servers) for administrative purposes, provided sessions are secured (e.g., encrypted per Control
"2.1 Internal Data Transmission Security"). The "CSP_controls_matrix_and_high_test_plan_2025" permits interactive sessions with proper controls.
*Option C: Limit risks of privileged accounts compromise
This applies. Control 1.1 includes measures to secure privileged accounts (e.g., by enforcing strong authentication and role-based access control) to prevent compromise, aligning with CSCF principles.
*Option D: Limit risks of lateral movement
This applies. Control 1.1 aims to segment the SWIFT environment from the general IT environment, reducing the risk of lateral movement by attackers within the network.
Forbidding any interactive sessions (B) does not apply, as Control 1.1 allows controlled interactive access.
References to SWIFT Customer Security Programme Documents:
*Swift Customer Security Controls Framework v2025: Control 1.1 objectives include restricting access and limiting risks, but not banning interactive sessions.
*CSP_controls_matrix_and_high_test_plan_2025: Confirms controlled interactive sessions are permitted.
*Independent Assessment Framework: Assesses secure access controls under 1.1.
========
NEW QUESTION # 35
For each of the following setups, the responsible party is identified to protect the virtualization or cloud underlying platform. Which one of the combinations is not correct?
*Swift Customer Security Controls Policy
*Swift Customer Security Controls Framework v2025
*Independent Assessment Framework
*Independent Assessment Process for Assessors Guidelines
*Independent Assessment Framework - High-Level Test Plan Guidelines
*Outsourcing Agents - Security Requirements Baseline v2025
*CSP Architecture Type - Decision tree
*CSP_controls_matrix_and_high_test_plan_2025
*Assessment template for Mandatory controls
*Assessment template for Advisory controls
*CSCF Assessment Completion Letter
*Swift_CSP_Assessment_Report_Template
- A. For Cloud Provider: the cloud provider
- B. For virtualization platform deployed at a third party on which user's SWIFT-related components are virtually hosted: by the third party
- C. For on-premises virtualization platform: by the platform provider
- D. For on-premises container platform: by the SWIFT user
Answer: C
Explanation:
The CSCF and "Outsourcing Agents - Security Requirements Baseline v2025" define responsibilities for securing virtualization or cloud platforms hosting SWIFT-related components. Let's evaluate each combination:
*Option A: For on-premises virtualization platform: by the platform provider This is not correct. An on-premises virtualization platform (e.g., VMware or Hyper-V hosting Alliance Gateway) is managed by the SWIFT user, not the platform provider (e.g., VMware). The "platform provider" supplies the software, but the user is responsible for securing the on-premises environment, including hardening, patching, and compliance with CSCF Control "2.3 System Hardening."
*Option B: For virtualization platform deployed at a third party on which user's SWIFT-related components are virtually hosted: by the third party This is correct. If the virtualization platform is hosted by a third party (e.g., a service provider hosting SWIFT components), the third party is responsible for securing the platform, as per the "Outsourcing Agents - Security Requirements Baseline v2025" and CSCF Control "1.1."
*Option C: For on-premises container platform: by the SWIFT user
This is correct. An on-premises container platform (e.g., Docker or Kubernetes hosting SWIFT applications) is the user's responsibility to secure, aligning with CSCF Control "1.1" and the user's ownership of on- premises infrastructure.
*Option D: For Cloud Provider: the cloud provider
This is correct. In a cloud model (e.g., IaaS like Alliance Cloud on AWS), the cloud provider (e.g., AWS) is responsible for securing the underlying platform, as outlined in the "Outsourcing Agents - Security Requirements Baseline v2025." Summary of Correct answer:
The combination that is not correct is A, as the SWIFT user, not the platform provider, is responsible for securing an on-premises virtualization platform.
References to SWIFT Customer Security Programme Documents:
*Swift Customer Security Controls Framework v2025: Control 1.1 defines responsibilities for on-premises platforms.
*Outsourcing Agents - Security Requirements Baseline v2025: Specifies third-party and cloud provider responsibilities.
*Independent Assessment Framework: Confirms user responsibility for on-premises setups.
NEW QUESTION # 36
A Treasury Management System (TMS) application is installed on the same machine as the customer connector (such as MQ server) connecting towards a Service Bureau Are these applications/systems in scope of CSCF?
- A. Only the MO server application is in scope of the CSCF> The TMS application is considered as back-office
- B. The TMS application, the MQ server and hosting system are in the scope of the CSCF and must be placed in a secure zone
- C. The TMS application, the MQ server and hosting system enters the scope of the CSCF advisory and should be placed in a secure zone
- D. The TMS application is the highest risk and must be secured appropriately. The MQ server should be secured on a best effort basis
Answer: B
NEW QUESTION # 37
Application Hardening basically applies the following principles. (Choose all that apply.)
- A. Access on a need to have
- B. Enhanced Straight Through Processing
- C. Reduced footprint for less potential vulnerabilities
- D. Least Privileges
Answer: A,C,D
NEW QUESTION # 38
What must a Swift user implement to comply with a CSCF security control?
- A. A solution that meets the control objectives and addresses the risk drivers for the in scope components)
- B. A solution that maps the implementation guidelines described for a controls in scope components
Answer: A
Explanation:
This question addresses the implementation requirements for CSCF security controls.
Step 1: Understand CSCF Compliance
TheCSCF v2024emphasizes achieving control objectives and mitigating risk drivers for in-scope components, allowing flexibility in implementation, as perControl Objectives Overview.
Step 2: Evaluate Each Option
* A. A solution that maps the implementation guidelines described for a controls in scope componentsWhile implementation guidelines exist, strict adherence is not mandatory. TheCSCF v2024 allows custom solutions if they meet objectives.Conclusion: Incorrect.
* B. A solution that meets the control objectives and addresses the risk drivers for the in scope componentsTheCSCF v2024andSwift CSP FAQrequire solutions to align with control objectives (e.g., security, detection) and mitigate identified risks, offering flexibility in approach.Conclusion: Correct.
Step 3: Conclusion and Verification
The correct answer isB, as theCSCF v2024prioritizes meeting objectives and addressing risks over rigid guideline mapping.
References
* Swift Customer Security Controls Framework (CSCF) v2024, Section: Control Objectives.
* Swift CSP FAQ, Section: Implementation Flexibility.
NEW QUESTION # 39
Can an assessor re-use an ISAE 3000 report dating back 2 years to support an independent assessment?
- A. Yes, provided there is no change to the Swift user's infrastructure
- B. Yes, there is no time limit for an iSAE 3000 report
- C. No, the SAE 3000 report is no valid surrogate as a rule
- D. No, that is too old, the maximum is 18 months
Answer: D
NEW QUESTION # 40
What is expected regarding Token Management when (physical or software-based) tokens are used? (Choose all that apply.)
- A. Similar to user accounts, individual assignment and ownership for accurate traceability and revocation in case of potential tampering, loss or in case of user role change
- B. Have in place a strict token assignment process. This avoids the need to perform g a regular review of assigned tokens
- C. All tokens must be stored in a safe when not used
- D. Individuals must not share their tokens. Tokens must remain under the control and supervision of its owner
Answer: A,D
Explanation:
This question relates to Control 5.2 - Token Management in the CSCF, which outlines requirements for managing physical or software-based tokens used for authentication or cryptographic operations in the SWIFT environment. Let's evaluate each option:
* A. Similar to user accounts, individual assignment and ownership for accurate traceability and revocation in case of potential tampering, loss or in case of user role change
* CSCF Control 5.2 mandates that tokens (e.g., HSM tokens or software tokens) be uniquely assigned to individuals to ensure traceability and accountability. This allows for revocation in cases of tampering, loss, or role changes, mirroring user account management principles under Control 5.1 - Logical Access Control.
NEW QUESTION # 41
A Swift user can only exchange FIN messages via the Swift network.
- A. TRUE
- B. FALSE
Answer: B
Explanation:
This question assesses whether SWIFT users are restricted to exchanging only FIN messages:
* Step 1: SWIFT Messaging Overview
* FIN messages are traditional SWIFT financial messages (e.g., MT messages). However, SWIFT supports additional message types, such as FileAct (file transfers) and InterAct (real-time messaging), depending on the interface and service.
NEW QUESTION # 42
......
Master 2026 Latest The Questions Customer Security Programme (CSP) and Pass CSP-Assessor Real Exam!: https://easytest.exams4collection.com/CSP-Assessor-latest-braindumps.html
