Customer Testing Policy




SWIFT Customer Testing Policy

This document provides specific conditions for performance or vulnerability testing of SWIFT services and products and non-SWIFT services and products. This document covers stress tests, throughput tests, intrusion tests or penetration tests, and any other types of performance testing or vulnerability testing.

24 July 2015

Table of Contents

Preface
Introduction
1 Vulnerability testing
1.1 SWIFT software and hardware for which customer testing is permitted
1.2 SWIFT services and products for which customer testing is not permitted
1.3 Customer testing of non-SWIFT services and products
1.4 SWIFT services and products for which customer testing requires SWIFT's express prior consent
2 Performance testing
2.1 Stress tests
2.2 FIN stress tests
2.3 Stress tests in CUGs managed by service administrators
3 General principles for Customer testing
Legal Notices

Preface

Purpose of this document

This document sets out specific conditions for performance or vulnerability testing of SWIFT services and products and non-SWIFT services and products. This document covers stress tests, throughput tests, intrusion tests or penetration tests, and any other types of performance testing or vulnerability testing.

Customers must not conduct any performance or vulnerability tests on or through SWIFT services and products unless expressly permitted in this Customer Testing Policy. This Customer Testing Policy is an integral part of the contractual arrangement between SWIFT and its customers.

Intended audience

SWIFT intends this document for its customers. In particular, the following persons should read this document:
- technical experts who operate the SWIFT service
- security experts
- business decision makers who deal with security, risk management, and exposure management

Related documentation

SWIFT General Terms and Conditions and other terms and conditions governing the provision and use of tested SWIFT services and products.

SWIFT-defined terms

This document contains terms that have a specific meaning in the context of SWIFT documentation (for example, customer, user, or SWIFT services and products). The definitions of SWIFT-defined terms appear either in this document or in the SWIFT Glossary. In this document SWIFT differentiates these terms as shown in this example: SWIFT provides secure, standardised messaging services and interface software to its customers.

First Edition

This is the first edition of this Customer Testing Policy.

Introduction

Performance and vulnerability testing by SWIFT and customers

SWIFT conducts regular tests to probe the availability, integrity, and confidentiality of SWIFT services and products. SWIFT typically reports on such tests through SWIFT's third-party assurance framework, such as SWIFT's ISAE 3402 type 2 report.

SWIFT understands that, beyond SWIFT's tests, customers may also wish to conduct certain performance or vulnerability tests on or through SWIFT services and products. Because such tests might adversely affect SWIFT's operations or be indistinguishable from real threats, customers must not conduct any such test unless expressly permitted in the SWIFT Customer Testing Policy. This policy applies to stress tests, throughput tests, intrusion tests or penetration tests, and any other types of performance testing or vulnerability testing.

1 Vulnerability testing

1.1 SWIFT software and hardware for which customer testing is permitted

Subject to the conditions set out in this policy or elsewhere in the SWIFT Contractual Documentation, customers are permitted to perform vulnerability testing on the SWIFT software and hardware below.

SWIFT software
- Alliance Access, including custom modules built on Alliance Developers Kit (ADK) and Alliance Access Integration platform (IPLA)
- Alliance Entry
- SWIFT Integration Layer
- Alliance Messaging Hub
- Alliance Gateway
- Alliance Web Platform
- Lite2 AutoClient
- SWIFTNet Link

SWIFT hardware
- Hardware Security Module (HSM) box
- HSM Token
- HSM Card and Card reader
- 3SKey token

Without prejudice to other conditions governing the use of that SWIFT software or hardware under other SWIFT Contractual Documentation, vulnerability testing on that SWIFT software and hardware is permitted on the following supplemental conditions only:
- Any vulnerability testing must occur locally, without any physical or logical connection to the SWIFT network.
- Customers must test up-to-date and currently supported versions of software and hardware only.

1.2 SWIFT services and products for which customer testing is not permitted

Any testing with the intention to probe the security, reliability, and resilience of the following SWIFT services and products is not permitted:
- Alliance Connect products (Gold, Silver, Silver Plus and Bronze), including the VPN Boxes deployed at the customer's site and the network connectivity access ports
- Alliance Connect Everywhere, including the wireless router deployed at the customer's site but managed by SWIFT
- SWIFT messaging services and solutions, such as InterAct, FileAct, Browse, WebAccess, FIN and related copy services such as FINCopy and FINInform, Sanctions Screening, MIRS
- Business Application services, such as Accord and Trade Services Utility
- Alliance Lite, Alliance Lite2, Alliance Remote Gateway (ARG), SWIFT API (SWAP)
- SWIFT web sites, such as swift.com, and Internet/web-based services or applications, such as SWIFTRef or Sanctions Testing
- The SWIFT Certificate Centre, also known as the "3SKey Portal"
- SWIFT managed network infrastructure

The same restriction applies to all SWIFT systems and infrastructures supporting these SWIFT services and products.

1.3 Customer testing of non-SWIFT services and products

Customers may also want to test non-SWIFT products and services, such as services and products supplied by their selected Network Partners, internet access provider, or third-party software vendors. While any testing of non-SWIFT products and services must be agreed upon with the vendor(s) and other third parties (if any) concerned, customers are permitted to perform vulnerability testing on non-SWIFT products and services on the following supplemental conditions only:
- Any vulnerability testing of non-SWIFT products and services must occur without any physical or logical connection to the SWIFT network.
- Any vulnerability testing of the M-CPE (Managed Customer-Premises Equipment) supplied by the Network Partners is prohibited.

1.4 SWIFT services and products for which customer testing requires SWIFT's express prior consent

Any vulnerability testing not expressly covered in the previous sections requires SWIFT's express prior written consent. This applies to, for example, vulnerability testing of third-party services or platforms accessible via SWIFT's Browse service, organised by the service provider itself. Any such testing may be subject to supplemental conditions including (without limitation) fees.

Customers willing to perform any such vulnerability testing must seek SWIFT's consent by contacting the SWIFT Customer Support Centre. Customers willing to perform vulnerability testing of a third-party service or platform via SWIFT services and products must first agree with that third party on the conditions for any such testing before contacting SWIFT.

2 Performance testing

2.1 Stress tests

Stress tests on SWIFT messaging services must be carefully planned. Except for limited FIN stress tests (see section 2.2), customers must always seek SWIFT's express approval to perform any stress tests on SWIFT messaging services. More information about the process to request such approval is available in Knowledge Base tip 2008531.

2.2 FIN stress tests

Individual and global stress testing

If a customer plans to test volumes of more than 20,000 FIN messages per hour between Monday 00:01 GMT and Friday 23:59 GMT, or of more than 100,000 FIN messages per hour between Saturday 00:00 GMT and Monday 00:00 GMT, then it must plan these tests beforehand and it must request approval from SWIFT following the process described in Knowledge Base tip 2008531.

Important: If a customer plans to perform throughput tests using FINCopy, then all MT 096, MT 097, and MT 012 messages must be included in the total number of messages.

2.3 Stress tests in CUGs managed by service administrators

There are two types of stress tests in CUGs managed by service administrators, as follows:

Individual and global stress testing
As part of its test and training qualification, a service administrator may request participants to prove that they can achieve their respective peak hour throughput. The service administrator plans and runs these tests at its best convenience. Participant stress tests must also respect the rules about peak message volumes at the service administrator level, as defined in the SWIFTNet Messaging Operations Guide.

Global system stress testing
This means that all participants are testing the service's peak hour throughput. Depending on the volumes, this can have a significant impact on the SWIFT network (especially at the service administrator level).

In addition to SWIFT's approval (see section 2.1), participants and service administrators must agree with SWIFT before performing any stress tests in CUGs managed by service administrators.

3 General principles for Customer testing

Without prejudice to any other conditions governing the provision and use of the tested SWIFT services and products under other SWIFT Contractual Documentation, any customer testing is subject to the following conditions:
- In the same way as the right to use SWIFT services and products, any right to test SWIFT services and products is personal to the customer duly authorised to use the SWIFT services and products to be tested;
- If the customer ever decides to delegate or sub-contract to a third party the exercise of its testing rights or the performance of any obligations under this Customer Testing Policy and other applicable SWIFT Contractual Documentation, it does so at its own risk and must ensure that the scope of rights granted to any such third party does not exceed those granted to it under this policy or other applicable SWIFT Contractual Documentation. The customer that delegates or sub-contracts to a third party the exercise of its testing rights or the performance of any obligations under this Customer Testing Policy and other applicable SWIFT Contractual Documentation remains fully responsible to SWIFT for the performance and observance by any such third party of any obligations applicable to it;
- Any customer testing is at the customer's own risk and expense;
- Any reverse engineering or any other attempt to access or change the software code, or any physical tampering with hardware, is not permitted;
- The customer must perform a full reinstallation on re-initialised systems before connecting to the SWIFT network and using SWIFT services and products;
- The customer must not initiate any customer testing before having successfully backed up all relevant configuration and databases;
- SWIFT reserves the right to suspend or terminate at any time the provision or use of SWIFT services and products to prevent or mitigate any adverse effect of customer testing on the security, reliability, or resilience of SWIFT services and products;
- SWIFT support does not cover customer testing activities; and
- If customers believe that they have identified a potential performance or vulnerability threat, then they must immediately inform SWIFT thereof and treat all related information, data, or materials as SWIFT confidential information.

In order to facilitate further investigation by SWIFT, customers are expected to provide the following information:
- product version(s)
- queries sent to the application and how such queries were generated
- results of the queries / screenshots
- impact as perceived by the customer and recommendations (if any) to address such impact

This information must be communicated to SWIFT via the Customer Support Centre.

Legal Notices

Copyright
Copyright SWIFT 2015. All rights reserved.

Restricted Distribution
Do not distribute this publication outside your organisation unless your subscription or order expressly grants you that right, in which case ensure you comply with any other applicable conditions.

Disclaimer
SWIFT supplies this publication for information purposes only. The information in this publication may change from time to time. You must always refer to the latest available version.

Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: the SWIFT logo, SWIFT, SWIFTNet, Accord, Sibos, 3SKey, Innotribe, the Standards Forum logo, MyStandards, and SWIFT Institute. Other product, service, or company names in this publication are trade names, trademarks, or registered trademarks of their respective owners.