A Swift user relies on an sFTP server to connect, through an externally exposed connection, to a
service provider or a group hub. What architecture type is the Swift user? (Choose all that apply.)
Correct Answer: B, D
Explanation:
Answer: B, D
Question 2
Application Hardening applies which of the following principles? (Choose all that apply.)
Correct Answer: A, B, C
Explanation:
Answer: A, B, C
Question 3
The SWIFT PKI certificates are used for… (Select the correct answer)
• A. Asymmetric signing and encryption end to end
• B. Asymmetric signing and encryption end to SWIFT only
• C. Symmetric encryption only
• D. Asymmetric signing only
Correct Answer: A
Explanation:
SWIFT Public Key Infrastructure (PKI) certificates are the cryptographic credentials used to secure traffic over the SWIFT network. Evaluating each option:
• Option A: Asymmetric signing and encryption end to end. Correct. SWIFT PKI certificates bind asymmetric key pairs (a private key and its public counterpart) that are used both to sign and to encrypt. Signing gives the receiver authenticity, integrity and non-repudiation (the signature is verified against the sender's certificate); encryption gives confidentiality from the sender's environment to the receiver's environment, so intermediate hops carry only ciphertext. The private keys are held on Hardware Security Modules (HSM tokens or HSM boxes), so signing and decryption take place without the key leaving the HSM.
• Option B: Asymmetric signing and encryption end to SWIFT only. Incorrect. The protection does not stop at the boundary of the SWIFT network (e.g., the SWIFT Secure IP Network); it covers the whole message path, including the recipient's environment.
• Option C: Symmetric encryption only. Incorrect. The certificates carry asymmetric (RSA) keys. Symmetric keys are used for bulk encryption of a message or session, but they are generated per exchange and protected with the asymmetric keys; the PKI certificate itself is not a symmetric credential.
• Option D: Asymmetric signing only. Incorrect. The certificates serve both signing (authenticity and integrity) and encryption (confidentiality); both are needed to protect a SWIFT message in transit.
Summary of Correct Answer: SWIFT PKI certificates are used for asymmetric signing and encryption end to end (A). References to SWIFT Customer Security Programme Documents: • SWIFT Customer Security Controls Framework (CSCF) v2024: Control 5.2 Token Management covers the protection of the HSM tokens that hold PKI private keys. • SWIFTNet PKI documentation: describes certificate usage for signing and encryption.
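The sign-then-encrypt pattern described for option A, written out as an added example (this is illustrative code, not SWIFT's PKI implementation or any SWIFT product). It uses Go's standard library only: the sender signs with RSA-PSS, encrypts signature and message under a fresh AES-256-GCM session key, and wraps that key with RSA-OAEP to the receiver's public key. The party names, the message text and the in-memory RSA keys are constructed placeholders; in a real deployment the private keys would sit on an HSM token and the public keys would come from certificates, which this example does not model.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party stands in for a PKI subscriber. The RSA key is generated in memory for
// the demo; a real subscriber's private key would be held on an HSM token.
type Party struct {
	Name string
	Key  *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA key pair for the named party.
func NewParty(name string) (*Party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Key: key}, nil
}

// Envelope is what crosses the network. It carries no plaintext, so a relay
// (SWIFT itself or a service bureau) forwards it without reading or altering it.
type Envelope struct {
	WrappedKey []byte // one-time AES session key, RSA-OAEP encrypted to the receiver
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(signature || message)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs msg with the sender's private key, then encrypts signature and
// message under a session key that only the receiver can unwrap.
func Seal(sender *Party, receiver *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender.Key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	payload := append(sig, msg...) // signature length is fixed by the sender's key size
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open unwraps the session key with the receiver's private key, decrypts, and
// verifies the embedded signature against the claimed sender's public key.
func Open(receiver *Party, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver.Key, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("envelope is not addressed to this receiver")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext tampered or wrong session key")
	}
	sigLen := sender.Size()
	if len(payload) < sigLen {
		return nil, errors.New("payload too short to hold a signature")
	}
	sig, msg := payload[:sigLen], payload[sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not verify against the claimed sender")
	}
	return msg, nil
}

// Demo reports whether the intended receiver recovers the message, whether a
// relay holding its own key can read it, and whether an impostor's envelope
// (valid encryption, wrong signer) is rejected when checked against the real sender.
func Demo() (receiverOK, relayCanRead, impostorRejected bool, err error) {
	parties := map[string]*Party{}
	for _, n := range []string{"sender", "receiver", "relay", "impostor"} { // constructed names
		if parties[n], err = NewParty(n); err != nil {
			return
		}
	}
	sender, receiver, relay, impostor := parties["sender"], parties["receiver"], parties["relay"], parties["impostor"]
	msg := []byte("constructed sample payload, not a real SWIFT message")
	env, err := Seal(sender, &receiver.Key.PublicKey, msg)
	if err != nil {
		return
	}
	got, openErr := Open(receiver, &sender.Key.PublicKey, env)
	receiverOK = openErr == nil && bytes.Equal(got, msg)
	_, relayErr := Open(relay, &sender.Key.PublicKey, env)
	relayCanRead = relayErr == nil
	forged, err := Seal(impostor, &receiver.Key.PublicKey, msg)
	if err != nil {
		return
	}
	_, forgeErr := Open(receiver, &sender.Key.PublicKey, forged)
	impostorRejected = forgeErr != nil
	return
}

func main() {
	ok, relay, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("receiver verified and decrypted: %v\nrelay could read: %v\nimpostor rejected: %v\n", ok, relay, rejected)
}
```

The relay case is what distinguishes option A from option B: a hop that only forwards the envelope cannot unwrap the session key, so confidentiality holds past the SWIFT boundary. The impostor case shows why signing and encryption are both needed (option D alone would not give confidentiality; encryption alone would let anyone holding the receiver's public key inject messages).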
Question 4
Select the correct statement about SWIFT Alliance Cloud.
• A. Alliance Cloud is a SWIFT cloud-based solution. It provides a universal channel to the financial community and to SWIFT Value Added services and initiatives
• B. Alliance Cloud is a cloud-based solution. It is offered by the 3 official public cloud providers. This allows customers the choice to select their preferred cloud provider
• C. Alliance Cloud is a cloud-based solution. It is offered by any public cloud provider that subscribed to the digital connectivity initiative
• D. Alliance Cloud is a SWIFT cloud-based solution. It consists of an Alliance Access instance deployed at one of the three SWIFT-approved public cloud providers
Correct Answer: D
Explanation:
SWIFT Alliance Cloud is a managed service through which SWIFT delivers a fully hosted SWIFT messaging infrastructure, reducing the local footprint the user has to operate and secure. Evaluating each option:
• Option A: Alliance Cloud is a SWIFT cloud-based solution. It provides a universal channel to the financial community and to SWIFT Value Added services and initiatives. Partially correct but incomplete. Alliance Cloud is a SWIFT-managed cloud solution and does give access to the financial community and to SWIFT Value Added Services (e.g., SWIFT gpi, Sanctions Screening), but "universal channel" is not a precise description of the service, and the option says nothing about the deployment model that defines it.
• Option B: Alliance Cloud is a cloud-based solution. It is offered by the 3 official public cloud providers. This allows customers the choice to select their preferred cloud provider. Incorrect. Alliance Cloud is a service operated by SWIFT, not a product sold by the cloud providers. SWIFT deploys and configures the instances on the providers it has approved (e.g., AWS, Microsoft Azure, Google Cloud); the customer does not pick and run a provider of their own.
• Option C: Alliance Cloud is a cloud-based solution. It is offered by any public cloud provider that subscribed to the digital connectivity initiative. Incorrect. Alliance Cloud is hosted only on SWIFT-approved public cloud providers, so that SWIFT's security and operational standards apply. "Digital connectivity initiative" is not a framework that SWIFT documentation uses for Alliance Cloud.
• Option D: Alliance Cloud is a SWIFT cloud-based solution. It consists of an Alliance Access instance deployed at one of the three SWIFT-approved public cloud providers. Correct. Alliance Cloud is a SWIFT-managed solution built around a hosted Alliance Access instance (the messaging interface) deployed on one of the three SWIFT-approved public cloud providers (e.g., AWS, Microsoft Azure, Google Cloud). The user keeps a connectivity and operational footprint, but most of the infrastructure, and many of the corresponding security controls (e.g., "1.1 Swift Environment Protection"), are operated by SWIFT. The CSCF still applies to the user for the components that remain in their environment.
Summary of Correct Answer: D, which describes Alliance Cloud as a SWIFT-managed solution consisting of an Alliance Access instance on a SWIFT-approved public cloud provider. References to SWIFT Customer Security Programme Documents: • SWIFT Customer Security Controls Framework (CSCF) v2024: Control 1.1 and the architecture type definitions, which cover users of SWIFT-hosted infrastructure. • SWIFT Alliance Cloud documentation: details the hosted Alliance Access deployment on SWIFT-approved public cloud providers.
Question 5
On which one of the following components must a Password/PIN Policy not be defined and implemented as per the CSCF? (Select the correct answer)
• A. Operator PCs, (physical or virtual) systems running SWIFT-related components, network devices protecting the secure zone(s), bridging servers
• B. Jump server(s), SWIFT-related components at application level
• C. Personal tokens or mobile devices used as a possession factor
• D. All equipment within the user environment
Correct Answer: C
Explanation:
The CSCF, under Control "4.1 Password Policy" (with "4.2 Multi-Factor Authentication" for the second factor), requires a Password/PIN Policy to be defined and implemented for the components in the user's SWIFT infrastructure that authenticate operators and administrators. Evaluating each option:
• Option A: Operator PCs, (physical or virtual) systems running SWIFT-related components, network devices protecting the secure zone(s), bridging servers. These require a Password/PIN Policy. Operator PCs, systems running SWIFT components (e.g., Alliance Access), the network devices protecting the secure zone (e.g., firewalls, VPN boxes) and bridging servers all carry operating-system and administrative accounts that Control 4.1 covers, and their configuration baseline is in scope of "2.3 System Hardening".
• Option B: Jump server(s), SWIFT-related components at application level. These require a Password/PIN Policy. Jump servers are the administrative path into the secure zone, and the application-level accounts of SWIFT-related components (e.g., Alliance Access, Alliance Gateway operators) authenticate with passwords that must follow the policy.
• Option C: Personal tokens or mobile devices used as a possession factor. Per this question, this does not require a Password/PIN Policy. Personal tokens or mobile devices (e.g., HSM tokens, secure code cards, soft tokens) are the possession factor of multi-factor authentication under Control 4.2 and are used together with a password or PIN; the question treats the policy requirement as attaching to the systems being authenticated to, not to the possession factor itself, whose protection rests on physical possession, token management (Control 5.2) and the device's own hardening.
• Option D: All equipment within the user environment. This is not the exception the question is looking for: equipment in the user environment falls under the Password/PIN Policy wherever it is within the CSCF scope (operator PCs, the secure zone and the components that protect or administer it).
Summary of Correct Answer: A Password/PIN Policy need not be defined and implemented for personal tokens or mobile devices used as a possession factor (C). References to SWIFT Customer Security Programme Documents: • Swift Customer Security Controls Framework v2025: Controls 4.1 (Password Policy), 4.2 (Multi-Factor Authentication) and 2.3 (System Hardening). • Assessment template for Mandatory controls: assessment of the password policy on in-scope systems.