Swift Customer Security Programme Assessor Certification(CSPAC) CSP-Assessor Question # 32 Topic 4 Discussion

CSP-Assessor Exam Topic 4 Question 32 Discussion:

Question #: 32

Topic #: 4

The SWIFT user has installed its own Communication Interface on a dedicated virtual machine offered by a public cloud provider. Under which provider category does the public cloud provider fit, and what is the CSP impact? (Select the correct answer)
•Swift Customer Security Controls Policy
•Swift Customer Security Controls Framework v2025
•Independent Assessment Framework
•Independent Assessment Process for Assessors Guidelines
•Independent Assessment Framework - High-Level Test Plan Guidelines
•Outsourcing Agents - Security Requirements Baseline v2025
•CSP Architecture Type - Decision tree
•CSP_controls_matrix_and_high_test_plan_2025
•Assessment template for Mandatory controls
•Assessment template for Advisory controls

The public cloud provider is considered a L2BA provider, and therefore not in scope of the CSP

The public cloud provider is considered a SWIFT connectivity provider, and therefore not in scope of the CSP

The public cloud provider is considered an outsourcing agent, and therefore in scope of the CSP

This type of implementation is not allowed by the CSP

Get Premium CSP-Assessor Questions

Explanation

The "Outsourcing Agents - Security Requirements Baseline v2025" and "Swift Customer Security Controls Framework v2025" define provider categories and CSP impact. Let’s evaluate each option:

•Option A: The public cloud provider is considered a L2BA provider, and therefore not in scope of the CSP

This is incorrect. An L2BA (Lite2 Business Application) provider hosts the full SWIFT stack for users, but a public cloud provider offering a virtual machine is not an L2BA provider unless it provides the full service. The CSP still applies to the provider’s infrastructure.

•Option B: The public cloud provider is considered a SWIFT connectivity provider, and therefore not in scope of the CSP

This is incorrect. A SWIFT connectivity provider (e.g., Alliance Connect) is a specific role, but a public cloud provider (e.g., AWS) hosting a communication interface is an outsourcing agent, subject to CSP requirements.

•Option C: The public cloud provider is considered an outsourcing agent, and therefore in scope of the CSP

This is correct. The "Outsourcing Agents - Security Requirements Baseline v2025" classifies public cloud providers hosting SWIFT components (e.g., a virtual machine with Alliance Gateway) as outsourcing agents. The CSP impacts the provider by requiring them to secure the underlying infrastructure (e.g., Control 1.1), while the user secures the communication interface.

•Option D: This type of implementation is not allowed by the CSP

This is incorrect. The CSP permits cloud-based deployments, including user-installed components on public cloud VMs, as long as security controls are met.

Summary of Correct Answer:

The public cloud provider is an outsourcing agent, in scope of the CSP (C).

References to SWIFT Customer Security Programme Documents:

•Outsourcing Agents - Security Requirements Baseline v2025: Defines cloud providers as outsourcing agents.

•Swift Customer Security Controls Framework v2025: Applies controls to outsourced environments.

•CSP_controls_matrix_and_high_test_plan_2025: Includes cloud provider assessments.

========

Actual exam question for Swift CSP-Assessor exam by Rael6307 at Aug 3, 2025, 12:00:00 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Swift Customer Security Programme Assessor Certification(CSPAC) CSP-Assessor Question # 32 Topic 4 Discussion

Swift Customer Security Programme Assessor Certification(CSPAC) CSP-Assessor Question # 32 Topic 4 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval