This question relates to Control 5.2 – Token Management in the CSCF, which outlines requirements for managing physical or software-based tokens used for authentication or cryptographic operations in the SWIFT environment. Let’s evaluate each option:
A. Similar to user accounts, individual assignment and ownership for accurate traceability and revocation in case of potential tampering, loss or in case of user role change
CSCF Control 5.2 mandates that tokens (e.g., HSM tokens or software tokens) be uniquely assigned to individuals to ensure traceability and accountability. This allows for revocation in cases of tampering, loss, or role change, mirroring the user account management principles of Control 5.1 – Logical Access Control.
Reference: CSCF v2024, Control 5.2 – Token Management; Implementation Guidelines.
Correct.

B. Have in place a strict token assignment process. This avoids the need to perform a regular review of assigned tokens
While a strict token assignment process is required by Control 5.2, it does not eliminate the need for regular reviews. The CSCF and SWIFT security best practices call for periodic reviews of token assignments to confirm ongoing compliance and to detect misuse or anomalies, just as user accounts are reviewed under Control 5.1. An assignment process only governs how tokens are issued; a review is what catches tokens that should since have been revoked (leavers, role changes, lost or damaged devices).
Reference: CSCF v2024, Control 5.2; SWIFT Security Best Practices.
Incorrect.

C. Individuals must not share their tokens. Tokens must remain under the control and supervision of their owner
Control 5.2 prohibits token sharing to prevent unauthorized access and to preserve individual accountability. Tokens must remain under their owner's control and supervision, consistent with secure authentication principles (Control 4.2 – Multi-Factor Authentication).
Reference: CSCF v2024, Control 5.2; SWIFT PKI Certificate Policy.
Correct.

D. All tokens must be stored in a safe when not used
While secure storage of tokens is recommended, the CSCF does not universally mandate that every token (e.g., software-based or portable HSM tokens) be kept in a physical safe when not in use. The requirement varies by token type and environment; rack-mounted HSM boxes, for instance, are not stored in safes. Control 5.2 calls for "secure storage" but leaves the implementation flexible.
Reference: CSCF v2024, Control 5.2 Implementation Notes; HSM User Guide.
Incorrect.

Conclusion: A and C are correct, as they align with CSCF Control 5.2's requirements for individual assignment, non-sharing, and owner control of tokens.