What are the CCSS Aspects and Requirements?
CCSS provides a list of requirements that must be implemented to become CCSS compliant. The requirements focus directly on the people, process, and technology components of information systems which make use of cryptocurrencies.
CCSS is an open standard designed to augment standard information security practices and to complement existing standards (ISO 27001, PCI DSS, etc.) in order to protect cryptocurrency information against unauthorized data access, sensitive data loss, and data breaches.
CCSS is currently the go-to security standard for any organization that handles and manages crypto wallets as part of its business logic.
CCSS Compliance Levels
CCSS provides three levels of compliance:
Level 1 CCSS Compliance
Level 1 covers the baseline requirements provided by CCSS and should be considered the absolute minimum set of security controls to implement in order to meet each requirement's objective.
Reviewing recent breaches of crypto-related services shows that implementing even the Level 1 CCSS security controls would have defeated many of the attacks or dramatically reduced the impact of the breach.
For example, Aspect 1.03 Key Storage at Level 1 addresses the basics of key storage in order to protect key data at rest. How many times have we read in media reports that a major hack resulted in the theft of the private key(s) of a cryptocurrency wallet because they were stored in plain text?
Below are the CCSS Level 1 requirements for protecting key data at rest.
1.03.1.1 Cryptographic keys and/or seeds must be stored with the use of strong encryption when not in use.
1.03.2.1 A backup of the cryptographic key/seed must exist. The backup can take any form (e.g., paper, digital).
1.03.3.1 The backup must be protected against environmental risks such as fire, flood, and other acts of God.
1.03.4.1 The backup must be protected by access controls that prevent unauthorized parties from accessing it.
Level 2 CCSS Compliance
Level 2 offers a higher level of CCSS compliance by adding further rigor to each of the applicable security controls.
Considering Aspect 1.03 Key Storage at CCSS Level 2, rigor is added by requiring a backup of each production key needed to spend funds (requirement 1.03.2.2), physical security controls such as physical separation of keys (requirement 1.03.3.2), and tamper-evident seals on physical copies of key data (requirement 1.03.5.1).
Level 3 CCSS Compliance
CCSS Level 3 adds even more rigor to the security controls. Aspect 1.03 Key Storage at Level 3 requires that backups of keys be encrypted at rest with strong encryption at least equal to the encryption strength used for production keys (requirement 1.03.6.1) and that “Backups are resistant to electromagnetic pulses” (requirement 1.03.3.3).
What is a CryptoCurrency Security Standard Auditor (CCSSA)?
A CryptoCurrency Security Standard Auditor is an expert in the CCSS. CCSSAs are able to apply the CCSS standard to any information system that uses cryptocurrencies, calculating a grade for the system according to the CCSS.
CCSSAs must avoid any potential conflict of interest. This may include current or previous employment, familial relationships, financial interest (such as tokens or equity held), or any other matters that may constitute a conflict of interest.
What are the Benefits of CCSS?
Your data will be secure, which means your customers can transact with you confidently and your reputation in the market benefits as well. Data breaches could cost companies millions every year.
Find us for a security assessment in Hong Kong, United Kingdom, Europe, Estonia, Singapore…