CryptoCurrency Security Standard (CCSS) – Certification Process in Detail
[Article updated August 2023 for CCSS Version 8.1]
Marc Krisjanous is one of the first CCSS Auditors, assisted C4 in the development of their auditors program and is a member of the CCSS Steering Committee.
**** Free CCSS Implementation Guide! ****
Marc also co-authored the CCSS Implementation Guide for a Full System - click here to download - it's free!
The Certification Process
In this article, I will go into detail for each step in the certification process and provide any tips or recommendations I learned based on my experience conducting the first CCSS audit in the world.
The diagram below is extracted from the CCSS auditors guide and provides a high-level overview of the certification process for CCSS certification.
Step 1 – Entity Selects and Contacts CCSSA
The first step in the process is that the entity selects and contacts a CCSSA. The most important task in this step is to ensure the CCSSA you are considering engaging has enough skill and experience in auditing information systems.
C4 does not require any prerequisites such as relevant qualifications or auditing experience for a person to take the CCSSA exam, pass and be registered with C4 as a CCSSA. For this reason, it is vital for an entity considering certifying against CCSS that the entity conducts in-depth research on any CCSSA before contractual arrangements are undertaken with the selected CCSSA. To read more about what to look for in a CCSSA, read this article here.
Step 2 - CCSSA and Entity determine the scope and negotiate the agreement
The next step after selecting a CCSSA is to “determine the scope and negotiate an agreement”. By “determine scope”, C4 refers to defining at a high level what products and services are in scope for the audit and, from there, defining at a high level the systems that will be audited. The in-scope people, process and technology components may change as the CCSSA progresses through the audit but defining even at a high level the scope as part of the contractual arrangements is a good idea and assists with estimates on audit effort. I wrote an article on defining the CCSS Trusted Environment (CCSS refers to the in-scope environment as the "Trusted Environment") here.
Step 3 - CCSSA fills out the Intent to Audit form
Before any contract between the assessed entity and the CCSSA is signed, the CCSSA must complete C4’s “Intent to Audit” form. The form captures the CCSSA details, the entity undertaking a CCSS audit, and the systems being audited – the systems identified at a high level in the previous step of defining scope.
Step 4 - C4 sends PROL to CCSSA
C4 will then send the CCSSA a random list of other CCSSAs that are authorized by C4 to conduct a peer review of the audit documentation. This random list of CCSSAs is called the “Peer Reviewer Options List”, or PROL. When selecting a CCSSA from the PROL, it is very important to ensure that the CCSSA will still be certified throughout the peer review process. CCSSA certification is renewed annually, and the worst outcome is to engage a CCSSA for the peer review only to find that their certification expired right before or during the peer review.
Once the CCSSA selects another CCSSA to conduct the peer review (the CCSSA conducting the peer review is now referred to as the CCSSA-PR), both the CCSSA and CCSSA-PR must declare to C4 any current or previous relationships with the assessed entity.
The CCSS auditors guide (section 2.1 CCSSA and section 2.2 CCSSA-PR) states that the CCSSA and the CCSSA-PR must avoid any potential conflict of interest with the assessed entity. This protects the independence of the CCSSA and CCSSA-PR from the assessed entity: a CCSSA cannot audit their own business or the business of a current or previous employer, and neither the CCSSA nor the CCSSA-PR may receive any other form of benefit from the assessed entity.
It’s important to note that the CCSSA-PR's fees must be negotiated between the CCSSA-PR, the CCSSA and the assessed entity. C4 is not involved in the negotiation. C4 may offer guidance in the future on how long a peer review should take, but right now there have not been enough audits to identify an average peer review effort. The CCSSA-PR's fee for the peer review is added to the CCSSA's audit agreement with the assessed entity.
The CCSSA will also need to help the assessed entity work out the C4 listing fee, which is based on the designation of the audited system (Full System, QSP or self-custody). The CCSS auditors guide provides information regarding the three CCSS certification designations and the associated listing fee for each. I wrote an article detailing the three different designations for CCSS certification here.
Based on the high-level scope defined in the initial steps, the CCSSA should be able to confirm with the entity which C4 listing fee applies to them. The C4 listing fee is the charge C4 applies to an entity that has successfully completed the CCSS audit process for listing and managing the entity's details on the C4 website.
Note: CCSS certification requires an annual audit and certification review for the entity to remain CCSS certified.
The CCSSA must collect the C4 listing fee from the entity and pass the listing fee onto C4. C4 will only release the Certificate of Compliance (CoC) once they have received the listing fee (among other documentation we will cover later in this article). I highly recommend that the entity contacts C4 and asks C4 to confirm the listing fee in writing to avoid any confusion later in the audit process.
The tricky part is that the CCSSA must collect the C4 listing fee from the entity and pass it on to C4. So, three parties are involved in this process, with the CCSSA being the “middle-man” who will need to add the C4 listing fee and the CCSSA-PR’s peer review fee to the audit SOW for the entity. This may lead to mistakes or misunderstandings on the C4 listing fee if there is no written confirmation from C4 the CCSSA can refer to.
C4’s preference for the listing fee payment is in cryptocurrency, so it's essential that the CCSSA and entity plan for how the funds will be transferred to C4. C4 may accept fiat - make sure to double-check with C4 ASAP.
To recap so far - the following should be completed:
Step 5 - CCSSA contacts CCSSA-PR, parties negotiate, and sign Appendix 1
The next step is for the CCSSA, the entity that will be audited and the CCSSA-PR to all sign the Appendix 1 form. This form is a legal waiver by C4 where the CCSSA, the entity that will be audited, and CCSSA-PR acknowledge that C4 is not involved in the audit process.
Appendix 1 is only required to be sent to C4 after completing a successful audit and peer review. However, I think that all parties should sign this document sooner rather than later, or it may become an administrative hassle when the assessed entity wants the CoC.
Step 6 - CCSSA performs the audit
The next stage is that the CCSSA conducts the audit. I have written articles covering every CCSS requirement, focusing on what I believe to be the intent of each requirement and what evidence I would collect to gain assurance that the requirement is in place. The list of my articles is at the bottom of this article. C4 does not officially endorse the articles. However, there is no official guidance on CCSS requirements, expected evidence and example scenarios provided by C4 for the CCSSA, so you can choose to review my articles or not. They are my opinions only.
Once the audit is complete and the assessed entity has met the applicable CCSS requirements, the CCSSA will inform the assessed entity of the CCSS Level reached and confirm the CCSS certification designation. If the assessed entity agrees with the findings, the CCSSA prepares a copy of the audit report for peer review.
Step 7 - CCSSA-PR reviews Audit Documentation, provides feedback to CCSSA
The copy of the audit report must be redacted of all personally identifiable information (PII) of the assessed entity's personnel involved in the audit. All sensitive information about the assessed entity must also be redacted, including:
The CCSSA must make the redacted copy of the audit report available to the assessed entity before being sent to the CCSSA-PR so the assessed entity can check if all sensitive information has been redacted.
Once the assessed entity has approved in writing the release of the redacted audit report for peer review, the CCSSA will make the redacted audit report available to the CCSSA-PR. It is important to note that the CCSSA-PR is not peer-reviewing the audit evidence. The CCSSA-PR is reviewing the evidence-gathering techniques the CCSSA applied during the audit so that the CCSSA-PR can have assurance that enough evidence-gathering techniques were applied for the CCSSA to reach an opinion for each requirement. The CCSS auditors guide has a section on recommended evidence-gathering techniques. I have also written in detail regarding the recommended evidence-gathering techniques here.
The C4 peer review process for a CCSS audit may sound different to the standard audit peer review process, and it is. However, as noted before, C4 requires that the CCSSA-PR is independent of the CCSSA. This means that the two auditors will likely have different audit training and audit methodologies, which could clash if the CCSSA-PR has to peer review the evidence. Further, the CCSSA-PR would not have signed an NDA with the assessed entity to see the evidence collected.
C4 offers a mediation and dispute process for the CCSSA and CCSSA-PR if issues arise.
Once the CCSSA-PR has confirmed in writing that the CCSSA conducted sufficient evidence-gathering techniques to form the opinions presented, the CCSSA will move to the next step in the certification process. I wrote a detailed article on the peer review process here.
Note: A CCSS Audit is NOT a “Checkbox” Audit
An important point to make is that a CCSS audit is not a “checkbox” audit. C4 requires the CCSSA to conduct a rigorous audit of the in-scope environment's people, process and technology components. If the reader knows how a PCI DSS audit is conducted, the CCSS audit follows the same level of rigour. If the CCSSA does not perform the required level of audit rigour, the audit report will fail the peer review process.
Step 8 - CCSSA sends SRoC, Appendix 1, and listing info to C4
Once the peer review process has been completed, the CCSSA is required to provide the following listing information pack to C4:
The listing information pack is then sent by the CCSSA to the C4 CCSS submission email address, which is documented in the CCSS auditors guide.
Step 9 - C4 reviews SRoC and signed Appendix 1 / Step 10 - C4 sends CCSSA Listing Fee Invoice / Step 11 - CCSSA pays Listing Fee
Once C4 is happy with the listing information pack, C4 will send an invoice for the C4 listing fee to the CCSSA. The CCSSA will then send the C4 listing fee to C4 via whatever arrangements C4 has stipulated.
Step 12 - C4 sends CoC and badge to CCSSA. CoC is listed on C4’s website / Step 13 - Entity receives CoC badge from CCSSA
Once C4 receives the C4 listing fee payment, C4 will issue the CoC to the CCSSA, who will then check that the CoC is correct. If the CoC is correct, the CCSSA will then send the CoC to the certified entity. C4 will add the certified entity's details to the C4 online CCSS-certified entity register.
That’s it!
If you have any questions about the audit and certification process, please don’t hesitate to contact me.
Further Reading on CCSS
1.01 Key/Seed Generation
1.02 Wallet Creation
1.03 Key Storage
1.04 Key Usage
1.05 Key Compromise Policy
1.06 Keyholder Grant/Revoke Policies & Procedures
2.01 Security Tests/ Audits
2.02 Data Sanitization Policy
2.03 Proof of Reserve
https://www.dhirubhai.net/pulse/cryptocurrency-security-standard-ccss-proof-reserve-marc-krisjanous/
Cybersecurity
2 years
Thank you, Marc. This is the main article everyone interested in CCSS should start with.