CryptoCurrency Security Standard (CCSS) - Selecting a CCSS Auditor (CCSSA)
[Article updated August 2023 for CCSS Version 8.1]
Marc Krisjanous is one of the first CCSS Auditors, assisted C4 in developing its auditor program, and is a member of the CCSS Steering Committee.
**** Free CCSS Implementation Guide! ****
Marc also co-authored the CCSS Implementation Guide for a Full System - click here to download - it's free!
C4 provides a certification program to allow entities to certify against the CryptoCurrency Security Standard (CCSS). The certification process requires an audit by a registered CryptoCurrency Security Standard (CCSS) auditor, known as a CCSSA. The CCSSA must be independent of the assessed entity, and any current or prior relationship between the CCSSA and the assessed entity must be declared to C4 before the audit commences.
An entity cannot self-assess against CCSS and be registered by C4 as a CCSS-certified entity for any CCSS certification level.
Caveat Emptor when Selecting a CCSSA
It is also important to note that C4 does not require any prerequisites such as relevant qualifications or auditing experience for a person to take the CCSSA exam, pass and be registered with C4 as a CCSSA. For this reason, it is vital for an entity considering certifying against CCSS that the entity conducts in-depth research on any CCSSA before contractual arrangements are undertaken with the selected CCSSA.
This article suggests what the entity should consider when selecting a CCSSA.
Purpose of the CCSSA
The purpose of the CCSSA is to ensure that the assessed entity's systems, which provide cryptocurrency functions, meet the requirements of the CryptoCurrency Security Standard. This is achieved by the CCSSA applying evidence-gathering techniques such as interviews, inspections, reviews and observations of the people, processes and technology that support the cryptocurrency functions.
For this reason, a CCSSA should have significant experience in auditing information systems and the information security controls protecting the information systems.
The CCSSA will determine the CCSS Level achieved by the assessed entity based on the evidence gathered and reviewed during the audit. Once the CCSS Level is defined and the audit completed successfully, the CCSSA will submit audit documentation to C4 for review. C4 will record the certification status of the assessed entity and issue the assessed entity with the CCSS certificate of compliance.
Note: CCSS certification must be undertaken annually to remain certified with the standard.
Recommended Auditing Experience
CCSS is an information security management systems (ISMS) standard focused on cryptocurrency systems. Therefore, it would be expected of a CCSSA to have experience in auditing ISMS controls. This also means that the CCSSA must have sufficient experience in the evidence-gathering techniques described below:
1. Inspect the configurations of information security controls and cryptocurrency systems. The CCSSA must be able to inspect the configuration of security controls such as access controls, network filtering controls, application security controls, encryption controls and key management systems. The CCSSA should have experience in interpreting different hardware and software vendors' configuration implementations and have knowledge of the industry-accepted standards for those configuration items.
2. Conduct interviews with personnel in numerous roles, such as key custodians, system administrators, system operators, security operations, service desk, human resources and executive management. The CCSSA must have experience in interviewing people who may have different views of or approaches to audits and who come from different cultures and life experiences. This could be classified as "people skills".
3. Review documentation such as policies, standards, procedures and BAU records to ensure the documentation meets CCSS requirements, and be able to discern whether the documentation would be effective and implements industry best practices.
4. Observe processes, for example a key ceremony, and be able to record the key aspects of the process in writing as evidence.
Finally, the CCSSA should have excellent writing skills and be able to provide detailed interview notes that will form part of the audit evidence artifacts. The CCSSA must also ensure that the report is easily understood during the peer review. A poorly written report can cost you more than you expect: if the writing quality is sub-standard, the peer reviewer must do further work to determine whether the audit was undertaken in a way that provides sufficient assurance of the security of the systems.
Recommended Experience and Qualifications
The CCSSA should be able to provide qualifications that give the entity more than enough assurance that the person can audit an information management system's controls to a high level of professionalism. The financial and brand risk to the assessed entity is exceptionally high: it allows a third party to access highly confidential information, possibly retaining and recording it, and that information could be leaked to the public through the auditor's inability to protect the evidence. Therefore, the auditor must be trustworthy and demonstrate a high degree of professionalism, skill and experience.
Since the CCSS auditor program was officially released in 2022 with no prerequisites for CCSSAs, we assume that existing information security auditors would become CCSSAs. Therefore, the entity should ensure that the CCSSA has an easily provable history of prior experience auditing information management system controls. We would also expect the auditor to be registered with an industry-recognized body that records qualified and trusted auditors within that domain. For example, a PCI DSS Qualified Security Assessor's (QSA) certificate to operate can be located on the official PCI Security Standards Council (PCI SSC) website #1.
Many bodies that certify and endorse auditors require prerequisites before a person can be accepted as a certified auditor. To continue with our example, the PCI SSC requires several prerequisites: one or more professional certifications demonstrating proficiency in information security management, such as CISSP, CISM or Certified ISO 27001 Lead Implementer; one or more certifications in auditing information security management systems, such as CISA, GSNA or Certified ISO 27001 Lead Auditor; and several years' experience in information security and in auditing information security systems #2. Many of these professional certifications also require a minimum number of years of experience before a person can become certified.
Professional Insurance
Unlike other auditing standards, CCSS does not require its auditors to hold any professional indemnity insurance. As a contrasting example, the PCI SSC requires that all Qualified Security Assessor Companies demonstrate annually that they hold a minimum level of insurance covering workers' compensation, employer liability, general liability, crime/fidelity bond, technology errors and omissions, cyber risk, and privacy liability.
If your auditor cannot demonstrate that they hold a minimum level of insurance, what happens if they make a mistake in their professional capacity and you suffer a financial loss as a result? This is a financial risk that you need to be aware of when picking a CCSSA.
Summary
The risks of engaging a CCSSA rest entirely with the entity seeking to become CCSS certified. C4, which manages CCSS, requires no prerequisites to become a CCSS auditor (CCSSA). Therefore, the entity should conduct in-depth research on every CCSSA candidate who will conduct the CCSS audit. This article has suggested what an entity should look for in a CCSSA.
#1 - https://listings.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
#2 - https://www.pcisecuritystandards.org/program_training_and_qualification/qsa_certification/
Comment (2 years ago): Good article Marc. I think that's why it is also so important that there is the peer reviewer step in the CCSS certification process.