Introducing CCSS – The Cryptocurrency Security Standard
In 1999, NASA lost a $125 million Mars orbiter because Lockheed Martin engineers used the English measurement system, whereas the NASA team used the metric system. The mismatch in units caused navigation errors leading to the loss of the said orbiter.
Such an example highlights why implementing standards is essential in any industry, including crypto, where hundreds of millions of dollars worth of digital assets are transacted and traded on exchanges daily.
Different trading platforms and crypto wallets have ways of keeping digital assets secure. However, having a Cryptocurrency Security Standard allows for unified methodologies that users and institutions can trust and make more educated decisions about what products and services to use.
What is the Cryptocurrency Security Standard?
The Cryptocurrency Security Standard (CCSS) is an open standard that provides guidance on securely managing cryptocurrencies. It focuses on the storage and usage of cryptocurrencies within an organization. It standardizes the techniques and methodologies used within the systems of these crypto-based organizations.
CCSS is a complimentary standard of existing information security standards such as ISO 27001:2013. It outlines security best practices when handling digital assets like Bitcoin, and Ethereum, just to name a few. CCSS is not designed to replace known standards.
It focuses on ten controls of cryptographic asset management.
- Key/seed generation
- Wallet creation
- Key storage
- Key usage
- Key compromise policy
- Keyholder grant/revoke policies and procedures
- Security tests and audits
- Data sanitization policy
- Proof of reserve
- Audit logs
Who Manages the Crypto Security Standard?
The CCSS Steering Committee is tasked with maintaining the standard by ensuring that it remains up-to-date with the industry’s best practices while simultaneously striving to maintain neutrality. Current CCSS Steering committee members include S. Dirk Anderson, Petri Basson, Jameson Lopp, Joshua McDougall, Michael Perklin, and Ron Stoner.
Why is CCSS Important, and what are its benefits?
The proper implementation of any standard guarantees smooth functionality of any process or organization and reduces the chances of expensive errors, as was the case with the Mars orbiter. In the case of the CCSS, a crypto service provider can have a standardized methodology for maintaining its security systems and being up-to-date with industry best practices and potential threats.
For the crypto end user, the CCSS allows them to make educated decisions about which products and services to use and which companies to trust with their digital assets.
Entities that the CCSS Applies To
The Cryptocurrency Security Standard (CCSS) applies to any entity that handles and manages crypto assets as part of its business model. They include:
- Crypto exchanges
- Marketplaces that have adopted cryptocurrencies as a form of payment
- Crypto payment processors that act as middlemen when payments are made using crypto and referenced to fiat currencies
- Crypto gaming platforms such as those that provide gambling services
- Crypto wallet, storage, and custody service providers
- Any other business entity or information system that handles cryptocurrencies as part of its operations
The Three Levels of the CCSS
The CCSS has three levels depending on how secure a system is. Level one is the least secure, with level three being the most secure.
Level 1 means that the information system is functioning as expected by protecting its information assets and has met industry standards. Although it is the lowest level of the CCSS, it still affirms that the security system is robust and has undergone relevant auditing.
A Level 2 system is one whereby a company has enhanced controls, has worked hard on improving crypto security, and even implemented other decentralized security technology, for example, multiple signatures. The company also has redundancy measures in the event a key or signatory gets compromised or is unavailable.
Lastly, an information system labeled with a CCSS Level 3 has achieved the highest level of security for protecting its information assets. It has proven during auditing that it has enhanced controls, advanced authorization, and authentication techniques. Assets are also distributed geographically for safekeeping and retrieval.
What is a Cryptocurrency Security Standard Auditor?
The CCSS requires experts to be able to apply the standard. The experts are known as Cryptocurrency Security Standard Auditors or CCSSAs.
CCSSAs must avoid conflict of interest when performing their duties. Potential conflicts of interest include current or previous employment, family relationships, equity held, tokens invested, significant trading positions, and any other matter that would classify as such.
Final Thoughts
The security systems implemented by crypto asset providers are one of the pillars that will drive the adoption of digital assets. Standardizing storage and handling of digital assets and auditing such systems provide a means for crypto users and institutions to gauge the robustness of the processes and operations used to handle their investments.
The team at C4 (CryptoConsortium.org) has provided the foundation for the standardization of crypto storage and security through their openness, guidelines, the CCSS, and professional certifications for interested parties.
