The requirements rationale provides guidance on what is acceptable with regard to “multiple organizational entities/business units”. The requirements rationale reads as follows:
“By giving keys to separate business units and legal entities (such as lawyers, accountants, or other businesses), legal risks that can disrupt your business will not necessarily disrupt your funds. Note that this does not violate the Key/Seed Generation Level I requirement, as the separate organizations fail to meet the definition of an actor.”
The rationale therefore allows an assessed entity that operates from only one location to use third-party entities to store its private keys. We would also accept as a suitable third-party entity an organization that is qualified to provide safes or other secure storage facilities.
The CCSSA should review the policies, standards and procedures to confirm that they require private keys to be stored by multiple entities/business units.
The CCSSA should confirm that the policies, standards and procedures define a procurement process for any third-party organization that will store private keys, and that this process ensures the organization is suitably qualified to provide the service.
The CCSSA should interview a sample of the personnel responsible for distributing private keys to confirm that the policies, standards and procedures are followed in practice.
The CCSSA should review the key inventory to confirm that private keys are dispersed across multiple locations and entities, as the policies, standards and procedures require; the inventory should make clear which entity holds each key and where it is stored.
In this article we reviewed CCSS Aspect 1.02 Wallet Creation. The Aspect covers the requirements for the people, process and technology components involved in the wallet creation process.