How Does an Entity Certify Against CCSS?

C4 provides a certification program to allow entities to certify against the CryptoCurrency Security Standard (CCSS). The certification process requires an audit to be undertaken by a registered CryptoCurrency Security Standard (CCSS) auditor, known as a CCSSA. The CCSSA must be independent from the assessed entity and any current or prior relationship between the CCSSA and the assessed entity must be declared to C4 before the audit commences.

There is no ability for an entity to self-assess against CCSS and be registered by C4 as a CCSS certified entity for any of the CCSS certification levels.

Caveat Emptor when Selecting a CCSSA

It is also important to note that C4 does not require any prerequisites such as relevant qualifications or auditing experience, for a person to take the CCSSA exam, pass and be registered with C4 as a CCSSA. For this reason, it is vital for an entity considering certifying against CCSS that the entity conducts in-depth research on any CCSSA before contractual arrangements are undertaken with the selected CCSSA.

This article provides suggestions as to what the entity should consider when selecting a CCSSA.

Purpose of the CCSSA

The purpose of the CCSSA is to ensure the assessed entities systems, which provide cryptocurrency functions, meet the requirements of the CryptoCurrency Security Standard. This is achieved by the CCSSA applying evidence gathering techniques such as interviews, inspections, review and observations of the people, processes and technology that support the cryptocurrency functions.

For this reason, a CCSSA should have a significant amount of experience in auditing information systems as well as the information security controls protecting the information systems.

The CCSSA will determine the CCSS Level achieved by the assessed entity based on the evidence gathered and reviewed during the audit. Once the CCSS Level is defined and the audit completed successfully the CCSSA will submit audit documentation to C4 for review. C4 will record the certification status of the assessed entity and issue the assessed entity with the CCSS certificate of compliance.

Recommended Auditing Experience

CCSS is an information security management systems (ISMS) standard focused on cryptocurrency systems. Therefore, it would be expected of a CCSSA to have experience in auditing ISMS controls. This also means that the CCSSA must have sufficient experience in the evidence gathering techniques described below:

  1. Inspect the configurations of information security controls as well as cryptocurrency system configurations. The CCSSA must be able to inspect configurations of security controls such as access controls, network filtering controls, application security controls, encryption controls, key management systems to name a few. The CCSSA should have experience in interpreting different hardware and software vendors configuration implementations and have knowledge regarding the industry accepted standards for the configuration items.
  2. Conduct interviews with personnel in numerous roles such as key custodians, system administrators, system operators, security operations, service desk, human resources and executive management. The CCSSA must have experience in interviewing people who may have different views or approaches to audits and come from different cultures and life experiences. This could be classified as “people skills”.
  3. Review documentation such as policy, standards, procedures and BAU records to ensure the documentation meets CCSS requirements and be able to discern if the documentation would be effective and implement industry best-practice.
  4. Observe processes, for example, a key ceremony and be able to record in writing key aspects of the process as evidence.

Finally, the CCSSA should have excellent audit report writing skills and be able to provide detailed interview notes that will be part of the audit evidence artefacts. Good writing skills and good audit report writing skills can be two very separate things. So a CCSSA who has been involved in many audits should understand how to evaluate evidence and explain how they reached their conclusions.

The CCSSA will also be responsible for ensuring that the report is easily understood as part of the Peer Review process. This means that a poorly written report can end up costing you more than you expect if the writing quality is sub-standard and requires further work from the peer reviewer to be able to understand if the audit has been undertaken in a way that provides sufficient assurance on the security of the systems.

Recommended Experienced and Qualifications

The CCSSA should be able to provide qualifications that provide more than enough assurance to the entity that the person has the ability to carry out an audit of an information management system’s controls to a high-level of professionalism. The financial and brand risk to the assessed entity allowing a third-party to have access to highly confidential information and possibly retain and record the information which could be leaked to the public through the auditor’s inability to protect the evidence is extremely high. Therefore, the auditor must be trustworthy and demonstrate a high degree of professionalism, skill and experience.

Since the CCSS auditors’ program was officially released in 2022 with no requirement for pre-requisites for CCSSAs we would assume that existing auditors in information security would become CCSSAs. Therefore, the entity should ensure that the CCSSA has an easily provable history of prior auditing experience of information management system’s controls. We would also expect that the auditor is registered with an industry recognized legal body that records qualified and trusted auditors within that domain. For example, a PCI DSS Qualified Security Assessors (QSA) certificate to operate can be located on the official PCI Security Standards Council’s (PCI SSC) website.

Many auditing bodies certifying and endorsing auditors require pre-requisites before the person can be accepted as a certified auditor within their body. To continue with our example, the PCI SSC requires a number of pre-requisites such as one or more professional certifications such as CISSP, CISM, Certified ISO 27001 Lead Implementer, for proficiency in information security management and one or more certifications in auditing information security management systems such as CISA, GSNA, Certified ISO 27001, Lead Auditor as well as a number of years’ experience in information security and auditing information security systems. Many of these professional certifications also requires a minimum number of years of experience (usually 5 years in relevant knowledge domains) to become certified.

Professional Insurance

Unlike other auditing standards, CCSS does not require their auditors to hold any professional indemnity insurance. As a contrasting example, the PCI SSC requires that all Qualified Security Assessor Companies be able to demonstrate annually that they hold a minimum level of insurance that includes workers compensation, employer liability, general liability, crime / fidelity bond, technology errors & omissions, cyber risk, and privacy liability.

If your auditor is not able to demonstrate that they hold a required minimum level of insurance what happens if they make a mistake in their professional capacity and due to this mistake you suffer a financial loss? This is a financial risk that you need to be aware of when picking a CCSSA.

Summary

The risks of engaging a CCSSA are completely with the entity seeking to become CCSS certified. C4, which manages CCSS requires no pre-requisites to become a CCSS auditor (CCSSA). Therefore, the entity should conduct in-depth research and due diligence on every CCSSA candidate that they are considering for conducting the CCSS audit. This article provided suggestions as to what an entity should look for within a CCSSA.