Defining the Trusted Environment
An example is provided below of how to define the CCSS Trusted Environment for the CCSSA-PR, which is considered the “in-scope” environment for audit, or the “audit boundaries”.
Scope of the Trusted Environment
The assessed entity’s Trusted Environment definition, which includes the people, process and technology components that transmit, process and store private keys used for cryptocurrencies, was provided to the CCSSA at the beginning of the current audit. The CCSSA compared the Trusted Environment component definitions with the evidence provided during the current audit.
Examples of Evidence Gathering
An example is provided below of how to define which evidence gathering techniques were applied for a CCSS Aspect Control by the CCSSA. This example Aspect Control has only one requirement, which is for CCSS Level 1: 1.04.2.1 All keys/seeds are only used in trusted environments.
Example 1: Aspect Control: 1.04.2 Keys are only used in a trusted environment
CCSSA evidence gathering techniques applied:
The entity's Information Security policy and Trusted Environment policy were reviewed to ensure statements are provided that require all private keys and seed phrases to only be transmitted, processed and stored within the trusted environment.
Standards and procedure documents covering all key management activities including key creation, key distribution, key retirement and key destruction were reviewed by the CCSSA.
The CCSSA conducted 3 interviews of current key custodians. Each interview was between the CCSSA and one of the key custodians in a private room. Interview topics covered: the tasks each key custodian undertook in the last key ceremony, the location of the key ceremony, and the key management policy and procedures that they are required to read, acknowledging in writing that the documentation was reviewed.
The CCSSA conducted 2 interviews with the security operations team to ensure that all private keys are transmitted, processed and stored within the CCSS Trusted Environment and sufficient monitoring of access to the keys is implemented.
The CCSSA conducted a combined interview with a network administrator and a system architect. The interview topics covered: the review of the network diagrams to identify all systems that transmit, process and store key data, to confirm that the Trusted Environment has been correctly defined by the assessed entity and that all systems which transmit, process or store key data have been correctly defined by the assessed entity.
The CCSSA inspected the key management server, which stores all of the assessed entity's private keys and is the only system that provides access to the keys, to identify all systems which access the key management server to perform key functions. The list of systems which connected to the key management server was compared with the evidence provided to confirm that all systems that transmit, process and store key data were identified and contained within the Trusted Environment.
Example 2: Aspect Control: 2.01.1 Security Audit
NOTE: This example Aspect Control has a requirement for each CCSS Level. For our example the assessed entity is aiming for CCSS Level 2 certification, so the evidence gathered was to cover all requirements in CCSS Level 1 and 2, namely: 2.01.1.1 and 2.01.1.2.
The entity's Information Security policy, Trusted Environment policy, Software Development standards, and Vulnerability Management policy were reviewed to ensure the following principles are addressed:
- A security assessment is required at least annually.
- All components within the Trusted Environment have been included in internal and third-party security assessments.
- A developer is to be assigned to each project that requires custom code which provides cryptocurrency functions or implements a third-party provided solution that provides cryptocurrency functions.
- An internal assessment must be conducted for each project that requires custom code for any system that provides cryptocurrency functions or implements a third-party provided solution that provides cryptocurrency functions.
- The developer involved with security assessment activities is knowledgeable in secure coding techniques for the software languages used by the assessed entity.
Standards and procedure documents covering all security assessment activities, including standards to be used for reference during assessment activities, secure coding techniques, configuration management and deployment management, were reviewed by the CCSSA.
A total of 1 internal assessment was conducted during the assessed period. The assessment findings report was reviewed and found to be complete. No remediation was required.
A total of 2 third-party security assessments were conducted during the assessed period. Both reports were reviewed and found to be complete. Remediation activities for the first third-party security assessment were documented and a remediation plan was created by the assessed entity. The second third-party security assessment required no remediation activities.
Only one project was implemented within the Trusted Environment within the assessed period – referred to as “Project A” for this assessment.
The CCSSA conducted an interview with the sole developer who was involved in the development, design and implementation of Project A, which provided custom code software that included functions that use cryptocurrencies. Interview topics with the developer covered: secure coding techniques applied in the development of the custom code used by the project, secure coding techniques training undertaken by the developer during the assessed period, and the functions within the software that make use of cryptocurrencies. Change management, software development life-cycle management, testing and deployment management were also discussed.
An interview was conducted with a senior systems architect who was responsible for the design of Project A. The interview topics included: the discussion of the internal assessment activity, the methodology used for the assessment, the assessment findings and the scope of the assessment which only covered Project A components.
The CCSSA conducted an interview with a member of the assessed entity's security operations team who was responsible for the completion of the annual security assessment, which covers the entire Trusted Environment and is conducted by a third-party service provider. The interview topics covered: the suitability of the third-party service provider to conduct the security assessment, the report findings, and the scope of the security assessment.
The CCSSA inspected the outputs of the remediation activities from the internal security assessment to ensure that remediation was undertaken and completed. At the time of the audit activity all remediation activities had been completed.