This guide has been created to assist CCSSAs in the performance of audits. Any concerns or questions may be directed to info@cryptoconsortium.org.
All CryptoCurrency Security Standard (CCSS) audit agreements must be written between the CCSSA and the entity and include the scope of the audit. Agreements must not include the CCSS Steering Committee or CryptoCurrency Certification Consortium (C4) and are directly between the CCSSA, CryptoCurrency Security Standard Auditor Peer Reviewer (CCSSA-PR), and the entity. As such, Appendix 1 must be signed by the CCSSA, the CCSSA-PR, and the entity in order for the audit to be recognized by C4. Appendix 1 must be included with the Summary Report on Compliance (SRoC).
Additional details about selecting a CCSSA-PR can be found in section 1.3.1 Peer Review Process.
Audit fees will be determined between the CCSSA and the entity. It is the responsibility of the CCSSA to ensure sufficient time to complete the audit is reflected in the agreed upon fees.
Audit fees must also include the CCSSA-PR’s fee and C4's Listing Fee. The CCSSA-PR’s fee will be forwarded to the CCSSA-PR by the CCSSA. C4 will send an invoice for the Listing Fee to the CCSSA after approving the SRoC.
The listing fee, paid by the audited system’s entity to the CCSSA, is based on Table 1.
When multiple systems (up to 3) are covered in the same audit, C4 only charges the listing fee of the most expensive system. When auditing 4-6 systems, C4 only charges the listing fee of the two most expensive systems, and so on.
Systems that maintain a Certificate of Compliance without letting it lapse receive a 25% discount on the listing fee.
The CCSSA is responsible for ensuring that all agreements include a confidentiality clause in compliance with the requirements of the jurisdiction in which the audit is being performed.
All CCSS audits cover a period of time prior to audit completion and will test the operating effectiveness of the control over this period of time. Audits are designed to be performed at least annually and cover the preceding 12 month period.
When a first time audit is performed the period covered may be 6 to 18 months prior to the audit, as determined by the CCSSA. It is recommended that first time audits are preceded by an Audit Readiness Assessment.
The CCSSA is responsible for obtaining sufficient evidence pertaining to the completeness and accuracy of all information obtained in the performance of the CCSS audit.
This evidence and the procedures performed should also be documented in the Audit Documentation for a CCSSA-PR to be able to inspect and verify the accuracy and completeness of information.
The CCSSA is expected to inform the entity that significant changes to security practices and procedures between the audit and Summary Report on Compliance submission could invalidate the audit and must be disclosed to the CCSSA.
Audit Documentation consists of the records maintained by the CCSSA performing the audit to support the basis for the CCSSA's conclusions over the effectiveness of controls and CCSS Level obtained.
The audit documentation should, at a minimum, detail the following.
A comparable control is a control put in place by the entity that provides equivalent or comparable protection to the control defined in the CCSS. The CCSSA can use their professional judgment where organizational controls do not meet CCSS controls descriptions but provide a similar level of protection.
A requirement can be marked as Not Applicable if a requirement does not apply to the assessed entity’s environment. CCSSA’s must provide evidence that testing was undertaken to confirm that the assessed entity’s environment does not support or provide a facility that would meet the requirements intent when marking a control as Not Applicable.
Example 1
1.01.2.2 In cases where keys or seeds are created without the use of software (e.g., dice, a deck of cards, or other non-digital source of entropy), the creation methodology must be validated to ensure determinism is not present (e.g., there are no weighted dice, each card in the deck is unique).
If the information system being audited uses software to generate the entropy when creating keys or seeds then this requirement is Not Applicable
The following are examples of information/evidence that should be retained for IPE purposes:
If the CCSSA is observing a process, then they should record the following:
If the CCSSA is reviewing records such as reports then record the following:
If the CCSSA is inspecting configuration data and data at rest, then record the following:
Note that reperformance as an evidence gathering technique will not frequently be utilized. Reperformance can be substituted by observation, inspection, and interviews
There may be an action that can be performed by the CCSSA where the risk of impacting the availability, confidentiality or integrity of the system and/or information is negligible. In that instance record the following:
For each interview conducted record the following:
Ensure that notes are taken during the interview or if possible and with prior authorisation voice or video record the interview
CCSSAs should also consider the nature of the report generated. For standard and canned system reports, little additional testing would be required. For custom reports of ad-hoc queries, the CCSSA should consider additional procedures such as inspecting the query parameters or database query to ensure data produced is accurate and complete.
These considerations should take into account input, processing, and output risks around the report.
Example:
Where a CCSSA is testing controls such as new users added to the system, the CCSSA should obtain a list of all new users appointed or transfers between departments during the period directly from the entity’s HR system. The CCSSA may inspect the parameters used while pulling this listing to ensure no data was excluded and the period covered is correct. Screenshots of the query and resulting output can be used as evidence of IPE procedures.
Where an entity has privacy concerns over this data, the CCSSA may observe them pulling the listing via a video call, noting the number of records and spots checks on the data. The entity can then anonymize data, leaving unique identifiers to be able to identify items, before sending the listing to the CCSSA.
The CCSSA can then use this listing and unique identifiers to select the sample for testing the control.
Where a CCSSA is testing the operating effectiveness of a control over a period of time, a sampling approach should be followed. For a control with a high frequency of occurrence it is not practical to test all occurrences.
Audit sampling enables the CCSSA to obtain and evaluate audit evidence about some characteristic of the items selected in order to form or assist in forming a conclusion concerning the population from which the sample is drawn.
Sample size
The sample size can be determined by the application of a statistically based formula or through the exercise of professional judgment.
The CCSSA must document their rationale behind the sample size selected and consider the following factors:
Example:
An example of a testing approach would be the following (this is only a guide and should not be used as your testing methodology)
Population Size | Low risk of failure / Low Importance | High risk of failure / High Importance |
1(Annual) | 1 | 1 |
4(Quarterly) | 2 | 3 |
12(Monthly) | 3 | 6 |
1-25(Occurrences) | 5 | 10 |
26-50(Occurrences) | 10 | 20 |
51-100(Occurrences) | 20 | 30 |
101-X(Occurrences) | 30 | CCSSA judgment used |
Items selected for testing
When identifying the items to be tested, the CCSSA can use professional judgment, random selection, or a combination of the two techniques.
When identifying items to test using professional judgment the CCSSA should consider factors such as the following:
When identifying items using random selection the CCSSA should make use of a randomized sampling technique such as the following:
The CCSSA is responsible for ensuring all data related to the audit is transmitted and stored in a secure manner for the duration of the Certificate of Compliance and as legally required in the jurisdiction of the audit. In the event that an entity will not allow evidence storage outside of the entity’s environment, the CCSSA should record the meta-data of the documentation reviewed such as file name, location of file within assessed entities environment, version number of documentation, summary of document content, etc.
The CCSSA is also responsible for ensuring all data protection requirements (General Data Protection Regulation (GDPR) or equivalent) are met for the jurisdiction the audit is being performed in.
Entities will be certified at the lowest level of any Aspect, regardless of other Aspect’s Compliance Status. In the example below, CCSS Level 1 would be granted.
All CCSS audits will be subject to a peer review process after the CCSSA has completed their evidence gathering and documentation. CCSSAs must follow the CCSSA-PR selection process as explained below. CCSSAs will securely submit their Audit Documentation as well as conclusion on the CCSS Level certification obtained to a CCSSA-PR.
The CCSSA-PR must be copied on final submission of the audit to C4 in order for the certification to be issued.
Prior to signing the audit agreement with the entity, the CCSSA must complete the Intent to Audit form found here: https://cryptoconsortium.org/intent-to-audit/. C4 will then email the CCSSA a list of randomly selected CCSSAs. This list is randomized to prevent conflicts of interest & collusion. The CCSSA must select from the Peer Reviewer Options List (PROL) to perform the peer review. Contacting a CCSSA-PR, negotiating payment, and verifying that the Peer Reviewer’s certification will be valid for the duration of the audit is the CCSSAs responsibility.
The CCSSA-PR’s fee will be included in the CCSSA’s audit agreement with the entity.
In the case of sufficient evidence a CCSSA-PR has a material conflict of interest or another reason to not perform the review, the CCSSA must contact another CCSSA-PR on the PROL.
In the case of sufficient evidence that attempts to engage all potential CCSSA-PRs from a PROL have been unsuccessful, an additional PROL may be requested. Once an additional PROL is sent, all prior PROLs are no longer valid. The Peer Reviewer must be selected from the most recent PROL.
Once the peer review is completed, the CCSSA-PR will submit any queries to the CCSSA and the CCSSA will have the opportunity to respond to these queries.
The Peer Review of the first audit conducted by a CCSSA is required to be completed by a current member of the CCSS Steering Committee. This ensures that the audit is conducted with the requisite rigor to uphold the standard. The CCSSA must still complete the Intent to Audit form and will receive contact information for the CCSS Steering Committee Member from C4.
After connecting with another CCSSA and forming a contractual arrangement with them to be the CCSSA-PR, a kickoff meeting between the CCSSA and the CCSSA-PR should occur, and a communication plan should be established. This plan should:
Before submitting audit documentation to the CCSSA-PR the CCSSA will make a copy of the Report on Compliance (RoC) audit report and from that copy, redact all sensitive information and personal identifiable information (PII) of the audited entity’s environment, information systems being audited, and personnel interviewed as part of the audit process. The output of this process will be the Redacted RoC.
Note that in most cases the CCSSA-PR will not have a NDA or other permissions with the entity under audit to view the audit evidence collected by the CCSSA. Due to this reason the RoC is redacted for the peer review process.
Once the CCSSA has created the Redacted RoC it is recommended that the CCSSA submits the Redacted RoC to the entity under audit to seek approval to release the Redacted RoC to the CCSSA-PR. This is to ensure that no sensitive information or PII remains within the redacted RoC.
The CCSSA will not share or make available any of the evidence collected during the audit to the CCSSA-PR.
During the kickoff meeting, an Access Control Plan should also be established. Even though the redacted RoC should have no confidential information remaining, there is still a risk that information that should not be made public may remain in the redacted RoC.
The redacted RoC must be treated as a confidential document by the CCSSA and CCSSA-PR. Appropriate access controls must be implemented for the redacted RoC before the CCSSA-PR has access to the redacted RoC. The access controls that will be implemented must be agreed upon by both the CCSSA and CCSSA-PR in writing. This is called an Access Control Plan.
Access to the redacted RoC should be via access controls that require a password or another authentication factor. The password or other authentication token that grants access to the redacted RoC should be sent to the CCSSA-PR via another communication channel. For example, the redacted RoC could be zipped with a password and emailed to the CCSSA-PR. The password to the zip file is then sent via text.
Important note! The CCSSA and CCSSA-PR MUST NOT share any evidence collected from the audited entity.
Based on previous CCSS Redacted RoC peer reviews, the estimated effort to conduct a Peer Review is approximately 10-15 hours, and varies depending on the system or systems being audited.
Note that the CCSSA-PR should consider an additional allowance of 1-2 hours to take into account additional reviews of the changed sections of the Redacted RoC if the CCSSA-PR requires changes. The CCSSA-PR reviews statements made in the Redacted RoC, an example of which is on the resources page available only to CCSSAs.
If more in depth remediation is required, then the CCSSA and CCSSA-PR will need to enter into negotiations for additional billable hours.
The peer review process does NOT include the review of audit evidence collected by the CCSSA during the audit in order for the CCSSA-PR to reach the same audit findings opinion as the CCSSA conducting the audit.
The CCSSA-PR is instead required to review the evidence gathering techniques (interviews, inspection, observation, review) undertaken by the CCSSA during the audit and documented in the Redacted RoC. The goal is to ensure that the CCSSA collected a broad range of evidence in order to have the ability to form a correct opinion on whether applicable CCSS requirements were met.
For example, it would be expected that a general auditing process would be undertaken for the bulk of the applicable CCSS requirements. This would be done by first reviewing policy/standards/procedures to understand the entity's goals and intent for the information system. Secondly, reviewing interviews of personnel who use the policy/standards/procedures in order to complete their assigned tasks. And thirdly, inspecting outputs of the processes undertaken such as configurations of devices, BAU reports, and change requests to ensure that the policy/standards/procedures are being followed.
Once the peer review is completed, the CCSSA-PR will submit any queries to the CCSSA and the CCSSA will have the opportunity to respond to these queries.
Note that the peer review process may involve remediation of the RoC due to feedback provided by the CCSSA-PR. Any remediation undertaken by the CCSSA due to CCSSA-PR feedback must be reviewed by the CCSSA-PR and confirmed as completed.
The CCSSA-PR must provide written confirmation to the CCSSA that the peer review process is complete and no further remediation is required so that the CCSSA can continue with the audit process.
CCSSA-PR must provide written confirmation to the CCSSA that the peer review process is complete. If any changes are made during the peer review process, then CCSS must update the RoC with those changes, and the CCSSA-PR must then re-review the Redacted RoC and approve. After this, the SRoC is created by the CCSSA and must be signed by both the CCSSA and the CCSSA-PR.
The Redacted RoC must be retained as part of the stored audit documentation for the required retention period.
Procedure | RecommendedTimeframe |
Peer review | 10 working days |
Resolution of queries | 10 working days |
The CCSSA is responsible for negotiating directly with the CCSSA-PR. While C4 cannot recommend any specific fees, we do recommend considering the scope of the audit when choosing the Peer Review Fee.
All CCSSAs will be required to make themselves available to perform one Peer Review for every audit they complete.
Any dispute arising out of the peer review process shall be arbitrated by the CCSS Steering Committee. The committee’s decision will be final and binding. Audit Documentation for the disputed aspect will be securely submitted to the committee at CCSS_Submissions@cryptoconsortium.org. This means using encrypted, password protected, Zipped files or something comparable. The committee shall review the evidence and provide a decision within 15 business days.
After CCSSA-PR completes Peer Review, CCSSA must send the following to CCSS_Submissions@cryptoconsortium.org & copy the CCSSA-PR:
C4 will then send an invoice for the Listing Fee to the CCSSA.Once paid, C4 will provide CCSSA with CoC and Badge for CCSSA to provide to the entity.
Certificates of Completion can be viewed and verified at the following link: https://cryptoconsortium.org/completed-ccss-audits/
CCSSAs must avoid any potential conflict of interest. This may include current or previous employment, familial relationships, financial interest (such as tokens or equity held), or any other matters that may constitute a conflict of interest.
Failure to recuse oneself due to any conflicts of interest will result in disciplinary action, up to and including loss of CCSSA certification.
CCSSA-PR must avoid any potential conflict of interest. This may include current or previous employment, familial relationships, financial interest (such as tokens or equity held), or any other matters that may constitute a conflict of interest.
Failure to recuse oneself due to any conflicts of interest will result in disciplinary action up to and including loss of CCSSA certification.
This Code of Professional Responsibility defines the expectations for professional and ethical conduct of all CCSSAs. All CCSSAs must advocate, adhere to, and support the following principles:
CCSSAs who violate any of the foregoing principles will be subject to disciplinary action by C4, including but not limited to revocation of certification.
Acronym List:
CCSSA= CryptoCurrency Security Standard Auditor
CCSSA-PR= CryptoCurrency Security Standard Auditor - Peer Reviewer
SRoC= Summary Report on Compliance
CoC= Certificate of Compliance
PROL= Peer Reviewer Options List