Standards

What is the CCSS? 

CryptoCurrency Security Standard (CCSS) is a set of requirements for all information systems that make use of cryptocurrencies, including exchanges, web applications, and cryptocurrency storage solutions. By standardizing the techniques and methodologies used by systems around the globe, end-users will be able to easily make educated decisions about which products and services to use and with which companies they wish to align.

CCSS is designed to complement existing information security standards (i.e. ISO 27001:2013) by introducing guidance for security best practices with respect to cryptocurrencies such as Bitcoin. CCSS is not designed to substitute or replace these standards; in fact, following the CCSS to the letter while ignoring standards like ISO 27001:2013 will likely lead to compromise. CCSS is a cryptocurrency standard that augments standard information security practices. As with any standard, knowledgeable and experienced security professionals and/or auditors are necessary when implementing any information system to ensure coverage of all classes of attack as well as the appropriate handling of all potential risks.

CCSS is a standard for securing cryptocurrency systems



Documents

Standard (Matrix)
Standard (Written)
Auditor Guide
Glossary

Appendix 1

Who manages the CCSS?

The standard is maintained by the CCSS Steering Committee. The committee's mission is to ensure the standard continues to remain up-to-date with industry best practices and remain neutral. Current CCSS Steering Committee members are (in alphabetical order): S. Dirk Anderson, Petri Basson, Jameson Lopp, Joshua McDougall, Michael Perklin, and Ron Stoner.

S. Dirk Anderson

CIO at SALT Blockchain Inc.

Andreas M. Antonopoulos

Bestselling Author, Speaker, and Educator

Petri Basson

Founder - HASH consulting, CCSS Committee Chair

Noah Buxton

Partner at Armanino

Jameson Lopp

Founder and CTO - Casa

Joshua McDougall

President, Slow Ninja

Michael Perklin

C4 Chairman of the Board
CISO of ShapeShift

Ron Stoner

Head of Security at CASA

If you would like to make a donation to C4 to help support the CCSS initiative, you may send bitcoins to: 3NE4uoPiUrRycqUGeRqmswHbXFnikKpXnT

What is a CryptoCurrency Security Standard Auditor (CCSSA)?


A CryptoCurrency Security Standard Auditor is an expert in the CCSS. CCSSAs are able to apply the CCSS standard to any information system that uses cryptocurrencies, calculating a grade for the system according to the CCSS.

CCSSAs must avoid any potential conflict of interest. This may include current or previous employment, familial relationships, financial interest (such as tokens or equity held), or any other matters that may constitute a conflict of interest.

Learn how to become a CCSSA here.

How does an entity with a cryptocurrency system start the audit process?


The first step to getting audited is to select a CCSSA. You can search our currently certified CCSSAs here. Entities then contact and negotiate with the CCSSA of their choosing. Please note that while these individuals have proven their knowledge of the CCSS, C4 does not endorse specific CCSSAs. It is imperative that entities follow best practices for selecting an auditor.

All CCSS audits cover a period of time prior to audit completion and will test the operating effectiveness of the control over this period of time. Audits are designed to be performed at least annually and cover the preceding 12 month period. All audits performed by CCSSAs are reviewed by a CCSSA-Peer Reviewer before C4 certifies an entity. Any dispute arising out of the peer review process shall be arbitrated by the CCSS Steering Committee.

The CCSSA is responsible for ensuring all data related to the audit is transmitted and stored in a secure manner for the duration of the CoC and as legally required in the jurisdiction of the audit. C4 will not view documentation of evidence outside the Summary Report on Compliance. The CCSS steering committee shall review evidentiary documentation in the case of a peer review dispute.
*Text version of this image can be found in the Auditor’s Guide.

We also offer certifications for Individuals

So strongly and metaphysically did I conceive of my situation then, that while earnestly watching his motions, I seemed distinctly to perceive that my own individuality was now merged in a joint stock company of two; that my free will had received a mortal wound.

Individual Certifications

It was a humorously perilous business for both of us. For, before we proceed further, it must be said that the monkey-rope was fast at both ends; fast to Queequeg's broad canvas belt, and fast to my narrow leather one.

Learn more