A draft of the CryptoCurrency Security Standard (CCSS) was made available on Wednesday for public discussion.
The CCSS draft is the result of a collaboration between the CryptoCurrency Certification Consortium (C4), a Canada-based not-for-profit organization that establishes cryptocurrency standards, and Bitcoin security platform BitGo.
Cryptocurrencies, particularly Bitcoin, have become increasingly popular over the past years. However, several security incidents, such as the ones involving Mt. Gox and more recently Bitstamp, have had a negative impact on the industry.
C4 and BitGo believe security standards can help address many of the current challenges. The CCSS is designed to encourage the cryptocurrency industry to take steps toward the adoption of security best practices.
C4 has noted that a cryptocurrency security standard will be beneficial for both service providers and consumers.
“Established organizations will be more open to joining the space as the risk of missing key aspects due to misunderstandings are less likely to occur. Insurance companies will now have that measuring stick to verify operations looking for financial protection for themselves and their clients. Investors will have the ability to understand the readiness and maturity of the projects they choose to back,” Joshua McDougall, C4’s director of operations, explained in a blog post.
The standard covers a total of 10 key security aspects focusing on the storage and usage of cryptocurrencies within an organizations. The list consists of key/seed generation, wallet creation, key storage, key usage, key compromise policy, keyholder grant/revoke policies and procedures, third-party security audits/pentests, data sanitation policy, proof of reserves, and audit logs.
An organization that meets these requirements at a minimum will achieve “Level 1” security, which indicates that they have “proven by way of audit that they protect their information assets with strong levels of security.” There are three levels of security defined in the CCSS and while Level 1 is the lowest, it still indicates a strong level of security.
“With a standard, companies will no longer need to ‘go it alone’ and hope they've covered everything; they'll have a checklist to follow that will help prevent them from being ‘goxed’,” said McDougall.