CryptoConsortium / CCSS

The CryptoCurrency Security Standard
https://cryptoconsortium.github.io/CCSS/

Other Functions to Potentially Consider or to Clarify #42

Open cyzen-io opened 5 years ago

cyzen-io commented 5 years ago

It is important to note that C4 clearly states that this is not the only framework to consider when assessing a company's overall security posture; however, it may be beneficial for C4 to add other portions to analyze when conducting the CCSS audit. Some of these recommendations below are bundled into other themes already mentioned in the CCSS framework, but it may be beneficial to clarify where it could be considered or utilized. Some examples are:

-High-level code analysis of the encryption algorithm utilized in the code a SaaS company/Custodian/Fund/Exchange may be using for encrypting its private keys. There have been a couple of scenarios where our team thinks this could benefit the company aligning itself with the framework. This could also consist of a static or dynamic code analysis, but that may be overkill.

-API security analysis. This is something that funds and custodians do hold, and it is important to note that this information should either be encrypted or stored in some capacity that can mitigate some type of risk scenario. While this doesn't have to be a separate control, this could be used or bundled into the 'private key' portion.

-Key Ceremony Analysis. This is very hard to conduct; however, it has been beneficial in analyzing environments to ensure that all of CCSS has been conducted properly. While this may not be necessary for the CCSS audit, it is a good way to check and analyze against the CCSS framework.

-Physical Security assessment. This is mentioned as part of the Penetration Test, but it may be better to clearly define it, as this is critical for all companies looking to align with CCSS.