Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: CCSS 101 with Confide
Quick Take
On this week’s episode of Compliance Unfiltered, we are pleased to welcome friends of the show, Nicole Braun and Marc Krisjanous of Confide Ltd. Marc is the world’s very first Assessor for the new CryptoCurrency Security Standard (CCSS), and Nicole performed the QA on Marc’s first CCSS assessment.
The Compliance Unfiltered audience is fortunate enough to get the toughest and most pressing CCSS questions answered from the frontlines of the assessment.
- What is CCSS?
- What are some of the tallest hurdles assessors and companies face when considering going up against CCSS?
- What are some of the key areas of opportunity for future iterations of CCSS?
All these answers and more on this week’s episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the conch, to your compliance shell. Mr. Adam Goslin, how the heck are you, sir? I am doing, I’m doing good today. I’m actually, I’m jazzed about today. It’s going to be, going to be fun. I think we’re going to have a, going to have a good time. It’s always fun having guests. Absolutely.
And that’s a perfect segue. I appreciate it. We’ve been kind enough to be joined today by two of our friends from Confide, I’d like y’all to meet Nicole Braun, the Associate Director of Security, and Marc Krisjanous, the Senior Security Consultant for Confide, based out of New Zealand. How are you today, guys? We’re doing absolutely fantastic. That’s great to hear. Thank you so much for joining us. We’re greatly appreciative of your time. And today, we get the special opportunity to learn about something brand new from the man himself.
And what I’m talking about is the cryptocurrency security standard, or CCSS, for those uninitiated. So Marc, talk us through exactly what CCSS is at a high level, and why you’re excited to be boots on the ground in the early outset of this. This standard was created around about 2014 by a selection of volunteers who were heavily involved in the cryptocurrency space. It was to provide a security standard that was focused on cryptocurrency functions, so providing cryptocurrency functions, e.g. a cryptocurrency wallet. Because even in 2014, there were major breaches in exchanges, cryptocurrency exchanges, and loads and loads of bugs, software bugs, in wallets. So the standard was first published in 2014, and then we go forward to 2020-21, where I was involved in cryptocurrency.
I was really seeing the value of cryptocurrency, but I was absolutely shocked the amount of hacks that were occurring. In fact, I think most of the world was incredibly shocked the amount of hacks that were occurring. I was looking for an information security standard for cryptocurrency because my job at the time was like a QSA, a Qualified Security Assessor for PCI DSS, which is another security standard related to. And so I was looking for a like-minded standard for cryptocurrency and lo and behold, I found CCSS and I thought, well, this is really cool. I looked at the requirements that the standard had for cryptocurrency and I thought, yep, they’re very practical, it looks like they’re being based on providing security control that will greatly reduce the impact of a security breach or a hack. So I thought, well, this is really cool and also notice on their web monitors program, so you could become an auditor for CCSS. So I contacted C4 and I said, I don’t see any kind of way to set the exam to become an auditor. I don’t see any kind of information about the auditors. People came back who, based on, they are literally just a group of enthusiasts who literally for free, they volunteer it, there’s a couple of full time employees, but they literally tear their time. So they came back and said, well, we actually haven’t had the time nor have we got the skill to create an auditors program. That’s where I suggested, well, hey, I really think the standard’s great. I think it’s got a lot of potential. Let me create the auditors program for you, and they said, well, that’s fantastic, so it’s on it. I found out through the CCSS committee, which is the committee that actually maintains the standard, to the CCSS audit process to be more like a PCI DSS audit, if any of your listeners know PCI DSS is quite a rigorous audit. Absolutely, it involves, yeah, it involves inspecting systems configurations, reviewing descriptive standards in the space.
We absolutely yeah, I appreciate that and that’s how they wanted CCSS to be based, on PCI methodology. So we built the auditors program and got it, got it up and running, but this exam was ready. So I set the exam and I became the kind of like the first official auditor, what they call a, well, yeah. And this doesn’t work for people with, it’s really, it’s quite annoying. Sometimes it’s CCSA and it’s quite a stumbling block sometimes.
You’re the first one, right? Yeah. How did that process work? How did the process work, you have to obviously have a background in auditing and you sit the exam, some scenarios on like there’s a scenario about an exchange, there’s a scenario about a service provider and you go through the exam, it’s quite an intensive exam and it’s quite, it’s based on time and even after spending nine months deeply immersed in the standard, I found it quite, I just made it till the end. I didn’t even have time to revise, but yeah, it’s quite a good exam. So I passed the exam and then literally the first entity or the first organization that wanted to be certified, which is Fireblocks, they were really, really keen on going through the audit process. And so we started the audit process with Fireblocks and it took about, I’d say about three months, it was about a hundred hours of audit to go through and we interviewed loads of people in there, looked at all their policy standards, procedures, looked at their penetration testing reports, bloody scan reports, pretty much exactly like PCI DSS. And yeah, they passed, and CCSS has three levels of certification. You have level one, which is kind of like, you’re doing okay, you know, you’ve got the basics, but you’re also able to consistently ensure that those controls are working. And then three, which is you got everything down pat, you can mature a system, we trust you emphatically, so to speak. So you have the three levels, and then you have different designations. So for CCSS, you have a full system designation, designation is basically a system, such as an exchange that manages and controls all the signing keys in cryptocurrency. They’re classed as a full system. If there is an entity which only has partial custody or one of the keys used for signing a transaction, then they become a service provider. Exactly like PCI and merchants, you have service providers.
And then there’s a third designation where you have self custody, which is pretty much aimed at the, you know, who accept cryptocurrency for payment of their goods and services, for example an eCommerce site.
Hmm. Well, you know what, as you’re sitting here sharing this with us, Marc, I had a question. Like now that you’ve cleared through this first assessment, what are some of the bigger challenges that you noticed here? Outside of the kind of lack of structure initially. Right now is that CCSS was written in 2014. When a lot of the different protocols were not even around or they existed, but they hadn’t been used in cryptocurrency. For example, MPC, which is a form of key management, multi-party computation on the stand for this one, MPC. Yeah, so MPC really wasn’t in cryptocurrency world stage. And it was more about multi-signature wallets. So what we had to do with Fireblocks, because they had to see, we had to interpret the standard in such a way that it would fit MPC. And we got there with the help of the CCSS committee and the requirements were flexible enough statements to actually allow MPC in. But even now we’ve noticed that some of the requirements would probably need an update in regards to how they’re worded. But at the same time, we faced this audit and we found that the requirements were broad enough that you could put in an interpretation of a new technology in there.
But it would just be nicer if you didn’t have to do that and the requirement, just like PCI DSS where a lot of the requirements are high level where it gives the auditor or the assessor scope to apply many different types of technologies each are present, previous, into the standard. So that’s what we’re focusing on now with the requirements, a few more audits under our belts is to gain some feedback from the entities that did the audit and get them to reword the requirements.
That’s a great shout. Now, speaking of kind of getting an alternate perspective, Nicole, I know that you were deeply involved in this process as well. I’m sorry, Adam, did you want to share something? Yeah, I was going to jump in before we before we pass to Nicole, because I actually had a couple I had a couple of questions for Marc about, you know, as he was kind of going through going through that first assessment and, you know, thoughts on the standard, etc. So one of the questions I’ve got, as I looked at the at the CCSS, you know, and heavily structured to, you know, key handling, key usage, and, you know, security around the keys, etc. And then they basically have a couple of other arenas talking about, you know, security testing, data sanitation, you know, proof of reserve and audit logs. But you’re kind of in a in an atypical season, you know, security compliance, you know, standard that you’re directing at a particular organization. It struck me that there’s realms of security and compliance that aren’t directly hit by CCSS. So I’ll just give you an easy one, like, you know, user authentication as an example. Yeah, it’s covered in the, you know, the keys and things on those lines. But, you know, you know, that, you know, HR activities for the organization that is, you know, that is running the system, you know, secure, secure coding approaches, things along those lines. How, how do you see the CCSS being leveraged by the crypto platforms? Is, you know, is do you kind of see CCSS expanding? Or is there an intention that CCSS is kind of really used in conjunction with a more broad scope security compliance style of standard? Yeah, I mean, that’s a, it’s a very, very good question. And incredibly correct in that CCSS does not look at baseline security controls, doesn’t look at patch management, change management, vulnerability management, user account management and so forth.
What the C4 and the CCSS committee recommend, in fact strongly recommend, is that before you do a CCSS audit is that you’ve already established baseline security controls and you have proof of that, e.g. ISO 27001, a SOC 2 type 2, a PCI DSS assessment. So yeah CCSS never states that baseline, it covers baseline security controls. It in fact is a bolt-on to an existing baseline security certification.
So with the first two audits that we’ve conducted, the first two audits in the world, they both had SOC 2 type 2 reports and also one of them was, or both of them, sorry, were ISO 27000 on the flight as well. So the difficulty, and again, this is another challenge that comes to us, is if we face an entity that has any kind of certification evidence to state that they’ve got their baseline security controls in place, how does the CCSSA continue with the audit with being completely unsure that, well, what about patch management? I mean, you can say that the key is in place, but if you’re not patching the wallet software, where’s that going to lead you? And again, that’s another challenge. And it comes where the CCSSA, the auditor, has to really gain assurance for themselves since they’re signing this off. The entity knows how to do baseline security controls. And if they don’t have a certification like ISO 27000, or PCI, or SOC 2 type 2, then more than likely, the auditor will have to seek assurance before they sign off on that CCSS audit. Sure. And I had a related question to that, which is, yeah, I was just doing a quick look at some of the big crypto hacks of 2022. And I don’t know, the top five were closing in on the $1.5 billion mark. And with some of those, as you look at some of those, is your thought that, and I don’t know how much research you did on those or what your level of knowledge is on them, but is it more, is your sense it’s more a lack of these organizations didn’t even, you know, weren’t even complying with the baseline, you know, PCI, ISO, you know, SOC 2, you know, type of a standard and actually adhering to it, you know, and or do you think it had they, you know, gone through CCSS audit, you know, what would that have helped, you know, negate these possibilities? Yeah, I mean, absolutely.
The, the issue that we’re finding because we’re also organizations that are interested in sitting or becoming CCSS compliant is that in cryptocurrency, it’s very young. It’s not like we’re in the finance world or the retail world where organizations have such systems and information systems like 10, 20, 30 years old, I haven’t had decades to perfect the whole information management systems. It’s not like that in the cryptocurrency world. You’re either dealing with startups or you’re dealing with entities who are maybe one or two years, four years outside of startup phase and are still to this day, trying to bolt on information security. I’m not saying this is right throughout the whole cryptocurrency space, but clearly you can see some of the hacks involved at one time where someone uploaded the private keys to a wallet, to a GitHub repository that was publicly accessible.
Well, none of the developers have any kind of idea of what secure coding techniques are, right? Sure. It’s astounding, it is astounding, but you’ve got some of these developers who build systems fly with VC funding and stuff and the first critical thing is to get as many users in there as possible, right? Think about, let’s think about information security, but the problem is that some of these funds in the bull market were holding the dollars or fiat of people’s money and they were writing on the fly all this code and this is why you’re seeing an enormous, I heard in 21 and 22. Yeah. Yeah, and I was gonna say that I’ve seen that over the years, I’ve really seen that be prevalent, especially with those organizations that are startup, or near startup, where their focus is on turning it from proof of concept to something that is kind of monetizable. I think part of the problem in this particular arena is just that crypto over the last several years has blown up so quickly that I can imagine, imagine for some of those organizations, it’s been extremely tough to switch from, okay, this is now a thing. And now we actually need to go and bolt on all of this compendium of kind of security and compliance oversight and coordination operation into the organization. That’s gotta be a tough juggle when basically the firehose is open at your organization with money streaming at you, you know? Yeah, oh, no, that’s what they’re finding. I mean, and to answer your question about if they’d had a CCSS audit or if they even attempted to align themselves to the standard, then yes, I am 100% that 90, 95% of the hacks that I’ve learned about would have been prevented or greatly reduced their impact if they had even implemented, like, level one CCSS security controls. Right. I mean, some of the hacks are the most basic things you could have ever imagined.
And like, if your bank was hacked, you know, there was a massive security vulnerability in the code, will you let your bank get away with it. But though, it’s kind of like, oh, never mind, the developer, all the developers are enormous. You contact them as on a, on a, and I’ve just called that chat. And now they’ve moved the code to another system. And now they’re calling themselves something else. And right, oh, millions of dollars of fiat are pouring into the new, into the new venture, or the new platform. And it’s the same code base. Yep. Yep. Yes. Just, just waiting for a hack, right? It’s incredible. And you know, you can understand why there’s an SEC and they’re going, you know, what, what is going on here? Right. It needs to be, you know, there needs to be some form of regulation. But with national security, the other thing that we’re looking at and C4 is looking at is really getting the VCs and the investors to look at, make it mandatory that at some stage, if they provide funding, that this platform will be CCSS certified.
Right. You see a lot of these ones, they say, Oh, we’re SOC 2 type 2, or we’re either ISO 27001. And a lot of that’s coming from the investors stating that just to provide assurance or reduce the risk. And we want CCSS to be in there as well. And in fact, prevalent than what it is currently. Gotcha. Well, speaking about the ups and downs, that come along with a new standard, I can imagine from a QA perspective that there were your fair share of roller coaster moments.
Nicole, talk us through that. Yeah, absolutely. So I think what was really with our first QA of a CCSS audit was that, well, honestly it was the first time that anybody had done. So what that actually meant was that during the QA process, we were not just doing our normal QA, QA of the template and how the reporting should actually be shown to people as well. So you can imagine that that was quite an interesting process. Sure, challenging. To actually, yeah, well, and to add to that challenge, here’s where it gets even more interesting. So you’d expect with a normal QA process, it’s the auditor and somebody internal to your organization who’s doing the QA.
Well, here’s the thing with CCSS. The… There might be an internal QA project, but there’s an official external peer review process by a CCSSA-PR. Yeah, those letters are great for people with dyslexia, right? That PR person, the peer reviewer, has to be from an external third-party organization. So when he reaches out to C4 and C4 provides a list of other CCSSAs who can process. So now you’ve got another organization involved. So you’ve got your organization being audited, you’ve got your CCSSA-PR. And if that wasn’t enough, at the end of the audit, C4 actually reviews the work that might as well. So it’s quite a role. Oh my goodness. Exactly. And so during our first QA process, Marc mentioned how there’s a couple of different designations for audited entities. Well, it was actually during our first QA process that the CCSSA-PR asked us to add another designation into our reporting. So in the middle of an audit, yeah, we had to revise our template again and make it so that somebody could actually see it was a qualified service provider and what level they were assessed at as a qualified service provider and how that actually fed into using them as a service provider. And you can probably guess that PCI came in really handy for this because we already, how to talk about those relationships. But, oh, that was an interesting QA session, really. Yeah, I just see those.
I was gonna say, Nicole, that it’s exciting enough and you’re, I mean, I remember 15 years ago starting to head into the security and compliance arena and it kind of, it felt very kind of Wild West-ish, you know, you’re breaking fresh ground, etc. I mean, there’s nothing that better defines breaking new ground than being the first organization going through a brand new certification for the very first QA process. Holy moly. I didn’t realize the, I didn’t realize those extra levels of, you know, kind of, of review. You know, not only having to go through internal QA, but the, what’d you say? CCSSA-PR and the C4? Only, only. And as you can probably imagine, that actually adds a whole other layer to who’s allowed to see what. So before Marc actually sends his report off to the CCSSA-PR, he has to make sure that only certain information is going to be revealed to them because of those contractual relationships between us, non-disclosure agreements and everything else.
Man, well, I have to ask, cause I’m listening to this and my head is spinning. I can only imagine what it was like for you to go through it. What type of procedural changes can you see coming for your approach to CCSS? And what are you screaming from the rooftops to make sure that C4 knows for the next time around? Oh gosh. So I think really what we’re really trying to do in our processes is make something that is a lot more repeatable. See, it’s something that we’re always striving for in PCI DSS. And that’s something that we need to make sure that we build into our CCSS auditing processes. But of course, because the standard is so young, we know that where we can make it more structured. Marc’s having regular conversations with C4 about the standard itself. But then we’re looking at, at how we can use those same sort of tools that we’re using for PCI DSS, which is portal, to actually give us a nice framework for how we do the audit, how we collect our evidence, and how we can build it through our QA process.
One of the features that I think is going to be absolutely vital as we move into the portal that you guys already have are those stub files, because a lot of our cryptocurrency customers, they don’t want us to hold their evidence. That makes a ton of sense. Yeah, so I think that’s something that we’re going to be using extensively as we look at how we build up a really nice process and start moving into TCT for it. Well, Adam, do you want to share the TCT perspective on that? Yeah, I mean, as we were listening to the, I’m so glad that I got the acronym correct. I was thinking to myself, all these freaking standards, right, they’ve all got to have their, you know, battalion list of acronyms and, you know, secret codes and handshakes and whatnot. But I was pretty impressed with myself, they got the CCSSA-PR correct. But, you know, one of the things that I wanted to mention to you guys, Nicole and Marc, as you were kind of talking this through. And one of the things that I want to follow up, we’ll follow up on this, you know, post, you know, post this podcast, is the ability to integrate that CCSSA-PR review and the C4 review. Those are things that we could quite honestly integrate right into the workflow. So, you know, as, you know, if it’s possible, if people are amenable, etc, I’m just saying the TCT portal could, you know, could handle that. That way items are migrating up and into, you know, kind of into these guys, these guys’ hands and doing it, again, systematically in an automated fashion, and all that fun stuff. That’s something that I’d like to explore because I think, I think especially with, you know, it’s one of the, one of the material benefits of TCT is that because we built the system, you know, I named the company appropriately, right? I named it Total Compliance Tracking. It wasn’t intended to be a PCI portal or a HIPAA portal, but it was intended literally to handle any standard known to man.
And I just, I just think this is so cool to, you know, to be involved with, you know, one of the, you know, the, the organization that had the very first assessor on a brand new standard, you know, I just think it’s really cool watching, you know, watching this unfold and being able to, you know, being able to work with. you guys to kind of standardize that structured approach, especially as this platform kind of morphs and changes as it grows.
Now, you guys, as you’re looking ahead here, Nicole and Marc, anything you’d like to see integrated into the future iterations of the CCSS standard based off of what you’ve learned to this point? Marc, I’ll throw that over to you to start. Okay, you have no problem. Yeah, so basically, I’m not… I understand how CCSS is a bolt-on to the baseline security standards, but I probably would like to… When we go for a few more audits and we audit against different entities with different forms, different services, approaches and so forth is that some of the baseline security controls are presented in PCI DSS, for example, patch management or secure coding techniques, something around the fact that it’s not so just 100% purely focused on cryptocurrency functions but also provide some ability for organizations who are not SOC 2 type 2 compliant or who aren’t in 2700, or PCI DSS, that the auditor can use the standard and if their auditors or an entity that doesn’t have these types of base level certifications that the standard provides some guidance or some requirements to say, hey, if they’re not baseline security, I’d look at patch management and look at change management, look at configuration management, look at vulnerability management and so that will help give the auditor some assurance or some comfort that when they’re signing off on this thing, that the organization doesn’t patch their wallet software but hey, they have great key management. So where does that leave the auditor? So I do want to have some more protection for the auditors who are actually signing off, and this is something we haven’t encountered yet, obviously, because there’s only been two audits in the entire world so far, but both of them have mature processes in place and both of them are SOC 2 type 2 and ISO 27000 certified. I was gonna say, what it sounds like is, what they, what C4 almost needs is a level zero, level one for CCSS, it’s almost a level zero set of baseline controls.
Yeah if the organization can’t provide that even instead they are they have certifications in the baselines then yeah that those CCSS level zero requirements kick in. Yeah as you guys were talking this through I mean you know I like that notion that it you know that CCSS is envisioned as a bolt-on to some type of a prescriptive standard. I mean, you know, it’s part of the challenges. And again, this is all new ground, right? You know, part of the challenges here would be that if they, you know, let’s say that, you know, I don’t know, I decided to go get compliant with, you know, diamond security level 14, you know, or something and nobody has any clue what the hell diamond, you know, security level 14 is, you know, I think in some ways, shapes and forms, it would be a good idea for C4 to say, all right, out of the gate in order to play in the CCSS sandbox, you must be one of these, you know, and whatever, you know, three, five, eight, whatever many standards, but, you know, something that’s going to have enough, you know, kind of enough prescriptive, you know, requirements around the controls so that the assessor has some, you know, some idea or some notion of the maturity of the organization, you know, kind of going in, you know, yeah, you could go level zero and, you know, and then need to go and, you know, add a whole bunch of other, you know, whole bunch of other elements, but then I can imagine that the complexity on the C4 side is going to go up by just absolute leaps and bounds, because now they’re having to, you know, basically cover, you know, all these other, you know, control arenas, you know? Yeah, and you’ve also got to balance that with the fact that CCSS was designed in 2014 before the likes of DeFi, you know, before the likes of DeFi in some of these fast, rapid platforms in level two for even considered, I mean, they were not even thought about when CCSS was first created.
So, what’s in place today, is so leading edge that if CCSS, please get them thinking about security and getting them certified to some level, then that’s a good thing for everyone. So, it’s about, okay, so they can’t do, they’re not ready yet for SOC 2, type 2, they’re not ready for ISO, they’re not ready for PCI, whatever, but at the same time they can at least align to it and hopefully become audited by a third party auditor, which will gain some kind of, it’s just a fine balance between not scaring these young, dynamic platforms away from CCSS, ISO 27001 certified for you, because the thing is, is the amount of money that’s pouring. Fresh new platforms that no one ever thought about and like I’d said, like they were to bridging in there, there’s still millions of dollars worth of fiat being poured into these things and say, you know, when the next bull market kicks off, it’s gonna happen again. So yeah, it’s a fine balance and I understand you if you put in the likes of user account management, change management, all that kind of stuff, then you’ve got a, it’s just gonna be for, and always remember they’re a volunteer organization at the heart of it, right? Yeah, understood.
Nicole, how about on your side, any additional things you’re thinking you’d like to see integrated? Oh, so really the main things that I’m focusing on from the CCSS side of things are how do we start making it look all good and well, if we’ve got a good repeatable process for us at Confide, but what we want to make sure is that the standard itself is going to hit a good consistent baseline level of auditing and maturity so once you’re CCSS certified that you can actually rely on that certification. So one of the things that Marc has actually gotten me involved with is looking at some of those flows, question flows and how we actually interface with the wider industry to really help elevate that level of security assurance that CCSS is going to give to organizations, that’s the part of it that I’m getting really interested in because that gives us an amazing spot to actually start looking at how the security standard from the actual outset of the auditing program and that’s going to be exciting.
Yeah, it’s as you guys were kind of talking through these topics, there were a couple of, a couple of things that were dawning on me with the whole, you know, where do they go from here type of thing, you know? What are some cool, you know, some cool things that could be, could be surrounding CCSS as you were talking it through. Nicole, with the, with the notion of hey, now we’ve got to go share this information with the CCSSA-PR and we have to go share it off with C4. Yeah, it was, it was sounding to me like if C4 were to develop some type of already executed NDA or something that was in place between the various assessors and all the folks that do PR and C4 right out of the gate, then now the client, if you will, can now depend on that structure being there. That sounded like one opportunity for improvement for them. But the other thing that was striking me is we’re talking through this notion of, oh, I’ve got my ISO or I’ve got my SOC or I’ve got my PCI, and now we’re going to go ahead and leverage those. As I was looking at the CCSS standard, it struck me that if the client happened to use TCT Portal for managing their PCI, managing their ISO, managing their SOC engagement, that we’d have an opportunity to be able to kind of live link in the appropriate evidentiary elements off of that secondary PCI, ISO, SOC track and draw that into the CCSS so that the assessor has the access to be able to see the ones which are direct one-for-one kind of match-ups, if you will, and be able to gain access to some of that assurance that, Marc, you were talking about it before wanting to understand. Because even if you’re referring to a SOC 2, there are n number of ways for them to generate controls to meet the criteria. The important part is being able to go in, kind of see how, well, that’s great that you’re SOC 2, but how did you do it? What are the relative maturity of those controls, etc? How are they working and functioning? Do you see holes there, etc?
That would all be kind of insightful. So that was another thought that I had as I was going through and listening to you guys going through that.
Absolutely. I mean, just even off the top of my head, the key management requirements in PCI have a lot of really good mapping. You’re doing some of the key management in CCSS. So being able to live link those in TCT is incredibly valuable. Cool. Absolutely. Yeah, and any party, party, sorry, go ahead, Mark. I’m just quickly gonna say the, the CCSS reporting template, which, all due credit to Nicole who does the CCSS auditing template, the ROC, actually, actually provides evidence for the auditor to say that, you know, this requirement was met in the last or the SOC 2 Type 2 report or the latest PCI DSS ROC. So the provision’s there already for that type of linking within the CCSS ROC template.
All right, well, any important thoughts and shots we want to share for the folks here, guys? Yeah, hey, I just want to talk about the NDA as well. Yeah, so just quickly, so the whole thing about the NDA is that at this stage, because the auditors is so young and we are literally adapting it, configuring it with every order that we do, we find needs to be done or we find something that needs to be altered. The whole premise around what the peer reviewer has was to reduce the risk to the entity that another third party has access to their IP. So what the peer reviewer does is they review the report and see whether the evidence gathering to form their opinion that they did. That’s all they, that’s all the peer reviewer does. They make sure that the auditors look at evidence; they don’t look at any kind of IP from the assessed entity, and we, and like I said, we did that because we’re so young pre-req for a person to become a CCSSA. Not like PCI, has to have multiple certifications and a number of years in the environment, none of that SSA currently, right? So any man and his dog can become an officer. Well, and if you start, if you start putting like length of time requirements on, so how long have you been involved with CCSS, well, I mean, I think a pool will be pretty small. So I mean we’ve got, we’ve got ways to track that, we’ve got way, like, you know, some is a smart contract auditor, you know, thinking that the CCSS will follow the same methodology, when in fact a lot of the smart contract auditors don’t interview anyone, whereas CCSS, just like everything else, you must interview people.
We’ve gone before to capture that and to make sure that the auditor who won the contract with the CCSS entity actually knows what they’re doing, but it was all about just ensuring that the assessed entity was only sharing the information with the people possible and the only person that actually or the only entity that actually looks at the assessed entity’s IP is the auditor doing the audit and that’s critical right now.
And thank you for that extra additional clarity. And actually, as you were describing that, and again, we’ll follow along with this afterwards with kind of my thoughts and whatnot, but that being the case, we can, TCT4 can still handle that exact scenario where the only thing that the CCSA, SSAPR and C4 are able to see is the actual report that you generated.
That’s something that we can certainly leverage the capabilities of the portal to handle. So Todd, you’ve been trying to jump in for a bit, so I’m gonna hand the baton to you, sir. Well, it’s gonna come right back at you.
We’re just looking for some parting thoughts and shots for the folks this week, Adam. All right, very good. So yeah, honestly, this was so cool to sit, talk with you guys, learn about CCSS. I mean, honestly, I learned a ton, just sitting here and chatting it through, thinking about things and whatnot. I think it’s gonna be really exciting to see things unfold between Confide and CCSS. The other thought I had was that notion that the assessor starts with a premise of another certification, PCI, SOC 2, ISO 27001. If they did that up front, man, that should be a solid move. And I actually really like the idea of the, in case they don’t, type of deal, that you can go to a level zero type of thing: these are the entry items you need to have in place across the organization. I think that would be brilliant as well. So yeah, no, those are my parting thoughts and shots, but Nicole, Mark, how about you guys? Looking forward to seeing how we go. I’m looking forward to seeing the new template work its way into TCT, looking at how CCSS continues to evolve over time. Yeah, I actually really like and am excited about, and because I continue to get deeply involved with working with C4 to improve the auditors program, consultation and all that kind of stuff, is that it’s really great working with a standards body that you can make a difference immediately. So, for example, as Nicole mentioned, halfway through the audit report, the peer reviewer decided that we needed a new status of, you know, qualified in place for a service provider. That was literally decided upon by the CCSS committee. I mean, that’s how agile and fast C4 is. Whereas if you can imagine that done in such mature standards as PCI and ISO, all that, it can take years. So that’s the really exciting thing now, is being able to make a positive change, but almost instantly.
I love that. Well, I want to thank Nicole and Mark very much for their time today. We greatly appreciate Confide for allowing them to join us.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.