Primechain Technologies Blockchain Security Controls (PT-BSC)

Version 0.4 dated 21st October, 2017

PT-BSC (version 0.4 dated 21st October, 2017)

Blockchain technology has earned the trust of Governments and banks around the world. There is an urgent need for a globally accepted security standard / framework for secure blockchain implementations. PT-BSC is a work-in-progress document that prescribes security controls for blockchain implementations.

PT-BSC is maintained by: Primechain Technologies Private Limited, http://www.primechaintech.com

Please email us your comments to info@primechain.in


Table of Contents

A. Introduction
   A.1 Definitions
       (a) blockchain
       (b) distributed ledger system
       (c) hash function
B. Components of a blockchain
C. Security controls for blockchain instances
   C.1 Primary considerations
       (a) Blockchain permissions
       (b) Consensus mechanisms
       (c) Considerations for proof-of-work based blockchain instances
       (d) Considerations for native blockchain currency (optional)
       (e) Blockchain Security Program Plan
       (f) Senior blockchain security officer
       (g) Blockchain security resources
       (h) Plan of action and milestones process
       (i) Information system inventory
       (j) Information security measures of performance
       (k) Enterprise architecture
       (l) Critical infrastructure plan
       (m) Risk management strategy
       (n) Security authorization process
       (o) Mission / business process definition
       (p) Insider threat program
       (q) Blockchain security workforce
       (r) Testing, training, and monitoring
       (s) Contacts with security groups and associations
       (t) Threat awareness program
   C.2 Blockchain Access Control
       (a) Blockchain Access Control Policy and Procedures
       (b) Blockchain Account Management
       (c) Blockchain Access Enforcement
       (d) Information Flow Enforcement
       (e) Least Privilege
       (f) Permitted actions without identification or authentication
       (g) Remote Access
       (h) Wireless Access
       (i) Access control for mobile devices
       (j) Use of external information systems
   C.3 Awareness & Training
       (a) Security awareness and training policy and procedures
       (b) Security awareness training
       (c) Role-based security training
   C.4 Audit and Accountability
       (a) Audit and accountability policy and procedures
       (b) Content of audit records
       (c) Audit review, analysis, and reporting
       (d) Time stamps
       (e) Protection of audit information
   C.5 Security assessment and authorization
       (a) Security assessment and authorization policy and procedures
       (b) Security assessments
       (c) System interconnections
       (d) Continuous monitoring
       (e) Penetration testing
       (f) Internal system connections
   C.6 Contingency planning
       (a) Contingency planning policy and procedures
       (b) Contingency plan
       (c) Contingency training
       (d) Contingency plan testing
       (e) Alternate storage site
       (f) Alternate processing site
       (g) Telecommunications services
       (h) Information system recovery and reconstitution
   C.7 Incident response
       (a) Incident response policy and procedures
       (b) Incident response training
       (c) Incident response testing
       (d) Incident handling
       (e) Incident Monitoring
       (f) Incident reporting
       (g) Incident response assistance
       (h) Incident response plan
       (i) Information spillage response
       (j) Integrated information security analysis team
   C.8 Maintenance
       (a) System maintenance policy and procedures
   C.9 Physical and environmental protection
       (a) Physical and environmental protection policy and procedures
       (b) Physical access authorizations
       (c) Physical access control
   C.10 Risk assessment
       (a) Risk assessment policy and procedures
       (b) Risk assessment
       (c) Vulnerability scanning
       (d) Insider threat program
       (e) Contacts with security groups and associations
       (f) Threat awareness program
   C.11 Blockchain Integrity
       (a) Blockchain integrity policy and procedures
       (b) Flaw remediation
       (c) Malicious code protection
       (d) Blockchain monitoring
       (e) Security alerts, advisories, and directives
       (f) Security function verification
       (g) Software, firmware, and information integrity
D. Security recommendations for other Blockchain components
E. References and contact information
F. License


A. Introduction

Blockchain technology was announced through the paper titled "Bitcoin: A Peer-to-Peer Electronic Cash System" by Satoshi Nakamoto in 2008. Interestingly, this paper does not specifically use the word "blockchain".

This paper talks about a "purely peer-to-peer version of electronic cash" where "the network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work".

Blockchain technology and some implementations of distributed ledger technology have earned the trust of Governments and banks around the world. There is an urgent need for an accepted security framework for secure blockchain implementations. The PT-BSC is a work-in-progress document that prescribes security controls for blockchain implementations. Many of the security controls are based on NIST Special Publication 800-53 Revision 4 and may also apply to distributed ledger systems.

A.1 Definitions

PT-BSC defines the terms blockchain, distributed ledger system and hash function.

(a) blockchain

A blockchain is a peer-to-peer network which timestamps records by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work [1].

(b) distributed ledger system

A distributed ledger is a peer-to-peer network which uses a defined consensus mechanism to prevent modification of an ordered series of time-stamped records [2].

(c) hash function

A hash function is an algorithm mapping or translating one sequence of bits into another, generally smaller, set known as the hash result, such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, and such that it is computationally infeasible (i) to derive or reconstruct the original electronic record from the hash result produced by the algorithm; and (ii) for two electronic records to produce the same hash result using the algorithm [3].

Note: Blockchains inherently involve multiple parties and organizations. In this document, the term organization includes, unless repugnant to the context, all participating organizations that have agreed on a common security framework, framework revision procedures, and security compliance monitoring processes.

[1] A blockchain can be permissioned, permission-less or hybrid.
[2] Consensus mechanisms include proof of stake and federated byzantine agreement.
[3] Adapted from section 3 of the Information Technology Act. Examples of hash functions include SHA-1 and SHA-2. Note that SHA-1 no longer satisfies requirement (ii): a practical SHA-1 collision was published in February 2017, so new blockchain implementations should use SHA-2 (for example SHA-256) or SHA-3.
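The chaining property in definition (a) and in the Introduction, as an added example that is not part of PT-BSC: a toy hash chain using SHA-256, where the difficulty, the records and the timestamps are constructed assumptions and there is no network, consensus or signature handling. Editing one record invalidates the proof-of-work of that block and the link from every later block, so the edit can only be hidden by redoing the proof-of-work from that block to the tip.

```python
# Added example, not part of PT-BSC: a toy hash chain with proof-of-work.
# Difficulty, records and timestamps are constructed; there is no network,
# no consensus and no signature handling, only the chaining property.
import hashlib
import json

DIFFICULTY_BITS = 12                      # toy target (12 leading zero bits)
TARGET = 1 << (256 - DIFFICULTY_BITS)     # block hash must be below this
GENESIS_PREV = "0" * 64                   # previous-hash field of the first block


def block_hash(block):
    """SHA-256 over a canonical JSON encoding of the block (sorted keys)."""
    payload = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def mine_block(prev_hash, record, timestamp):
    """Search for a nonce that satisfies the proof-of-work target."""
    block = {"prev": prev_hash, "record": record, "timestamp": timestamp, "nonce": 0}
    while int(block_hash(block), 16) >= TARGET:
        block["nonce"] += 1
    return block


def build_chain(records, start_time=1508544000, interval=15):
    """Timestamp each record by hashing it into the chain (constructed timestamps)."""
    chain, prev = [], GENESIS_PREV
    for i, record in enumerate(records):
        block = mine_block(prev, record, start_time + i * interval)
        chain.append(block)
        prev = block_hash(block)
    return chain


def verify_chain(chain):
    """Return (ok, index, reason); checks the link and the proof-of-work of every block."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["prev"] != prev:
            return (False, i, "prev hash does not match the previous block")
        digest = block_hash(block)
        if int(digest, 16) >= TARGET:
            return (False, i, "proof-of-work not satisfied")
        prev = digest
    return (True, len(chain), "ok")


def tamper(chain, index, new_record):
    """Edit one record without redoing any work (the edit an attacker would like to hide)."""
    edited = [dict(block) for block in chain]
    edited[index]["record"] = new_record
    return edited


def remine_from(chain, index):
    """Redo the proof-of-work from `index` to the tip, which is what hiding the edit costs."""
    fixed = [dict(block) for block in chain[:index]]
    prev = block_hash(fixed[-1]) if fixed else GENESIS_PREV
    for block in chain[index:]:
        new_block = mine_block(prev, block["record"], block["timestamp"])
        fixed.append(new_block)
        prev = block_hash(new_block)
    return fixed


if __name__ == "__main__":
    chain = build_chain(["pay 10 to A", "pay 4 to B", "pay 1 to C"])   # constructed records
    print("original :", verify_chain(chain))
    edited = tamper(chain, 0, "pay 1000 to A")
    print("tampered :", verify_chain(edited))
    print("re-mined :", verify_chain(remine_from(edited, 0)))
```

With 12 bits of difficulty the re-mining in `remine_from` is cheap; on a real chain the same step costs the attacker as much work as the honest network spent on every block after the edit, which is the whole point of the definition. In a permissioned instance (footnote 1) the cost is replaced by the consensus rule, so the hardening there is in who may confirm blocks (C.1(a) item 5), not in hash rate.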


B. Components of a blockchain

PT-BSC considers the following 8 components of a blockchain:

  #  Component                          Example
  1  blockchain platform                bitcoin, ethereum, multichain
  2  blockchain instance                a running implementation of multichain, including the block data and block headers
  3  blockchain nodes                   the servers on which a blockchain instance is installed
  4  blockchain connectors              a Macintosh laptop used to connect to the blockchain nodes through ssh
  5  external interface                 a node.js based blockchain explorer
  6  external database                  the SQL database that sits between the blockchain instance and the external interface
  7  blockchain development ecosystem   the technological ecosystem of the entities where the design, development, upgrade and maintenance of the blockchain takes place
  8  blockchain use ecosystem           the technological ecosystem of the end-users of the blockchain

C. Security controls for blockchain instances

C.1 Primary considerations

(a) Blockchain permissions

The organization has systems in place to determine:

1. restrictions applied to connecting to the network
2. restrictions applied to signing transaction inputs
3. restrictions applied to appearing in transaction outputs
4. restrictions applied to creating new assets
5. restrictions applied to confirming transactions
6. restrictions applied to changing permissions of other users

(b) Consensus mechanisms

The organization has systems in place to determine the appropriate consensus mechanism:

1. proof of work
2. proof of stake
3. federated byzantine agreement

(c) Considerations for proof-of-work based blockchain instances

The organization has systems in place to determine the:

1. target average time between blocks
2. maximum size of each block
3. length of initial setup phase
4. mining diversity
5. minimum / initial proof-of-work difficulty
6. frequency of recalculating proof-of-work difficulty level
7. maximum size of a standard transaction
8. maximum size of data elements in standard transactions

(d) Considerations for native blockchain currency (optional)

The organization has systems in place to determine the:

1. initial block reward
2. first block reward
3. reward halving interval
4. reward spendable delay
5. minimum quantity of native currency in every transaction output
6. maximum quantity of native currency in every transaction output
7. minimum relay fee
8. units per display unit of the native currency
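On a platform such as multichain the items in (a), (c) and (d) are decisions written into the instance's parameter file before the first block, so the "systems in place" a practitioner wants is a check that runs before the instance goes live and again on every change to that file. The following is an added example, not part of PT-BSC and not Primechain's code: the "key = value" format and the key names (anyone-can-connect, admin-consensus-admin, mining-diversity, reward-spendable-delay and so on) are assumptions modelled on MultiChain's params.dat, the thresholds are illustrative policy choices, and both sample files are constructed.

```python
# Added example, not part of PT-BSC and not Primechain's code: check a
# blockchain-instance parameter file against the C.1 (a), (c) and (d) items.
# The "key = value" format and key names are assumptions modelled on
# MultiChain's params.dat; the thresholds are illustrative policy choices.

# Constructed parameter file carrying two weak settings.
WEAK_PARAMS = """\
chain-protocol = multichain
anyone-can-connect = false
anyone-can-send = false
anyone-can-receive = false
anyone-can-issue = false
anyone-can-mine = false
anyone-can-admin = true         # C.1(a) item 6: anyone could change permissions
admin-consensus-admin = 0.0     # one administrator could change permissions alone
admin-consensus-mine = 0.5
target-block-time = 15
maximum-block-size = 8388608
setup-first-blocks = 60
mining-diversity = 0.3
initial-block-reward = 0
first-block-reward = -1
reward-halving-interval = 52560000
reward-spendable-delay = 1
minimum-per-output = 0
maximum-per-output = 100000000000000
minimum-relay-fee = 0
native-currency-multiple = 100000000
"""

# The same file with the two weak settings corrected.
HARDENED_PARAMS = (WEAK_PARAMS
                   .replace("anyone-can-admin = true", "anyone-can-admin = false")
                   .replace("admin-consensus-admin = 0.0", "admin-consensus-admin = 0.5"))

PERMISSIONS = ("connect", "send", "receive", "issue", "mine", "admin")   # C.1(a) items 1-6


def parse_params(text):
    """Parse 'key = value' lines; '#' starts a comment; values become bool, int, float or str."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.lower() in ("true", "false"):
            params[key] = value.lower() == "true"
            continue
        try:
            params[key] = float(value) if "." in value else int(value)
        except ValueError:
            params[key] = value
    return params


def check_params(params, max_block_bytes=8 * 1024 * 1024, min_block_time=5):
    """Return (item, key, message) findings; an empty list means the file passes."""
    findings = []

    def fail(item, key, message):
        findings.append((item, key, message))

    # C.1(a): every permission must be restricted rather than open to any address.
    for perm in PERMISSIONS:
        key = "anyone-can-" + perm
        if params.get(key, True) is not False:
            fail("C.1(a)", key, "open to any address; set to false")
    # C.1(a) item 6: changing other users' permissions should need more than one admin.
    if params.get("admin-consensus-admin", 0) < 0.5:
        fail("C.1(a)", "admin-consensus-admin", "one administrator can change permissions alone")
    # C.1(c): proof-of-work parameters.
    if params.get("target-block-time", 0) < min_block_time:
        fail("C.1(c)", "target-block-time", "below %ds minimum" % min_block_time)
    if params.get("maximum-block-size", max_block_bytes + 1) > max_block_bytes:
        fail("C.1(c)", "maximum-block-size", "exceeds %d bytes" % max_block_bytes)
    if params.get("anyone-can-mine") is False and not 0 < params.get("mining-diversity", 0) <= 1:
        fail("C.1(c)", "mining-diversity", "no diversity; one permitted miner could produce every block")
    # C.1(d): native currency checks apply only when the chain issues one.
    if params.get("initial-block-reward", 0) > 0:
        if params.get("reward-spendable-delay", 0) < 1:
            fail("C.1(d)", "reward-spendable-delay", "rewards are spendable immediately")
        if params.get("minimum-per-output", 0) > params.get("maximum-per-output", 0):
            fail("C.1(d)", "minimum-per-output", "minimum exceeds maximum per output")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PARAMS), ("hardened", HARDENED_PARAMS)):
        print(name, check_params(parse_params(text)) or "passes")
```

A missing key is treated as a failure for the permission items, since most platforms default an absent permission restriction to "open". The thresholds (minimum block time, maximum block size) belong in the organization's risk management strategy under C.1(m), not in the script; the script only makes the decision visible and repeatable.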

(e) Blockchain Security Program Plan

1. The organization develops and disseminates an organization-wide blockchain security program plan that:
   a. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
   b. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
   c. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
   d. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, and other organizations.
2. The organization reviews the organization-wide blockchain security program plan every month.
3. The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments.
4. The organization protects the blockchain security program plan from unauthorized disclosure and modification.

Note: Blockchain security program plans can be represented in single documents or compilations of documents at the discretion of organizations.

(f) Senior blockchain security officer

The organization appoints a senior blockchain security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide blockchain security program.

(g) Blockchain security resources

1. The organization ensures that all capital planning and investment requests include the resources needed to implement the blockchain security program and documents all exceptions to this requirement.
2. The organization ensures that blockchain security resources are available for expenditure as planned.

(h) Plan of action and milestones process

1. The organization implements a process for ensuring that plans of action and milestones for the blockchain program and associated organizational information systems are developed and maintained.
2. The organization documents the remedial blockchain security actions to adequately respond to risk to organizational operations and assets, individuals, and other organizations.
3. The organization reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

(i) Information system inventory

The organization develops and maintains an inventory of its blockchain systems.

(j) Information security measures of performance

The organization develops, monitors, and reports on the results of blockchain security measures of performance.

(k) Enterprise architecture

The organization develops an enterprise architecture with consideration for blockchain security and the resulting risk to organizational operations, organizational assets, individuals, and other organizations.

(l) Critical infrastructure plan

The organization addresses blockchain security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

(m) Risk management strategy

1. The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, and other organizations associated with the operation and use of blockchain systems.
2. The organization implements the risk management strategy consistently across the organization.
3. The organization reviews and updates the risk management strategy regularly to address organizational changes.

Note: An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time.

(n) Security authorization process

1. The organization manages (i.e., documents, tracks, and reports) the security state of organizational blockchain systems and the environments in which those systems operate through security authorization processes.
2. The organization designates individuals to fulfil specific roles and responsibilities within the organizational risk management process.
3. The organization fully integrates the security authorization processes into an organization-wide risk management program.

(o) Mission / business process definition

1. The organization defines mission / business processes with consideration for blockchain security and the resulting risk to organizational operations, organizational assets, individuals, and other organizations.
2. The organization determines blockchain protection needs arising from the defined mission / business processes and revises the processes as necessary, until achievable protection needs are obtained.

(p) Insider threat program

The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.

(q) Blockchain security workforce

The organization establishes a blockchain security workforce development and improvement program.

(r) Testing, training, and monitoring

1. The organization implements a process for ensuring that organizational plans for conducting blockchain security testing, training, and monitoring activities associated with organizational information systems are developed and maintained and continue to be executed in a timely manner.
2. The organization reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

(s) Contacts with security groups and associations

The organization establishes and institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel; to maintain currency with recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents.

(t) Threat awareness program

The organization implements a threat awareness program that includes a cross-organization information-sharing capability.

C.2 Blockchain Access Control

(a) Blockchain Access Control Policy and Procedures

1. The organization develops, documents, and disseminates, to relevant personnel, a blockchain access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
2. The organization develops, documents, and disseminates, to relevant personnel, procedures to facilitate the implementation of the blockchain access control policy and associated access controls.
3. The organization reviews and updates the current Blockchain Access Control Policy and Blockchain Access Control Procedures every month.

(b) Blockchain Account Management

1. The organization identifies and selects the following types of blockchain accounts to support organizational missions / business functions: (a) blockchain administrator, (b) blockchain manager, (c) blockchain processor.
2. The organization assigns account managers for blockchain accounts.
3. The organization establishes conditions for group and role membership.
4. The organization specifies authorized users of the blockchain, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account.
5. The organization requires approvals by the blockchain administrator for requests to create blockchain accounts.
6. The organization creates, enables, modifies, disables, and removes blockchain accounts in accordance with the Blockchain Access Control Policy and Procedures.
7. The organization monitors the use of blockchain accounts.
8. The organization notifies the blockchain administrator (a) when accounts are no longer required; (b) when users are terminated or transferred; and (c) when individual information system usage or need-to-know changes.
9. The organization authorizes access to the blockchain based on: (a) valid access authorization; (b) intended system usage; and (c) other attributes as required by the organization or associated missions / business functions.
10. The organization reviews accounts for compliance with blockchain account management requirements every 24 hours.
11. The organization establishes a process for reissuing shared / group account credentials (if deployed) when individuals are removed from the group.
12. The organization employs automated mechanisms to support the management of blockchain accounts.
13. The organization only permits the use of shared / group accounts that meet organization-defined conditions for establishing shared / group accounts.
14. The organization disables accounts of users posing a significant risk immediately on discovery of the risk.

(c) Blockchain Access Enforcement

1. The organization enforces approved authorizations for logical access to the blockchain in accordance with applicable blockchain access control policies.
2. The organization enforces dual authorization for all actions.
3. The blockchain prevents access to blockchain parameters and specified cryptographic keys except during secure, non-operable system states.
4. The blockchain does not release information outside of the established system boundary.

(d) Information Flow Enforcement

1. The organization enforces approved authorizations for controlling the flow of information within the blockchain and between interconnected systems based on organization-defined information flow control policies.
2. The blockchain prevents encrypted information from bypassing content-checking mechanisms by decrypting the information, blocking the flow of the encrypted information and / or by terminating communications sessions attempting to pass encrypted information.
3. The blockchain enforces organization-defined limitations on embedding data types within other data types.
4. The blockchain enforces information flow control based on organization-defined metadata.
5. The blockchain uniquely identifies and authenticates source and destination points by organization, system, application and / or individual for information transfer.
6. The blockchain binds security attributes to information using organization-defined binding techniques to facilitate information flow policy enforcement.
7. The blockchain provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.

(e) Least Privilege

1. The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
2. The organization explicitly authorizes access to blockchain parameters and cryptographic keys.
3. The organization prohibits privileged access to the blockchain by non-organizational users.
4. The organization reviews daily the privileges assigned to blockchain administrators, managers and processors to validate the need for such privileges; and reassigns or removes privileges, if necessary, to correctly reflect organizational mission / business needs.
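Item 4 above is, in practice, a daily comparison of the permissions each address actually holds on the chain with the permissions its role is supposed to hold, with the difference turned into revocations; it also catches the account management failures of (b) items 8 and 14 (grants that outlive their owner, grants to addresses nobody inventoried). The following is an added example, not part of PT-BSC and not Primechain's code: the three roles are the account types of C.2(b), while the permission names (connect, send, receive, issue, mine, admin), the permission set assumed for each role, and the shape of the export (modelled on the per-address output of MultiChain's listpermissions) are assumptions, and the inventory and the export are constructed.

```python
# Added example, not part of PT-BSC: the daily privilege review of C.2(e) item 4.
# The roles are the account types of C.2(b). The permission names, the set
# assumed per role and the export format are assumptions (modelled on
# MultiChain's listpermissions); addresses and owners are constructed.

# Assumed least-privilege baseline: which permissions each role may hold.
ROLE_PERMISSIONS = {
    "administrator": {"connect", "admin"},
    "manager": {"connect", "send", "receive", "issue"},
    "processor": {"connect", "mine"},
}

# Constructed account inventory kept under C.2(b): address -> (role, owner, active).
INVENTORY = {
    "1AdminAAAA": ("administrator", "alice", True),
    "1MgrBBBB": ("manager", "bob", True),
    "1ProcCCCC": ("processor", "carol", False),   # carol has left; account not yet removed
}

# Constructed permission export, one entry per (address, permission) grant.
PERMISSION_EXPORT = [
    {"address": "1AdminAAAA", "type": "connect"},
    {"address": "1AdminAAAA", "type": "admin"},
    {"address": "1MgrBBBB", "type": "connect"},
    {"address": "1MgrBBBB", "type": "send"},
    {"address": "1MgrBBBB", "type": "receive"},
    {"address": "1MgrBBBB", "type": "issue"},
    {"address": "1MgrBBBB", "type": "admin"},      # excess: a manager holding admin
    {"address": "1ProcCCCC", "type": "connect"},
    {"address": "1ProcCCCC", "type": "mine"},
    {"address": "1UnknownDD", "type": "connect"},  # not in the inventory at all
]


def review_privileges(inventory, export, role_permissions=ROLE_PERMISSIONS):
    """Compare granted permissions with the role baseline.

    Returns (findings, revocations): findings are (address, kind, detail) tuples,
    revocations are (address, permission) pairs to revoke in today's review.
    """
    granted = {}
    for entry in export:
        granted.setdefault(entry["address"], set()).add(entry["type"])

    findings, revocations = [], []
    for address, perms in sorted(granted.items()):
        if address not in inventory:
            # A grant with no inventory record: nobody is accountable for it.
            findings.append((address, "unknown_address", sorted(perms)))
            revocations += [(address, p) for p in sorted(perms)]
            continue
        role, owner, active = inventory[address]
        if not active:
            # Owner terminated or transferred (C.2(b) item 8): revoke everything.
            findings.append((address, "inactive_owner", owner))
            revocations += [(address, p) for p in sorted(perms)]
            continue
        excess = perms - role_permissions[role]
        if excess:
            # Privilege beyond the role: the least-privilege violation of C.2(e).
            findings.append((address, "excess_permission", sorted(excess)))
            revocations += [(address, p) for p in sorted(excess)]
    # Active inventory entries with no live grant are stale and should be cleaned up.
    for address, (role, owner, active) in sorted(inventory.items()):
        if active and address not in granted:
            findings.append((address, "no_permissions", role))
    return findings, revocations


if __name__ == "__main__":
    findings, revocations = review_privileges(INVENTORY, PERMISSION_EXPORT)
    for finding in findings:
        print("finding   :", finding)
    for address, permission in revocations:
        print("revoke    :", address, permission)
```

The revocation list is the input to the platform's revoke operation, which on a chain with an admin consensus threshold (C.1(a) item 6) still needs the agreed number of administrators to sign; the review itself should run from a read-only node so that the account doing the review holds no admin permission of its own.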

(f) Permitted actions without identification or authentication

1. The organization identifies actions that can be performed on the blockchain without identification or authentication consistent with organizational missions / business functions.
2. The organization documents, and provides supporting rationale in the security plan for the blockchain for, user actions not requiring identification or authentication.

(g) Remote Access

1. The organization establishes and documents usage restrictions, configuration / connection requirements, and implementation guidance for each type of remote access allowed.
2. The organization authorizes remote access to the information system prior to allowing such connections.
3. The blockchain implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
4. The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.

(h) Wireless Access

1. The organization establishes usage restrictions, configuration / connection requirements, and implementation guidance for wireless access.
2. The organization authorizes wireless access to the information system prior to allowing such connections.
3. The blockchain protects wireless access to the system using encryption and authentication of users & devices.

(i) Access control for mobile devices

1. The organization establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices.
2. The organization authorizes the connection of mobile devices to organizational information systems.
3. The organization prohibits the use of unclassified mobile devices unless specifically permitted by the authorizing official.
4. The organization employs container encryption to protect the confidentiality and integrity of information on organization-defined mobile devices.

(j) Use of external information systems

1. The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and / or maintaining external information systems, allowing authorized individuals to access the blockchain from external information systems.
2. The organization permits authorized individuals to use an external information system to access the blockchain only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
3. The organization restricts / prohibits the use of portable storage devices by authorized individuals on external information systems.


C.3 Awareness & Training

(a) Security awareness and training policy and procedures

1. The organization develops, documents, and disseminates, to relevant personnel, a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

2. The organization develops, documents, and disseminates, to relevant personnel, procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

3. The organization reviews and updates the current security awareness and training policy and security awareness and training procedures every 3 months.

(b) Security awareness training

1. The organization provides basic security awareness training to blockchain users (a) as part of initial training for new users, (b) when required by information system changes, and (c) every 3 months thereafter.

2. The organization includes practical exercises in security awareness training that simulate actual cyber attacks.

3. The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

(c) Role-based security training

The organization provides role-based security training to personnel with assigned security roles and responsibilities (a) before authorizing access to the blockchain or performing assigned duties, (b) when required by information system changes, and (c) every 3 months thereafter.


C.4 Audit and Accountability

(a) Audit and accountability policy and procedures

1. The organization develops, documents, and disseminates to relevant personnel, an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

2. The organization develops, documents, and disseminates to relevant personnel, procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

3. The organization reviews and updates the current audit and accountability policy and audit and accountability procedures every 6 months.

(b) Content of audit records

The blockchain generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

(c) Audit review, analysis, and reporting

The organization reviews and analyzes information system audit records in real time for indications of inappropriate or unusual activity and reports findings to the relevant personnel.

(d) Time stamps

The blockchain uses internal system clocks to generate time stamps for audit records and records time stamps for audit records that can be mapped to Greenwich Mean Time (GMT).

(e) Protection of audit information

The blockchain protects audit information and audit tools from unauthorized access, modification, and deletion.
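The three audit controls above (record content, GMT-mappable time stamps, and protection from modification or deletion) can be met together by one record format. The following is an added example, not part of PT-BSC or any Primechain code: each record carries the six fields of C.4(b), its time stamp is normalized to UTC (which maps directly to GMT) for C.4(d), and records are hash-chained so that an edited or deleted record is detectable, which is one way to support C.4(e). Field names, function names and the sample events are this example's own choices.

```python
"""Added example: tamper-evident audit records for a blockchain node.

Not PT-BSC code. Field names, function names and sample events are
constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed anchor value for the first record in a log.
GENESIS = "0" * 64


def _digest(record):
    """SHA-256 over a canonical encoding of every field except the record's own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def make_audit_record(prev_hash, event_type, where, source, outcome, identity, when=None):
    """Build one audit record and bind it to the preceding record's hash.

    `when` must be a timezone-aware datetime; it is converted to UTC so the
    stored time stamp maps to GMT regardless of the node's local clock zone.
    """
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("time stamps must carry a timezone to be mappable to GMT")
    record = {
        "what": event_type,      # type of event (C.4(b))
        "when": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "where": where,          # node or component on which it occurred
        "source": source,        # originating address or process
        "outcome": outcome,      # "success" / "failure"
        "who": identity,         # user or subject associated with the event
        "prev_hash": prev_hash,  # link to the previous record (C.4(e))
    }
    record["hash"] = _digest(record)
    return record


def verify_audit_log(records):
    """Return (ok, index). ok is False at the first record whose content hash
    or chain link does not match, which is how a silent edit, a deleted
    record or a reordered record shows up on review (C.4(c))."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("prev_hash") != prev or rec.get("hash") != _digest(rec):
            return False, i
        prev = rec["hash"]
    return True, len(records)


def build_sample_log():
    """Constructed sample: three events recorded by a permissioned node."""
    t0 = datetime(2017, 10, 21, 9, 30, tzinfo=timezone.utc)
    events = [
        ("node.login", "node-1", "10.0.0.5", "success", "alice", t0),
        ("tx.submit", "node-1", "10.0.0.5", "success", "alice", t0.replace(minute=31)),
        ("node.login", "node-2", "10.0.0.9", "failure", "unknown", t0.replace(minute=32)),
    ]
    log, prev = [], GENESIS
    for what, where, src, outcome, who, when in events:
        rec = make_audit_record(prev, what, where, src, outcome, who, when)
        log.append(rec)
        prev = rec["hash"]
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log verifies:", verify_audit_log(log))
    edited = [dict(r) for r in log]
    edited[1]["outcome"] = "failure"      # an unauthorized modification
    print("edited log verifies:", verify_audit_log(edited))
```

The chain only makes tampering detectable; keeping the records themselves out of reach of the accounts whose activity they describe is still required by C.4(e).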


C.5 Security assessment and authorization

(a) Security assessment and authorization policy and procedures

1. The organization develops, documents, and disseminates to relevant personnel, a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

2. The organization develops, documents, and disseminates to relevant personnel, procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.

3. The organization reviews and updates the current security assessment and authorization policy and security assessment and authorization procedures every 6 months.

(b) Security assessments

1. The organization develops a security assessment plan that describes the scope of the assessment including (a) security controls and control enhancements under assessment; (b) assessment procedures to be used to determine security control effectiveness; and (c) assessment environment, assessment team, and assessment roles and responsibilities.

2. The organization assesses the security controls in the information system and its environment of operation every month to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements.

3. The organization produces a security assessment report that documents the results of the assessment and provides the results of the security control assessment to relevant personnel.

(c) System interconnections

1. The organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements.

2. The organization documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated.

3. The organization reviews and updates Interconnection Security Agreements every 6 months.

4. The organization prohibits the direct connection of a blockchain to an external network without the use of an approved boundary protection device.

5. The organization employs either an allow-all, deny-by-exception policy or a deny-all, permit-by-exception policy for allowing a blockchain to connect to external information systems.


(d) Continuous monitoring

The organization develops a continuous monitoring strategy and implements a continuous monitoring program.

(e) Penetration testing

1. The organization conducts regular penetration testing on all blockchains.

2. The organization employs an independent penetration agent or penetration team to perform penetration testing on the blockchain.

3. The organization employs exercises to simulate attempts by adversaries to compromise blockchains.

(f) Internal system connections

The organization authorizes internal connections of information system components or classes of components to the blockchain and documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.


C.6 Contingency planning

(a) Contingency planning policy and procedures

1. The organization develops, documents, and disseminates to relevant personnel, a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

2. The organization develops, documents, and disseminates to relevant personnel, procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

3. The organization reviews and updates the current contingency planning policy and contingency planning procedures every 6 months.

(b) Contingency plan

1. The organization develops a contingency plan for the information system that:
   a. Identifies essential missions and business functions and associated contingency requirements;
   b. Provides recovery objectives, restoration priorities, and metrics;
   c. Addresses contingency roles, responsibilities, assigned individuals with contact information;
   d. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
   e. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
   f. Is reviewed and approved by [Assignment: organization-defined personnel or roles].

2. The organization distributes copies of the contingency plan to relevant personnel.

3. The organization coordinates contingency planning activities with incident handling activities.

4. The organization reviews the contingency plan for the information system every month.

5. The organization updates the contingency plan to address changes to the organization, blockchain, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.

6. The organization communicates contingency plan changes to relevant personnel.

7. The organization protects the contingency plan from unauthorized disclosure and modification.

8. The organization coordinates contingency plan development (Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans) with organizational elements responsible for related plans.

9. The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

10. The organization plans for the resumption of essential missions and business functions within 1 hour of contingency plan activation.

11. The organization plans for the resumption of all missions and business functions within 1 hour of contingency plan activation.

12. The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

13. The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.

14. The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

15. The organization identifies critical information system assets supporting essential missions and business functions.

(c) Contingency training

The organization provides contingency training to information system users consistent with assigned roles and responsibilities (a) within 1 day of assuming a contingency role or responsibility; (b) when required by information system changes; and (c) every month thereafter.

(d) Contingency plan testing

1. The organization tests the contingency plan for the information system weekly to determine the effectiveness of the plan and the organizational readiness to execute the plan.

2. The organization reviews the contingency plan test results and initiates corrective actions, if needed.

(e) Alternate storage site

1. The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information.

2. The organization ensures that the alternate storage site provides information security safeguards equivalent to those of the primary site.


3. The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

4. The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

5. The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster (e.g., hurricane, regional power outage) and outlines explicit mitigation actions (for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted).

(f) Alternate processing site

1. The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of operations for essential missions/business functions within the organization's specified and agreed recovery time objective.

2. The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site, or that contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption.

3. The organization ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

(g) Telecommunications services

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of operations for essential missions and business functions within the organization's specified and agreed recovery time objective.

(h) Information system recovery and reconstitution

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.


C.7 Incident response

(a) Incident response policy and procedures

1. The organization develops, documents, and disseminates to relevant personnel, an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

2. The organization develops, documents, and disseminates to relevant personnel, procedures to facilitate the implementation of the incident response policy and associated incident response controls.

3. The organization reviews and updates the current incident response policy and incident response procedures every 6 months.

(b) Incident response training

1. The organization provides incident response training to information system users consistent with assigned roles and responsibilities (a) within 1 day of assuming an incident response role or responsibility, (b) when required by information system changes, and (c) every 3 months thereafter.

2. The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

3. The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.

(c) Incident response testing

1. The organization tests the incident response capability for the blockchain every week using defined tests to determine the incident response effectiveness and documents the results.

2. The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.

3. The organization coordinates incident response testing with organizational elements responsible for related plans such as Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.

(d) Incident handling

1. The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

2. The organization coordinates incident handling activities with contingency planning activities.


3. The organization incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

4. The organization employs automated mechanisms to support the incident handling process.

5. The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.

6. The organization identifies classes of incidents and actions to take in response to classes of incidents to ensure continuation of organizational missions and business functions.

7. The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

8. The organization implements incident handling capability for insider threats.

9. The organization coordinates incident handling capability for insider threats across defined components or elements of the organization.

10. The organization coordinates with relevant external organizations to correlate and share incident information to achieve a cross-organization perspective on incident awareness and more effective incident responses.

11. The organization employs dynamic response capabilities to effectively respond to security incidents.

12. The organization coordinates incident handling activities involving supply chain security events (e.g. compromises/breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities) with other organizations involved in the supply chain (e.g. system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers).

(e) Incident monitoring

1. The organization tracks and documents information system security incidents. Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

2. The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.


(f) Incident reporting

1. The organization requires personnel to report suspected security incidents (e.g. the receipt of suspicious email communications that can potentially contain malicious code) to the organizational incident response capability in real time.

2. The organization reports security incident information to the blockchain administrator.

3. The organization employs automated mechanisms to assist in the reporting of security incidents.

4. The organization reports information system vulnerabilities associated with reported security incidents to the blockchain administrator.

5. The organization provides security incident information to other organizations involved in the supply chain (e.g. system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers) for information systems or information system components related to the incident.

(g) Incident response assistance

1. The organization provides an incident response support resource (e.g. help desks, assistance groups, and access to forensics services), integral to the organizational incident response capability, that offers advice and assistance to users of the blockchain for the handling and reporting of security incidents.

2. The organization employs automated mechanisms to increase the availability of incident response-related information and support.

3. The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.

4. The organization identifies organizational incident response team members to the external providers.

(h) Incident response plan

1. The organization develops an incident response plan that:
   a. Provides the organization with a roadmap for implementing its incident response capability;
   b. Describes the structure and organization of the incident response capability;
   c. Provides a high-level approach for how the incident response capability fits into the overall organization;
   d. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
   e. Defines reportable incidents;
   f. Provides metrics for measuring the incident response capability within the organization;
   g. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
   h. Is reviewed and approved by specified personnel.


2. The organization distributes copies of the incident response plan to incident response personnel.

3. The organization reviews the incident response plan every month.

4. The organization updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.

5. The organization communicates incident response plan changes to incident response personnel.

6. The organization protects the incident response plan from unauthorized disclosure and modification.

(i) Information spillage response

1. The organization responds to information spills by:
   a. Identifying the specific information involved in the information system contamination;
   b. Alerting relevant personnel of the information spill using a method of communication not associated with the spill;
   c. Isolating the contaminated information system or system component;
   d. Eradicating the information from the contaminated information system or component;
   e. Identifying other information systems or system components that may have been subsequently contaminated.

2. The organization assigns relevant personnel with responsibility for responding to information spills.

3. The organization provides information spillage response training regularly.

4. The organization implements procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

(j) Integrated information security analysis team

The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.


C.8 Maintenance

(a) System maintenance policy and procedures

1. The organization develops, documents, and disseminates to relevant personnel, a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

2. The organization develops, documents, and disseminates to relevant personnel, procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls.

3. The organization reviews and updates the current system maintenance policy and system maintenance procedures every 6 months.


C.9 Physical and environmental protection

(a) Physical and environmental protection policy and procedures

1. The organization develops, documents, and disseminates to relevant personnel, a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

2. The organization develops, documents, and disseminates to relevant personnel, procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.

3. The organization reviews and updates the current physical and environmental protection policy and physical and environmental protection procedures every 6 months.

(b) Physical access authorizations

1. The organization develops, approves, and maintains a list of individuals with authorized access to the facility where the blockchain resides.

2. The organization issues authorization credentials (e.g. forge-proof badges, smart cards, or identification cards) for blockchain facility access.

3. The organization reviews the access list detailing authorized blockchain facility access by individuals every week.

4. The organization removes individuals from the blockchain facility access list when access is no longer required.

5. The organization authorizes physical access to the facility where the blockchain resides based on position or role.

6. The organization requires two forms of identification (e.g. passports, Personal Identity Verification cards, drivers' licenses, key cards, PINs, biometrics) for visitor access to the facility where the blockchain resides.

7. The organization restricts unescorted access to the facility where the blockchain resides to personnel with (a) security clearances for all information contained within the blockchain; (b) formal access authorizations for all information contained within the blockchain; and (c) need for access to all information contained within the blockchain.

8. The organization ensures that individuals lacking sufficient security clearances, access approvals, or need to know are escorted by individuals with appropriate credentials.

(c) Physical access control

1. The organization enforces physical access authorizations at entry/exit points to the facility where the blockchain resides by verifying individual access authorizations before granting access to the facility, and by controlling ingress/egress to the facility using physical access control systems/devices and guards.

2. The organization maintains physical access audit logs for entry/exit points.

3. The organization provides security safeguards to control access to areas within the facility officially designated as publicly accessible.

4. The organization ensures that visitors are escorted and visitor activity is monitored.

5. The organization ensures that keys, combinations, and other physical access devices are secured.

6. The organization ensures that combinations and keys are changed when keys are lost, combinations are compromised, or individuals are transferred or terminated.

7. The organization enforces physical access authorizations to the blockchain in addition to the physical access controls for the facility.

8. The organization performs daily security checks at the physical boundary of the facility or blockchain for unauthorized exfiltration of information or removal of information system components.

9. The organization employs guards and/or alarms to monitor every physical access point to the facility where the blockchain resides 24 hours per day, 7 days per week.

10. The organization uses lockable physical casings to protect the blockchain from unauthorized physical access.

11. The organization employs security safeguards to detect and prevent physical tampering or alteration of the blockchain.

12. The organization employs a penetration testing process that includes daily, unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.


C.10 Risk assessment

(a) Risk assessment policy and procedures

1. The organization develops, documents, and disseminates to relevant personnel, a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

2. The organization develops, documents, and disseminates to relevant personnel, procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.

3. The organization reviews and updates the current risk assessment policy and risk assessment procedures every 6 months.

(b) Risk assessment

1. The organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the blockchain and the information it processes, stores, or transmits.

2. The organization documents risk assessment results.

3. The organization reviews risk assessment results regularly.

4. The organization disseminates risk assessment results to relevant personnel.

5. The organization updates the risk assessment every 1 month or whenever there are significant changes to the blockchain or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the blockchain.

(c) Vulnerability scanning

1. The organization scans for vulnerabilities in the blockchain, e.g. (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms.

2. The organization ensures that when new vulnerabilities potentially affecting the blockchain are identified and reported, it:
   a. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for (i) enumerating platforms, software flaws, and improper configurations; (ii) formatting checklists and test procedures; and (iii) measuring vulnerability impact;
   b. Analyzes vulnerability scan reports and results from security control assessments;
   c. Remediates legitimate vulnerabilities in accordance with an organizational assessment of risk; and
   d. Shares information obtained from the vulnerability scanning process and security control assessments with relevant personnel to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

3. The organization employs vulnerability scanning tools that include the capability to readily update the vulnerabilities to be scanned.

4. The organization updates the vulnerabilities scanned prior to a new scan and when new vulnerabilities are identified and reported.

5. The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

6. The organization determines what information about the blockchain is discoverable by adversaries and subsequently takes corrective actions.

7. The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

8. The organization reviews historic audit logs to determine if a vulnerability identified in the blockchain has been previously exploited.

9. The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.

(d) Insider threat program

The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.

(e) Contacts with security groups and associations

The organization establishes and institutionalizes contact with selected groups and associations within the security community: (a) to facilitate ongoing security education and training for organizational personnel; (b) to maintain currency with recommended security practices, techniques, and technologies; and (c) to share current security-related information including threats, vulnerabilities, and incidents.

Ongoing contact with security groups and associations is of paramount importance in an environment of rapidly changing technologies and threats. Security groups and associations include, for example, special interest groups, forums, professional associations, newsgroups, and/or peer groups of security professionals in similar organizations. Organizations select groups and associations based on organizational missions/business functions.

(f) Threat awareness program

The organization implements a threat awareness program that includes a cross-organization information-sharing capability. This can include, for example, sharing threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that are likely to occur). Threat information sharing may be bilateral or multilateral.


C.11BlockchainIntegrity

(a)Blockchainintegritypolicyandprocedures

1. Theorganizationdevelops,documents,anddisseminates,torelevantpersonnel,a blockchain integrity policy that addresses purpose, scope, roles,responsibilities,management commitment, coordination among organizationalentities,andcompliance.

2. Theorganizationdevelops,documents,anddisseminates,torelevantpersonnel,

procedures to facilitate the implementation of the blockchain integrity policyandassociatedsystemandinformationintegritycontrols.

3. The organization reviews and updates the current blockchain integrity policy

andblockchainintegrityproceduresevery3months.(b)Flawremediation

1. The organization identifies, reports, and corrects blockchain system flawsincludingthosediscoveredduringsecurityassessments,continuousmonitoring,incidentresponseactivities,andsystemerrorhandling.

2. The organization tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation.

3. The organization installs security-relevant software (e.g. patches, service packs, hot fixes, and anti-virus signatures) and firmware updates as soon as updates are released.

4. The organization incorporates flaw remediation into the organizational configuration management process.

5. The organization centrally manages the planning, implementing, assessing, authorizing, and monitoring of the organization-defined flaw remediation security controls.

6. The organization employs automated mechanisms daily to determine the state of blockchain components with regard to flaw remediation.

7. The organization measures the time between flaw identification and flaw remediation and establishes benchmarks for taking corrective actions.

8. The organization installs relevant software and firmware updates automatically to blockchain components.

9. The organization removes previous versions of software and/or firmware components after updated versions have been installed.

(c) Malicious code protection

1. The organization employs malicious code protection mechanisms at blockchain entry and exit points (e.g. firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices) to detect and eradicate malicious code (e.g. viruses, worms, Trojan horses, and spyware; malicious code encoded in various formats such as UUENCODE or Unicode, contained within compressed or hidden files, or hidden in files using steganography).

2. The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.

3. The organization configures malicious code protection mechanisms to perform periodic and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy.

4. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the blockchain.

5. The organization centrally manages malicious code protection mechanisms.

6. The organization tests malicious code protection mechanisms regularly by introducing a known benign, non-spreading test case into the blockchain and verifies that both detection of the test case and associated incident reporting occur.

7. The blockchain implements non-signature-based malicious code detection mechanisms (e.g. the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective) [4].

8. The blockchain detects defined unauthorized operating system commands through the kernel application programming interface and (a) issues a warning; (b) audits the command execution; and (c) prevents the execution of the command.

9. The organization analyzes the characteristics and behavior of malicious code, and incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.

(d) Blockchain monitoring

1. The organization monitors the blockchain to detect attacks and indicators of potential attacks, and unauthorized local, network, and remote connections [5].

[4] This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control does not preclude the use of signature-based detection mechanisms.

[5] Blockchain monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the blockchain. Blockchain monitoring capability is achieved through a variety of tools and techniques, e.g. intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.

2. The organization identifies unauthorized use of the blockchain.

3. The organization deploys monitoring devices to collect organization-determined essential information and to track specific types of transactions of interest to the organization.

4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.

5. The organization heightens the level of blockchain monitoring activity whenever there is an indication of increased risk to organizational operations and assets.

6. The organization obtains legal opinion with regard to monitoring activities in accordance with applicable laws.

7. The organization provides monitoring information to relevant personnel as needed.

8. The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

9. The organization employs automated tools (e.g. host-based, network-based, transport-based, or storage-based event monitoring tools, or Security Information and Event Management (SIEM) technologies that provide real-time analysis of alerts and/or notifications generated by the blockchain) to support near real-time analysis of events.

10. The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

11. The blockchain monitors inbound and outbound communications traffic for unusual or unauthorized activities or conditions.

12. The organization tests intrusion-monitoring tools every day.

13. The organization analyzes outbound communications traffic at the external boundary of the blockchain to discover anomalies (e.g. large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses).

14. The organization employs automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications.

15. The organization analyzes communications traffic/event patterns for the blockchain; develops profiles representing common traffic patterns and/or events; and uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.

16. The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the blockchain.

17. The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wired networks.

18. The organization correlates information from monitoring tools (e.g., host monitoring, network monitoring, anti-virus software) employed throughout the components of the blockchain.

19. The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.

20. The organization analyzes outbound communications traffic at the external boundary of the blockchain to detect covert exfiltration of information.

21. The organization implements additional monitoring of individuals who have been identified by relevant sources (such as human resource records, intelligence agencies, law enforcement organizations, and/or other credible sources) as posing an increased level of risk.

22. The organization implements additional monitoring of privileged users and individuals during probationary periods.

23. The organization implements host-based monitoring mechanisms at defined blockchain components.

24. The blockchain discovers, collects, distributes, and uses indicators of compromise [6].

(e) Security alerts, advisories, and directives

1. The organization receives security alerts, advisories, and directives from relevant external organizations on an ongoing basis.

2. The organization generates internal security alerts, advisories, and directives as deemed necessary.

3. The organization disseminates security alerts, advisories, and directives to relevant personnel and external organizations.

[6] Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs for the discovery of compromised hosts can include, for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack.


4. The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

(f) Security function verification

1. The organization verifies the correct operation of defined security functions at blockchain transitional states (e.g. system startup, restart, shutdown, and abort) upon command by a user with appropriate privilege.

2. The organization notifies relevant personnel of failed security verification tests.

3. The information system implements automated mechanisms to support the management of distributed security testing.

4. The organization reports the results of security function verification to relevant personnel.

(g) Software, firmware, and information integrity

1. The organization employs integrity verification tools to detect unauthorized changes to software, firmware, and information [7] using state-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools.

2. The organization employs automated tools that provide notification to relevant personnel upon discovering discrepancies during integrity verification.

3. The organization employs centrally managed integrity verification tools.

4. The blockchain implements cryptographic mechanisms (e.g. digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information).

5. The organization incorporates the detection of unauthorized security-relevant changes to the blockchain into the organizational incident response capability.

6. The blockchain verifies the integrity of the boot process of defined devices.

7. The organization implements defined security safeguards to protect the integrity of boot firmware in defined devices.

8. The organization requires that defined user-installed software execute in a confined physical or virtual machine environment with limited privileges.

9. The organization requires that the integrity of user-installed software be verified prior to execution.

[7] Software includes, for example, operating systems (with key internal components such as kernels and drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information.


10. The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of relevant personnel.

11. The organization implements cryptographic mechanisms to authenticate software or firmware components prior to installation.
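Controls (g)4 and (g)11 describe the same mechanism: a signed hash produced with a private key kept confidential, and verified with the public key before an update is installed. The following is an added example, not code from PT-BSC or Primechain, using Go's standard-library Ed25519 and SHA-256; the SignedRelease type, the function names and the sample firmware bytes are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedRelease is what the release pipeline publishes with an update:
// the bytes, their SHA-256 digest and an Ed25519 signature over that digest.
type SignedRelease struct {
	Payload   []byte
	Digest    [32]byte
	Signature []byte
}

// PublishRelease hashes the payload and signs the digest. The private key
// stays in the signing environment; nodes only ever hold the public key.
func PublishRelease(priv ed25519.PrivateKey, payload []byte) SignedRelease {
	d := sha256.Sum256(payload)
	return SignedRelease{Payload: payload, Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyBeforeInstall recomputes the digest from the bytes actually received,
// checks it against the published digest, then verifies the signature with the
// public key. A bad digest or signature rejects the update before installation.
func VerifyBeforeInstall(pub ed25519.PublicKey, r SignedRelease) error {
	actual := sha256.Sum256(r.Payload)
	if !bytes.Equal(actual[:], r.Digest[:]) {
		return errors.New("digest mismatch: payload altered after publication")
	}
	if !ed25519.Verify(pub, actual[:], r.Signature) {
		return errors.New("signature invalid: not signed by the release key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample firmware image (not a real PT-BSC artifact).
	rel := PublishRelease(priv, []byte("node-firmware v0.4 sample"))
	fmt.Println("genuine:", VerifyBeforeInstall(pub, rel))
	// Tamper in transit and re-hash: the digest matches but the signature fails.
	tampered := SignedRelease{Payload: []byte("node-firmware v0.4 trojan"), Signature: rel.Signature}
	tampered.Digest = sha256.Sum256(tampered.Payload)
	fmt.Println("tampered:", VerifyBeforeInstall(pub, tampered))
}
```

The second case is why a bare hash is not enough for control (g)11: anyone who can alter the payload can recompute its hash, but cannot produce a valid signature without the release key.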


D. Security recommendations for other Blockchain components

| Component | Issue | Recommended standards |
|---|---|---|
| Blockchain platform | System and software quality models | ISO/IEC 25010:2011 |
| Blockchain platform | Evaluation process | ISO/IEC 25040:2011 |
| Blockchain nodes | Crypto key tamper resistance | FIPS 140-2 Level 4 |
| Blockchain nodes | Server virtualization [8] | Common Criteria EAL5 or higher |
| Blockchain nodes | Operating system hardening | Pending |
| Blockchain connectors | Pending | Pending |
| External interface | Configuration and Deployment Management Testing | OWASP Testing Guide v4 |
| External interface | Identity Management Testing | OWASP Testing Guide v4 |
| External interface | Authentication Testing | OWASP Testing Guide v4 |
| External interface | Authorization Testing | OWASP Testing Guide v4 |
| External interface | Session Management Testing | OWASP Testing Guide v4 |
| External interface | Input Validation Testing | OWASP Testing Guide v4 |
| External interface | Testing for Error Handling | OWASP Testing Guide v4 |
| External interface | Testing for weak Cryptography | OWASP Testing Guide v4 |
| External interface | Business Logic Testing | OWASP Testing Guide v4 |
| External interface | Client Side Testing | OWASP Testing Guide v4 |
| External database | Access control | Pending |
| External database | Auditing | Pending |
| External database | Authentication | Pending |
| External database | Encryption | Pending |
| External database | Integrity controls | Pending |
| External database | Backups | Pending |
| External database | Application security | Pending |
| Blockchain development ecosystem | End-point Security | Pending |
| Blockchain development ecosystem | Network Security | Pending |
| Blockchain development ecosystem | Application Security | Pending |
| Blockchain development ecosystem | Cyber Incident Response | Pending |
| Blockchain development ecosystem | Regulatory Compliance | Pending |
| Blockchain development ecosystem | Data Protection | Pending |
| Blockchain development ecosystem | Cyber Security Training | Pending |
| Blockchain development ecosystem | Cyber Security Testing | Pending |
| Blockchain development ecosystem | Contingency Planning | Pending |
| Blockchain use ecosystem | Pending | Pending |

[8] If sensitive blockchain solution components are not physically isolated.


E. References

1. Bitcoin: A Peer-to-Peer Electronic Cash System by Satoshi Nakamoto.
2. NIST Special Publication 800-53 Revision 4.
3. OWASP Testing Guide v4.


F. License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

You are free to:

Share: copy and redistribute the material in any medium or format.

Adapt: remix, transform, and build upon the material for any purpose, even commercially.

The licensor cannot revoke these freedoms as long as you follow the license terms.

Under the following terms:

Attribution: You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.

ShareAlike: If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.

No additional restrictions: You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

Notices:

You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.

No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material.


Contact Us

Primechain Technologies Pvt. Ltd.
410, Supreme Headquarters, Mumbai-Bangalore Highway, Near Audi Showroom, Baner, Pune-411045 (INDIA)
Web: http://www.primechaintech.com
Email: [email protected]