gczhou / blockchain-security-controls

The PT-BSC (Primechain Technologies - Blockchain Security Controls) prescribes security controls for blockchain implementations.


PT-BSC: Blockchain Security Controls


Blockchain technology has earned the trust of Governments and banks around the world.

There is an urgent need for an accepted set of security controls for secure blockchain implementations. The PT-BSC is a constantly evolving project that prescribes security controls for blockchain implementations. Many of the controls are based on NIST Special Publication 800-53 Revision 4 and may also apply to distributed ledger systems.

A. Introduction

A.1 Definitions

(a) blockchain

(b) distributed ledger system

(c) hash function

B. Components of a blockchain

C. Security controls for blockchain instances

C.1 Primary considerations

(a) Blockchain permissions

(b) Consensus mechanisms

(c) Considerations for proof-of-work based blockchain instances

(d) Considerations for native blockchain currency (optional)

(e) Blockchain Security Program Plan

(f) Senior blockchain security officer

(g) Blockchain security resources

(h) Plan of action and milestones process

(i) Information system inventory

(j) Information security measures of performance

(k) Enterprise architecture

(l) Critical infrastructure plan

(m) Risk management strategy

(n) Security authorization process

(o) Mission/business process definition

(p) Insider threat program

(q) Blockchain security workforce

(r) Testing, training, and monitoring

(s) Contacts with security groups and associations

(t) Threat awareness program

C.2 Blockchain Access Control

(a) Blockchain Access Control Policy and Procedures

(b) Blockchain Account Management

(c) Blockchain Access Enforcement

(d) Information Flow Enforcement

(e) Least Privilege

(f) Permitted actions without identification or authentication

(g) Remote Access

(h) Wireless Access

(i) Access control for mobile devices

(j) Use of external information systems

C.3 Awareness & Training

(a) Security awareness and training policy and procedures

(b) Security awareness training

(c) Role-based security training

C.4 Audit and Accountability

(a) Audit and accountability policy and procedures

(b) Content of audit records

(c) Audit review, analysis, and reporting

(d) Time stamps

(e) Protection of audit information

C.5 Security assessment and authorization

(a) Security assessment and authorization policy and procedures

(b) Security assessments

(c) System interconnections

(d) Continuous monitoring

(e) Penetration testing

(f) Internal system connections

C.6 Contingency planning

(a) Contingency planning policy and procedures

(b) Contingency plan

(c) Contingency training

(d) Contingency plan testing

(e) Alternate storage site

(f) Alternate processing site

(g) Telecommunications services

(h) Information system recovery and reconstitution

C.7 Incident response

(a) Incident response policy and procedures

(b) Incident response training

(c) Incident response testing

(d) Incident handling

(e) Incident Monitoring

(f) Incident reporting

(g) Incident response assistance

(h) Incident response plan

(i) Information spillage response

(j) Integrated information security analysis team

C.8 Maintenance

(a) System maintenance policy and procedures

C.9 Physical and environmental protection

(a) Physical and environmental protection policy and procedures

(b) Physical access authorizations

(c) Physical access control

C.10 Risk assessment

(a) Risk assessment policy and procedures

(b) Risk assessment

(c) Vulnerability scanning

(d) Insider threat program

(e) Contacts with security groups and associations

(f) Threat awareness program

C.11 Blockchain Integrity

(a) Blockchain integrity policy and procedures

(b) Flaw remediation

(c) Malicious code protection

(d) Blockchain monitoring

(e) Security alerts, advisories, and directives

(f) Security function verification

(g) Software, firmware, and information integrity

D. Security recommendations for other Blockchain components

E. References and contact information

Contributors

A non-exhaustive list of contributors:

  • Rohas Nagpal (rohas@primechain.in)
  • Sudin Baraokar
  • Shinam Arora
  • Debasis Nayak
  • Sripathi Srinivasan

License: GNU General Public License v3.0