The organization has systems in place to determine:
- restrictions applied to connecting to the network
- restrictions applied to signing transaction inputs
- restrictions applied to appearing in transaction outputs
- restrictions applied to creating new assets
- restrictions applied to confirming transactions
- restrictions applied to changing permissions of other users
The organization has systems in place to determine the appropriate consensus mechanism:
- proof of work
- proof of stake
- federated byzantine agreement
The organization has systems in place to determine the:
- target average time between blocks
- maximum size of each block
- length of initial setup phase
- mining diversity
- minimum / initial proof-of-work difficulty
- frequency of recalculating proof-of-work difficulty level
- maximum size of a standard transaction
- maximum size of data elements in standard transactions
The organization has systems in place to determine the:
- initial block reward
- first block reward
- reward halving interval
- reward spendable delay
- minimum quantity of native currency in every transaction output
- maximum quantity of native currency in every transaction output
- minimum relay fee
- units per display unit of the native currency
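The permission, consensus, block and native-currency settings listed above lend themselves to a mechanical review before a chain is launched. The following Python is an added example, not part of this checklist or of any blockchain product: it checks a parameter set against the items above and reports anything missing, inconsistent or left unrestricted. The parameter key names (anyone-can-connect, mining-diversity, pow-difficulty-recalc-blocks and so on) and the HARDENED and WEAK sample sets are constructed for the example; it also assumes a permissioned chain in which each of the six permissions is expected to be restricted, and that mining diversity is expressed as a fraction between 0 and 1.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Value = Union[bool, int, float, str]
# The six permission restrictions and three consensus mechanisms named in the checklist.
PERMISSIONS = ("connect", "send", "receive", "issue", "mine", "admin")
CONSENSUS = ("proof-of-work", "proof-of-stake", "federated-byzantine-agreement")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    key: str
    message: str


def review_params(p: Dict[str, Value]) -> List[Finding]:
    """Return findings for chain parameters that are missing, inconsistent or weak."""
    findings: List[Finding] = []

    def flag(sev: str, key: str, msg: str) -> None:
        findings.append(Finding(sev, key, msg))

    def need(key: str, typ) -> Optional[Value]:
        """Fetch a parameter; a missing or mistyped one is itself a finding (returns None)."""
        v = p.get(key)
        if isinstance(v, typ) and (typ is bool or not isinstance(v, bool)):
            return v
        flag("high", key, "missing or wrong type")
        return None
    # Permissions: a restriction the chain does not apply is open to everyone; open
    # mine/admin/issue gives away control of consensus, permissions and asset creation.
    for perm in PERMISSIONS:
        if need(f"anyone-can-{perm}", bool) is True:
            flag("high" if perm in ("mine", "admin", "issue") else "medium",
                 f"anyone-can-{perm}", "no restriction applied; granted to everyone")
    consensus = need("consensus", str)
    if consensus is not None and consensus not in CONSENSUS:
        flag("high", "consensus", f"unknown mechanism {consensus!r}")
    # Block parameters: size limits must nest as element <= transaction <= block.
    sizes = [need(k, int) for k in ("maximum-standard-element-size",
                                    "maximum-standard-tx-size", "maximum-block-size")]
    if None not in sizes and not 0 < sizes[0] <= sizes[1] <= sizes[2]:
        flag("medium", "maximum-standard-tx-size",
             "size limits must satisfy 0 < element <= transaction <= block")
    # Mining diversity is assumed to be a fraction 0..1 of permitted miners that must
    # take turns (constructed semantics); 0 lets a single miner produce every block.
    div = need("mining-diversity", (int, float))
    if div is not None and not 0 <= div <= 1:
        flag("high", "mining-diversity", "must lie in the range 0..1")
    elif div == 0:
        flag("medium", "mining-diversity", "0 lets one miner produce every block")
    if consensus == "proof-of-work":
        for key in ("pow-minimum-difficulty-bits", "pow-difficulty-recalc-blocks"):
            if (v := need(key, int)) is not None and v <= 0:
                flag("medium", key, "must be positive for proof-of-work")

    # Native currency and timing: sign constraints, then consistency between settings.
    for key in ("initial-block-reward", "first-block-reward", "minimum-relay-fee"):
        if (v := need(key, int)) is not None and v < 0:
            flag("high", key, "must not be negative")
    for key in ("target-block-time", "native-currency-multiple"):
        if (v := need(key, int)) is not None and v <= 0:
            flag("high", key, "must be positive")
    halving = need("reward-halving-interval", int)
    if p.get("initial-block-reward") and halving is not None and halving <= 0:
        flag("medium", "reward-halving-interval", "must be positive when blocks are rewarded")
    if (delay := need("reward-spendable-delay", int)) is not None and delay < 1:
        flag("medium", "reward-spendable-delay", "reward spendable before any confirming block")
    lo, hi = need("minimum-per-output", int), need("maximum-per-output", int)
    if None not in (lo, hi) and not 0 <= lo <= hi:
        flag("high", "minimum-per-output", "must satisfy 0 <= minimum <= maximum")
    return findings


# Constructed sample: a reasonable configuration, plus overrides that weaken it.
HARDENED: Dict[str, Value] = {
    **{f"anyone-can-{perm}": False for perm in PERMISSIONS},
    "consensus": "proof-of-work", "target-block-time": 15,
    "maximum-block-size": 1_000_000, "maximum-standard-tx-size": 250_000,
    "maximum-standard-element-size": 8192, "mining-diversity": 0.5,
    "pow-minimum-difficulty-bits": 8, "pow-difficulty-recalc-blocks": 2016,
    "initial-block-reward": 0, "first-block-reward": 0, "reward-halving-interval": 0,
    "reward-spendable-delay": 1, "minimum-per-output": 0,
    "maximum-per-output": 100_000_000_000, "minimum-relay-fee": 0,
    "native-currency-multiple": 100_000_000,
}
WEAK: Dict[str, Value] = {
    **HARDENED,
    "anyone-can-connect": True, "anyone-can-admin": True,  # restrictions not applied
    "maximum-standard-tx-size": 4_000_000,  # larger than a block: unreachable limit
    "mining-diversity": 0,                  # one miner may produce every block
    "pow-difficulty-recalc-blocks": 0,      # difficulty never recalculated
    "reward-spendable-delay": 0,
    "minimum-per-output": 1000, "maximum-per-output": 100,  # minimum above maximum
}
```

Calling review_params(WEAK) returns seven findings: the two permissions left open (admin rated high, since it controls every other permission), a standard-transaction limit larger than the block it must fit in, a mining diversity of 0, a proof-of-work difficulty that is never recalculated, a reward spendable delay of 0, and a per-output minimum above the maximum; review_params(HARDENED) returns none. A missing or mistyped parameter is reported as its own high finding rather than silently skipped, so a parameter set that omits a setting cannot pass the review.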
The organization develops and disseminates an organization-wide blockchain security program plan that:
- provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
- includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
- reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
- is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, and other organizations.
The organization reviews the organization-wide blockchain security program plan every month.
The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments.
The organization protects the blockchain security program plan from unauthorized disclosure and modification.
Note: Blockchain security program plans can be represented in single documents or compilations of documents at the discretion of organizations.
The organization appoints a senior blockchain security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide blockchain security program.
The organization ensures that all capital planning and investment requests include the resources needed to implement the blockchain security program and documents all exceptions to this requirement.
The organization ensures that blockchain security resources are available for expenditure as planned.
The organization implements a process for ensuring that plans of action and milestones for the blockchain program and associated organizational information systems are developed and maintained.
The organization documents the remedial blockchain security actions to adequately respond to risk to organizational operations and assets, individuals, and other organizations.
The organization reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
The organization develops and maintains an inventory of its blockchain systems.
The organization develops, monitors, and reports on the results of blockchain security measures of performance.
The organization develops an enterprise architecture with consideration for blockchain security and the resulting risk to organizational operations, organizational assets, individuals, and other organizations.
The organization addresses blockchain security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, and other organizations associated with the operation and use of blockchain systems.
The organization implements the risk management strategy consistently across the organization.
The organization reviews and updates the risk management strategy regularly to address organizational changes. An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time.
The organization manages (i.e., documents, tracks, and reports) the security state of organizational blockchain systems and the environments in which those systems operate through security authorization processes.
The organization designates individuals to fulfil specific roles and responsibilities within the organizational risk management process.
The organization fully integrates the security authorization processes into an organization-wide risk management program.
The organization defines mission/business processes with consideration for blockchain security and the resulting risk to organizational operations, organizational assets, individuals, and other organizations.
The organization determines blockchain protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.
The organization establishes a blockchain security workforce development and improvement program.
The organization implements a process for ensuring that organizational plans for conducting blockchain security testing, training, and monitoring activities associated with organizational information systems are developed and maintained and continue to be executed in a timely manner.
The organization reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
The organization establishes and institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel; to maintain currency with recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents.
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.