| Cryptographic Asset Management |
Key / Seed Generation |
Operator-created Key / Seed |
|
|
|
| Creation methodology is validated |
|
|
|
| DRBG Compliance |
|
|
|
| Entropy Pool |
|
|
|
| Wallet Creation |
Unique address per transaction |
|
|
|
| Multiple keys for signing |
|
|
|
| Redundant key for recovery |
|
|
|
| Deterministic wallets |
|
|
|
| Geographic distribution of keys |
|
|
|
| Organizational distribution of keys |
|
|
|
| Key Storage |
Primary keys are stored encrypted |
|
|
|
| Backup key exists |
|
|
|
| Backup key has environmental protection |
|
|
|
| Backup key is access-controlled |
|
|
|
| Backup key has tamper-evident seal |
|
|
|
| Backup key is encrypted |
|
|
|
| Key Usage |
Key access requires user/pass/nth factor |
|
|
|
| Keys are only used in a trusted environment |
|
|
|
| Operator reference checks |
|
|
|
| Operator ID checks |
|
|
|
| Operator background checks |
|
|
|
| Spends are verified before signing |
|
|
|
| No two keys are used on one device |
|
|
|
| DRBG Compliance |
|
|
|
| Key Compromise Protocol (KCP) |
KCP Exists |
|
|
|
| KCP Training + Rehearsals |
|
|
|
| Keyholder Grant/Revoke Policies & Procedures |
Grant/Revoke Procedures/Checklist |
|
|
|
| Requests made via Authenticated Communication Channel |
|
|
|
| Grant/Revoke Audit Trail |
|
|
|
| Operations |
Security Audits / Pentests |
Security Audit |
|
|
|
| Data Sanitization Policy (DSP) |
DSP Exists |
|
|
|
| Audit Trail of all media sanitization |
|
|
|
| Proof of Reserve (PoR) |
Proof of Reserve Audits |
|
|
|
| Audit Logs |
Application Audit Logs |
|
|
|
| Backup of Audit Logs |
|
|
|
