Summary
The General Security and Privacy Guidelines (GSP) define baseline risk management, security, and privacy requirements that should be met by all participants in the blockchain ecosystem. The guidelines are a targeted subset of the requirements found in other recognized security standards such as [ISO 27001], [SOC2] or [CCSS]. The requirements are categorized according to the NIST Cybersecurity Framework (NIST CSF) to provide a familiar taxonomy for tackling blockchain-based security and privacy concerns.
Domains
1. Govern
To establish, communicate, and monitor your organization's cybersecurity risk management strategy, expectations, and policy, your organization should:
- Maintain a risk management governance framework, including a risk register that is reviewed regularly with stakeholders.
- Monitor and adapt to evolving global and local regulatory frameworks that affect blockchain operations, such as anti-money laundering (AML) rules, asset classification, and cross-border transaction requirements.
- Employ and maintain a dedicated governance and compliance team familiar with these guidelines and with other applicable standards, such as ISO 27001 and SOC2.
- Document and follow a vendor relationship management process when working with vendors and other third parties.
- Document a data classification matrix or methodology to define data classification tiers, access restrictions to higher tiers, and protection requirements per tier.
- Maintain a publicly accessible "trust centre" that includes compliance documentation, privacy policy, and other pertinent information.
2. Identify
To accurately identify and understand cybersecurity risks your organization should:
- Conduct regular risk assessments that address blockchain-specific risks.
- Document all risks associated with customer funds and make that documentation readily accessible.
- Subscribe to and integrate threat intelligence data from reputable sources.
- Conduct regular documented threat hunting activities.
- Establish protocols for sharing threat information with other blockchain organizations and industry stakeholders.
- Perform dynamic analysis of all production code to identify runtime vulnerabilities and test it against real-world attack patterns.
- Formally document procedures for network and application vulnerability management, and conduct vulnerability assessments at least monthly.
- Perform static code analysis on all code before it is pushed to production to identify potential bugs and vulnerabilities.
- Inventory third-party dependencies and monitor them for existing and newly published Common Vulnerabilities and Exposures (CVEs).
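The dependency inventory and CVE monitoring requirement above amounts to a recurring comparison: each pinned version in your inventory is checked against the affected-version ranges in an advisory feed, and the check is re-run whenever the feed updates. The following is an added example illustrating that comparison, not code from the GSP or any referenced standard; the lockfile, package names, advisory IDs and version ranges are all constructed placeholders, and the advisory schema is a simplified stand-in for feeds such as OSV or the NVD.

```python
"""Added example (not part of the GSP text): match a dependency inventory
against a vulnerability advisory feed.

Every package name and advisory ID below is constructed for illustration;
none refers to a real package or a real CVE."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed inventory in the shape of a minimal lockfile.
LOCKFILE_JSON = """
{
  "dependencies": {
    "example-json-parser": {"version": "2.3.1"},
    "example-http-client": {"version": "1.9.0"},
    "example-crypto-utils": {"version": "0.4.2"}
  }
}
"""

# Constructed advisory feed. Real feeds (OSV, GitHub Advisory Database, NVD)
# use richer schemas; the introduced/fixed pairs here mirror the idea behind
# OSV's SEMVER ranges. "fixed": None means no fixed release exists yet.
ADVISORIES: List[dict] = [
    {"id": "EXAMPLE-ADV-0001", "package": "example-json-parser",
     "introduced": "2.0.0", "fixed": "2.3.2",
     "summary": "constructed: stack exhaustion on deeply nested input"},
    {"id": "EXAMPLE-ADV-0002", "package": "example-http-client",
     "introduced": "1.0.0", "fixed": "1.8.5",
     "summary": "constructed: certificate verification bypass"},
    {"id": "EXAMPLE-ADV-0003", "package": "example-crypto-utils",
     "introduced": "0.5.0", "fixed": None,
     "summary": "constructed: unfixed issue in 0.5.0 and later"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Anything that is not purely dotted digits is rejected so that an
    unexpected format fails loudly instead of silently comparing wrong."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version format: {v!r}")
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))  # "1.2" compares equal to "1.2.0"


def is_affected(installed: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected iff introduced <= installed < fixed (no fix => open-ended)."""
    v = parse_version(installed)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_inventory(lockfile_json: str) -> Dict[str, str]:
    """Map package name -> pinned version from the lockfile."""
    data = json.loads(lockfile_json)
    return {name: meta["version"] for name, meta in data["dependencies"].items()}


def find_vulnerable(inventory: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Return one finding per advisory whose range covers an installed version."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is not None and is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append({"id": adv["id"], "package": adv["package"],
                             "installed": installed, "fixed": adv["fixed"],
                             "summary": adv["summary"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(load_inventory(LOCKFILE_JSON), ADVISORIES):
        fix = f["fixed"] or "no fixed version published"
        print(f"{f['id']}: {f['package']} {f['installed']} affected (fix: {fix}) - {f['summary']}")
```

Re-running find_vulnerable against a freshly downloaded feed on a schedule (and on every lockfile change) is what turns a one-off inventory into monitoring for newly published CVEs; a finding with no fixed version is the case that needs a documented compensating control rather than an upgrade.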
3. Protect
To adequately protect systems and data, and manage cybersecurity risks, your organization should:
- Require all staff to complete annual security awareness training that minimally covers how to handle sensitive data, phishing, and social engineering.
- Provide developers with additional Secure Software Development LifeCycle (SSDLC) training that incorporates security guidance and best practices relevant to their area of practice.
- Review access to production systems and applications at least annually, and review privileged access at least semi-annually.
- Restrict sensitive data and Personally Identifiable Information (PII) to only be accessed by users with a legitimate business need.
- Implement a process to revoke all access to corporate and production systems within 24 hours of employee termination.
- Document and implement password standards across all production and corporate systems that, at a minimum, address length and complexity.
- Guard user wallet addresses and other blockchain-specific sensitive data from unauthorized disclosure.
- Require additional verification (e.g., multi-factor authentication) for all privileged (administrator) access, and maintain documented procedures to audit and limit privileged use and privileged users.
- Perform enhanced background checks, in addition to those completed during initial onboarding, on staff whose privileged access includes access to customer funds, and refresh those checks periodically.
- Ensure the integrity and security of software components and dependencies used in blockchain applications.
- In all systems that rely on third-party data (e.g., from APIs), incorporate robust error handling, input validation, and fallback mechanisms so that malformed or malicious data cannot compromise the system.
- Ensure all devices (laptops, mobile, etc.) that connect directly to corporate or production systems are enrolled in and centrally managed by an MDM solution that can assess security posture, enforce minimum hardening requirements, and remotely wipe the device if it is lost or stolen.
- Implement and maintain a solution for all web applications and internet-facing systems to detect and prevent common threats, including DDoS, malicious bot traffic, and malware.
- Log all security events within production systems and applications.
- Implement and maintain a Data Loss Prevention (DLP) solution to detect and prevent exfiltration of sensitive data through channels including email, web storage, and removable media (USB, etc.).
- Implement controls to prevent customer data from being exported or copied from production systems, unless explicitly required by a business workflow, in which case, care must be taken to ensure minimization of both the data copied, and of any additional access granted to these data.
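The third-party data requirement above (error handling, input validation and fallback mechanisms) is easiest to see on a concrete consumer. The following added example, which is not code from the GSP or from any real data provider, validates a constructed price-feed response of the form {"price": ..., "timestamp": ...}: it checks that the body parses, that the fields have the expected types, that the value is finite and positive, that the quote is fresh, and that it has not moved implausibly far from the last accepted value. Invalid responses fall back to the last known-good value and are recorded for alerting. The field names, thresholds and sample responses are assumptions made for the example.

```python
"""Added example (not part of the GSP text): validate data from a third-party
API before acting on it, with a fallback to the last known-good value.

The response format is a constructed price-feed JSON; it is not any real
provider's API. Thresholds are illustrative."""
import json
import math
from typing import List, Optional, Tuple

MAX_AGE_S = 60        # reject quotes older than this
MAX_DEVIATION = 0.20  # reject quotes more than 20% away from the last good value


class FeedError(Exception):
    """No trustworthy value is available: invalid quote and no fallback."""


class PriceFeed:
    def __init__(self, max_age_s: float = MAX_AGE_S, max_deviation: float = MAX_DEVIATION):
        self.max_age_s = max_age_s
        self.max_deviation = max_deviation
        self.last_good: Optional[float] = None
        self.rejections: List[Tuple[str, str]] = []  # (reason, raw) for logging/alerting

    def _reject(self, reason: str, raw: str) -> None:
        self.rejections.append((reason, raw))
        return None

    def validate(self, raw: str, now: float) -> Optional[float]:
        """Return the price if every check passes, else None (reason recorded)."""
        try:
            doc = json.loads(raw)
        except json.JSONDecodeError as exc:
            return self._reject(f"not JSON: {exc}", raw)
        if not isinstance(doc, dict):
            return self._reject("top level is not an object", raw)
        price, ts = doc.get("price"), doc.get("timestamp")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(price, (int, float)) or isinstance(price, bool):
            return self._reject("price missing or not numeric", raw)
        if not isinstance(ts, (int, float)) or isinstance(ts, bool):
            return self._reject("timestamp missing or not numeric", raw)
        if not math.isfinite(price) or price <= 0:
            return self._reject("price out of range", raw)
        if now - ts > self.max_age_s or ts > now + 5:
            return self._reject("stale or future-dated quote", raw)
        if self.last_good is not None:
            deviation = abs(price - self.last_good) / self.last_good
            if deviation > self.max_deviation:
                return self._reject(f"deviation {deviation:.0%} exceeds limit", raw)
        return float(price)

    def get_price(self, raw: str, now: float) -> float:
        """Validated price, else the last known-good value; raise if neither exists.

        Serving a fallback keeps the system up but is a degraded mode: callers
        should alert on self.rejections rather than silently continue."""
        value = self.validate(raw, now)
        if value is not None:
            self.last_good = value
            return value
        if self.last_good is not None:
            return self.last_good
        raise FeedError("no valid quote and no fallback value")


# Constructed sample responses, in the order a poller might receive them.
NOW = 1_700_000_000.0
SAMPLES = [
    json.dumps({"price": 100.0, "timestamp": NOW - 5}),     # good
    '{"price": "100", "timestamp": 1700000000}',            # wrong type
    json.dumps({"price": 1e9, "timestamp": NOW - 5}),       # implausible spike
    json.dumps({"price": 101.0, "timestamp": NOW - 3600}),  # stale
    '{"price": 100.5, "timestamp": ',                       # truncated body
    json.dumps({"price": 102.0, "timestamp": NOW - 1}),     # good again
]


def run_samples() -> Tuple[List[float], List[Tuple[str, str]]]:
    """Feed SAMPLES through one PriceFeed; return served prices and rejections."""
    feed = PriceFeed()
    return [feed.get_price(s, NOW) for s in SAMPLES], feed.rejections


if __name__ == "__main__":
    served, rejected = run_samples()
    print("served:", served)
    for reason, raw in rejected:
        print("rejected:", reason, "<-", raw)
```

The fallback is deliberately a degraded mode: a system that keeps serving a stale last-good value indefinitely has only moved the failure, so the rejections list should feed the security event logging required above and trip an alert after a few consecutive rejections.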
4. Detect
To quickly detect and analyze cybersecurity threats your organization should:
- Employ real-time threat monitoring services.
- Subscribe to and integrate threat intelligence data only from reputable sources.
- Perform and document security reviews and assessments of all produced software (on-chain and off-chain).
- Provide a mechanism for external security researchers to responsibly report vulnerabilities in your software.
- Maintain and use a process to triage and remediate reported vulnerabilities.
- Implement and maintain a breach detection solution to detect anomalous or potentially malicious activity within production and corporate environments that is configured with real-time alerting monitored by security staff.
- Conduct independent third-party penetration testing of your corporate network and production systems, including all external-facing applications, at least annually.
5. Respond
To effectively respond to and take action against cybersecurity incidents your organization should:
- Develop and implement an incident response plan (IRP) to define and guide your response to cybersecurity incidents. This includes:
  - Categorization of incidents based on severity.
  - Analysis of relevant security logs, data, and indicators of compromise to fully determine the scope and impact of the incident.
  - Evaluation of incidents to determine regulatory reporting requirements, and thresholds that trigger further internal or external communications.
  - Cadence for ongoing stakeholder, leadership, customer (as applicable), and regulator (as applicable) communications as recovery and mitigating actions are taken.
  - Criteria for an incident to be considered contained and/or mitigated (i.e., 'closed').
- Test and update your IRP regularly (at least annually), and train key security staff on the procedures it contains.
- Document and follow a root cause analysis process upon closure of an incident to determine how it occurred, including identification of new or improved security controls to prevent, or reduce the likelihood of, future incidents of the same type.
6. Recover
To successfully recover from a cybersecurity incident and restore assets & operations your organization should:
- Document a business continuity plan for critical business processes to ensure timely recovery and minimize downtime in the event of an unplanned disruption.
- Document a disaster recovery plan for all critical applications with defined recovery time objectives (RTO) for bringing the applications back online after an unplanned disruption, recovery point objectives (RPO) for recovering and maintaining the integrity of in-scope data, and processes for failover to backup applications if the RTO is breached.
- Review and test both the business continuity plan and the disaster recovery plan annually, and re-test upon significant organizational or environmental changes.
7. Privacy
To honor consumer and end user privacy rights and extend privacy best practices into the blockchain / Web3 ecosystem, your organization should:
- Treat all on-chain data that can be associated or linked back to an individual as Personally Identifiable Information (PII), including:
  - Wallet address: this can be linked to an individual user and used to reveal their transaction history and patterns.
  - Transaction data: this can reveal information about individuals and their financial habits and behaviors.
- Collect and process any type of personal data, including on-chain personal data, only for a defined, explicit, and legitimate purpose that has been clearly communicated to users.
- Use personal data only for the purpose(s) communicated. On-chain personal data in particular must be used only for the explicit and legitimate purposes stated in your Privacy Policy, and must not be further processed in a manner incompatible with those purposes.
- Obtain consent from and/or provide disclosures to individuals if there is a business need to use personal data for a new purpose that is not compatible with the original purpose.
- Be transparent with individuals about how their personal data is being collected and used, even if it was collected from public sources. Before writing personal data to a public blockchain (i.e., submitting it to miners or validators for inclusion in a block), you must provide clear, concise, and accessible information to users about:
  - What personal data is being stored on-chain.
  - The purpose for storing personal data on-chain.
- Design products and services such that the minimum amount of personal data necessary to meet the intended use case is stored on-chain.
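The Protect requirement to guard user wallet addresses from unauthorized disclosure and the privacy requirement to treat wallet addresses as PII both bite in the same places: application logs, support tickets and analytics exports that copy the address verbatim. The following added example, not code from the GSP, pseudonymizes Ethereum-style addresses (assumed to be 0x followed by 40 hex characters) with a keyed HMAC before the text reaches such a sink; the log lines, addresses and key are constructed for illustration.

```python
"""Added example (not part of the GSP text): pseudonymize wallet addresses before
they reach logs, support tickets or analytics exports.

Assumes Ethereum-style addresses (0x followed by 40 hex characters); other
chains need their own pattern. All log lines and addresses are constructed."""
import hashlib
import hmac
import os
import re
from typing import Callable, List

ETH_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")

# Constructed log lines. The first two carry the same address in different
# letter case; the third carries a different address.
LOG_LINES: List[str] = [
    "2024-05-01T10:00:01Z withdrawal requested user_wallet=0x1234567890abcdef1234567890abcdef12345678 amount=1.5",
    "2024-05-01T10:00:07Z withdrawal signed    user_wallet=0x1234567890ABCDEF1234567890ABCDEF12345678 tx=pending",
    "2024-05-01T10:02:13Z deposit observed     user_wallet=0xfedcba0987654321fedcba0987654321fedcba09 amount=20",
]


def make_pseudonymizer(key: bytes, prefix: str = "wallet:") -> Callable[[str], str]:
    """Build a function that replaces every address in a string with a keyed token.

    A keyed HMAC is used instead of a plain hash: addresses are public, so an
    unkeyed hash of every known address is trivial to precompute, while without
    the key the token cannot be mapped back. The same address always yields the
    same token, so events can still be correlated without exposing the address."""
    def pseudonym(addr: str) -> str:
        # Lower-case first so checksum-cased and plain variants share one token.
        digest = hmac.new(key, addr.lower().encode(), hashlib.sha256).hexdigest()
        return prefix + digest[:16]  # 64 bits is ample for collision-free correlation

    def redact(text: str) -> str:
        return ETH_ADDRESS.sub(lambda m: pseudonym(m.group(0)), text)

    return redact


def redact_lines(lines: List[str], key: bytes) -> List[str]:
    """Apply the pseudonymizer to each line so raw addresses never reach the sink."""
    redact = make_pseudonymizer(key)
    return [redact(line) for line in lines]


if __name__ == "__main__":
    # In production the key lives in a secrets manager, not in the log pipeline config.
    key = os.urandom(32)
    for line in redact_lines(LOG_LINES, key):
        print(line)
```

The token is stable for a given key, so incident responders can still correlate one user's events without the raw address, and only holders of the key (kept outside the log pipeline) can re-identify it. This protects the off-chain copy only: the address and its history remain public on the chain itself, which is why the guideline also requires minimizing what personal data is written on-chain at all.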