IEEE 2140.2-2021 pdf download

IEEE 2140.2-2021 pdf download.IEEE Standard for Security Management for Customer Cryptographic Assets on Cryptocurrency Exchanges
3. User authentication management
3.1 General
The goal of user authentication management is to establish a more comprehensive information management and profile analysis capability for users from the collection of multi-dimensional user information on the premise of protecting user data privacy, and to improve the exchange’s ability to identify possible risks in customer accounts. On the other hand, cryptocurrency exchanges use multiple tools to confirm the identity of platform users, promptly identify suspicious users and high-risk behaviors on the platform, and take blocking actions. User authentication mainly covers three scenarios: registration authentication, real-name authentication, and security authentication.
3.2 Registration authentication
Users generate account information on the exchange based on the SMS verification code of the mobile phone number or the verification code of the registered mailbox, etc., and through human-machine verification, it addresses problems such as machine risks, garbage registration, and bonus hunter.
3.3 Real-name authentication
After completing registration and generating account information, users shall submit relevant information that proves their identity such as ID cards, passports, or bills, and may pass more advanced biometric technology verification such as face recognition.
3.4 Security authentication
Cryptocurrency exchanges shall guide and remind customers to complete diversified password setting strategies to improve account security levels, including but not limited to account passwords, fund trading passwords, Google identity one-time password, gesture passwords, and fingerprint passwords. When monitoring abnormal behaviors such as login and password modification in different IP areas of the same account, exchanges shall notify the customer in a timely manner via SMS or other means to confirm the real name and security authentication. Conclusively, cryptocurrency exchanges shall establish user data form management mechanism and dynamically update based on the collected customer authentication information. Cryptocurrency exchanges may also identify abnormal account behaviors by marking different user accounts.
4. Infrastructure security regulations
4.1 General Infrastructure services are software- and hardware-integrated solution capabilities that support the overall business operations of cryptocurrency exchanges and are the core support of cryptocurrency exchanges. Historically, exchange infrastructure service systems have caused the loss of customer cryptographic assets on the exchange due to factors such as hacking or manual operation errors. The core infrastructure of the exchange includes servers (e.g., computer rooms), communication networks, encrypted asset custodial wallets, Web and App applications. Therefore, the security business specifications shall be formulated for the above three infrastructures, and the security regulations shall be strictly implemented to establish security problem identification. Security specifications mainly cover four aspects: security management of the physical area where the infrastructure is located, security inspection and protection of the infrastructure itself, personnel security education, and security response specifications.
4.2 Security management of the physical area where the infrastructure is located
Establish security management standards for the computer room area where the server is located and the office area where the communication network and equipment are located, as follows:
— Personnel entry and exit registration management and identity verifcation.
— Physical area monitoring: Key personnel access, key equipment and visible physical operations are monitored and covered, and monitoring records are retained for not less than six months.
— Network isolation requirements for key departments: Establish a network frewall in the area where computer equipment in key departments such as fnance is located.
4.3 Detection and protection of infrastructure security
4.3.1 Computer room and hardware Computer room devices, hardware changes, and multi-site backups are included in the security of computer room and hardware.
— Lock key cabinets, and set up monitoring and alarm sensing devices.
— Hardware changes shall be recorded and reported, and they should be destroyed when certain conditions are met.
—Establish a multi-site and multi-center disaster recovery room for backup.
4.3.2 Communication networks Network terminal access and traffic loads are considered in a regular mechanism.
— Possess vulnerability detection capabilities and establish a mechanism for the regular detection of vulnerabilities.
— Capable of protecting against network traffc attacks.
— Communication network terminal access management and control capabilities, and the ability to discover potential threats introduced by the terminal.IEEE 2140.2 pdf download.IEEE 2140.2-2021 pdf download