Bitcoin Forum
Author Topic: Forming Bitcoin Policies for exchanges  (Read 989 times)
allten (OP)
September 13, 2011, 08:08:23 PM
#1

This thread is in response to a previous one that I began

Full Blown MtGox Audit - Get Ready To participate. Starting Sept 25th
https://bitcointalk.org/index.php?topic=43484.0


The sentiment in the previous thread was pretty much that the proposal was crazy and "preposterous".
Ok Ok Ok. Learning from mistakes and continuing forward.

So, the best way for an audit to occur is by encouraging any competitor to be audited.
If the market responds positively to that exchange with an audit, more than likely, all competitors will follow its lead.

However, the big question that popped into my mind is "what exactly would they be auditing?!?"
The obvious one is if all funds are accounted for, but isn't there much more that could be audited?

There are no exchanges (that I am aware of) that have their policies and standards of operation posted.
In order for a full company audit to occur, it seems apparent that there needs to be a set of guidelines to look at.

So, finally, the purpose of this post is to brainstorm the following:
        1) What practices could an exchange execute that would be undesirable for the market? (i.e. manipulate the price)

        2) From the ideas above, what policies and standards would you like to see an exchange adopt?

My goal is to form a well written document that any exchange could adopt or even adapt for their own.
From there, we would have a good idea of what kind of information an audit should contain.

Thanks for your criticism and input.
casascius (Mike Caldwell)
September 13, 2011, 08:09:03 PM
#2

Google SAS 70 Type II audit...many things can be audited.

It's not just a matter of "is the money there?" and we're done.  The audit seeks to document how critical processes are handled - such as backups and security - as well as separation of powers among individuals within the organization.

For backups and security, the audit may seek to know in a general sense who is responsible and how it's done and how often the backups are tested and verified to be good.  And who personally verifies that workstation and server OS's are up to date on patches, and if there's a reason they're not, why not.

By separation of powers I mean for example, if all of the programmers can also manipulate rows in the database at will, and can make changes to code running in production without oversight or any recordkeeping as to the change... this is the kind of thing that such an audit seeks to document.

All of this is confidence building.  Generally these auditors aren't looking to write a crappy report (or they might never get repeat business)... often a SAS 70 type II engagement is to come out at the beginning of some time period and again at the end of it.  (the beginning visit often results in a lot of consulting as to what needs to be done to avoid having to have negative items in the report).

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
allten (OP)
September 15, 2011, 05:18:45 PM
#3

@ casascius,
     I appreciate the response. I really like the sound of the SAS 70.
I found this page most helpful:
http://sas70.com/sas70_overview.html

Hopefully sound audits will become commonplace in the future with some of the more successful BTC businesses (more notably exchanges).

-------------------------------------------------------------
It did dawn on me that it would be nice if there was more documentation provided up front by those who handle money.
By documentation I mean "Terms of Service", policies and procedures, model of operation, etc.

A short example of what could be posted on exchange sites:
          1) All bitcoins and USD (or whatever currency) are backed 100%, 100% of the time.
              There is no fractional reserve lending. We do not speculate with your bitcoins or money
              in any market.
          2) All volume reported by this exchange is from customer transactions only. Transactions internal
              to the company are not reported.
          There's so much more..........................................

Realizing that many of these businesses are just trying to get started and avoid costly security mishaps, this kind of undertaking is probably a low priority;
however, it is very important to the people putting their money into these businesses, such as myself.
The goal of this thread is to generate the trivial and obvious wording that could be adopted by these businesses, thereby helping BTC mature even more.
im3w1l
September 15, 2011, 08:18:23 PM
#4
I would want an audit to check that the website is hard to hack:
  • hashed and salted passwords
  • updated software
  • input sanitization
  • balances on a separate box from website
I would also welcome info about who to sue when shit hits the fan.
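The first item on the list above, "hashed and salted passwords", is the one an auditor can actually test against the exchange's user table. The following is an added example, not code from the thread or from any exchange, showing why the check matters: an unsalted digest lets two customers with the same password produce the same stored value (so one leaked table cracks both, and precomputed tables apply), while a per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from the Python standard library) does not. The storage format, the iteration count, and the sample users are assumptions made for the example.

```python
"""Added example (not from the forum thread): salted, iterated password
hashing for an exchange login table versus the unsalted scheme the post
warns against. Standard library only, so it runs offline."""
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed value; tune to your hardware so
# that one verification costs on the order of a few hundred milliseconds.
ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme: the same password always yields the same digest, so a
    leaked table reveals shared passwords and is open to precomputed tables."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.

    The salt is 16 random bytes per user; storing it next to the digest is
    fine, its job is uniqueness, not secrecy. The record format is an
    assumption for this example.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time so timing does not leak digest prefixes."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo() -> dict:
    """Constructed sample users: two customers who happen to share a password."""
    users = {"alice": "hunter2", "bob": "hunter2"}
    weak = {u: unsalted_sha1(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    return {
        # True: identical digests expose the shared password in a leaked table
        "weak_collide": weak["alice"] == weak["bob"],
        # False: different salts give different records for the same password
        "strong_collide": strong["alice"] == strong["bob"],
        "alice_ok": verify_password("hunter2", strong["alice"]),
        "alice_wrong": verify_password("hunter3", strong["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

An audit check built on this is simple to state: sample rows from the user table, confirm every record carries its own salt and a recognised algorithm tag, and confirm that no two rows share a digest. A table of bare SHA-1 or MD5 values fails the check on sight.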
Elwar
September 15, 2011, 09:03:30 PM
#5

Seems like a good business model for someone.

Bitcoin site accreditation.

Just set it up so you can put "Verified by X company" on the page with a link to verification on their site.

Several companies can be set up and if someone gets hacked and they are accredited by a certain company then that company would lose credibility.

Phinnaeus Gage
September 16, 2011, 11:33:45 AM
#6

Quote from: Elwar on September 15, 2011, 09:03:30 PM
Seems like a good business model for someone.

Bitcoin site accreditation.

Just set it up so you can put "Verified by X company" on the page with a link to verification on their site.

Several companies can be set up and if someone gets hacked and they are accredited by a certain company then that company would lose credibility.

Bitcoin Accreditation: Now why hasn't anybody else thought of that?