How to Approach Blockchain Deployment While Mitigating Risk
Blockchain has emerged as one of the most promising technological developments of the past decade. Originating from the digital currency Bitcoin, blockchain employs a distributed ledger to provide consensus among its decentralized participants, eliminating the need for a central authority. This advancement has the potential to transform several key industries, much like the rise of the internet did in the 1990s.
Blockchain technology has a multitude of benefits, such as enabling peer-to-peer transactions, transparency, cost reduction, speed, fraud mitigation, and security by design. However, as is the case with any emerging technology, there are several risks with blockchain that should be considered by organizations that plan to use it. There are currently no universally accepted standards in place for blockchain, nor is there clear guidance available from a regulatory perspective. Due to these conditions, caution must be used when deploying blockchain technology at an enterprise level.
ISACA has developed a Blockchain Preparation Audit Program to provide organizations with a framework to manage blockchain. The program covers six key areas: pre-implementation, governance, development, security, transactions and consensus.
These areas touch upon the primary risks associated with the use of blockchain, and aim to achieve the following objectives:
- Assess an organization’s blockchain solution to determine whether it is adequately designed and operationally effective
- Identify blockchain risks that could result in reputational and/or material impact
- Provide organizations with a holistic perspective on blockchain technology, with consideration for both technical and non-technical factors
When properly deployed, blockchain can provide substantial benefits. However, blockchain is not practical for every organization, and management must ensure that its use supports business objectives accordingly. The following are examples of adverse impacts that can occur when a blockchain solution does not align with business objectives:
- Impractical use cases that are misaligned with organizational strategy
- Inadequate deployment that results in wasted time and resources
- A blockchain solution that does not function properly
- Potential for noncompliance with industry regulators
- Vulnerabilities that could impact source code, endpoints, and sensitive data
In addition to the risks discussed above, the blockchain audit/assurance preparation program will also allow organizations to consider other relevant questions. Some of these questions include:
- Was there a business case assessment created for the use of blockchain? Was it approved by key stakeholders?
- What were some practical use cases that the organization was looking to use blockchain for?
- What type of blockchain (permissioned vs. permissionless) is the organization using?
- Are blockchain wallet private keys being managed by a clearly identified custody approach?
- How is the organization acquiring the required development expertise to support the blockchain solution?
- How were vendors selected to support the organization’s blockchain solution? What due diligence processes were followed?
- Does management adequately understand blockchain technology, and are they providing effective oversight?
- What is the approach being used to manage applicable regulatory risks?
Written by Varun Ebenezer, CISA, CBP, Senior IT Audit Manager, BMO Financial Group, USA; excerpted from the ISACA Now Blog