Blockchain is a type of database known as a distributed ledger that does not have a central administrator and operates on a consensus basis. It enables decentralized groups to work together, from anywhere in the world, in a secure, trusted and verifiable way. Because blockchain-based systems enable secure, distributed work processes, they also enable tasks to be executed by distributed teams operating together in a much looser way — but with as much security as if they were working side-by-side.
Because blockchain blurs the boundaries of organizations and requires data and processes to be shared outside the organization, companies must fully understand how the technology is implemented to establish appropriate risk management strategies.
One risk associated with blockchain is the use of a private digital key for identity verification. If the private digital key were compromised, outside agents could gain access to the blockchain. Another blockchain risk exists with smart contracts, which contain a self-executing code that is designed to execute specific rules when defined conditions are met. As these smart contracts become more complex, they are more prone to errors that could provide external agents an opportunity to compromise the system. Companies should implement risk and control strategies to facilitate the integrity of these smart contracts.
Example audits could include:
- Blockchain implementation governance: evaluate the organization’s strategy for governing the implementation of blockchain usage
- Blockchain security and risk assessment: evaluate the organization’s controls and strategy in place to manage and mitigate risks surrounding blockchain
2. Cloud computing
Cloud computing enables organizations to shed their complex internal IT structure, allowing them to focus on strategy rather than operations and respond quickly to changing marketplace conditions. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing is evolving rapidly, giving companies a variety of choices; however, like most technology changes, the cloud presents its share of risks and challenges that are often overlooked or not fully understood.
Example audits could include:
- Cloud strategy and governance: evaluate whether the organization’s cloud strategy is aligned to overall business objectives
- Cloud security and privacy: assess the information security practices and procedures of the cloud provider
- Cloud provider services: assess the ability of the cloud provider to meet or exceed the agreed-upon SLAs in the contract and the contingency plans in case of failure, liability agreements, extended support, and the inclusion of other terms and conditions as part of the service contracts, as well as availability, incident and capacity management, and scalability
Cybersecurity threats continue to evolve and grow with seemingly no rules or restrictions as to who can unpredictably be attacked. Users no longer need to gain physical access to a facility to cause harm to an organization. They can now gain access through malware or phishing attacks, connections with third parties, new technologies, and other new and evolving paths.
Organizations must focus on IT security and information security to avoid falling victim to cyber threats by developing a cyber audit program that addresses areas such as:
- Security awareness: evaluate the processes and controls over the training of users to heighten their awareness and sensitivity to attempts to gain unauthorized physical or logical access to the entity’s information and systems
- Asset management: evaluate the processes and controls over the retention of a comprehensive inventory of technology assets that have the ability to connect the entity’s network
- Vendor risk management: evaluate the processes and controls over third-party service and supply chain vendors
- Incident response: evaluate the processes and controls over the response procedures management employs when unusual activity is detected
4. Mobile computing
The modern mobile device sits at the crossroads of personal use and highly sensitive business information. As the old saying goes, the chain is only as strong as its weakest link and business data residing on mobile devices is no exception.
This technology allows employees to access and distribute organizational information anytime, anywhere, increasing the efficiency and productivity of employees. However, this same access and distribution capability also introduces significant risks. For example, increased usage of public Wi-Fi networks by business users exposes sensitive information to complete strangers, if not properly encrypted.
As with any technological advancement, an organization must first identify and address the risks and then monitor the environment to better understand the impact mobility has on the corporate risk profile.
Potential audits could include:
- Device configuration: identify risks in mobile device settings and vulnerabilities
- Mobile application black box: use front-end and black box testing techniques in an attempt to exploit the vulnerabilities identified in mobile applications
- Mobile application gray box: prioritize high-risk areas of the code, maximize code coverage and identify root cause of identified vulnerabilities