ANSI - X9 TR 54
Blockchain Risk Assessment Framework
Organization: ANSI
Publication Date: 25 July 2021
Status: active
Page Count: 53
Scope and Purpose
This technical report (TR) provides a framework for the performance of operational risk assessments on blockchain systems and applications within a distributed network. Operational risks include information technology (IT) and information security (IS) areas. IT includes interoperability, resiliency, accessibility, and software maintenance. IS includes data integrity, confidentiality, authentication, authorization, and accountability (logging capability). This report features some aspects of application risks including data accuracy, version control, backwards compatibility, and other usability functions.
This technical report can be used for multiple purposes, including system design reviews, internal control planning, or internal and external audits. Risk assessments are a basic and necessary function for providing blockchain assurance to stakeholders.
The content of this document is intended to provide the reader with the background terminology and concepts of a blockchain system. This document's main contribution is the Risk Assessment Questionnaire (Section 5). Here, we offer a series of questions for identifying the blockchain environment and its potential risks, together with a set of high-level IT control objective statements. The framework, questionnaire, and IT controls are use case-agnostic and oriented to permissioned blockchain systems.1 The Risk Assessment Questionnaire is divided into five main categories. Each main category (see below) contains several subsections, as described in Table 1.
Design and Architecture: Discovers the risks of the system's design and architectural arrangement.
Governance and Operations: Discovers the risk of how the system technically operates and how technical functions are governed.
Trust and Resilience: Discovers the risks of inadequate technical security processes.
System Integration: Discovers the risks of integration points outside the blockchain system itself.
Smart Contracts, Legal and Business Processes: Discovers the risks of autonomous/technical
The content of this document does not include detailed audit plans or the detailed controls and test of controls that are required when designing an audit plan. The content from this document can be leveraged by the reader when assessing risks and determining what components may be needed within the audit plan. It is recommended that the reader review blockchain-oriented audit plans, audit guidance or relevant information that may be available from the following organizations:
● American Institute of Certified Public Accountants (AICPA)
● Canadian Institute of Chartered Accountants (CICA)
● Information Systems Audit and Control Association (ISACA)
● The Institute of Internal Auditors (IIA)
In addition, several other topics are considered out of scope for this technical report but are highly recommended for future study. These include:
● Data and process operations performed off the blockchain. This would include the provenance, integrity, and confidentiality of off-chain data, business processes, and operations.
● Specific capabilities necessary to judge the authenticity of an input document to the blockchain. For example, this technical report does not address the usefulness, completeness, truthfulness, or accuracy of data or documents input to the blockchain system.
● Specific technical considerations for providing assurance over data or processes supporting blockchain operations but performed off-chain.
● Credit and/or market risks arising from the application of blockchain technologies or consensus mechanisms. Whether these apply depends on the scope of the specific blockchain application under consideration.
1 Note that a 'permissioned' system is one in which some control and governance, established by agreement of the parties participating in the system, exists to determine who or what is allowed to read, write, or in other ways manage, operate, or govern the system. Some blockchain systems are public and considered 'permissionless' such that anyone with the requisite hardware, software, and skill can participate in all or most activities of the network. These types of systems may introduce additional risks beyond the scope of this report.