ISACA issues new audit programs for blockchain, CASBs and GDPR

Auditors face an onslaught of new technologies, systems and regulations to incorporate into assessments. New audit programs from global technology association ISACA give auditors additional frameworks for toolkits to provide assurance for blockchain, cloud access security brokers (CASBs) and the EU GDPR.

The Blockchain Preparation Audit Program helps organizations manage the preparation for using blockchain technology–the underlying distributed network system often associated with the decentralized cryptocurrency, bitcoin–found in applications across myriad industries.

Covering all aspects of blockchain, from pre-implementation, governance, development, security, transactions and consensus, this program guides auditors in identifying and developing key policies, procedures and controls to mitigate risk and streamline processes prior to a blockchain implementation and includes a blockchain technology audit preparation program worksheet.

By using this program, auditors gain tools to:

• Provide management with an assessment of whether their proposed blockchain technology control environment is adequately designed and operationally effective
• Identify potential blockchain risks which could result in reputational and/or material financial impact
• Provide management with a holistic perspective on blockchain technology that considers both technical and non-technical factors.

To assist IT auditors assess the effectiveness of CASB solutions, ISACA releases the Cloud Security Access Broker (CASB) Audit Program. Enterprises often use CASBs to manage risks, such as those associated with various deployment models, identity management, and compliance with data drive regulations.

This audit program factors in several considerations auditors should keep in mind when assessing whether operational and compliance expectations can be met with their CASB deployment, including:

• Data security, particularly as related to expectations of regulated data
• Identity management of users, inclusive of privileged users and enhanced access groups
• Mitigation of risks associated with different deployment models
• Asset management and protection through security initiatives such as physical security and though program management (key management and incident response as examples).

Following the 25 May 2018 implementation date, the EU General Data Protection Regulation (GDPR) gives EU residents control over their personal data wherever this data may reside, standardizing regulation across the EU and the European Economic Area (EEA) as well as affecting all enterprises that process data from EU/EEA countries.

The GDPR Audit Program for Small and Medium Enterprises offers an audit framework to assess how effectively GDPR is governed, monitored and managed. It provides guidance to:

• Provide management with an assessment of GDPR policies and procedures and their operating effectiveness
• Identify control weaknesses which could result in increased use of unsanctioned GDPR solutions (and higher likelihood that the solutions are not detected)
• Evaluate the effectiveness of the organization’s practices and ongoing management of GDPR.