Blockchain Security Consulting
Prove Your Blockchain is Secure
Anyone who wants to leverage blockchain technologies to advance their business is faced with the task of demonstrating it can securely process the information the technology is managing. There may be no greater need for a blockchain based organization than the need to prove to customers, regulators and management that information is safe in their hands.
Simply put, we help provide that proof. Knowing their blockchain environments are secure, and being able to prove so, allows our clients to focus on more important things… like growing their business.
Who is Demanding Your Blockchain is Secure?
In our experience, the reason you need to pay attention to securing your blockchain environment is because someone (or many someones) is asking… nay, demanding that you show it is secure.
But how do you go about proving your blockchain environment is secure? Even more challenging, how do you do this in an efficient, effective and repeatable way?
Proving Technology and Apps Can Securely Process Data is Our Thing
Although Satoshi Nakamoto might disagree, blockchain technology is still relatively new. It comes with its own language that includes terminology many people are not familiar with and when things are unfamiliar, they feel scary.
Fortunately, the concepts of risk management and information security have been around for a much longer time and, with the right help, are easily adapted to the unique challenges brought about by blockchain technology.
We have been in the “prove you are secure and compliant” business for over 20 years. Because of our experience working within a wide range of industries and organizations, we have the experience and expertise to bring the information security & risk management methodologies used to prove other technologies are secure to blockchain.
The Pivot Point Security Proven Process to Prove Your Blockchain is Secure
Information Security Management System (ISMS) Strategy/Framework Selection – Determining the optimal approach to ISMS development in light of industry, regulatory compliance, and attestation requirements. For example, should a Blockchain service provider to Financial Service companies leverage NIST, SOC 2, ISO 27001 or some combination of those three standards? We will analyze where you are, where you want to be and decide on the standards we should align with.
ISMS Scope Determination & Optimization – Scope determination is critical to proving any environment is secure. The scope needs to be broad enough to ensure that it will satisfy key stakeholders (e.g., clients, shareholders) but narrow enough to ensure the initial effort remains manageable.
Risk Assessment – Risk Assessment/Management is fundamental to an ISMS. While we are advocates of ISO 27005, we also use other standards, including OCTAVE, OCTAVE-S, NIST SP 800-30 and AS/NZS 4360, to run contextualized risk assessments.
Risk Treatment Plan Development – The risk treatment plan defines the controls required, including the necessary extent and rigor, to treat (mitigate) risk to a level that is deemed acceptable. It is a fundamental ISMS artifact in many standards and forms the basis for the gap assessment.
ISMS Gap Assessment – Understanding the gap between the current and desired state of the Information Security Management System (e.g., ISO 27001) is a key input into a “Prioritized Roadmap” (Gap Remediation Plan).
Security Controls Gap Assessment – Understanding the gap between the current and desired state of the control practices is a key input into a “Prioritized Roadmap” (Gap Remediation Plan). ISO-27002 Gap Assessments (and derivatives like Shared Assessments and HITRUST) are widely used outside of ISO 27001 certification efforts as a “best security practices” gap assessment and can also be used to serve as a form of design/operational attestation.
Prioritized Roadmap Definition – Roadmaps define the activities, approach and responsibilities necessary to address identified gaps in the timeframe required to achieve project objectives, including any certifications/attestations you may want to achieve.
Gap Remediation Facilitation/Support – Ideally, gap remediation will be largely accomplished by the internal team, rather than a third party (like Pivot Point Security). An internally focused approach that leverages a third party for subject matter expertise on demand, templates and artifact validation maximizes the development of organizational knowledge/expertise, ensures that key personnel are “stakeholders” in the resultant control environment and prevents an organization from being overly reliant on a third party to operate the ISMS post certification… we should not be your crutch but rather your jet pack.
Security Metrics – Security metrics are critical to the optimal operation of an ISMS, as they are integral to demonstrating the continuous improvement principles that are inherent in most ISMSs. This service is focused on simplifying the process of measuring, reporting and hence systematically improving ISMS effectiveness. Independent of the security framework being leveraged, ISO 27004 provides excellent guidance on security metrics.
Policy, Standards, & Procedure (PSP) Support – PSPs form the backbone of any ISMS. Remarkably, although PSPs are the most basic elements of an ISMS, they are also one of the most complex to implement effectively. This is largely due to the comprehensive and inter-dependent nature of PSPs.
Can You Afford to Ignore Securing Your Blockchain?
Seriously, run an ROI on this… we’ll be happy to help with that BTW. Blockchain technology is moving fast and the players in the game with more buttoned-up security will inherently be more attractive to their prospects and customers.
Security can Be YOUR Strength
Imagine arming your sales team with the weapon they need to slay the competition. Like Thor needed Stormbreaker to defeat his enemy, your team needs security proof to win in the blockchain game. Be the hero, forge the axe, save the galaxy.