Blockchain Maturity Model


Blockchain Maturity Model: helping you to get from Proof-of-Concept to production (kpmg.nl)

What is the blockchain maturity model?

Introduction
Blockchain or Distributed Ledger Technology (DLT) is seen as a revolutionary new technology that might enable potentially significant cost savings and efficiency gains. Blockchain enables multiple parties in a value chain to work together efficiently on the basis of a single source of truth. This facilitates sharing data between multiple parties, transferring value digitally and eliminating the need for costly reconciliations.

New risks
Due to the nature of blockchain, implementing distributed ledger technology also introduces new and specific risks that do not exist in more traditional centralized systems. This raises the question whether new blockchain implementations will be sufficiently in control when moving from the proof-of-concept phase to production. KPMG has identified eight specific blockchain risk areas, including interoperability, security, access management, privacy and scalability.

Quick scan
KPMG has developed a blockchain maturity model which helps to get a grip on the specific risks associated with blockchain implementations. This framework helps you to understand the IT risk maturity of the blockchain implementation in all eight risk areas. The assessment enables you to identify weak points and to spot opportunities for improvement. The overall report provides you with concrete pointers on how to improve and raise your blockchain maturity level.

2017 KPMG N.V., a Dutch limited liability company, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

Which levels does the maturity model contain?

Maturity levels
The KPMG Blockchain Maturity Model is based upon the Capability Maturity Model Integration (CMMI) for IT maturity. CMMI is a model owned by ISACA, the international professional body for IT governance. CMMI uses five maturity levels, ranging from 1 (processes unpredictable, poorly controlled; lowest level) to 5 (focus on process improvement; highest level):

- Level 1 - Initial: processes unpredictable, poorly controlled and reactive
- Level 2 - Managed: processes characterized for projects and often reactive
- Level 3 - Defined: processes characterized for the organization and proactive
- Level 4 - Quantitatively managed: processes measured and controlled
- Level 5 - Optimizing: focus on process improvement

Based on the CMMI scale you can easily define your ambition level for blockchain maturity.

Scoring
KPMG scores each blockchain risk area against the CMMI maturity model, resulting in a maturity score per risk area. This helps you to identify which risk areas are below your desired maturity level. KPMG provides specific recommendations to improve the maturity level and to help you get your blockchain Proof-of-Concept to production level from an IT governance perspective.

What are the risk areas of the blockchain maturity model?

1. Access and user management: blockchain specific access and user management risks such as management of cryptographic keys, unauthorized access of participants and uniquely identifiable users.
2. Authorization and provisioning management: blockchain specific authorization and provisioning management risks such as segregation of duties, incorrect authorizations and abuse of high privileged or over-authorized users.
3. Data management: blockchain specific data management risks such as data confidentiality, integrity and availability.
4. Interoperability: blockchain specific interoperability risks such as integrating with legacy systems and failure to fully integrate IT legacy and blockchain internal control mechanisms.
5. Scalability and performance.
6. Change management: blockchain specific change management risks such as agreement by all participants, slow adoption and forking.
7. Privacy: blockchain specific privacy risks such as the append-only data structure, the right to be forgotten and GDPR.
8. Security: blockchain specific security risks such as the consensus mechanism chosen and the number and location of nodes.

How does the maturity model scoring work?

The model contains blockchain specific risks grouped in eight IT risk areas. Each of these risk areas contains multiple risks. For each risk a number of controls have been defined to allow KPMG to assess the maturity on that specific risk.

[Figure: the eight IT risk areas (1. Access and user management, 2. Authorization and provisioning management, 3. Data management, 4. Interoperability, 5. Scalability and performance, 6. Change management, 7. Privacy, 8. Security), with Data management expanded into three risks: data used within the DLT is invalid or not accurate; data is unavailable for the system; data is visible for non-authorized parties. Two example controls for the first risk are shown: data integrity verification procedures are described; an assessment has been performed of the implementation and security of the oracles used by the DLT.]

Time schedule

Day 1:  Kick-off meeting; discuss blockchain use case; determine stakeholders for data gathering
Day 2:  Interviewing stakeholders; gathering documentation
Day 3:  Interviewing stakeholders; gathering documentation
Day 4:  Interviewing stakeholders; gathering documentation
Day 5:  Analyzing received information; filling in blockchain maturity model
Day 6:  Analyzing received information; filling in blockchain maturity model
Day 7:  Discuss findings with interviewees
Day 8:  Creating report with findings
Day 9:  Creating report with findings
Day 10: Present report with findings and recommendations

Maturity assessment in detail

Assessment questions
The full model consists of 8 risk areas; each risk area has several risks and for each risk there is a set of maturity questions. As an example we have taken one risk from the Data management construct, "Data used within the DLT is invalid or not accurate" (data is modified, inserted or deleted inappropriately). The table below shows the associated maturity self-assessment questionnaire and the maturity level reached when a question is answered "yes".

Construct: Data management
Risk: Data used within the DLT is invalid or not accurate.

Risk ID | Maturity self-assessment question | If yes: maturity level
4.1.1 | Integrity verification procedures are described. | 2
4.1.2 | History of data in the DLT is immutable. | 3
4.1.3 | Error checking mechanisms are in place to check entered data, such as input validation (completeness checks) to preclude the entering of invalid data and error detection/data validation to identify errors in data. | 3
4.1.4 | Controls are in place as conditions to be verified before data is updated. | 3
4.1.5 | An assessment has been performed of the implementation and security of the oracles used by the DLT. | 3
4.1.6 | Real world objects tracked in the DLT are on-boarded by a trusted party. | 3
4.1.7 | A checkpointing system is implemented in the DLT to ensure data availability. | 3
4.1.8 | A monitoring system is in place to verify the data integrity of underlying data sources connected to the DLT. | 4

Literature: (Robeco: Jeroen van Oerle & Lemmens, 2016); (Tasca et al., n.d.); (Morabito, 2017; Trautman, 2016); (Rights, 2017); (Hardy et al., 2008; ISACA, 2017; ITIL, 2013; NIST, 2016; OWASP, 2008).

[Figure: Data management with its three risks: data used within the DLT is invalid or not accurate; data is unavailable for the system; data is visible for non-authorized parties.]
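The scoring in the table above, implemented in Python as an added example (not KPMG's own tooling). It assumes a staged rule, which the page does not spell out: a risk reaches a level only when every question at that level and at all lower levels is answered "yes", and an area's score is the lowest level among its risks, the rule that reproduces the findings slides (risks at 3, 3 and 2 give an area score of 2). The 4.2.x questions are constructed for illustration.

```python
from dataclasses import dataclass

# CMMI level names as the KPMG slides use them.
LEVEL_NAMES = {1: "Initial", 2: "Managed", 3: "Defined",
               4: "Quantitatively managed", 5: "Optimizing"}


@dataclass(frozen=True)
class Question:
    qid: str    # questionnaire id, e.g. "4.1.1"
    text: str
    level: int  # the "If yes: maturity level N" column


# Risk 4.1 of Data management with the eight questions from the slide.
RISK_4_1 = ("Data used within the DLT is invalid or not accurate", (
    Question("4.1.1", "Integrity verification procedures are described", 2),
    Question("4.1.2", "History of data in the DLT is immutable", 3),
    Question("4.1.3", "Error checking mechanisms such as input validation are in place", 3),
    Question("4.1.4", "Controls are verified as conditions before data is updated", 3),
    Question("4.1.5", "Implementation and security of used oracles have been assessed", 3),
    Question("4.1.6", "Real world objects tracked in the DLT are on-boarded by a trusted party", 3),
    Question("4.1.7", "A checkpointing system is implemented to ensure data availability", 3),
    Question("4.1.8", "Integrity of underlying data sources connected to the DLT is monitored", 4),
))

# Constructed second risk with hypothetical questions, only to show area aggregation.
RISK_4_2 = ("Data is unavailable for the system (constructed questions)", (
    Question("4.2.1", "Node availability requirements are documented (hypothetical)", 2),
    Question("4.2.2", "Node outages are detected and alerted on (hypothetical)", 3),
))

ALL_YES = {q.qid: True for _, qs in (RISK_4_1, RISK_4_2) for q in qs}


def risk_level(questions, answers):
    """Staged scoring (assumption): level L is reached only when every question
    at level L and at all lower levels is answered True. A level with no
    questions cannot be demonstrated, so scoring stops below it."""
    reached = 1
    for lvl in range(2, 6):
        at_level = [q for q in questions if q.level == lvl]
        if not at_level or not all(answers.get(q.qid, False) for q in at_level):
            break
        reached = lvl
    return reached


def area_score(risks, answers):
    """Area score is the weakest risk in the area; this is the rule that
    reproduces the findings slides (risks at 3, 3, 2 give area score 2)."""
    return min(risk_level(qs, answers) for _, qs in risks)


def findings(area, risks, answers):
    """Render findings in the shape of the assessment slides, naming the
    unanswered questions that block the next level."""
    score = area_score(risks, answers)
    lines = [f"{area} Score: {score} - {LEVEL_NAMES[score]}"]
    for name, qs in risks:
        lvl = risk_level(qs, answers)
        blockers = [q.qid for q in qs
                    if q.level == lvl + 1 and not answers.get(q.qid, False)]
        note = f" (next level blocked by {', '.join(blockers)})" if blockers else ""
        lines.append(f"Risk: {name}, maturity level {lvl}{note}")
    return "\n".join(lines)


# Constructed sample answers: data-source monitoring (4.1.8) and outage
# alerting (4.2.2) are still missing.
SAMPLE_ANSWERS = {**ALL_YES, "4.1.8": False, "4.2.2": False}

if __name__ == "__main__":
    print(findings("Data management", (RISK_4_1, RISK_4_2), SAMPLE_ANSWERS))
```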

Blockchain maturity model assessment findings: Access and user management

Score: 2 - Managed

[Chart: maturity level (0-5) per risk in this area.]

Risk: authentication mechanisms are not working, maturity level 3
Procedures regarding certificate generation, distribution, storage, use and destruction exist on a technical level. Business procedures are yet to be written. The platform uses standard login methods; however, in the first phase the system will use a dedicated login system. Due to regulation that differs per country, the authentication mechanisms used to interface with the DLT can be different for each participant. Digital certificates can be stored both on a hardware device and in software; however, periodic checks to confirm the correct working of certificate storage are not performed. Periodic re-issuing/revocation of certificates is not implemented.

Risk: XYZ, maturity level 3
Analysis here

Risk: ABC, maturity level 2
Analysis here

Blockchain maturity model assessment findings: Authorization and provisioning management

Score: 3 - Defined

[Chart: maturity level (0-5) per risk in this area.]

Risk: abuse of high privileged users, maturity level 3
Procedures are in place that ensure that super user access and authorization is restricted to an appropriate (limited) group of individuals. System-enforced dual controls on super user actions are not in place; however, periodic reviews of the actions of high privileged users are taking place.

Risk: XYZ, maturity level 4
Analysis here

Blockchain maturity model assessment findings: Interoperability

Score: 2 - Managed

[Chart: maturity level (0-5) per risk in this area.]

Risk: current security mechanisms in place do not cover all risks, maturity level 2
There is a process in place in which the organization documents interface characteristics, security requirements and the nature of information communicated between legacy systems and the blockchain. However, there are no monitoring controls in place to check the correct working of interfaces between the blockchain and legacy systems. Also, no periodic reviews of interface standards have been scheduled.

Risk: XYZ, maturity level 3
Analysis here

Blockchain maturity model assessment recommendations

[Figure: benchmark wheel of the eight risk areas: Access and user management, Authorization and provisioning management, Data management, Interoperability, Scalability and performance, Change management, Privacy, Security.]

Recommendation: Access and user management
While the preventative controls are implemented, we do see room for improvement in implementing more detective controls, such as periodic checks on access rights and associated digital identities. Another suggestion would be to perform monitoring to be able to spot when malicious actors are trying to obtain access to the system.

Recommendation: Authorization and provisioning management
While authorizations for regular users are thoroughly managed, the access of high privileged users is inadequately supervised and dual control is lacking. Implementing dual control on super user actions is recommended.

Recommendation: Interoperability
It is recommended to implement monitoring on all connections from the blockchain implementation to legacy systems. Additionally, it is recommended to perform periodic reviews of interface standards.

The benefits of the maturity model

Clear insight into blockchain risks
This framework helps you to understand the IT risk maturity of the DLT implementation across eight risk areas.

From proof-of-concept to production
Going from proof-of-concept to a production-ready system requires a good view of IT risks. The maturity model identifies weaknesses in your existing blockchain solution.

Concrete action plan
The assessment gives concrete pointers to risk areas for improvement and concrete recommendations on how to improve and raise to the next blockchain maturity level.

Unique and validated model
This assessment, with its specific blockchain focus, is unique in the current market, is based upon solid research, IT risk standards and years of experience, and was validated with clients.

Credentials

Digital Trade Chain - KPMG has performed a blockchain maturity assessment on the We.Trade (formerly known as Digital Trade Chain) proof-of-concept which Rabobank is running together with Deutsche Bank, HSBC, KBC, Natixis, Société Générale, Unicredit and Banco Santander. We.trade is a blockchain-based digital platform for managing and tracking domestic and cross-border Open Account trade transactions securely. The aim of the platform is to make domestic and cross-border commerce easier for European small and medium-size (SME) businesses by harnessing the power of blockchain. With a schedule to go live in Q2 2018, it will be one of the very first blockchain applications running in a production setting.

Chris Huls, Teamlead Blockchain at Rabobank: "The blockchain maturity model enabled us to get a clear grip on our IT risks when implementing a new blockchain solution."

Contact details

Hardwin Spenkelink, Senior consultant, KPMG Digital Ledger Services
Mob: +31 (0) 6 10 125 756
Spenkelink.Hardwin@kpmg.nl

Dennis de Vries, Lead KPMG Digital Ledger Services Netherlands
Mob: +31 (0) 6 43 817 117
devries.dennis@kpmg.nl

Martijn Berghuijs, Director, KPMG Innovation Advisory
Mob: +31 (0) 6 51 366 540
Berghuijs.martijn@kpmg.nl

The KPMG name and logo are registered trademarks of KPMG International.