Understanding Blockchain and Its Role in Compliance

As a young consultant joining the assurance space, I was looking for opportunities to work in emerging technologies. Candidly, I just wanted to work on ‘cool’ clients, and those in the emerging tech space seemed to fit the bill. A fortunate conversation with a partner at my firm turned into a long discussion about blockchain and cryptocurrencies.

This was around 2019, and I had a faint understanding of crypto that was limited to knowing that Bitcoin existed, and that a guy I knew in high school had somehow made enough money to buy himself a brand-new BMW M3.

He tried to convince me to buy some, but it sounded like a scam. When he totaled that BMW and was promptly able to purchase a new one, I figured it had to be a scam because no high schoolers made that kind of money authentically.

The conversation with this partner, however, offered a change of tune that made me realize not only was this high schooler on to something in 2012, but that I probably missed out on making a fortune. This partner is an incredibly intelligent person whom I looked up to, who taught me about the underlying tech and its potential to completely change entire industries.

I figured if he believed in it that much, there must be something to it I didn’t understand. But I knew I wanted to learn.

What Is Blockchain?

Blockchain is defined as a shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network. All participants on the network using the shared database are referred to as nodes connected to the blockchain, with each maintaining an identical copy of the ledger. When one participant wants to transact with another, all nodes must use the pre-determined consensus mechanism to validate that transaction.

Upon validation, all copies of the ledger are updated with the new transaction information (i.e., a new block is added to the chain). These transactions, or blocks of transactions, cannot be deleted or altered. In the event of an alteration, the rest of the network would reject the alteration and exclude it from the blockchain.
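The hash linkage that makes the ledger tamper-evident, as an added example that is not part of the original article: each block stores the SHA-256 digest of its own contents together with the previous block's digest, so editing any recorded transaction breaks that block's stored hash, and recomputing the hash to hide the edit breaks the next block's link instead. The block fields, transactions and timestamps are constructed sample data, and validate_chain stands in for the network nodes that would reject the altered copy.

```python
"""Toy hash-chained ledger showing why an altered block is detected.
Added example (not from the article); all block contents are constructed sample data."""
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # the first block links to an all-zero digest


@dataclass
class Block:
    index: int
    timestamp: int            # constructed fixed values keep the demo deterministic
    transactions: list
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so identical content always
        # gives the same digest; the stored hash itself is excluded from the input.
        body = {"index": self.index, "timestamp": self.timestamp,
                "transactions": self.transactions, "prev_hash": self.prev_hash}
        encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(encoded).hexdigest()


def build_chain(batches):
    """Append one block per batch of transactions, each linked to its predecessor."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        blk = Block(index=i, timestamp=1_700_000_000 + i, transactions=txs, prev_hash=prev)
        blk.hash = blk.compute_hash()
        chain.append(blk)
        prev = blk.hash
    return chain


def validate_chain(chain):
    """Return (True, None, None) when every block matches its content and links to
    its predecessor; otherwise (False, index, reason) for the first broken block."""
    expected_prev = GENESIS_PREV
    for blk in chain:
        if blk.prev_hash != expected_prev:
            return False, blk.index, "prev_hash does not match previous block"
        if blk.hash != blk.compute_hash():
            return False, blk.index, "stored hash does not match block content"
        expected_prev = blk.hash
    return True, None, None


def tamper_demo():
    """Alter a recorded amount, then try to cover it up by re-hashing that block."""
    chain = build_chain([
        [{"from": "alice", "to": "bob", "amount": 5}],
        [{"from": "bob", "to": "carol", "amount": 2}],
        [{"from": "carol", "to": "dave", "amount": 1}],
    ])
    chain[1].transactions[0]["amount"] = 200      # the edit
    after_edit = validate_chain(chain)            # block 1's stored hash no longer matches
    chain[1].hash = chain[1].compute_hash()       # attacker re-hashes block 1 ...
    after_rehash = validate_chain(chain)          # ... but block 2 still links to the old digest
    return after_edit, after_rehash


if __name__ == "__main__":
    print(tamper_demo())
```

Rewriting one block therefore means rewriting every block after it, which is exactly what the consensus mechanism prevents an individual participant from doing unilaterally.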

[Figure: Blockchain process]

Who Are the Key Players?

You can categorize key players into the following groups: Digital Asset Wallet Providers, Digital Asset Exchanges, Digital Asset Custodians, Cryptocurrency Payment Companies, and Utility Tokens.

These service providers need to be able to prove to customers that their platforms are secure. Some questions that a user entity of these service providers should ask are:

  • How are digital assets going to be secured?
  • How will the service provider prevent misappropriation of assets?
  • What controls does the service provider have in place to reconcile customer balances to protect blockchain data?
  • Does the service provider charge a fee to process transactions? If so, how are they ensuring the fee amount is agreed to by the customer?

These groups and the organizations within them serve a mosaic of use cases, including supply chain tracking, financial transaction management, identity management, and much more. Given the relatively nascent nature of the technology and the lack of regulation in the industry, comprehensive and scalable risk assessment frameworks are imperative.

How Does Third-Party Assurance Tackle This New and Complex Technology?

As the volume of entities and enterprises entering this space grows, the need for assurance in their use of the technology amplifies. These entities need to be aware of the risks involved and how to mitigate them appropriately.

In recent years, scandals have rocked the world of blockchain and digital assets, with “rug-pulls” becoming a known term. These scams, where developers or creators withdraw all funds or liquidity and disappear, raise significant concerns about the availability of services and access to funds for customers.

This is where Third-Party Assurance can step up. SOC 2, for example, provides critical assurance for blockchain systems by establishing rigorous security controls, third-party validation, and continuous compliance monitoring tailored to decentralized environments.

A SOC 2 report can provide assurance against traditional and blockchain-specific risks at a service provider. This is achieved by evaluating their controls over Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Other examples include:

  • Immutable compliance evidence (such as automating evidence collection for access controls, security patches, incident responses, and other factors)
  • Third-party risk mitigation, such as vendor compliance with appropriate security standards
  • Regulatory alignment, including compliance with GDPR, CCPA, and financial regulations through documented data handling practices.

Key Blockchain and Digital Asset Terminology

Distributed Ledger Technology (DLT): A distributed, decentralized ledger technology that records transactions across a network of computers. Each transaction is grouped in a block and linked chronologically in a chain.

Block: A collection of transaction data.

Chain: A linked sequence of blocks, each referencing the previous one via a cryptographic hash.

Hashing: A cryptographic function that converts input data into a fixed-length string.

Nodes: Individual computers in the blockchain network that store copies of the ledger and follow the protocol.

Smart Contracts: Self-executing contracts with terms directly embedded into their code that execute actions automatically when predefined conditions are met.

Tokens and Digital Assets:

  • Cryptocurrency: Digital currency native to a blockchain (e.g., Bitcoin and Ether)
  • Utility Tokens: Provide access to a service or product.
  • Security Tokens: Represent ownership in an asset, subject to securities regulation.
  • Non-Fungible Tokens (NFTs): Unique digital assets verified on chain.

Public Blockchain: Open, permissionless networks (e.g., Bitcoin, Ethereum)

Private Blockchain: Permissioned networks with restricted access (e.g., Hyperledger Fabric)

Consensus Mechanisms: Protocols used by blockchain networks to agree on the validity of transactions and maintain the integrity of the distributed ledger.

  • Proof-of-Work (PoW): Requires computational work to validate transactions (e.g., Bitcoin). PoW is very secure, but because of the mathematical computations required, it can be energy intensive.
  • Proof-of-Stake (PoS): Validators for each block are chosen based on the number of coins they stake. This is a faster and more energy-efficient alternative to PoW. However, there is a risk of centralization because wealthier users gain more control of the network.
  • Delegated Proof of Stake (DPoS): Stakeholders vote for a small number of delegates who validate transactions. This consensus mechanism allows for high throughput but can pose a risk of cartel-like behavior among delegates.
  • Proof of Authority (PoA): Allows a few trusted nodes to validate transactions based on reputation or permission. This is arguably the fastest and most efficient type of consensus mechanism, but also the least transparent, which is why it is most commonly seen on private blockchains.
  • Practical Byzantine Fault Tolerance (PBFT): Nodes reach consensus through majority agreement despite possible malicious actors. This allows for high security and speed in small networks, but is not scalable for large public networks.
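How proof-of-work turns "computational work" into a validation requirement, as an added example that is not the article's own code: a miner repeatedly hashes the block header with a changing nonce until the digest falls below a target fixed by the difficulty, while anyone else can verify the result with a single hash. The header bytes are constructed sample data and the difficulty values are chosen to keep the demo fast; the energy cost the article mentions is the attempt count, which roughly doubles with every extra bit of difficulty.

```python
"""Toy proof-of-work: search for a nonce whose header hash is below a target.
Added example (not from the article); the block header is constructed sample data."""
import hashlib


def header_hash(header: bytes, nonce: int) -> int:
    """SHA-256 of header || nonce, interpreted as a 256-bit integer."""
    digest = hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big")


def target_for(difficulty_bits: int) -> int:
    # A hash below this target has at least `difficulty_bits` leading zero bits.
    return 1 << (256 - difficulty_bits)


def verify_pow(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is a single hash, regardless of how much work mining took."""
    return header_hash(header, nonce) < target_for(difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_attempts: int = 1 << 24):
    """Return (nonce, attempts); attempts is nonce + 1 because the search starts at 0."""
    target = target_for(difficulty_bits)
    for nonce in range(max_attempts):
        if header_hash(header, nonce) < target:
            return nonce, nonce + 1
    raise RuntimeError("no valid nonce found within max_attempts")


SAMPLE_HEADER = b"prev=0000|merkle=constructed|ts=1700000000"  # constructed header


def work_comparison():
    """Attempts needed at several difficulties: each extra bit roughly doubles the work."""
    return {bits: mine(SAMPLE_HEADER, bits)[1] for bits in (0, 8, 12, 16)}


if __name__ == "__main__":
    print(work_comparison())
```

The asymmetry between mine and verify_pow is the point: honest nodes validate cheaply, while rewriting history would require redoing the search for every subsequent block.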

When I stepped into this space, I knew it would be a wild ride. Between the ever-changing regulatory landscape, emerging use cases beyond anything I could have conceptualized, and the volatile nature of the industry, the ride has been much like the technology itself: complex.

The see-saw can be balanced with the right expertise and assurance, allowing the pioneers to focus on innovating.

To learn more about applying the benefits of blockchain assurance, contact us.

Sensiba LLP, a Top-75 accounting and business consulting firm, is proud to announce its designation as a HITRUST Authorized External Assessor.

This authorization enables Sensiba to conduct assessment and audit services associated with the HITRUST Framework (HITRUST CSF®), addressing a wide range of security, privacy, and regulatory considerations for client organizations.

The HITRUST CSF is a robust framework designed to integrate the requirements of multiple standards and regulations including HIPAA, SOC 2, NIST, ISO/IEC 27001, and others. The framework was developed by HITRUST, an independent organization responsible for certifying businesses that have been independently assessed for compliance with its CSF.

HITRUST compliance can help organizations improve their security infrastructure while meeting the data protection and privacy expectations of customers, business partners, and regulators.

“We’re proud to support our clients with HITRUST CSF assessments and audits,” said Jeff Stark, technology practice leader at Sensiba. “This designation reinforces our commitment to delivering a full spectrum of security and compliance services, helping organizations of all sizes meet stringent regulatory standards.”

HITRUST Authorized External Assessors serve as a key component of the HITRUST CSF Assurance Program by providing assessment services to all industries that handle sensitive data.

“Becoming a HITRUST Authorized External Assessor aligns seamlessly with our mission to help clients enhance risk management and compliance, ultimately strengthening trust with their customers, partners, and stakeholders,” said Bill Confer, HITRUST practice leader at Sensiba. “This designation strengthens our ability to support organizations in achieving and maintaining a robust cybersecurity posture.”

The HITRUST Authorized External Assessor designation marks the most recent addition to Sensiba’s suite of Risk Assurance Services (RAS). The firm’s RAS offerings include SOC reporting; certifications for ISO/IEC 27001, 27701, and 42001, and other standards; HIPAA compliance audits; penetration testing; and NIST framework reporting. Sensiba is also a Cybersecurity Maturity Model Certification Registered Provider Organization.

ISO/IEC 42001:2023 Readiness Checklist 

The ISO/IEC 42001 standard offers guidance to help organizations deploy AI efficiently and mitigate security and governance risks by developing an Artificial Intelligence Management System (AIMS).  

ISO/IEC 42001 is designed to be adaptable to various organizations’ needs, allowing for flexibility in implementation while adhering to the core principles of AI governance.

We’ve prepared a readiness checklist to help you develop a comprehensive plan for the audit. Our guide provides an overview of the audit process, the documents you’ll need to prepare, and the steps you can expect as you align your AIMS with the standard’s requirements.

Decoding InfoSec: The World of Information Security

Whether it’s a headline-grabbing ransomware attack or a quiet data breach that leaks sensitive customer information, cyberattacks can jeopardize trust in an organization, disrupt its operations, and cause lasting damage.

Information security (InfoSec) is the practice of safeguarding your organization’s most valuable data. Whether it’s customer data, intellectual property, or internal communications, InfoSec ensures your information stays protected from unauthorized access, disclosure, or destruction.

What Is Information Security?

At its core, information security is about protecting information assets using a holistic discipline that combines people, processes, and technology to safeguard data from threats.

One of the foundational concepts in InfoSec is the CIA Triad:

  • Confidentiality: Ensuring sensitive data is accessible only to authorized users. This may include, for example, encrypting customer data.
  • Integrity: Maintaining the accuracy and trustworthiness of data. This may include controls to prevent a user from making unauthorized changes to financial records.
  • Availability: Making sure information and systems are accessible when needed. This can include systems and tools designed to ensure a customer portal stays online.

[Figure: InfoSec CIA Triad]

It’s also important to understand how cybersecurity fits into this picture. While InfoSec covers all forms of information, including paper records and verbal communications, cybersecurity focuses specifically on protecting digital assets such as networks, systems, and data.

Why Does InfoSec Matter?

On an organizational level, safeguarding sensitive information (such as customer data and intellectual property) is critical. A single data breach can erode customer confidence while, in contrast, demonstrating robust InfoSec practices helps your organization earn and retain stakeholder trust.

Effective InfoSec also plays valuable roles in ensuring business continuity. Downtime from a security incident can halt operations, but strong InfoSec policies and procedures can help an organization promote resilience and minimize disruptions.

Similarly, InfoSec helps organizations meet regulatory compliance obligations. Laws like the European Union’s GDPR and HIPAA in the United States impose strict data protection requirements. Compliance isn’t optional—it’s a necessity to avoid fines and regulatory inquiries.

On a broader societal level, strong InfoSec practices also protect critical infrastructure, combat cybercrime and terrorism, and foster a secure environment for innovation and economic growth.

Key Areas Within InfoSec

InfoSec isn’t a single action—it’s a collection of practices across different domains that work together to protect your organization’s data, systems, and reputation. Effective security requires a continuous process that spans policies, technology, people, and procedures.

From identifying risks and implementing controls to monitoring systems and responding to incidents, each step builds on the other to create a resilient defense. This layered approach is designed to ensure that if one safeguard fails, others remain in place to protect your critical assets—reducing vulnerabilities and enhancing your organization’s ability to adapt to evolving threats.

Key aspects of InfoSec include:

  • Network Security: Protects your IT networks from unauthorized access or attacks
  • Endpoint Security: Secures devices like laptops and smartphones that connect to your network
  • Data Security: Protects data at rest, in transit, and in use through encryption and access controls
  • Identity and Access Management (IAM): Ensures only authorized users access specific resources
  • Application Security: Embeds security into the software development lifecycle
  • Cloud Security: Applies security best practices to data and services in the cloud
  • Incident Response: Prepares your organization to respond effectively to security incidents
  • Security Awareness and Training: Educates your team on threats like phishing and social engineering.

The Role of InfoSec Frameworks

Frameworks give structure to your InfoSec efforts, helping you meet industry standards and build trust with customers and partners. By aligning with established frameworks like ISO/IEC 27001, NIST CSF, or SOC 2, organizations gain a clear roadmap for identifying risks, implementing controls, and continuously improving their security posture.

These frameworks can help ensure your security measures are comprehensive, consistent, and aligned with regulatory and contractual obligations.

Some of the leading frameworks include:

  • SOC (System and Organization Controls): These reports allow service providers to demonstrate the effectiveness of their internal controls.
    • SOC 1 focuses on financial reporting controls.
    • SOC 2—often the most relevant for InfoSec—covers security, availability, processing integrity, confidentiality, and privacy.
    • SOC 3 offers a general-use summary for public audiences.
  • ISO/IEC 27001: An international standard that guides the creation and maintenance of an Information Security Management System (ISMS), emphasizing a risk-based, process-oriented approach.
  • HITRUST: Offers a broad-ranging framework that integrates requirements from more than 40 global data security standards and regulations.
  • NIST Cybersecurity Framework (CSF): Offers a flexible approach to managing cyber risk with five core functions—Identify, Protect, Detect, Respond, and Recover.

[Figure: SOC 1, SOC 2, and ISO 27001 comparison]

Adopting a recognized framework demonstrates your commitment to safeguarding sensitive information, enhances credibility with stakeholders, and helps you create a competitive advantage in today’s security-conscious marketplace.

By understanding the fundamentals of InfoSec and adopting recognized frameworks, your company can stand out in the marketplace by demonstrating a strong security posture that protects your organization’s reputation as well as your data.

To learn more about the most effective ways to protect your organization and your critical data, contact us.

Sensiba LLP announced it has been accredited by the ANSI National Accreditation Board (ANAB) to certify organizations for the ISO/IEC 42001 standard.

Sensiba received ANAB accreditation following a detailed examination of its ISO certification policies, procedures, and implementation performance. After reviewing Sensiba’s audit process and related documentation, ANAB was satisfied the firm meets its rigorous qualifications for accreditation.

“With AI becoming more important for our clients, securing this accreditation is a significant milestone,” said Risk Assurance Partner Brian Beal. “We’re excited to expand the ISO-related services we provide our clients, reinforcing our commitment to collaborating with them to meet their evolving risk assurance needs.”

ISO/IEC 42001 addresses the AI system lifecycle from initial concepts to final system deployment and operations. The standard is designed to help organizations manage the security and governance risks associated with AI and ensure their systems are developed and used responsibly.

Companies that obtain ISO/IEC 42001 certification after an independent audit can cite their compliance and provide assurance to customers, prospects, regulators, and other stakeholders.

“Being able to award accredited certifications for ISO/IEC 42001 highlights our commitment to serving our clients effectively by meeting the requirements established by ANAB and the International Accreditation Forum,” said Risk Assurance Partner and ISO Practice Leader Scott Dritz. “We’re proud to receive this accreditation.”

Sensiba also provides audits for the ISO/IEC 27001 (information security), 27017 (cloud provider information security controls), 27701 (privacy), and 27018 (privacy in cloud services) standards, as well as security services including HITRUST, penetration testing, HIPAA compliance audits, and others.

Comparing Vulnerability Scanning and Penetration Testing 

Vulnerability scanning and penetration testing (pen testing) are foundational tools in managing risk, prioritizing investments, and building resilience by discovering potential weaknesses across your IT environment.

Learn how your defenses would hold up under real-world attack scenarios by downloading our guide, which highlights the role and value of vulnerability scanning and pen testing in mitigating cyber risk.

You’ll read about each method, their benefits and potential limits, and the power of blending both into an effective cyber defense.

The Rise of Social Engineering and Hackers’ Best Weapons

In today’s threat landscape, cybersecurity is no longer just about firewalls, encryption, and antivirus software. While those technical controls are still crucial, the real battlefield has shifted to something far more unpredictable and challenging to control: human behavior.

Social engineering, the art of manipulating people to give up confidential information or perform actions that compromise security, is rising. And it’s working. In fact, social engineering is now one of the most effective tools in a threat actor’s playbook.

Whether targeting the C-suite, IT personnel, or front-line staff, attackers are finding success not by breaking in, but by tricking someone into opening the door.

Recent publicly revealed examples include:

  • A fake email impersonating the CEO of an aeronautics company led to a finance department employee wiring €50 million supposedly for one of the company’s acquisition projects.
  • In April 2024, the U.S. Department of Health and Human Services (HHS) warned healthcare providers about social engineering attacks in which IT help desks were targeted in an attempt to access provider systems and networks.
  • A finance worker at a multinational firm was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call.

What Is Social Engineering?

At its core, social engineering relies on deception rather than technical skill. The method involves exploiting psychological triggers—such as trust, urgency, or fear—to influence someone’s decision-making. Some of the most common social engineering techniques include:

  • Phishing: Fraudulent emails or messages that trick recipients into revealing credentials, clicking malicious links, or downloading malware. Variants include smishing (text message-based attacks) and vishing (voice phishing over the phone).
  • Pretexting: Attackers create a fabricated scenario to gain information or access, such as posing as a bank representative or IT support staff.
  • Baiting: Using the promise of something enticing (like a free download or a found USB drive) to lure victims.
  • Tailgating or piggybacking: Physically following authorized personnel into restricted areas.
  • Business email compromise (BEC): Impersonating a trusted party to convince someone to transfer funds or data.

Why Social Engineering Is Surging Now

With remote and hybrid work models, traditional security perimeters have dissolved, creating more opportunities for threat actors. Employees face constant information overload, making them more likely to click on fraudulent messages.

Meanwhile, AI-powered tools let attackers create hyper-personalized phishing campaigns that look legitimate. Add in social media oversharing, and it’s easy for hackers to gather intel and impersonate trusted contacts.

The Human Factor: Why It Works

Social engineering attacks succeed because attackers leverage urgency to short-circuit critical thinking and exploit common psychological triggers. Messages framed with urgency (“Act now”), authority (“From your manager”), or fear (“You’re out of compliance”) can push people to act without thinking.

Fear-based approaches about compliance violations or security breaches can trigger immediate responses. Other messages, like fake password requests or suspicious incentive offers, appeal to our curiosity.

Defending Against Social Engineering

Social engineering remains the path of least resistance for threat actors targeting businesses. Effective defense requires a multi-layered approach that combines human awareness with technological controls:

Ongoing and Scenario-Based Security Awareness Training

Security awareness training must be ongoing and scenario-based, not just annual checkbox exercises. Employees need practical examples of current phishing tactics and manipulation methods relevant to their roles.

Simple and Accessible Reporting Procedures

Establish clear reporting procedures that are simple and accessible. When employees suspect an attack, they should know precisely how to report it without fear of punishment, even if they’ve already clicked a suspicious link.

Implementation of Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) provides critical protection when credentials are compromised. Implement phishing-resistant options like hardware keys or push notifications with number-matching where possible.

Establishment of Procedural Controls for Sensitive Activities

Implement procedural controls for sensitive activities. Require verbal confirmation for wire transfers, establish separation of duties for financial transactions, and create approval workflows for data access requests.
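One way to turn the procedural controls above (verbal confirmation, separation of duties, approval workflow) into an enforceable pre-release check, added here as an example that is not from the article: the transfer is held until a second person has phoned the beneficiary's known-good number, the requester is not among the approvers, and larger amounts carry two distinct approvals. The thresholds, field names and sample requests are constructed assumptions.

```python
"""Pre-release check for a wire-transfer request: separation of duties, an
out-of-band callback by someone other than the requester, and dual approval
above a threshold. Added example (not from the article); thresholds and sample
requests are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

CALLBACK_REQUIRED_ABOVE = 10_000   # constructed policy thresholds
DUAL_APPROVAL_ABOVE = 50_000


@dataclass
class WireRequest:
    request_id: str
    requested_by: str
    amount: float
    beneficiary_account: str
    callback_verified_by: Optional[str] = None   # who phoned the beneficiary's known-good number
    approvals: List[str] = field(default_factory=list)


def control_violations(req: WireRequest) -> List[str]:
    """Return every violated control; an empty list means the transfer may be released."""
    problems = []
    approvers = set(req.approvals)
    if req.requested_by in approvers:
        problems.append("requester may not approve their own transfer")
    if len(approvers) != len(req.approvals):
        problems.append("same approver counted twice")
    if req.amount > CALLBACK_REQUIRED_ABOVE:
        if req.callback_verified_by is None:
            problems.append("verbal callback to a known-good number not recorded")
        elif req.callback_verified_by == req.requested_by:
            problems.append("callback must be performed by someone other than the requester")
    needed = 2 if req.amount > DUAL_APPROVAL_ABOVE else 1
    if len(approvers) < needed:
        problems.append(f"needs {needed} approver(s), has {len(approvers)}")
    return problems


def may_release(req: WireRequest) -> bool:
    return not control_violations(req)


# Constructed sample requests: the first follows the procedure; the second is the
# shape a CEO-impersonation email tries to push through (one person does everything).
SAMPLE_REQUESTS = [
    WireRequest("WR-1", "pat", 75_000, "DE00-CONSTRUCTED", "sam", ["sam", "lee"]),
    WireRequest("WR-2", "pat", 25_000, "DE00-CONSTRUCTED", "pat", ["pat"]),
    WireRequest("WR-3", "pat", 5_000, "DE00-CONSTRUCTED"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.request_id, "release" if may_release(r) else control_violations(r))
```

The check is deliberately independent of how convincing the request looks; a deepfaked CFO on a video call changes nothing about who is allowed to approve and who must make the callback.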

Leveraging Threat Intelligence and Monitoring

Leverage threat intelligence and monitoring to stay ahead of evolving tactics. Deploy tools to identify suspicious behaviors and alert security teams to potential compromises before damage occurs.
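A small triage routine of the kind a mail-monitoring pipeline might apply before a message reaches the finance team, added here as an example that is not from the article: it flags display-name impersonation of a known executive, lookalike sender domains, a reply-to that points somewhere other than the sender's domain, and urgency or payment language, which are the tells of the BEC and pretexting scenarios described earlier. The corporate domain, executive directory and sample messages are constructed.

```python
"""Heuristic triage of inbound mail for BEC / executive-impersonation indicators.
Added example (not from the article); domain, directory and messages are constructed."""
import re
from typing import Dict, List

CORPORATE_DOMAIN = "example.com"                      # constructed
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}     # constructed directory
URGENCY = re.compile(r"\b(urgent|immediately|asap|act now|wire|overdue)\b", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(msg: Dict[str, str]) -> List[str]:
    """Return the list of indicators found; an empty list means nothing suspicious."""
    flags = []
    sender = msg["from_addr"].lower()
    name = msg.get("from_name", "")
    sdom = domain_of(sender)
    if name in EXECUTIVES and sender != EXECUTIVES[name].lower():
        flags.append("display name matches an executive but address does not")
    if sdom != CORPORATE_DOMAIN and 0 < levenshtein(sdom, CORPORATE_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain {sdom}")
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sdom:
        flags.append("reply-to domain differs from sender domain")
    if URGENCY.search(msg.get("subject", "") + " " + msg.get("body", "")):
        flags.append("urgency or payment language")
    return flags


# Constructed sample messages: an ordinary internal mail and a BEC-style lure.
SAMPLE_MESSAGES = [
    {"from_name": "Jane Doe", "from_addr": "jane.doe@example.com",
     "subject": "Q3 board deck draft",
     "body": "Attached is the draft for review next week."},
    {"from_name": "Jane Doe", "from_addr": "jane.doe@examp1e.com",
     "reply_to": "ceo.office@mail-relay.invalid",
     "subject": "Urgent wire needed today",
     "body": "Please process the wire immediately and keep this confidential."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", triage(m) or "clean")
```

Heuristics like these raise the signal for the security team; they do not replace the callback and separation-of-duties controls, since a message can be entirely clean by these measures and still be fraudulent.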

The most successful social engineering defense programs balance technology and human factors—recognizing that both are essential to your security posture.

Cybercriminals are no longer just hackers in hoodies—they’re skilled manipulators. The best defense is not just smarter tools but smarter teams. Whether you’re an executive, IT leader, or business stakeholder, building a culture of awareness is essential.

Cybersecurity is not just an IT issue—it’s a people issue. And it’s time we treat it that way. To learn more about protecting your organization’s infrastructure and data, contact us.

Comparing HIPAA and HITRUST

The HITRUST framework and HIPAA regulations both play important roles in helping organizations meet their data security, customer privacy, and compliance goals. However, they have notable differences in their nature, scope, and application.

Understanding the Basics: HIPAA vs. HITRUST

Let’s start with HIPAA (the Health Insurance Portability and Accountability Act), a U.S. law enacted in 1996 that established guidelines for protecting patient health information (PHI) and ensuring the privacy and security of electronic health records.

HIPAA consists of five rules that organizations must interpret in the context of their environment, but the legislation does not offer specific implementation guidance. 

HITRUST is a certifiable security and privacy framework designed by industry experts to help organizations manage information risk with confidence. It offers a comprehensive, structured approach by integrating multiple standards and authoritative sources, including HIPAA. With clearly defined security controls and requirements, HITRUST simplifies compliance and strengthens data protection across industries.

HIPAA’s Mandatory Requirements

HIPAA is mandatory for covered entities (healthcare providers and insurance companies) and their business associates that handle PHI in the United States. HIPAA compliance is self-assessed, and there is no designated HIPAA certification process or certification body. Instead, organizations must regularly review their compliance with HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule in a process that may include engaging third-party auditors.

These assessments generally focus on protecting PHI through administrative, physical, and technical safeguards outlined in the Security Rule. HIPAA also mandates regular risk assessments as part of ongoing compliance efforts but does not prescribe a specific timeline or format for those assessments.

This approach may be best suited for small medical practices or solo practitioners with limited resources. If a covered entity or partner doesn’t need to demonstrate compliance with multiple regulatory frameworks, they may find HIPAA compliance adequate for their needs.

HITRUST’s Broader Reach and Structure

For its part, HITRUST has a broader scope that can be applied to organizations across various industries beyond healthcare. The framework can be used by any organization looking to implement strong security controls based upon real-time threats and demonstrate compliance with multiple standards simultaneously.

HITRUST is more comprehensive, covering over 1,200 requirement statements that can be mapped to over 40 compliance and regulatory frameworks (authoritative sources) across various industries, including HIPAA, CCPA, ISO, NIST, and GDPR.

The HITRUST CSF (Common Security Framework), for instance, comprises 14 control categories, 49 control objectives, and 156 control references that detail specific tasks teams need to perform to achieve those objectives. The requirement statements are spread across the 19 domains that make up the HITRUST CSF.

HITRUST implementation is also more structured, involving a software solution (myCSF) that streamlines audits and assessments. Organizations can become HITRUST-certified by HITRUST, providing a standardized way to demonstrate their compliance and maturity.

HITRUST certification involves a multi-phase process that includes readiness assessments, gap remediation, validation by an external assessor, and a final review and QA by HITRUST itself. Depending on their risk level and assurance needs, organizations can choose from different assessment types.

The Benefits of Choosing HITRUST Over HIPAA

While every healthcare organization has specific requirements, HITRUST certification can offer providers and their business partners benefits beyond HIPAA compliance alone, given the robustness and coverage of the framework that organizations implement.

Enhanced Security and Compliance

HITRUST, for instance, provides a more comprehensive and prescriptive approach to security and compliance while also offering greater flexibility. Because the framework’s requirements are tailored to each company’s risk profile and use of PHI, adoption can be scaled up or down to meet individual organizational needs.

With controls mapped to different security, privacy, and governance standards and frameworks, HITRUST provides a comprehensive approach to meeting multiple compliance requirements simultaneously.

Demonstrated Commitment and Competitive Advantage

HITRUST certification also demonstrates a stronger commitment to data protection. For companies that provide services to covered entities, obtaining HITRUST certification can create competitive advantages over non-certified competitors as more healthcare organizations require HITRUST certification from their vendors.

Overall, HITRUST offers a structured approach with formal certification that demonstrates adherence to multiple regulatory frameworks beyond HIPAA. Organizations seeking higher assurance and broader compliance often opt for HITRUST certification.

While HIPAA is mandatory for healthcare providers and their business partners, HITRUST provides a stronger, more comprehensive security approach. It potentially provides greater value and benefits to organizations in the healthcare industry and beyond.

To learn more about HITRUST and HIPAA compliance, contact us.

What Is Penetration Testing?

As organizations work to maintain effective data protection, privacy, and governance, penetration testing provides powerful tools to guard against attacks.

A penetration test, often referred to as a “pen test,” is a simulated cyberattack designed to uncover vulnerabilities in systems and networks before malicious actors can exploit them. By identifying and addressing weaknesses, organizations can strengthen their security posture, ensure compliance with industry regulations, and gain peace of mind.

Unlike automated security scans, pen testing involves human experts who think creatively and adapt their approach during the attack. This provides a comprehensive view of a company’s security capabilities and identifies vulnerabilities that must be mitigated.

Common vulnerabilities that can be discovered during pen tests include:

  • Unsupported or outdated software for which security patches may no longer be available.
  • Weak passwords and inadequate authentication.
  • Misconfigured systems that can expose sensitive data or allow unauthorized access.
  • Mismanaged permissions and privilege escalation that can allow attackers to gain elevated access to critical systems.

Who Needs Penetration Tests?

Penetration testing is most common in industries that handle sensitive data or critical infrastructure, or where regulations mandate the practice. In financial services, for instance, penetration testing is mandated by various payment card and customer privacy regulations and reduces fraud risk by identifying vulnerabilities in transaction systems.

In other sectors, such as healthcare, government and defense, manufacturing, software, telecom and others, pen testing may not be required by regulation. Still, it represents a common and prudent security measure that can mitigate risk and satisfy contractual expectations to maintain data security and privacy.

How Does Penetration Testing Work?

An effective pen test is a systematic, iterative process that is typically conducted in five phases:

1. Planning and Scoping

The first step involves defining the test’s objectives and methods. This sets the stage for the pen test and ensures critical systems and networks are included.

2. Information Collection

Penetration testers review as much information as possible about the target. They may examine public records, network scans, and open-source intelligence to identify potential entry points attackers might exploit.

3. Vulnerability Assessment

Testers identify weaknesses in the target organization’s systems and applications, often blending automated tools and manual techniques to pinpoint security gaps.

4. Exploitation

This is the core of penetration testing. Testers attempt to use any identified vulnerabilities to gain unauthorized access to systems or data. Unlike actual attackers, pen testers stop short of causing damage, focusing instead on demonstrating the risks posed by these vulnerabilities.

5. Reporting

The final phase involves documenting the findings and providing the target organization a comprehensive report detailing any discovered vulnerabilities, their potential impact, and recommendations to address them.

By following these steps, penetration testing goes beyond highlighting weaknesses to provide a clear path to strengthening security.

Pen Testing Benefits

Penetration testing can provide:

  • Risk Mitigation. More effective risk mitigation throughout your IT environment. By simulating attacks, organizations learn about their security gaps and can take steps to address them.
  • Data Protection. Stronger protection for vital customer and employee data. Pen testing helps align security measures with the organization’s most important information.
  • Compliance & Trust. Enhanced compliance with industry-specific regulations and increased customer trust. Pen testing provides a strong foundation for security regulations and data protection frameworks including SOC, ISO, HIPAA, HITRUST, and others.
  • Employee Awareness. Better employee awareness about the importance of effective information security management. Highlighting security risks such as phishing can help employees avoid unsafe practices.
  • Threat Intelligence. Deeper insights into the latest cybersecurity threats. Pen testing helps organizations adapt their defenses as bad actors explore new attack vectors.
  • Stakeholder Confidence. Reassurance for interested stakeholders the organization has taken, and verified, prudent measures to defend against current and emerging security vulnerabilities.

How Often Should Pen Testing Occur?

The frequency with which an organization should undergo pen testing depends on several factors including its risk profile, any applicable regulations, stakeholder expectations, and other considerations. Consistent testing can help ensure the regular verification of security controls and help the organization adapt to emerging threats and changing environments.

For regulatory compliance, penetration testing is typically required at least annually, at regular intervals, or after significant changes to the environment. Large enterprises often conduct penetration tests every six months or annually, while some high-risk organizations may test monthly. Smaller companies may choose to conduct penetration tests annually and focus their efforts on critical data and assets.

To learn more about how penetration testing can help your organization identify and manage cyber risks, contact us.

Demonstrating Responsible AI Development

To highlight its robust security practices, Cresta obtained ISO/IEC 42001 certification from Sensiba.

Cresta is on a mission to turn every customer conversation into a competitive advantage by unlocking the true potential of the contact center. Cresta’s platform combines the best of AI and human intelligence to help contact centers discover customer insights and behavioral best practices, automate conversations and inefficient processes, and empower every team member to work smarter and faster.

  • ISO/IEC 42001 Certification Audit

Challenge

Cresta, a leading contact center AI platform for human and AI agents, worked with Sensiba to obtain certification of its compliance with the ISO/IEC 42001 Artificial Intelligence—Management System standard. “Our customers are trusting us with a lot of very sensitive data,” says Robert Kugler, head of security, IT, and compliance at Cresta. “Our utmost priority is to care for customer data as securely as possible, and to provide assurance to our customers that they can use AI safely.”

As Cresta considered an ISO/IEC 42001 audit, potential complications emerged. The newness of the standard, released in late 2023, meant Cresta and its auditor would be interpreting its guidance at the same time. Similarly, a lack of automated tools for the standard would require a higher degree of manual interaction and document sharing.

“Cresta is leading an exceptionally competitive business with security as a competitive advantage.”

Robert Kugler, Head of Security, IT, and Compliance at Cresta

Solution

Leveraging a relationship with a Sensiba auditor, Cresta enlisted Sensiba’s assistance to conduct its ISO/IEC 42001 certification audit. Given the recent release of the standard and dynamic changes in the AI sector, Cresta wanted a firm that would take a collaborative approach to the engagement and that understood its risks and controls.

For instance, Kugler said Cresta wanted to work with an auditor that could help them understand what the standard requires and how their implementation reflects its guidance. Working with an audit team that offered AI experience also helped streamline the process.

“There’s a difference between companies where all they do is AI, like Cresta, and companies that are laying AI on top of their old-school processes,” says Kugler. “Sensiba’s understanding of AI enabled us to have easier conversations because they understood what we’re doing as a company and what our controls were designed to do.”

Result

With its ISO/IEC 42001 certification, Kugler says prospects and customers can be confident that Cresta is doing everything they can to protect and manage their sensitive data responsibly.

“The most important benefit to us is the customer assurance,” Kugler says. “Customers can stop relying on us telling them everything is fine.

The certification provides independent, third-party assurance that somebody has looked at us and validated that Cresta is developing AI in a responsible way. That is really important.”

Cresta is also using its certification to provide important differentiation in the crowded marketplace of companies claiming to offer AI expertise.

“We’ve doubled down on third-party assurance because we can confidently tell customers they can trust us, and this is why,” Kugler says.

For other companies considering ISO/IEC 42001 certification, Kugler recommends adding a 42001 audit to a strong security foundation based on other standards and certifications such as SOC 2 or ISO/IEC 27001 – Information security management systems.

“Security is not just a sales driver, but the right thing for your customers,” Kugler says. “If you have a secure foundation, then it’s really all about documenting what you do and doing what you say.”

Ready to get started?

Find out how our Risk Assurance team can help you with your compliance. Contact us to learn more about how we can work together toward your goals.

Ready for more inspiration? Dive into additional client success stories where we showcase diverse projects, innovative solutions, and the transformative impact we’ve had on businesses like yours.

Defining Your ISO/IEC 42001 Audit Scope

Defining the scope of an ISO/IEC 42001 compliance audit is an important early step in aligning the audit with the standard’s requirements, organizational risk, and stakeholder expectations.

In creating the audit scope, organizations need to define their Artificial Intelligence Management System (AIMS) and the associated roles, develop a governance structure, and identify important AI-related risks and controls.

Throughout the scope determination process, organizations should keep risk management and responsible AI use in mind. This should include assessing the organization’s processes for identifying and managing AI-related risks, as well as evaluating different types of exposures (such as risks inherent to AI development and use, control risk, and detection risk).

Identify Roles and Systems

An important starting point in determining your scope is identifying the AI roles your organization performs. These will typically include being an AI provider, producer, or user (or a combination of these roles). Different AI roles have varying requirements and controls within the ISO/IEC 42001 standard. In addition, understanding these roles will provide valuable organizational context that will influence how the organization approaches AI risk assessment and management.

Once roles have been clarified, the next step is determining which AI systems will be included in the audit scope. Depending on the organization and the roles it performs, this may include specific AI products or services, third-party AI tools the organization uses, or systems or tools in development or testing phases.

Organizational Boundaries and Influences

After outlining the AI systems that will be reviewed during the audit, it’s time to consider the organizational boundaries of your AIMS. These can include:

  • Departments or teams developing or using AI
  • Relevant processes or activities
  • Physical and virtual locations where AI work takes place.

You’ll next consider the inside and outside factors that can influence your AIMS. This list may include organizational objectives and strategies, regulatory requirements, or technology and industry trends affecting your AI use or plans.

Next up, consider anyone who could be interested in the responsible governance of your AI tools and systems. This may include, for instance, your internal users or customers, regulators, business partners, or suppliers.

The next phase of the audit scope definition process is ensuring your proposed audit scope aligns with your organization’s AI policies and objectives. Key steps in this phase include:

  • Reviewing your AI governance framework
  • Considering ethical guidelines and principles
  • Assessing the impact of AI systems on individuals and society.

Drafting Your Scope Statement

After reviewing the items discussed above, it’s time to draft a clear and concise scope statement that:

  • Describes the AI roles, systems, and activities to be reviewed
  • Specifies relevant departments and locations
  • Lists the factors that influenced the audit’s scope. 

Understand the Standard

The ISO/IEC 42001 standard’s organizational structure can provide important insights in developing an effective audit scope. The standard includes 10 clauses outlining key requirements, such as:

  • Understanding the standard’s purpose
  • Related standards and documents
  • Key terms and definitions
  • Company-specific information such as leadership, planning, support, and other important considerations.

The standard, and the specific controls outlined in the standard’s Annex A, will influence the type of evidence auditors seek to assess how well the organization’s AIMS aligns with the standard’s core requirements.

For example, the standard outlines methodologies for effective audit planning such as gap analyses to identify discrepancies between current practices and the standard’s requirements, as well as evidence collection through interviews, system testing, and document reviews.

Sample Scope Statements

The following examples illustrate the types of information outlined in ISO/IEC 42001 audit scope statements:

The scope of certification encompasses the Artificial Intelligence Management System (AIMS) governing ABC Corp’s role as an AI Service/Product Provider, delivering solutions through the Debra AI Agent solution. This includes the deployment, monitoring, and continuous enhancement of AI models to deliver advanced analytics and decision-support capabilities for clients across diverse industries.

The scope of certification encompasses the Artificial Intelligence Management System (AIMS) governing the organization’s role as an AI provider, delivering cutting-edge solutions through the ABC Corp Platform (SaaS). This includes the deployment, monitoring, and continuous improvement of AI models to provide advanced analytics and decision-support capabilities for clients across various sectors. The organization is headquartered in Pleasanton, California, United States, with remote employees located globally. This certification aligns with ISO 42001 standards and is based on the SoA version 2.0 dated October 19, 2024.

Learn More About Responsible AI

By taking time to review the standard and plan an appropriate audit scope, organizations can ensure a comprehensive evaluation of their AIMS that in turn promotes more effective and responsible AI system development, management, and usage.

To learn more about ISO/IEC 42001 and strategies for responsible AI governance and use, contact us.

Sensiba LLP, a Top 75 U.S.-based accounting and business consulting firm, has issued its first certification of compliance with ISO/IEC 42001, the international standard that provides organizations with guidelines for developing, implementing, and maintaining Artificial Intelligence Management Systems (AIMS).

The ISO/IEC 42001 standard offers a comprehensive framework to manage risks and opportunities throughout the AI system lifecycle, while ensuring responsible development and deployment of AI solutions.

Key aspects of ISO/IEC 42001 certification include AI-related risk and opportunity management, fairness, transparency, security, and reliability, as well as adaptability to technological advances and alignment with sustainable goals.

“With AI fully in the business mainstream, ISO/IEC 42001 provides essential guidance for responsible AI use, risk management, and governance,” says Scott Dritz, CISSP, ISO practice leader at Sensiba. “ISO/IEC 42001 certification also offers powerful reassurance to customers that compliant organizations are committed to effective data and privacy protection.”

Sensiba granted ISO/IEC 42001 certification to Cresta, which provides a contact center AI platform for human and virtual agents.

“As AI ethics increasingly becomes a focus for our customers—especially with IT playing a critical role in the purchasing process—this certification is a proactive way for us to underscore our security differentiation,” says Robert Kugler, Head of Security, IT, and Compliance at Cresta.

“Sensiba’s guidance helped us streamline compliance efforts and made the entire process seamless. Achieving this certification strengthens our risk management practices and deepens the trust we’ve built with our customers.”

Sensiba also provides certification audits for additional standards including ISO/IEC 27001 Information Security Management System, ISO/IEC 27701 Privacy Information Management System, ISO/IEC 27017 Cloud Services, and ISO/IEC 27018 Personally Identifiable Information.

What Is HITRUST?

The HITRUST cybersecurity framework provides a comprehensive approach to managing data protection, information risk, and regulatory compliance.

First developed for the healthcare industry, HITRUST has been adopted by organizations in a variety of sectors. It offers a broad-ranging framework that integrates requirements from more than 40 global data security standards and regulations.

This blended approach can help organizations take a unified approach to addressing multiple compliance needs such as:

  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The EU’s General Data Protection Regulation (GDPR)
  • The California Consumer Privacy Act (CCPA)
  • The Payment Card Industry Data Security Standard (PCI DSS)

Beyond compliance, HITRUST certification reduces the risk of data breaches by ensuring strong cybersecurity controls and demonstrates an organization’s commitment to data privacy that builds trust with clients and partners.

HITRUST certification is pursued most often by service providers, business partners, and vendors. HITRUST provides assurance to stakeholders that the organization has robust controls, policies, and procedures in place to process, store, and manage sensitive data responsibly.

Understanding HITRUST

HITRUST, originally an acronym for Health Information Trust Alliance, is designed to provide a standardized approach to managing data protection, information risk, and regulatory compliance.

The HITRUST organization is a privately held company. It provides the HITRUST CSF (Common Security Framework) and other tools for managing information risk and compliance. The organization collaborates with public and private sector experts to identify emerging cybersecurity threats and develop effective countermeasures.

19 Domains That Comprise the CSF

The HITRUST CSF encompasses a range of security controls organized into 19 high-level domains covering various aspects of information security. Each domain contains control specifications that organizations must implement to achieve compliance.


The framework also includes five levels of maturity that are aligned with a given organization’s risk factors: Policy, Procedure, Implementation, Measured, and Managed. Organizations need to complete the first three to obtain certification. The “Measured” and “Managed” levels are optional, but can increase an organization’s certification score and demonstrate a stronger commitment to the framework’s goals.

This risk-based approach helps organizations align their security and compliance efforts with their exposures, and potentially offers a more cost-effective approach to cybersecurity by enabling organizations to customize their efforts for their specific needs.

The Benefits of HITRUST Certification

Achieving HITRUST certification offers numerous benefits:

  • A Unified Compliance Approach: HITRUST harmonizes multiple regulatory requirements, including HIPAA, SOC 2, GDPR, PCI-DSS, and others. In addition to simplifying the overall compliance process for organizations, being able to demonstrate HITRUST certification may satisfy customer inquiries about compliance with other standards.
  • Risk Mitigation: By meeting the requirements within the HITRUST standards, organizations can effectively identify and mitigate risks associated with handling sensitive information.
  • Enhanced Trust: HITRUST certification demonstrates a commitment to high information security and privacy standards that builds trust among customers, partners, and other stakeholders.
  • Marketplace Advantages: Organizations that achieve HITRUST certification may enjoy competitive advantages as prospects evaluate potential service providers.

The HITRUST Certification Process

Obtaining compliance certification from a HITRUST Authorized External Assessor involves a process that, depending on an organization’s size, complexity, risk factors, and readiness, can take between three and 18 months to complete.

There are several steps for most organizations:

  • Preparation and Planning
    • Define the scope of the assessment, including systems, processes, and data.
    • Conduct a gap analysis comparing current security practices to the HITRUST requirements.
  • Readiness Assessment
    • Complete a risk-based scoping questionnaire to determine the controls to implement and the scope of the assessment.
    • Conduct a self-assessment or readiness assessment.
  • Remediation
    • Address any gaps identified during the readiness assessment.
    • Implement or update controls, policies, and procedures to align with HITRUST CSF requirements.
  • Validated Assessment
    • Engage a HITRUST Certified CSF Assessor to perform the validated assessment.
    • Undergo external validation testing, which includes evidence reviews and possible on-site testing.
  • HITRUST Quality Assurance Review
    • Submit the completed assessment to HITRUST, which performs a quality assurance review.
    • Respond to any additional requests for documentation or clarification.

Based on the assessment results and quality assurance review, HITRUST will make the final decision for approving or denying the certification. If approved, HITRUST will issue a Certification that is valid for two years (r2) or one year (e1 & i1).

Types of HITRUST Assessments & Certifications

While the process can seem complex, HITRUST certification can help organizations enhance and streamline their overall cybersecurity and compliance while providing other compelling benefits. To learn more about HITRUST certification, contact us.

Preparation Increases SOC 1 Audit Efficiency

By aligning control objectives with key risks, Vector AIS streamlined a SOC 1 audit with Sensiba.

With a commitment to building the next generation of fund administration, Vector offers closed-end fund managers industry-leading technology, top-tier talent, innovative workflows, and a comprehensive suite of integrated fund services.

  • SOC 1 Reports

Challenge

To demonstrate the effectiveness of its internal controls over financial reporting, Vector AIS enlisted Sensiba to conduct a SOC 1 audit. As a service organization, Vector needed to demonstrate it had effective controls in place to safeguard the funds it was managing for clients.

“Our clients want their investors to feel comfortable that we’re taking care of the investments in the funds we service,” says Chief Operating Officer Kristina Dayback. “Having a SOC 1 report helps us demonstrate we’re a trusted service provider.”

Satisfied with two SOC 2 audits Sensiba had previously performed for Vector, the client engaged the firm and began preparation for the SOC 1 review.

“In any kind of service provider business, the relationship is key. Sensiba helped us focus on the controls that actually make an impact.”

Kristina Dayback, Chief Operating Officer, Vector AIS

Solution

To kick things off, Vector and Sensiba reviewed the audit approach and methodology to ensure Vector understood the goal of the engagement. Next, Sensiba held walk-through meetings with the Vector team to understand the system, identify the controls already in place, and note areas that lacked controls. Finally, Sensiba outlined the required and expected evidence it needed from Vector and performed the audit. “They made us feel really comfortable about the process,” says Dayback.

“They outlined the controls they were testing, what they would be looking for, and the best ways to provide the information they’d need. We knew well in advance what we had to do to support their team, and we were confident the audit would be a seamless experience.”

Result

Obtaining a clean audit opinion in the SOC 1 report has helped improve Vector’s position in the marketplace. Vector had two clients that were requesting the firm demonstrate SOC 1 compliance, and Sensiba was able to deliver a report that met those client needs. Working with Sensiba, Vector was also able to complete the audit well ahead of client deadlines. “Clients are looking at this,” says Dayback. “SOC compliance helps legitimize our business offering and lets everyone know we’re a real player in this space, and we take what we do seriously.”

Examining its controls and documentation to prepare for the audit also enhanced Vector’s understanding of its key risks, as well as the steps it has taken to mitigate those exposures. “The process was relatively easy and we’re continuing to see benefits because we established a clear framework from the beginning,” says Dayback.

Dayback recommends that firms approaching a SOC 1 audit invest time to examine the risks first, and then prioritize the controls addressing those risks. “Focus your efforts on the controls that make the most impact. I’ve done other SOC audits, and some vendors made it overly complicated by focusing on all the controls at one time. Start with the critical risks, put the controls around them, and work with your internal teams to ensure the controls align with how they do their job internally.”


What Is ISO/IEC 42001?

As artificial intelligence (AI) introduces new organizational opportunities and risks, the ISO/IEC 42001 standard offers guidance and controls to help organizations deploy AI efficiently and mitigate the related security risks by developing an Artificial Intelligence Management System (AIMS).

ISO/IEC 42001, published in 2023, addresses the AI system lifecycle from initial concepts to final system deployment and operations. The standard is designed to help organizations manage the risks associated with AI and ensure their systems are developed and used responsibly.

ISO/IEC 42001 compliance should be considered by any organization with public-facing products or services leveraging AI.

To evaluate compliance with the standard, an ISO/IEC 42001 certification audit will examine several areas, including AI-specific ethical, security, and operational considerations, system lifecycle management, performance optimization, and documentation.

Organizations should also evaluate the various organizational roles within the AI lifecycle—production, development, provision, and use—to understand and manage risk effectively.

Risk and Impact Assessments

ISO/IEC 42001 places significant emphasis on AI risk and impact assessments. For the standard’s mandatory risk assessment, organizations are required to identify potential risks related to AI systems, evaluate those risks, and develop risk mitigation plans.

The standard’s AI Impact Assessment process involves:

  • Evaluating potential consequences of AI systems on individuals, groups, and society
  • Considering technical and societal contexts in which the AI is developed and deployed
  • Assessing impacts throughout the AI system’s lifecycle.

Organizations are required to document this process and measure AI-related risks and their potential consequences.

Understanding the Standard

The ISO/IEC 42001 standard follows a structure similar to ISO/IEC 27001 (Information Security Management System), making it easier for organizations to integrate their security and compliance efforts. Thanks to this similarity, and the overlap in the information evaluated during a certification audit, organizations that hold ISO/IEC 27001 certification can be well on their way to obtaining ISO/IEC 42001 certification if they choose to.


The ISO/IEC 42001 standard consists of 10 main clauses:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

The first three clauses are shared with other standards, and specific considerations are addressed in Clauses 4-10:

  • Clause 4 – Context of the Organization: Organizations must understand their internal and external environments, including AI-specific roles and other factors influencing AI management.
  • Clause 5 – Leadership: Mandates leadership commitment to integrating AI requirements, fostering a culture of responsible AI use, and aligning AI management with organizational objectives.
  • Clause 6 – Planning: Focuses on strategic planning to address AI-related risks and opportunities, set AI objectives, and plan for effective AI management.
  • Clause 7 – Support: Ensures adequate resources, competence, awareness, communication, and documentation to support the AIMS establishment and implementation.
  • Clause 8 – Operation: Addresses specific operational aspects of AI management, including the AI risk assessment and treatment, impact assessment, change management, documentation, and other key details.
  • Clause 9 – Performance Evaluation: Involves monitoring, measuring, analyzing, and evaluating the AIMS.
  • Clause 10 – Improvement: Focuses on continual improvement of the AIMS.

ISO/IEC 42001 Annexes

ISO/IEC 42001 also includes two annexes that are important to an organization’s certification efforts and provide additional guidance and information:

  • Annex A offers a comprehensive guide for AI system development, including a controls list.
  • Annex B provides implementation guidance for the AI controls listed in Annex A, including data management processes.

These annexes offer detailed guidance on AI management ranging from development to risk assessment and sector-specific applications.

The Benefits of ISO/IEC 42001 Compliance

Achieving ISO/IEC 42001 certification can provide several benefits for organizations that include:

  • Increased security, safety, transparency, and data quality.
  • Stronger risk identification and remediation.
  • Improved credibility with customers, regulators, investors, and other stakeholders.
  • Stronger market opportunities and competitive advantages.

Like other notable security frameworks, ISO/IEC 42001 certification demonstrates an organization’s commitment to data protection and responsible policies and procedures.

What’s Involved in an ISO/IEC 42001 Certification Audit?

An ISO/IEC 42001 certification audit is a comprehensive process that involves multiple stages to evaluate an organization’s AIMS. 

The stage one audit includes:

  • Reviewing the documented AIMS, including key policies and procedures.
  • Evaluating the organization’s understanding of the standard’s requirements.
  • Assessing the context of the AI management system.
  • Identifying potential gaps or areas of concern.
  • Preparing a detailed report with findings.

The stage two audit is more in-depth and involves:

  • Performing an in-person or virtual site visit to observe processes and interview staff.
  • Assessing the operating effectiveness of implemented controls.
  • Evaluating AIMS implementation and effectiveness in practice.
  • Preparing a report with findings, including non-conformities and areas for improvement.

After the audit, organizations must address any identified non-conformities and provide evidence of corrective actions before receiving a decision from the certification body.

Once certified, organizations must undergo annual surveillance audits to maintain certification and participate in a recertification audit every three years.

As a certification body, Sensiba conducts audits against a variety of standards including ISO/IEC 42001, ISO/IEC 27001, ISO/IEC 27701, and others. To learn more, contact us.

Sensiba LLP, a Top 75 U.S. accounting and advisory firm, and leader in cybersecurity and compliance services, announced today the launch of its new Penetration Testing service. With this addition, Sensiba provides an end-to-end security framework to help organizations identify vulnerabilities, safeguard their operations, and strengthen their cyber resilience.

This offering expands and complements the firm’s robust portfolio, which already includes ISO 27001, SOC, HIPAA, and NIST. Penetration testing is also mandated by other frameworks such as FedRAMP, HITRUST, and PCI.

Penetration Testing will allow clients to proactively identify vulnerabilities within their systems, networks, and applications before bad actors can exploit them. By simulating real-world attack scenarios, Sensiba will offer deep insights into potential threats and deliver actionable recommendations to address security gaps. 

This strategic launch underscores Sensiba’s ongoing commitment to supporting CTOs and IT leaders, with highly adaptable, scalable, and comprehensive solutions to meet the complex security needs of today’s businesses.

“With the addition of penetration testing to our cybersecurity service portfolio, we’re ensuring our clients can stay one step ahead of potential vulnerabilities and risks. In addition, this offering allows our current clients and prospects to consolidate their security needs with Sensiba, streamlining the process for compliance audits such as SOC, ISO, and HIPAA,” says Brian Beal, Risk Assurance Services Partner. “By offering this service, we’re helping clients strengthen their security posture while simplifying risk management and improving overall efficiency.”