ICO Security Audit

Program Overview

Practical Assurance has developed the IISF (ICO Information Security Framework) and its audit program to serve as a component of due diligence for those wishing to buy tokens and participate in ICOs. The IISF enables companies to establish organization-wide information security controls that increase customer and investor confidence, and the audit function provides an additional layer of third-party assurance that ultimately builds trust. We have found that smart contract security audits are necessary, but not sufficient, to mitigate ICO risks. Our audit program and compliance framework are holistic and were developed specifically for blockchain companies. We help you build trust in the blockchain ecosystem.

Fraud, Security, and Compliance Concerns

Why Audit

Companies offering a token sale immediately put themselves at risk of direct attack. We have seen many types of attack, including sophisticated spear phishing, network compromises, and DoS attacks, any of which can delay a sale and in some cases result in stolen funds. While many companies have security expertise in-house, it is rare that every information security discipline is covered. Our audit program identifies the risk factors that apply to your offering so that you and your company can respond with the appropriate controls.

Token buyers also have an interest in audit reports. Sifting through hundreds of companies, whitepapers, and founder claims can be daunting. On top of that, news articles are published every day telling stories of ICOs gone wrong. An audit report can help build trust and have a significant impact on your token sale.

"Investors should be wary of companies touting ICOs as a way to generate outsized returns," SEC spokesperson Andrew M. Calamari followed up in the statement out today. "As alleged in our complaint, Zaslavskiy lured investors with false promises of sizeable returns from novel technology."
 – "The SEC has charged two initial coin offerings with defrauding investors", TechCrunch, September 2017
"More than 30,000 people have fallen prey to ethereum-related cyber crime, losing an average of $7,500 each"
 – "Ethereum Bandits Stole $225 Million This Year", Fortune, August 2017
"Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly."
 – "$7 Million Lost in CoinDash ICO Hack", CoinDesk, July 2017
Looking for ways to protect ICO investors

How it Works

The Practical Assurance audit process is straightforward. First, participating companies submit an intake questionnaire and upload audit artifacts to the PA Audit Portal. The IISF review and a self-directed risk assessment are then conducted. Next, Practical Assurance runs automated verification and validation checks, conducts a manual review of key audit artifacts, and performs a technical analysis of source code, configurations, and architecture. Upon completion of the audit, a public compliance status page and a detailed audit report of findings are created. Companies have the option to perform remediation and submit artifacts for a reassessment.

ICO Audit Process

Audit Plans Right-Sized for You

Pricing Plans to Meet the Scale of Any Organization

  Silver audit
  • Business Identity Validation
  • Fraud Red Flag Assessment
  • Business Process Maturity Assessment
  • Technical Maturity Assessment
  • Information Security Assessment (IISF)
  • Self Attestation Report
  • Compliance Reporting Widget
  • Online Compliance Certificate

Accepting BTC, BCH, ETH
Pricing varies due to volatility

  Get Quote

  Gold audit
  • Business Identity Validation
  • Fraud Red Flag Assessment
  • Business Process Maturity Assessment
  • Technical Maturity Assessment
  • Information Security Assessment (IISF)
  • System Architecture Review
  • Self Attestation Report
  • Compliance Reporting Widget
  • Online Compliance Certificate
  • Detail Validated Audit Report (Manual Audit)
  • Remediation Assistance
  • Security & Compliance Support

Accepting BTC, BCH, ETH
Pricing varies due to volatility

  Get Quote

  Platinum audit
  • Business Identity Validation
  • Fraud Red Flag Assessment
  • Business Process Maturity Assessment
  • Technical Maturity Assessment
  • Information Security Assessment (IISF)
  • System Architecture Review
  • Vulnerability Assessment
  • Secure Source Code Review
  • Smart Contract Review
  • Self Attestation Report
  • Compliance Reporting Widget
  • Online Compliance Certificate
  • Detail Validated Audit Report (Manual Audit)
  • Remediation Assistance
  • Security & Compliance Support

Accepting BTC, BCH, ETH
Pricing varies due to volatility

  Get Quote

Business Process Audit

Information Security Assessment

This is a risk assessment conducted against the ICO Information Security Framework (IISF). The objective of this assessment is to determine which administrative, technical, and physical security controls the company has implemented. A maturity rating and risk level are assigned.

  • Encryption Practices
  • Administrative Controls
  • Authentication & Access Control
  • Logical Security / Account Provisioning
  • Cryptography and Key Management
  • Firewall Implementation
  • System Monitoring & Alerting
  • Configuration Hardening and Patch Management
  • Physical Security
  • Business Continuity

Technical Maturity Assessment

    This is an assessment covering the key technical operational areas of the company. The objective of this assessment is to determine whether the company has developed the internal processes necessary for developing software and supporting the operation of its systems. A maturity rating and risk level are assigned.

  • Change Management
  • Application Development Lifecycle
  • System Reporting and Monitoring
  • Operational Procedures
  • Quality Assurance Testing
  • Production Deployment Process

Business Identity Validation

    This is an assessment that focuses on identifying the key business attributes that would interest token buyers and taking steps to validate their accuracy. It is conducted by reviewing submitted documentation, corroborating responses with references, and searching available global databases. A level-of-confidence assessment is reported for each key business attribute (e.g. "High confidence of accuracy").

  • Identification of Business Attributes
  • Business Structure Review
  • Key Management
  • Phone Verification
  • Reference Checking
  • Online/Social Media

Fraud Red Flag Assessment

    This is an assessment of business attributes that would indicate a low risk of fraud. It includes a review to determine whether internal controls are suitably designed to prevent fraud by employees or other stakeholders.

  • Fraud Risk Identification
  • Qualitative Risk Factors
  • Board of Directors
  • Tone at the Top
  • Code of Ethics
  • Segregation of Duties
  • Asset Management

Business Process Maturity Assessment

    This is an assessment of key business processes related to the operation of the business. The objective of this assessment is to determine how well employees, customers, token buyers, and other stakeholders are managed. A maturity rating and risk level is assigned.

  • Employee Management
  • Employee On-boarding & Off-boarding
  • Customer Support
  • Customer Communication Practices
  • Token Buyer Communication
  • Confidentiality Agreements
  • Privacy Policy

Technical Assessment

    Secure Source Code Review

    An automated and manual analysis of the source code supporting the ICO company's product. Source code is reviewed for common web application vulnerabilities such as injection, XSS, insecure direct object references, CSRF, and security misconfiguration. Non-web-based products may be tested with static analysis.

    Smart Contract Review

    A hands-on review of smart contracts looking for vulnerabilities to known attacks such as race conditions (reentrancy in particular), transaction-ordering dependence, timestamp dependence, and DoS. Additionally, recommendations on improvements or best practices may be reported when necessary.

    System Architecture Review

    A hands-on review of system architecture and technical documentation, including network segmentation, platform structure, OS configuration and hardening, and adherence to best practices.

    Vulnerability Assessment

    An external network vulnerability assessment is conducted on all external-facing hosts. This assessment identifies OS- or network-level vulnerabilities caused by improper patching or configuration of server resources.

    Reporting

    Self-Attestation Report

    A streamlined report covering all areas in the business process assessment. It includes information on business identity, fraud prevention controls, and a maturity rating for all business, technical, and information security processes. Maturity ratings are used to calculate an overall risk rating for each business process area.

    Detail Validated Audit Report

    A detailed report that extends the Self-Attestation Report. It is available only to Gold and Platinum customers and includes detailed descriptions of testing procedures and the results of technical architecture reviews, vulnerability assessments, secure source code reviews, and smart contract reviews.

    Online Compliance Certificate

    An online compliance certificate/report that provides high level details on the state of the assessment, business identity, overall process maturity, and risk assessment.

    Compliance Reporting Widget

    A JavaScript-based tag that can be placed on the ICO company's profile page and on the company's website. It returns the status of the assessment as well as which areas were evaluated. Because the tag executes in the context of your site, treat it like any other third-party script: pin it with Subresource Integrity and allow it explicitly in your Content Security Policy, so that a modified script cannot be used to alter the page, for example to swap the contribution address.

    Advisory Services

    Security & Compliance Support

    Gold and Platinum companies wishing to have a favorable and comprehensive Practical Assurance report have the option to conduct a pre-assessment. This allows the ICO company to ensure that the actual assessment runs smoothly. Areas of improvement are known immediately after the pre-assessment, giving the company the ability to respond to and fix any outstanding issues before the assessment takes place.

    Remediation Assistance

    Gold and Platinum companies receive remediation assistance from Practical Assurance. This includes sample policies and procedures, templates, and recommendations on how to address business and technical risks related to blockchain technologies.