Building a Framework for IoT Security Compliance

The IoT Security Foundation describes itself as a “vendor-neutral, international initiative aspiring to be the expert resource for sharing knowledge, best practices and advice.” Those resources include a set of best practice guides, one of which is the “IoT Security Compliance Framework.” The first version of the framework covers consumer products and markets; future iterations are planned to cover other categories, such as medical, automotive and critical infrastructure.

“The IoT is the next evolutionary wave of the internet and, with dwindling costs of technology and low barriers to entry, new products are flooding the market,” declared John Moor, managing director of the IoT Security Foundation. The internet of things now extends to all kinds of wearables, as well as connected appliances and smart toys.

The toy category has already raised data privacy concerns, but every business has to think about privacy when designing anything that connects to the internet. What is first hailed as “the ‘internet of treats,’” Moor explains, can easily develop into “the ‘internet of threats’ if these new products do not have sufficient security capabilities.”

The question, then, is what counts as sufficient security. That is the question the framework seeks to answer with a checklist for users. It lists a range of product categories and defines the recommended compliance class for each one, depending on the potential loss that a compromise of the product could cause.

The compliance classes range from class 0, for products where a breach would have “little discernible impact,” to class 4, for breaches of sensitive data that have “the potential to affect critical infrastructure or cause personal injury.”

Levels of Integrity, Availability and Confidentiality

For each compliance class, the framework sets out the corresponding levels of integrity, availability and confidentiality required. For example, class 0 requires only basic levels of all three, while class 4 calls for high levels of all three.

The classes in between mix the levels: class 1 pairs medium integrity and availability with only a basic level of confidentiality, while class 3 pairs medium integrity with high availability and high confidentiality.

The framework also distinguishes between “mandatory” requirements, considered “vital to secure the product category” and binding for anything in class 2 or above, and “advisory” requirements, from which a vendor may deviate if “there are sound product reasons.” However, the advisory label is not to be taken as carte blanche for applying one’s own discretion.

The framework stipulates that any decision to opt out of an advisory requirement must be documented, along with its justification. Businesses that comply with the guidelines set forth in the framework may download and display badges from the organization as a sign of their self-certified status, which they will likely have to renew as new iterations of the framework are released.

Pamela Gupta, president of Outsecure and chair of the self-certification working group, explained that the “IoT is very broad and its security is not only context-dependent, it is also evolving on a daily basis. Given the immediate requirement and future objectives of the self-certification scheme, we concluded that we needed to establish a risk-based framework, which could then be built upon and updated to address emerging risks and requirements.”


Ariella Brown
