Version: 4.0

2.4.3 Business Process

This section's intended audience is those personnel who are responsible for governance of a business developing and deploying IoT Devices. There must be named executive(s) responsible for product security and for the privacy of customer information. There are several classes of requirements, each identified by a keyword. Each class should be allocated to a specified person or persons for the product being assessed. Further guidance is available from the IoTSF Best Practice Guidelines (IOTSF.SD-BPG). The applicability of each requirement is defined as Advisory or Mandatory for the assessed risk level of any device; the default is Advisory.

| Req No | Requirement | Primary Keyword | Secondary Keyword | Compliance Class and Applicability |
|---|---|---|---|---|
| 2.4.3.1 | There is a person or role, accountable to the Board, who takes ownership of and is responsible for product, service and business level security, and mandates and monitors the security policy. | business | responsibility | Mandatory for all classes |
| 2.4.3.2 | There is a person or role who takes ownership for adherence to this assurance framework process. | business | responsibility | Mandatory for all classes |
| 2.4.3.3 | Intentionally left blank to maintain requirement numbering | - | - | - |
| 2.4.3.4 | The company follows industry standard cyber security recommendations. | business | policy | Mandatory for all classes |
| 2.4.3.5 | A policy has been established for interacting with both internal and third party security researcher(s) on the products or services. | business | policy | Mandatory for all classes |
| 2.4.3.5.1 | The third party policy shall be publicly available and include contact information for reporting issues and information on timelines to acknowledge and provide status updates. | business | policy | Mandatory for all classes |
| 2.4.3.6 | A policy has been established for addressing risks that could impact security and affect or involve technology or components incorporated into the product or service provided. At a minimum this should include a threat model, risk analysis and security requirements for the product and its supply chain through its whole stated supported life. This should be maintained, communicated, prioritised and addressed internally as part of product development throughout the product support period. | business | policy | Mandatory for Class 2 and above |
| 2.4.3.7 | Processes and plans are in place based upon the IoTSF "Vulnerability Disclosure Guidelines" [IOTSF.VDISC-BPG]¹, or a similar recognised process, to deal with the identification of a security vulnerability or compromise when they occur. | business | policy | Mandatory for all classes |
| 2.4.3.8 | A process is in place for consistent briefing of senior executives in the event of the identification of a vulnerability or a security breach, especially those executives who may deal with the media or make public announcements. | business | process | Mandatory for all classes |
| 2.4.3.9 | There is a secure notification process based upon the IoTSF "Vulnerability Disclosure Guidelines" [IOTSF.VDISC-BPG]¹, ISO/IEC 29147 [ISO.IEC.29147]², or a similar recognised process, for notifying partners/users of any security updates, and what vulnerability is addressed by the update. | business | process | Mandatory for all classes |
| 2.4.3.9.1 | There is a minimum support period during which security updates will be made available to all stakeholders. | business | process | Mandatory for all classes |
| 2.4.3.10 | A security threat and risk assessment of the entire system shall have been carried out using a standard methodology appropriate to IoT products and services, to determine the risks and evolving threats before a design is started. | business | process | Mandatory for Class 1 and above |
| 2.4.3.11 | As part of the Security Policy, include a specific contact and web page for Vulnerability Disclosure reporting. | business | policy | Mandatory for all classes |
| 2.4.3.12 | As part of the Security Policy, provide a dedicated security email address and/or secure online page for Vulnerability Disclosure communications. | business | policy | Mandatory for all classes |
| 2.4.3.13 | As part of the Security Policy, develop a conflict resolution process for Vulnerability Disclosures. | business | process | Mandatory for all classes |
| 2.4.3.14 | As part of the Security Policy, publish the organisation's conflict resolution process for Vulnerability Disclosures. | business | process | Mandatory for Class 1 and above |
| 2.4.3.15 | Intentionally left blank to maintain requirement numbering | business | - | - |
| 2.4.3.16 | As part of the Security Policy, develop security advisory notification steps. | business | process | Mandatory for all classes |
| 2.4.3.17 | The Security Policy shall be compliant with ISO/IEC 30111 [ISO.IEC.30111]³ or a similar standard. | business | policy | Mandatory for Class 3 and above |
| 2.4.3.18 | Where a device may be used in real-time or high-availability systems, a procedure must be defined for notifying operators of connected components and system management of impending downtime for updates. In such real-time or high-availability systems the end user should be able to decide whether to automatically install updates or to choose to manually install an update at a time of their choosing (or to ignore an update). | business | process | Mandatory for Class 2 and above |
| 2.4.3.19 | Whilst overall accountability for the product or service remains with the person in 2.4.3.1, responsibility can be delegated for each domain involved in any system or device update process, e.g. new binary code to add features or correct vulnerabilities. | business | responsibility | Mandatory for Class 2 and above |
| 2.4.3.20 | Responsibility is allocated for control, logging and auditing of the update process. | business | process | Mandatory for Class 2 and above |
| 2.4.3.21 | There is a point of contact for third party suppliers and open source communities to raise security issues. | business | process | Mandatory for Class 1 and above |
| 2.4.3.22 | Where remote update is supported, there is an established process/plan for validating "updates" and updating devices on an on-going or remedial basis. | business | process | Mandatory for Class 2 and above |
| 2.4.3.22.1 | Users must have the ability to disable updating. | business | process | Mandatory for Class 1 and above |
| 2.4.3.23 | The security update policy for devices with a constrained power source shall be assessed to balance the needs of maintaining the integrity and availability of the device. | business | policy | Mandatory for Class 2 and above |
| 2.4.3.24 | There is a named owner responsible for assessing third party (including open-sourced) supplied components (hardware and software) used in the product. | business | responsibility | Mandatory for Class 2 and above |
| 2.4.3.25 | Where a remote software upgrade can be supported by the device, there should be a transparent and auditable policy with a schedule of actions of an appropriate priority, to fix any vulnerabilities in a timely manner. | business | policy | Mandatory for Class 2 and above |
| 2.4.3.26 | As part of the security policy, define a process for maintaining a central inventory of third party components and services, and their suppliers, for each product. | business | policy | Mandatory for all classes |
| 2.4.3.27 | As part of the security policy, define how security requirements on third party components and services (including open-source) will be established and assessed. | business | policy | Mandatory for all classes |
| 2.4.3.28 | As part of the procurement policy, a supplier should be awarded a higher score where they demonstrate that they implement secure design in accordance with industry implementation standards or guidelines. | business | policy | Mandatory for all classes |
| 2.4.3.29 | The organisation retains an enduring competency to revisit and act upon such information during product upgrades or in the event of a potential vulnerability being identified. (Key security design information and risk analysis is retained over the whole lifecycle of the product or service.) | business | process | Mandatory for all classes |

Footnotes

  1. IoTSF "Vulnerability Disclosure Best Practice Guidelines", Release 2.0, September 2021. https://iotsecurityfoundation.org/wp-content/uploads/2021/09/IoTSF-Vulnerability-Disclosure-Best-Practice-Guidelines-Release-2.0.pdf.

  2. ISO/IEC 29147:2018 "Information technology — Security techniques — Vulnerability disclosure". https://www.iso.org/standard/72311.html.

  3. ISO/IEC 30111:2019 "Information technology — Security techniques — Vulnerability handling processes". https://www.iso.org/standard/69725.html.