2.4.3 Business Processes
This section's intended audience is those personnel who are responsible for governance of a business developing and deploying IoT Devices. There must be named executive(s) responsible for product security and for the privacy of customer information. There are several classes of requirements, each identified by a keyword. Each class should be allocated to a specified person or persons for the product being assessed. Further guidance is available from the IoTSF Best Practice Guidelines [ref 44]¹. The applicability of each requirement is defined as Advisory or Mandatory for the assessed risk level of any device; the default is Advisory.
Req No | Requirement | Compliance Class And Applicability | Primary Keyword | Secondary Keyword |
---|---|---|---|---|
2.4.3.1 | There is a person or role, accountable to the Board, who takes ownership of and is responsible for product, service and business level security, and mandates and monitors the security policy. | Mandatory for all classes | Business | Responsibility |
2.4.3.2 | There is a person or role, who takes ownership for adherence to this compliance framework process. | Mandatory for all classes | Business | Responsibility |
2.4.3.3 | Intentionally left blank to maintain requirement numbering | - | - | - |
2.4.3.4 | The company follows industry standard cyber security recommendations. | Mandatory for all classes | Business | Policy |
2.4.3.5 | A policy has been established for interacting with both internal and third party security researcher(s) on the products or services. | Mandatory for all classes | Business | Policy |
2.4.3.5.1 | The third party policy shall be publicly available and include contact information for reporting issues and information on timelines to acknowledge and provide status updates. | Mandatory for all classes | Business | Policy |
2.4.3.6 | A policy has been established for addressing risks that could impact security and affect or involve technology or components incorporated into the product or service provided. At a minimum this should include a threat model, risk analysis and security requirements for the product and its supply chain through its whole stated supported life. This should be maintained, communicated, prioritised and addressed internally as part of product development throughout the product support period. | Mandatory for Class 2 and above | Business | Policy |
2.4.3.7 | Processes and plans are in place, based upon the IoTSF “Vulnerability Disclosure Guidelines” [ref 19]² or a similar recognised process, to deal with the identification of a security vulnerability or compromise when they occur. | Mandatory for all classes | Business | Process |
2.4.3.8 | A process is in place for consistent briefing of senior executives in the event of the identification of a vulnerability or a security breach, especially those executives who may deal with the media or make public announcements. | Mandatory for all classes | Business | Process |
2.4.3.9 | There is a secure notification process, based upon the IoTSF “Vulnerability Disclosure Guidelines” [ref 19]², ISO/IEC 29147, or a similar recognised process, for notifying partners/users of any security updates and of which vulnerability is addressed by the update. | Mandatory for all classes | Business | Process |
2.4.3.9.1 | There is a minimum support period during which security updates will be made available to all stakeholders. | Mandatory for all classes | Business | Process |
2.4.3.10 | A security threat and risk assessment shall have been carried out using a standard methodology appropriate to IoT products and services, to determine the risks and evolving threats before a design is started; this should cover the entire system being assessed. | Mandatory for Class 1 and above | Business | Process |
2.4.3.11 | As part of the Security Policy, include a specific contact and web page for Vulnerability Disclosure reporting. | Mandatory for all classes | Business | Policy |
2.4.3.12 | As part of the Security Policy, provide a dedicated security email address and/or secure online page for Vulnerability Disclosure communications. | Mandatory for all classes | Business | Policy |
2.4.3.13 | As part of the Security Policy, develop a conflict resolution process for Vulnerability Disclosures. | Mandatory for all classes | Business | Process |
2.4.3.14 | As part of the Security Policy, publish the organisation’s conflict resolution process for Vulnerability Disclosures. | Mandatory for Class 1 and above | Business | Process |
2.4.3.16 | As part of the Security Policy, develop security advisory notification steps. | Mandatory for all classes | Business | Process |
2.4.3.17 | The Security Policy shall be compliant with ISO 30111 or similar standard. | Mandatory for Class 3 and above | Business | Policy |
2.4.3.18 | Where a device may be used in real-time or high-availability systems, a procedure must be defined for notifying operators of connected components and system management of impending downtime for updates. In such real-time or high-availability systems the end user should be able to decide whether to automatically install updates or to choose to manually install an update at a time of their choosing (or to ignore an update). | Mandatory for Class 2 and above | Business | Process |
2.4.3.19 | Whilst overall accountability for the product or service remains with the person in 2.4.3.1, responsibility can be delegated for each domain involved in any system or device update process, e.g. new binary code to add features or correct vulnerabilities. | Mandatory for Class 2 and above | Business | Responsibility |
2.4.3.20 | Responsibility is allocated for control, logging and auditing of the update process. | Mandatory for Class 2 and above | Business | Process |
2.4.3.21 | There is a point of contact for third party suppliers and open source communities to raise security issues. | Mandatory for Class 1 and above | Business | Process |
2.4.3.22 | Where remote update is supported, there is an established process/plan for validating "updates" and updating devices on an on-going or remedial basis. | Mandatory for Class 2 and above | Business | Process |
2.4.3.22.1 | Users must have the ability to disable updating. | Mandatory for Class 1 and above | Business | Process |
2.4.3.23 | The security update policy for devices with a constrained power source shall be assessed to balance the needs of maintaining the integrity and availability of the device. | Mandatory for Class 2 and above | Business | Policy |
2.4.3.24 | There is a named owner responsible for assessing third party (including open-sourced) supplied components (hardware and software) used in the product. | Mandatory for Class 2 and above | Business | Responsibility |
2.4.3.25 | Where a remote software upgrade can be supported by the device, there should be a transparent and auditable policy with a schedule of actions of an appropriate priority, to fix any vulnerabilities in a timely manner. | Mandatory for Class 2 and above | Business | Policy |
2.4.3.26 | As part of the security policy, define a process for maintaining a central inventory of third party components and services, and their suppliers, for each product. | Mandatory for all classes | Business | Policy |
2.4.3.27 | As part of the security policy, define how security requirements on third party components and services (including open-source) will be established and assessed. | Mandatory for all classes | Business | Policy |
2.4.3.28 | As part of the procurement policy, a supplier should be awarded a higher score where they demonstrate that they implement secure design in accordance with industry implementation standards or guidelines. | Mandatory for all classes | Business | Policy |
2.4.3.29 | The organisation retains an enduring competency to revisit and act upon such information during product upgrades or in the event of a potential vulnerability being identified. (Key security design information and risk analysis is retained over the whole lifecycle of the product or service.) | Mandatory for all classes | Business | Process |
Footnotes
1. Enhanced Privacy standard for Anonymous Signatures ISO/IEC 20008 [https://www.iso.org/standard/57018.html]
2. IoTSF Vulnerability Disclosure Guidelines can be found at [https://iotsecurityfoundation.org/best-practice-guidelines]