
2.4.3 Business Processes

This section's intended audience is those personnel responsible for governance of a business that develops and deploys IoT devices. There must be named executive(s) responsible for product security and for the privacy of customer information. The requirements fall into several classes, each identified by a keyword; each class should be allocated to a specified person or persons for the product being assessed. Further guidance is available from the IoTSF Best Practice Guidelines [ref 44] [1]. The applicability of each requirement is defined as Advisory or Mandatory for the assessed risk level of any device; the default is Advisory.

| Req No | Requirement | Compliance Class and Applicability | Primary Keyword | Secondary Keyword |
|---|---|---|---|---|
| 2.4.3.1 | There is a person or role, accountable to the Board, who takes ownership of and is responsible for product, service and business level security, and who mandates and monitors the security policy. | Mandatory for all classes | Business | Responsibility |
| 2.4.3.2 | There is a person or role who takes ownership of adherence to this compliance framework process. | Mandatory for all classes | Business | Responsibility |
| 2.4.3.3 | Intentionally left blank to maintain requirement numbering. | - | - | - |
| 2.4.3.4 | The company follows industry standard cyber security recommendations. | Mandatory for all classes | Business | Policy |
| 2.4.3.5 | A policy has been established for interacting with both internal and third party security researcher(s) on the products or services. | Mandatory for all classes | Business | Policy |
| 2.4.3.5.1 | The third party policy shall be publicly available and include contact information for reporting issues and information on timelines to acknowledge and provide status updates. | Mandatory for all classes | Business | Policy |
| 2.4.3.6 | A policy has been established for addressing risks that could impact security and affect or involve technology or components incorporated into the product or service provided. At a minimum this should include a threat model, risk analysis and security requirements for the product and its supply chain through its whole stated supported life. This should be maintained, communicated, prioritised and addressed internally as part of product development throughout the product support period. | Mandatory for Class 2 and above | Business | Policy |
| 2.4.3.7 | Processes and plans are in place, based upon the IoTSF "Vulnerability Disclosure Guidelines" [ref 19] [2] or a similar recognised process, to deal with the identification of a security vulnerability or compromise when it occurs. | Mandatory for all classes | Business | Process |
| 2.4.3.8 | A process is in place for consistent briefing of senior executives in the event of the identification of a vulnerability or a security breach, especially those executives who may deal with the media or make public announcements. | Mandatory for all classes | Business | Process |
| 2.4.3.9 | There is a secure notification process, based upon the IoTSF "Vulnerability Disclosure Guidelines" [ref 19] [2], ISO/IEC 29147, or a similar recognised process, for notifying partners/users of any security updates and of which vulnerability is addressed by each update. | Mandatory for all classes | Business | Process |
| 2.4.3.9.1 | There is a minimum support period during which security updates will be made available to all stakeholders. | Mandatory for all classes | Business | Process |
| 2.4.3.10 | A security threat and risk assessment shall have been carried out, using a standard methodology appropriate to IoT products and services, to determine the risks and evolving threats before a design is started; this should cover the entire system being assessed. | Mandatory for Class 1 and above | Business | Process |
| 2.4.3.11 | As part of the Security Policy, include a specific contact and web page for Vulnerability Disclosure reporting. | Mandatory for all classes | Business | Policy |
| 2.4.3.12 | As part of the Security Policy, provide a dedicated security email address and/or secure online page for Vulnerability Disclosure communications. | Mandatory for all classes | Business | Policy |
| 2.4.3.13 | As part of the Security Policy, develop a conflict resolution process for Vulnerability Disclosures. | Mandatory for all classes | Business | Process |
| 2.4.3.14 | As part of the Security Policy, publish the organisation's conflict resolution process for Vulnerability Disclosures. | Mandatory for Class 1 and above | Business | Process |
| 2.4.3.16 | As part of the Security Policy, develop security advisory notification steps. | Mandatory for all classes | Business | Process |
| 2.4.3.17 | The Security Policy shall be compliant with ISO/IEC 30111 or a similar standard. | Mandatory for Class 3 and above | Business | Policy |
| 2.4.3.18 | Where a device may be used in real-time or high-availability systems, a procedure must be defined for notifying operators of connected components and system management of impending downtime for updates. In such real-time or high-availability systems the end user should be able to decide whether to install updates automatically or to install an update manually at a time of their choosing (or to ignore an update). | Mandatory for Class 2 and above | Business | Process |
| 2.4.3.19 | Whilst overall accountability for the product or service remains with the person in 2.4.3.1, responsibility can be delegated for each domain involved in any system or device update process, e.g. new binary code to add features or correct vulnerabilities. | Mandatory for Class 2 and above | Business | Responsibility |
| 2.4.3.20 | Responsibility is allocated for control, logging and auditing of the update process. | Mandatory for Class 2 and above | Business | Process |
| 2.4.3.21 | There is a point of contact for third party suppliers and open source communities to raise security issues. | Mandatory for Class 1 and above | Business | Process |
| 2.4.3.22 | Where remote update is supported, there is an established process/plan for validating updates and updating devices on an on-going or remedial basis. | Mandatory for Class 2 and above | Business | Process |
| 2.4.3.22.1 | Users must have the ability to disable updating. | Mandatory for Class 1 and above | Business | Process |
| 2.4.3.23 | The security update policy for devices with a constrained power source shall be assessed to balance the needs of maintaining the integrity and availability of the device. | Mandatory for Class 2 and above | Business | Policy |
| 2.4.3.24 | There is a named owner responsible for assessing third party (including open-source) supplied components (hardware and software) used in the product. | Mandatory for Class 2 and above | Business | Responsibility |
| 2.4.3.25 | Where a remote software upgrade can be supported by the device, there should be a transparent and auditable policy, with a schedule of actions of an appropriate priority, to fix any vulnerabilities in a timely manner. | Mandatory for Class 2 and above | Business | Policy |
| 2.4.3.26 | As part of the security policy, define a process for maintaining a central inventory of third party components and services, and their suppliers, for each product. | Mandatory for all classes | Business | Policy |
| 2.4.3.27 | As part of the security policy, define how security requirements on third party components and services (including open-source) will be established and assessed. | Mandatory for all classes | Business | Policy |
| 2.4.3.28 | As part of the procurement policy, a supplier should be awarded a higher score where they demonstrate that they implement secure design in accordance with industry implementation standards or guidelines. | Mandatory for all classes | Business | Policy |
| 2.4.3.29 | The organisation retains an enduring competency to revisit and act upon such information during product upgrades or in the event of a potential vulnerability being identified (key security design information and risk analysis is retained over the whole lifecycle of the product or service). | Mandatory for all classes | Business | Process |

Footnotes

  1. Enhanced Privacy standard for Anonymous Signatures, ISO/IEC 20008 [https://www.iso.org/standard/57018.html]

  2. IoTSF Vulnerability Disclosure Guidelines can be found at [https://iotsecurityfoundation.org/best-practice-guidelines]