ISACA Now Blog


Validating IoT

Ed Moyle, Director, Thought Leadership and Research, ISACA
Posted at 6:17 PM by ISACA News | Category: Security

Most practitioners by now are familiar with the concept of the “Internet of Things” (IoT). As it has become more practical and economical to build computing, network and storage elements into everyday artifacts and objects, devices with these elements built in have proliferated. An unintended byproduct of this trend has been the steady incorporation of these devices into the corporate environment.

This incorporation can happen directly, as organizations embrace these devices to better foster business outcomes; for example, an agriculture-based business (such as a vineyard) might deploy environmental sensors to monitor humidity, temperature and other growing conditions. It can also happen indirectly and “under the radar” – for example, a smart television in a conference room or a network-connected fire alarm or thermostat.

Whether inadvertent or deliberate, incorporation of these technologies into the business landscape has an impact on the risk equation. Some organizations are leveraging these devices to gain competitive advantage. Others are discovering that these technologies can represent a source of potential risk under the wrong circumstances.

As with any technology, use of IoT (intentional or otherwise) brings both potential risk and potential business value. The equation is complex, though: businesses can gain value from adoption (enabling competitiveness), adoption carries risk, and there is also a risk in not adopting – for example, should an organization’s competitors gain advantages through their own adoption.

The need for evaluation
From an organizational point of view, then, these complicated risk dynamics increase the importance of systematic validation of the devices, including a risk-aware examination of both the potential risks and the potential business value. This is, of course, part and parcel of a workmanlike and systematic approach to risk management; however, it becomes increasingly important when the technologies being considered are ones that can easily be adopted “under the radar,” without full visibility by assurance and security personnel.

To help practitioners fully and systematically unpack and evaluate these risk elements, ISACA has released Assessing IoT: IoT Upsides, Downsides and Why We Should Care About Them. This publication examines the rise of IoT: its use, how it can assist businesses, the risk areas that can arise, the privacy issues that might arise from usage, and the need for evaluation and validation of IoT by those with a stake in organizational risk and value.

The upshot is that organizations absolutely need to evaluate these devices as systematically as they would evaluate any other technology that supports the business. It is important to recognize that this is not always the “default state” for organizations when usage grows organically: unless there is an active effort – and an internal champion – to ensure this type of analysis is performed, it is not a given that it will occur. This is particularly true in light of shadow adoption and/or direct adoption within business teams.

The document itself provides an objective viewpoint, highlighting risk scenarios that organizations may encounter. There are, of course, almost as many ways to perform risk management as there are organizations; however, a systematic approach to evaluating that risk, including a candid and objective discussion of potential risks, value and competitive impact, is warranted and critical.


About IoT

The newer technologies are definitely raising the bar in terms of higher risks to be managed by organizations. The ISACA publication is a way forward in terms of an organization's preparedness to manage risk.
Atul10 at 12/28/2017 3:14 AM

ISO 27034 and IOT

I am currently working on the ISO 27034 standard, and we were approached by ISO SC 41 (IoT) to discuss its applicability to IoT devices and applications. I am particularly interested in how distributed ledger technology, ML and the ISO 27034 framework could be used together to develop an auditable and certifiable system to a) determine a device's security profile based on the health of its security controls as documented in its ledger AND b) do a risk-based analysis and approval of autonomous transactions between those devices. The individual pieces already exist; we just need to create agreement between ISO member countries on the certification and approval schemes as per ISO standards or Common Criteria. Have you looked into ISO 27034?
Michael Thiessmeier at 1/2/2018 3:49 PM