ISACA Journal Author Blog


Twelve IoT Controls

Marcin Jekot, CISSO, ISO 27001 LA, SSP, and Yiannis Pavlosoglou, Ph.D., CISSP
Published: 12/28/2017 8:43 AM | Category: Audit-Assurance

Not too far in the future, Internet of Things (IoT) devices will carry a white-goods-equivalent rating scale, similar to washing machines and refrigerators. Instead of being rated on energy usage, manufacturers will be rated on the number and type of security controls they have implemented in their devices. We wrote our recent Journal article to provide a simple way to audit IoT devices based on their environment of use. The article identifies 12 simple IoT controls that almost no manufacturer completely implements today. Hopefully, this method will serve as the motivation to start the journey toward standardization of IoT controls.

We selected the number 12 to avoid discussions of “security theater” and to focus instead on a dozen critical security controls that matter in IoT. Expecting this number to be criticized, we built our audit methodology with the intention of using the audit output as a method for the security classification of IoT devices. The 12 controls were selected in an effort to make them comprehensible for everyone, including the consumers of IoT devices.

Furthermore, we tried to build on existing standards so as not to reinvent the wheel. To turn one large technical problem into smaller, environment-of-use-specific problems, we mapped the layers of Transmission Control Protocol/Internet Protocol (TCP/IP) onto the US National Institute of Standards and Technology (NIST) pyramid of organizational, business process, and IT system tiers. This allowed us to see which control fits where, and for what reason. It also helped identify overlap and reduce the total number of controls to just 12.

Finally, manufacturers seeking an independent, objective assessment of their products could use this method. The same 12 controls can also be applied in a corporate environment: by certifying IoT devices against these controls, you can assess which data classes a device may process and which business activities it can support.

Read Marcin Jekot and Yiannis Pavlosoglou’s recent Journal article:
“An IoT Control Audit Methodology,” ISACA Journal, volume 6, 2017.
