The IoT Security Foundation (IoTSF) announces ‘Release 2’ of its IoT Security Compliance Framework following user feedback on the previous release. A significant enhancement is a move to a risk-based approach that gives the framework more flexibility and greater applicability than earlier versions, which were aimed at consumer-grade products.
The new and improved framework is a practical tool for managers and developers who need to assure security; it could also be used as part of the purchasing function. There are three escalating modes for IoT producers: as an internal assessment reference, as a checklist to self-certify against, or for assessment by a third-party conformity assessment body, potentially as part of an accredited certification scheme. The structured process of questioning and evidence gathering encourages optimal security mechanisms and practices to be implemented regardless of target application. Existing users of the framework will be able to adopt the new release seamlessly as it is backward compatible.
“There are lots of freely available descriptive white papers on IoT security, yet what that means for businesses is often unclear,” says Richard Marshall, plenary chair of IoTSF. “Working with our members, which include security experts and product engineers, the IoTSF Compliance Framework brings system and business facets together to provide a complete view of security. A major improvement in this release is the move to a risk based approach, meaning the framework is as applicable to medical and industrial applications, as it is to the original consumer market. It is not only freely available, it is highly applicable and fully actionable.”
Alongside the framework is a companion questionnaire, which is used to record evidence of conformity. Each tab in the questionnaire corresponds to sections in the Framework, where supporting evidence is referenced. A revised version of the questionnaire accompanies Release 2 and includes a simple tool to configure the strength of the three security goals of confidentiality, integrity and availability, which collectively determine the compliance class.
“We’ve received a lot of positive feedback from existing users of the framework, and the great news today is that we’ve just made it a whole lot better,” adds John Moor, IoTSF managing director. “We’re calling on business and industry to ‘make it safe to connect’ – make use of the Framework and our guidance materials and get on the front foot when it comes to security. We’re specifically inviting test labs and the test community to make use of the framework to provide manufacturers with a common reference for third party certification.”
The IoT Security Compliance Framework Revision 2 and the Questionnaire are free to download at: www.iotsecurityfoundation.org/best-practice-guidelines