IoTSF announces major update to security compliance framework
The IoT Security Foundation (IoTSF) has announced Release 2 of its IoT Security Compliance Framework, following user feedback on the previous release. A significant enhancement is a move to a risk-based approach that gives the framework more flexibility and greater applicability beyond earlier versions, which were aimed at consumer-grade products.
The new and improved framework is a practical tool for managers and developers who need to ensure security, and could also be used as part of the purchasing function. There are three escalating modes for IoT producers: as an internal assessment reference; as a checklist to self-certify against; or for a third-party conformity assessment body, potentially as part of an accredited certification scheme. The structured process of questioning and evidence-gathering encourages optimal security mechanisms and practices to be implemented regardless of target application. Existing users of the framework will be able to adopt the new release seamlessly as it is backward compatible.
“There are lots of freely available descriptive white papers on IoT security, yet what that means for businesses is often unclear,” said Richard Marshall, Plenary Chair of IoTSF. “Working with our members, which include security experts and product engineers, the IoTSF Compliance Framework brings system and business facets together to provide a complete view of security. A major improvement in this release is the move to a risk-based approach, meaning the framework is as applicable to medical and industrial applications, as it is to the original consumer market. It is not only freely available, it is highly applicable and fully actionable.”
Alongside the framework is a companion questionnaire, which is used to record evidence of conformity. Each tab in the questionnaire corresponds to sections in the framework, where supporting evidence is referenced. A revised version of the questionnaire accompanies Release 2 and includes a simple tool to configure the strength of the three security goals of confidentiality, integrity and availability, which collectively determine the compliance class.
“We’ve received a lot of positive feedback from existing users of the framework, and the great news today is that we’ve just made it a whole lot better,” added John Moor, IoTSF Managing Director. “We’re calling on business and industry to ‘make it safe to connect’ — make use of the framework and our guidance materials and get on the front foot when it comes to security. We’re specifically inviting test labs and the test community to make use of the framework to provide manufacturers with a common reference for third-party certification.”
The IoT Security Compliance Framework Revision 2 and the questionnaire are free to download here.