IIC Journal of Innovation 9th Edition | Page 107

Extending the IIC IoT Security Maturity Model to Trustworthiness
Security Maturity Model allows for both organizational and technological considerations. It allows organizations to answer critical questions, including their current maturity level, given their requirements and threat landscape, what their target should be, and what they need to do to move to a higher maturity target state.
Use of the model fosters effective and productive collaboration among stakeholders. Business stakeholders, such as decision makers, business risk managers and owners of IoT systems, who are concerned about the proper strategy for implementing mature security practices, can collaborate with the analysts, architects, developers, system integrators and other stakeholders who are responsible for the technical implementation.
Maturity is about effectiveness, not the arbitrary use of mechanisms. The IoT Security Maturity Model helps by aligning the comprehensiveness and scope of understanding of trustworthiness with the investment in appropriate practices.
Difference from Related Work
The IoT Security Maturity Model is the first model of its kind to address a need in the marketplace to assess the maturity of organizations in relation to their IoT systems, including governance, technologies, and how to manage them. Analysts have noted that the IoT Security Maturity Model is being produced at the right time to address the need and gap in the market.² Other existing models may address part of what the model addresses, such as a particular vertical industry, or IoT but not security, or security but not IoT. The IoT Security Maturity Model covers all the related aspects and points to parts of existing models, where appropriate, to recognize existing work and avoid duplication.
Model
The IoT Security Maturity Model is hierarchical and includes Domains, Sub-Domains and Practices.³
This hierarchical approach enables the maturity and gap analysis to be viewed at different levels of detail, from the various domains overall to the individual practices.
Domains, Sub-Domains & Practices
The domains of governance, enablement and hardening determine the priorities of security maturity enhancements at the strategic level. Governance influences and informs every security practice including business processes, legal and operational issues, reputation protection and revenue generation. Enablement uses architectural design to address business risks, and hardening defines countermeasures to deal with specific threats before and after the fact. The subdomains reflect the basic means of obtaining the priorities at the tactical level and practices define typical activities associated with subdomains and identified at the planning level.
2 https://www.iiconsortium.org/press-room/04-09-18.htm
3 https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf