IIC Journal of Innovation 9th Edition | Page 110

Extending the IIC IoT Security Maturity Model to Trustworthiness
implemented, organizations can conduct another assessment to determine the new maturity state. The stakeholders work together to repeat this cycle according to the available resources and timeline set by the established roadmap and ensure that the appropriate security target is always maintained in an ever-changing threat landscape.
Establishing a target maturity level, while taking into account industry- and system-specific considerations, facilitates generation of security profiles. These profiles capture target security maturity states of systems and can act as templates for evaluating the security maturity of a specific area of use, common use case or system of interest.
Extensibility
The IoT Security Maturity Model is specifically designed to be extensible across a wide array of industries and systems. The initial model addresses the general scope, which covers common security maturity best practices across industry. There is an opportunity to add industry-specific and system-specific scope to any or all of the practices.
The IIC will be collaborating with a wide range of industry groups to encourage development of profiles, practice[5] tables that go beyond the general scope and include industry- and/or system-specific requirements for different comprehensiveness levels. For example, a retail group may create profiles of some or all practices that include best practices and regulatory requirements specific to the retail industry; they may also create system-specific profiles for commonly used devices such as card readers or security cameras. A health care profile may include specific guidance related to the Health Insurance Portability and Accountability Act (HIPAA), while a system-specific profile could address considerations for, say, US Food and Drug Administration (FDA) pre- and post-market guidance for implanted medical devices.
Note that industry and system profiles need not be created for every practice in the model. An industry may decide that the general scope is sufficient for most of the governance-related practices but that a few of the enablement practices necessitate an industry-level point of view. In that case, it may produce industry profiles for only a handful of practices and deem that sufficient for its requirements.
APPLYING THE IOT SECURITY MATURITY MODEL TO TRUSTWORTHINESS
The IIC defines trustworthiness as the "degree of confidence one has that the system performs as expected with characteristics including safety, security, privacy, reliability and resilience in the face of environmental disturbances, human
[5] In terms of the IoT Security Maturity Model, security practices define the typical activities associated with the means of achieving the security priorities identified at the planning level.
September 2018 - 105 -