Extending the IIC IoT Security Maturity Model to Trustworthiness
WHAT IS THE IIC IOT SECURITY MATURITY MODEL?
OVERVIEW
Business investment requires decisions that include tradeoffs based on delivering functionality, addressing risks, ensuring business continuity, and managing costs and reputation. Addressing risks appropriately by investing in controls and organizational changes can be difficult when faced with a sea of choices and possibilities, especially when considering all the aspects of trustworthiness, including safety, security, reliability, resilience and privacy. The Industrial Internet Consortium (IIC) has developed an IoT Security Maturity Model [1] that provides an approach to address risk. This approach initially covers only security issues. This article suggests how this model can be extended and used to consider all the aspects of trustworthiness, enabling organizations to assess their current position with regard to the trustworthiness aspects of safety, security, reliability, resilience and privacy against where they need to be, and to make appropriate investments, taking into account tradeoffs and required investments.
Security maturity is the degree of confidence that the current security state meets all organizational needs and security-related requirements. The security maturity level is a measure of the understanding of the current security level, its necessity, its benefits and the cost of supporting it. Deciding where to focus limited security resources is a challenge for most organizations, given the complexity of a constantly changing security landscape. The IoT Security Maturity Model provides a path for Internet of Things (IoT) providers to know where they need to be and how to invest in security mechanisms that meet their requirements without over-investing.
The IoT Security Maturity Model provides a conceptual framework to help organizations consider the myriad of options and make an informed decision to select and implement appropriate security controls. The framework helps an organization decide what its security maturity target state should be and what its current state is. Repeatedly comparing the target and current states identifies where further improvement can be made.
The intent of this article is to raise awareness of the approach, encourage discussion and suggest next steps to raise the bar of trustworthiness in applications by enabling the use of the IoT Security Maturity Model for trustworthiness.
The IoT Security Maturity Model allows organizations to determine the priorities that drive security enhancements and the maturity required to achieve differing needs and different strengths of protection mechanisms.
Purpose & Benefits
To drive proper investment and avoid simply
applying technologies to a problem, the IoT
[1] IoT Security Maturity Model: Description and Intended Use, IIC:PUB:IN15:V1.0:PB:20180409IoT, http://www.iiconsortium.org/pdf/SMMSecurity Maturity Model_Description_and_Intended_Use_2018-04-09.pdf
September 2018