Extending the IIC IoT Security Maturity Model to Trustworthiness
Scope

The scope measurement captures the extent to which the specifics of an application, network or system of interest are taken into account during the implementation of the security practice.

There are three levels of scope for each security practice: General, Industry Specific and System Specific. The General scope is, as its name indicates, the most general; Industry and System scope are progressively narrower and more specific.

Scope reflects the degree of fit to the industry or system needs. This captures the degree of customization of the security measures that support security maturity Domains, Sub-Domains and Practices. Such customizations are typically required to address industry-specific or system-specific constraints of the IoT system.

Process and Usage

We expect most organizations to follow the IoT Security Maturity Model process [4] whereby a maturity target is established first. Once a target has been created or a relevant industry profile identified, organizations would conduct an assessment to capture the current maturity state. The security maturity of the target and current state can be compared to identify gaps and opportunities for improvement. As a result of the comparison of the security maturity target and current security maturity state, business and technical stakeholders can establish a roadmap, take actions, and measure the progress towards the security maturity target. Once enhancements are

Figure 2: IoT Security Maturity Model Process

[4] https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf
IIC Journal of Innovation