Internet of Things Self Assessment
As you answer these questions, think about the ways things could go wrong – it does not need to be anything elaborate. Those are the risks posed to your device and the University: your device is going on the internet. Could it be attacked? Could data be lost? Could someone be hurt? Could the device being damaged harm a grant or other research?
Who owns the device and will maintain it?
The device should have a clear owner who will be updating its software, setting its passwords, and replacing it if it stops working. Do you have a plan for what happens if that owner leaves? Unmanaged devices can be forgotten and pose a risk.
What is the device’s purpose?
The device should have a clear purpose not already fulfilled by a University service or function. If you are installing your own door locks or key card access, consider talking to Facilities or the Department of Safety and Security first.
Consider documenting the following:
- Platform functionality, such as data access, device management, data management, analytics, security.
- Deployment options, including intranet, hybrid, cloud, and edge scenarios.
- Integration with both the systems that generate IoT data and the back-end systems that this data must integrate with.
Documentation can help if you leave for a new position or new members join your lab, team, or unit.
Will the device control any processes or equipment that could harm the life or safety of another individual?
if the answer to this question is yes, complete the rest of your risk assessment and then immediately contact the IT Risk team at firstname.lastname@example.org. Do not deploy your device.
What kind of data will the device process? Is any of it Restricted Information? Is there an IRB protocol or other agreement governing the data this device gathers? See the University’s Data Classification Guideline for more about what constitutes Restricted Information.
if your device isn’t handling any sensitive data, it poses substantially less risk if it’s broken into by a hacker or taken offline. If it does process Restricted Information, don’t worry, IT Services can help place the device in the proper location on the network for you so it’s not publicly accessible and adequately protected. Err on the side of caution if you are uncertain – contact the IT Risk team at email@example.com or by calling the Information Security team at 773-702-2378.
Is the device configured correctly for use?
IoT devices often have default passwords, updates to their software, services they expose to the network that need to be protected, and may not have logging or backup options available. They need to be actively maintained. The device should have strong usernames and passwords configured, different accounts for casual users and administrators, a plan for routine updates, the ability to log any changes or interactions, monitoring to ensure the device is running normally, and a clearly documented configuration process.
IoT devices do not always support robust security features, but if a given device does, consider enabling any of the following:
- Access control: so that data cannot be stolen from the device or the device taken over. Services should be restricted from unauthorized access and the public.
- Updates and patching: so that any discovered security flaws can be fixed in a timely manner.
- Monitoring or logging: so that any unauthorized access, changes, or outages can be noticed and corrected.
Once you have completed your self-assessment, do you feel that:
- The answers are clear, concise, and can be explained to others?
- The management of the device is properly resourced and that the device will be well-supported?
- The device supports the purpose it was purchased for?
- The device has enough security features that it will accomplish its purpose safely?
- Any risks or gaps you identified can be resolved, either by configuring the device or by some other mechanism, like a firewall?
If so, your device is safe to deploy. If you have any concerns you cannot resolve, before deploying your device, consult the IT Risk team for assistance at firstname.lastname@example.org.