First Steps: Framework


Time
8 hours 10 minutes
Difficulty
Advanced
CEU/CPE
8
Video Transcription
00:02
Hi, I'm Matthew Clark. And this is module three, secure by design.
00:10
Congratulations. We've completed module two.
00:13
This slide shows our progress towards our certificate of completion.
00:23
Let's begin our new module with Lesson 3.1, First Steps: Framework.
00:32
In this lesson, we'll look at secure by design.
00:35
We will discuss frameworks in general
00:37
and introduce the IoT Foundation framework. So let's get started.
00:43
So what is secure by design?
00:46
A good answer might be that it's building in security capabilities that will cover the lifetime of the device.
00:53
The next question is, well, how do you do that when there are so many different standards out there like ISO and NIST and ENISA?
01:00
And there's a rapidly evolving legal landscape like GDPR and CCPA and the California IoT law.
01:08
And the industry has very specific regulations like HIPAA and FISMA. Um, and all of that we have to consider at the same time the business is continuing to move forward, designing and manufacturing IoT products, and they're not waiting. In fact, no one's waiting
01:26
to stop until everything is perfect before moving forward.
01:30
So what do you do? Well, you could be dramatic like this picture here. Have you ever heard the phrase you can't boil the ocean?
01:38
Well, if you ever really tried to and were successful, which is highly doubtful,
01:45
then all the steam from boiling the ocean would end up covering your vision and you wouldn't be able to see whether you're successful or not.
01:52
And of course, you'd probably end life as we know it as well. But this saying makes more sense when you have to implement something and the train has already left the station. Or maybe better yet, the boat has left the harbor, so to speak.
02:07
You do what you can. You start a little and you plan your activities. But the important thing is that you act.
02:14
The important thing is that when we act, we act with a purpose,
02:19
and frameworks help us to define what to focus on.
02:23
There are many different types of frameworks and standards and requirements out there
02:27
from industry and non-profit organizations and government regulators, and this is really just a short list. You have the CSA IoT Security Controls Framework,
02:38
the UK Code of Practice for Consumer IoT Security,
02:42
the GSMA IoT Security Guidelines
02:45
and various guidelines from NIST and ISO and the IEEE organization.
02:53
So let's introduce the IoT Security Foundation,
02:55
and this information is pulled directly from their about us page.
03:00
They are a non-profit organization which is dedicated to driving secure IoT.
03:06
They're collaborative and vendor neutral
03:08
and member driven,
03:10
and they have an ongoing program that's designed to propagate good security practice, increase adopter knowledge and raise user confidence.
03:21
Well, I'm just, you know, I don't have any personal connection with, uh, with the foundation. The company I currently work with is a member, and so I'm very familiar with the framework,
03:30
but I don't have any personal affiliation with them,
03:34
So this information is directly from their mission.
03:38
Um, the IoT Security Foundation composes and maintains a comprehensive compliance framework of recommended steps for securing IoT products and services, and we're gonna take a look at that framework and learn how to use it. And we're gonna take examples from it and apply it to the lessons as we learn them.
03:57
They also promote the adoption of the compliance framework to IoT service and product providers, IoT system specifiers, purchasers, and policy makers.
04:08
The IoT Security Foundation composes and promotes security best practice guidance. Um, we're gonna take a look at that pretty deeply in Module six.
04:17
The IoT Security Foundation helps to arrange security assurance processes to demonstrate IoT products and services meet requirements.
04:26
Let's discuss the IoT Security Compliance Framework.
04:30
Um, this leads a practitioner through a structured process of questioning and evidence gathering
04:34
and ensures suitable security mechanisms and practices are implemented.
04:40
This compliance framework includes a very comprehensive checklist and points out evidence that could be used to declare conformance with those best practices, and the IoT Security Foundation has a best practice user mark that, um, companies can put on their products and services that states that they comply.
04:59
They self-certify
05:00
with the IoT Security Compliance Framework.
05:05
So how do you use the compliance framework? Well, there's a worksheet that you could download that walks you through the process, but it's very simple. This is it in a nutshell. First, you conduct a risk analysis on the product in the target environment.
05:19
The IoTSF points out that this is a prerequisite for using their framework because context is everything.
05:27
You then create a risk register and determine the CIA triad security objectives.
05:32
Next, you determine the compliance class for each product. We'll discuss these in the next slide, but the compliance classes are based on the confidentiality, integrity and availability of each product.
05:45
The target areas of the framework that match the specific product's compliance class are then determined. So you complete the checklist and you gather evidence for compliance purposes.
05:59
The IoT Security Foundation framework defines five compliance classes,
06:04
and these classes are from class zero through class four,
06:09
with class zero having the least impact and class four having the greatest impact, which also includes up to personal injury.
06:17
Class zero is where compromise to the data generated or loss of control is likely to result in little discernible impact on an individual or organization.
06:30
And class four is inclusive of all the controls in the lower classes, plus additional controls where compromise to the data generated or loss of control has the potential to affect critical infrastructure or cause personal injury.
06:46
So on the right-hand side, you'll see an example set of criteria from the IoTSF Compliance Questionnaire spreadsheet.
06:57
So this slide lists the high-level sections of the IoTSF compliance questionnaire, and we're not gonna read each one of these. You can look at them, but you can see how they're tailored toward IoT device security.
07:09
In this course, we're going to touch on the majority of these topics, really, with the exception of just a few of them. We'll talk less about web user interfaces and mobile application security and, ah, a lot of the more intricate, um, cloud configuration security parts.
07:28
Ah, a link to the IoT Security Foundation is included in the reference materials,
07:34
and additionally, the foundation has many different guides and policies that are helpful in different areas of IoT, and this just represents a few of them.
07:43
As I said earlier, in Module six we're going to go over the secure design best practices.
07:53
In this video, we discussed security by design. We identified frameworks to achieve security by design goals. We took a deep dive into the unknown world of the IoTSF compliance framework.
08:05
Specifically, we looked at the mission and framework of the organization, the process, compliance classes and compliance questionnaire.