IoT is here. But be aware: Despite the excitement -- and challenges -- generated by it, IoT technology is still largely a work in progress.
While IT professionals are increasingly intrigued at how IoT can enhance their organizations, they must also be concerned about its risks. One way to address these concerns is to establish a process for compliance with appropriate standards, regulations, benchmarks and controls. Additionally, IT teams must be familiar with the existing IoT compliance standards and how their organization can comply with each of them.
Pay attention to compliance basics
Many internet standards have been in place for years, such as IP -- including IPv6 -- used for communicating via the internet. Devices that link to the internet, regardless of their application, must comply with the established IP. IT professionals generally are not concerned about this kind of compliance because most of the devices in their inventories incorporate the proper IP.
Security standards and protocols must also be factored into anything that uses the internet, as the concern for cybersecurity threats grows daily. Again, these are usually built into security equipment firmware.
Getting to know IoT compliance standards
Several standards have been developed for IoT connectivity, some of which address connectivity of low-power devices -- such as home security systems or Wi-Fi-enabled devices -- to the internet. These include the following:
- Bluetooth Low Energy. This wireless personal area network technology was developed by the Bluetooth Special Interest Group to support applications in healthcare, fitness, security and home entertainment, as well as management systems.
- IEEE 802.11ah. This low-energy wireless networking protocol that extends the range of connectivity for Wi-Fi networks is part of the IEEE 802.11 suite of wireless protocols.
- Thread. Developed by the Thread Group, a consortium of leading technology firms, Thread is a low-power networking protocol designed for IoT products.
- Zigbee. This is an IEEE 802.15.4-based wireless protocol for low-power and low-bandwidth devices used in healthcare, home and personal network applications.
- Z-Wave. This wireless, low-power networking protocol, developed in 1999 by Zensys for use in home automation systems, is currently run by Sigma Designs.
In most cases, wireless devices using these standards have the protocol embedded in firmware. This way, IoT compliance becomes a matter of the approach used by the manufacturer of wireless low-power devices.
IEEE P2413 draft standard
Perhaps the closest thing to an IoT compliance standard is the IEEE P2413 draft standard, which establishes a framework for IoT. The architecture describes IoT domains and identifies areas of commonality among different IoT domains. IEEE has defined dozens of networking protocols that can be applied to IoT applications, including IEEE 802.1, 802.3, 802.11, 802.15, 802.16 and 802.22 series. The P2413 draft standard provides a way to effectively use relevant IEEE standards in a cohesive IoT infrastructure.
Establishing IoT compliance
It is clear that compliance with established IoT standards and protocols is usually automatic. However, this depends on which standards or protocols are built into the devices using an IoT infrastructure. Other IT audit controls, such as IT general controls that address security, access, data integrity and other issues, can also be applied to IoT situations. As IoT devices generally exhibit the same control requirements of other IT systems and data, those control metrics can be applied to IoT system compliance auditing.
When auditing IoT devices and networks, the same IT audit controls should be used to establish and confirm compliance with good IT practices. Compliance with the IEEE P2413 standard -- once it is approved -- may introduce additional controls for auditors to use in their work.
Currently, the challenge for compliance with current IoT standards is a matter of selecting a specific technology or suite of systems that uses one or more protocols. Traditional IT audit controls can be applied to IoT compliance, and the new draft standard from IEEE provides a framework and guidelines from which compliance requirements can be developed.