IOT Non-Technical Security and Privacy Controls

Non-technical security and privacy controls include such actions and things as:

• Administrative
  • Policies, procedures and standards for the full range of information security and privacy domains
  • Assigned responsibilities
  • Workforce security and privacy (ensuring appropriate access authorizations, separation of duties, clearance to data, onboarding practices, offboarding practices, appraisals, etc.)
  • Training
  • Risk assessments
  • Risk management activities
  • Backup, disaster recovery and contingency plans
  • Emergency mode operations
  • Systems and applications development lifecycles (including testing, revision, change controls, etc.)
  • Vendor management
• Physical
  • Facility access controls
  • Contingency operations (allowing for access to facilities, devices, etc., as part of disaster recovery and emergency mode operations)
  • Maintenance records
  • Workstation/work area use
  • Workstation/work area security and privacy
  • Computing device and digital storage device controls (privacy screens/filters, theft alarms, device physical locks, etc.)
  • Disposal
  • Media re-use
  • Accountability for hardware and software movements, use, etc.
  • Data backup storage

These types of non-technical security and privacy controls and activities should be considered for the use of IOT devices within organizational systems.

Throughout this document references to policies and procedures include the need to have them documented and maintained, even if not explicitly stated.