Data Protection
See also the technical counterpart to this section
The management and operational controls to support securing IoT device data according to organizationally-defined requirements.
Policies and procedures for IoT device data security roles.
Policies and procedures provide the details necessary to implement management and operational controls for establishing roles and responsibilities for IoT device data security. Actions that may be necessary:
Manufacturer:
- Provide IoT device customers with documentation describing the IoT device capabilities for role-based controls, to establish different roles within the IoT device.
Agency:
- Use the manufacturer documentation to establish policies and procedures for IoT device data security and privacy organizationally-defined roles and responsibilities. Some examples: roles to authorize IoT devices, roles to audit IoT devices, etc.
- Create and provide training to those who will be responsible for using the IoT devices to teach them how to set and change the role-based settings.
Policies and procedures for IoT device data integrity.
Policies and procedures provide the details necessary to implement management and operational controls to support IoT device and associated systems data integrity, including establishing the purpose, scope, roles, responsibilities, management commitment, and coordination of IoT devices among organizational entities, and the associated compliance activities. Actions that may be necessary:
Manufacturer:
- Provide information to the IoT device customer for the role or position within the organization that is responsible for determining the security and privacy regulatory requirements with which the IoT device capabilities must comply.
Agency:
- Implement IoT device and associated systems information integrity policies and procedures that govern establishing the purpose, scope, roles, responsibilities, management commitment, and coordination of IoT devices among organizational entities, and the associated compliance activities.
- Provide training covering the IoT device purpose, scope, roles, responsibilities, management commitment, and coordination of IoT devices among organizational entities, and the associated compliance activities.
- Perform periodic audits to ensure compliance with the policies and procedures.
Policies and procedures to establish IoT device data integrity controls.
Policies and procedures provide the details necessary to implement management and operational controls that support secure implementation of the IoT device and associated systems data integrity controls. Actions that may be necessary:
Manufacturer:
- Provide the IoT device customers with documentation describing the data integrity controls built into the IoT device and how to use them.
- If there are no data integrity controls built into the IoT device, explain to IoT device customers the ways to achieve IoT device data integrity.
Agency:
- Document the data integrity capabilities for each of the associated IoT devices, such as for validating accuracy of input data, and how to ensure data integrity if this action is not part of the device’s technical capabilities.
Policies and procedures for maintaining IoT device data integrity during software modifications.
Policies and procedures provide the details necessary to implement management and operational controls for reviewing and updating the current IoT device and associated systems while preserving data integrity. Actions that may be necessary:
Manufacturer:
- Provide information to IoT device customers detailing the trigger events that result in updates to their IoT devices.
- Establish a process to consistently provide communications about updates and possible impacts to data integrity (e.g., alerting users if an update will delete data) to their IoT device.
Agency:
- Implement a policy and procedure to review and update the current IoT device and associated systems at a minimum-established organizationally-defined frequency, and following organizationally-defined trigger events while preserving data integrity.
Policies and procedures for IoT device data handling and retention.
Policies and procedures provide the details necessary to implement management and operational controls for securely handling and retaining IoT device data, associated systems data, and data output from the IoT device, in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. Actions that may be necessary:
Manufacturer:
- Provide documentation to IoT device customers describing how to wipe/delete data from the IoT device.
- Provide information to IoT device customers describing how to protect device data from being accidentally modified.
Agency:
- Implement policies and procedures establishing the requirements for:
  - Securely handling IoT devices to prevent loss, theft and damage.
  - Physical access security to IoT devices.
  - Allowing for removable storage devices to be inserted into IoT devices.
  - Securely retaining IoT devices, and associated systems, after they are no longer used, along with documentation detailing the associated retention time requirements.
  - Securely retaining IoT device data within the associated information systems, and data output from the IoT device, in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
  - Appropriately marking or labeling device hardware to support distribution, handling, or dissemination of IoT devices throughout the organization.
- Implement policies and procedures for secure disposal of IoT device hardware, software and data following expiration of the established retention periods.
- Provide training to those responsible for IoT device retention and disposal.
- Perform periodic audits for the IoT device retention and disposal policies and procedures.
Policies and procedures establishing IoT data backup.
Backup and recovery policies and procedures detail how to make backups of IoT device data and software as applicable. Actions that may be necessary:
Manufacturer:
- Provide instructions describing how to back up data on the IoT device.
- Communicate and demonstrate (e.g., directly in person, in videos, in an online webinar) how to back up the IoT device.
Agency:
- Incorporate the requirements for creating IoT device backups into the existing organizational computing and storage device backup policies.
- Incorporate the procedures for including IoT device backups into the existing set of organizational backup procedures.
Policies and procedures for removing all data from IoT devices prior to maintenance and repairs.
Policies and procedures provide the details necessary to implement management and operational controls for when and how to remove all data from IoT devices prior to removing the devices from facilities for offsite maintenance or repairs. Actions that may be necessary:
Manufacturer:
- Provide information about how to use the IoT device capabilities to remove all data from the device.
- Provide clear communications about these IoT device capabilities and procedures to customers.
Agency:
- Implement policies and procedures governing the timeframes within which data must be removed from IoT devices prior to being removed from organizational facilities.
- Implement procedures to follow to remove all data from IoT devices