Application and Ecosystem Design about iot-security-verification-standard-isvs HOT 4 CLOSED

Chapter 1 implicitly covers this through the following two requirements:
1.1.3 Verify the use of threat modeling as part of each product introduction design (i.e. new and mature) and security-relevant feature changes to identify likely threats and facilitate appropriate risk responses to guide security testing.
1.1.4 Verify that the location where sensitive data is stored in the ecosystem is clearly identified and separated from unprivileged storage locations.

The ISVS aims for every requirement to be verifiable / actionable (they all start with very that). Can you create a proposal for a new requirement or an updated 1.1.4 reuirement?

from iot-security-verification-standard-isvs.

Sure, will do. Please clarify where to create proposal or edit the requirement (1.1.4).

from iot-security-verification-standard-isvs.

I removed 1.1.4 since it should be included as part of threat modeling. I'm not sure how beneficial granular data collection from devices would be since local regulations may have their own requirements. We do have authorization covered in chapter 2 and are working to update authentication requirements.

from iot-security-verification-standard-isvs.

Through the authorization section in chapter 2 we have this covered from the perspective of the IoT system (device). Through 1.1.3, we have this indirectly covered from other perspectives as well (for example, through other applications used by personnel for maintenance etc).

Given the fact that the ISVS is (mainly) written from the perspective of an IoT system (device) that is part of an IoT ecosystem. I'm not sure whether we have to be more granular here.

from iot-security-verification-standard-isvs.