Chapter V –Security Control and Management of the Internet of Things (IoT) Equipment |
| Article 21 | (Definition of IoT equipment)
Imbedded system and equipment that connects to the Internet and its peripheral connecting devices (e.g. sensors).
|
|
| Article 22 | (Scope of application for directions on IoT equipment)
For purpose of these directions, an IoT refers to automated office (OA) equipment that connects to the Internet and can connect to the external or internal network, such as digital recorder, IP-PBX (Private Branch eXchange), fax machine, audio recorder, copy machine, and surveillance system.
|
|
| Article 23 | (Equipment inventory and evaluation)
An organization shall prepare the management list of the IoT equipment that should be updated at least once a year for identification of purpose of equipment, online setups, storage location and managers, and evaluate appropriate physical environment control and management measures and access/authorization control.
|
|
| Article 24 | (Equipment and software control and management)
The IoT equipment installed by an organization shall have a security updating system and updates should be made regularly to maintain the functions and integrity of the equipment.
|
|
| Article 25 | (Control and management of access to equipment)
The IoT equipment installed by an organization shall have an identity verification system or pairing and bondingsystem, and requires a change to the initial password. Authorization of users should be granted on a minimal basis to ensure only authorized users may access data, manage the equipment and have security updates.
|
|
| Article 26 | (Control and management of equipment connection)
An organization shall turn off or disable unnecessary online connection and services of the IoT equipment and avoid uses of an Internet location open to the public. If the equipment is using a public Internet location, a firewall at the front of the equipment should be in place for protection, and accesses should be filtered based on a white list. If the equipment connects to the Internet via a wireless network, a wireless access point with the encryption protocol should be used for the Internet connection, and only the network interface cards with their number on the white list may access the equipment or other protection measures should be taken.
|
|
| Article 27 | (Control and management of equipment purchases)
Before purchasing the IoT equipment, an organization shall perform evaluations and tests in accordance with Articles 24 and 26. It is preferable to purchase the IoT equipment with the information security certification mark.
|
Info |
| Article 28 | (Supplier management)
If an organization signs a purchase agreement with the IoT equipment supplier, the agreement should include terms and conditions on information and communication security, stating the relevant responsibilities (e.g. undertakings of services, period for security updates, voluntary reporting known information security loopholes in the equipment and providing relevant action plans) to ensure the equipment has no known security loopholes.
|
|
| Article 29 | (Control and management of awareness of IoT)
An organization shall regularly provide information security trainings to the staff who are using and managing the IoT equipment.
|
|
| Article 30 | (Control and management of exceptions)
When becoming aware that the IoT equipment has known defects that cannot be corrected via update, or the requirements under Articles 24 to 25 cannot be met due to limitations on equipment functions, an organization shall disconnect the connection of the equipment to the Internet, or have the equipment connected to the Internet only when necessary and make a plan to obsolete and replace the equipment. Prior to the replacement, the equipment should be placed at an independent network segment and separated from the Intranet.
|
Info |
| Article 31 | (Control and management of sensors without management functions)
While sensors of the IoT equipment without management functions have simpler functions and involve less risks, an organization shall still follow the requirements under Articles 23, 26, 27, 28. 29 and 30 of thesedirections.
|
Info |