Chapter V – Security Control and Management of the Internet of Things (IoT) Equipment
Article 21 (Definition and scope of application for directions on IoT equipment)
For the purpose of these directions, IoT equipment refers to an embedded system (running a small operating system) capable of Internet connection that is connected to the Internet or an intranet (the “equipment”), including office automation (OA) equipment (such as digital recorders, IP-PBX (Private Branch eXchange) systems, fax machines, audio recorders, copy machines and surveillance systems) and detectors without a remote operation and control interface.
Article 22 (Equipment inventory and evaluation)
An organization shall maintain a management inventory of its IoT equipment, updated at least once a year, that identifies each item's purpose, network settings (including the IP address, connection method and ports in use), storage location and responsible manager, and shall evaluate appropriate physical environment control and management measures and access/authorization controls.
Article 23 (Equipment and software control and management)
IoT equipment installed by an organization shall have a security update mechanism, and updates should be applied regularly to maintain the functions and integrity of the equipment.
Article 24 (Control and management of access to equipment)
IoT equipment installed by an organization shall have an identity verification mechanism or a pairing and bonding mechanism, and shall require the initial password to be changed. User authorization should be granted on a minimal (least-privilege) basis to ensure that only authorized users may access data, manage the equipment and apply security updates.
Article 25 (Control and management of equipment connection)
An organization shall turn off or disable unnecessary network connections and services of the IoT equipment and shall avoid exposing it on a public Internet address. If the equipment uses a public Internet address, a firewall in front of the equipment should be in place for protection, and access should be filtered based on a white list. If the equipment connects to the Internet via a wireless network, a wireless access point using an encryption protocol should be used for the connection, and only network interface cards whose addresses are on the white list may access the equipment, or other protection measures should be taken.
Article 26 (Control and management of equipment purchases)
Before purchasing IoT equipment, an organization shall perform evaluations and tests in accordance with Articles 23 and 25. Purchasing IoT equipment that bears an information security certification mark is preferable.
Article 27 (Supplier management)
If an organization signs a purchase agreement with an IoT equipment supplier, the agreement should include terms and conditions on information and communication security that state the relevant responsibilities (e.g. service undertakings, the period of security updates, voluntary reporting of known security vulnerabilities in the equipment and provision of relevant action plans) to ensure that the equipment has no known security vulnerabilities.
Article 28 (Control and management of IoT awareness)
An organization shall regularly provide information security training to the staff who use and manage the IoT equipment.
Article 29 (Control and management of exceptions)
When an organization becomes aware that its IoT equipment has known defects that cannot be corrected by update, or that the requirements under Articles 23 to 25 cannot be met due to limitations of the equipment's functions, it shall disconnect the equipment from the Internet, or connect it to the Internet only when necessary, and make a plan to retire and replace the equipment. Prior to replacement, the equipment should be placed on an independent network segment separated from the intranet.
Article 30 (Control and management of sensors without management functions)
Although sensors of IoT equipment without management functions have simpler functions and involve less risk, an organization shall still follow the requirements under Articles 22, 25, 26, 27, 28 and 29 of these directions.