Article 22
(Equipment inventory and evaluation)
An organization shall prepare a management list of its IoT equipment and update it at least once a year. The list shall identify the purpose of each piece of equipment, its network settings (including its network IP address, connection method and ports in use), its storage location and its managers, and the organization shall evaluate whether the physical environment controls, management measures and access/authorization controls are appropriate.

Article 25
(Control and management of equipment connection)
An organization shall turn off or disable unnecessary network connections and services on its IoT equipment and shall avoid using an Internet address that is open to the public. If the equipment does use a public Internet address, a firewall in front of the equipment should be in place for protection, and access should be filtered according to a whitelist. If the equipment connects to the Internet via a wireless network, a wireless access point using an encryption protocol should be used for the connection, and only network interface cards whose addresses are on the whitelist may access the equipment, or other protective measures should be taken.

Article 26
(Control and management of equipment purchases)
Before purchasing IoT equipment, an organization shall perform the evaluations and tests required under Articles 23 and 25. It is preferable to purchase IoT equipment that bears an information security certification mark.

Article 27
(Supplier management)
When an organization signs a purchase agreement with an IoT equipment supplier, the agreement should include information and communication security terms and conditions that state the relevant responsibilities (e.g. service undertakings, the period during which security updates are provided, and voluntary reporting of known security vulnerabilities in the equipment together with relevant action plans), so as to ensure that the equipment has no known security vulnerabilities.

Article 28
(Control and management of awareness of IoT)
An organization shall regularly provide information security training to the staff who use and manage its IoT equipment.

Article 29
(Control and management of exceptions)
When an organization becomes aware that its IoT equipment has known defects that cannot be corrected by an update, or that the requirements of Articles 23 to 25 cannot be met because of limitations of the equipment's functions, it shall disconnect the equipment from the Internet, or connect it to the Internet only when necessary, and shall make a plan to retire and replace the equipment. Until it is replaced, the equipment should be placed on an independent network segment separated from the intranet.

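The inventory required by Article 22 and the connection and exception controls of Articles 25 and 29 lend themselves to a mechanical check. The following is an added illustration, not part of the regulation: a hypothetical Python audit run over a constructed sample inventory, in which the field names and device entries are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class IoTDevice:
    # One Article 22 inventory entry (hypothetical fields); purpose, address,
    # storage location and manager would also be recorded but are not checked.
    name: str
    connection: str          # "wired" or "wireless"
    open_ports: list
    required_ports: list
    last_reviewed: date
    public_ip: bool = False
    whitelist_firewall: bool = False
    wireless_encrypted: bool = False
    nic_whitelist: bool = False
    uncorrectable_defect: bool = False
    isolated_segment: bool = False

def check_device(dev, today):
    """Return the findings for one device; an empty list means compliant."""
    findings = []
    # Article 22: the inventory entry must be reviewed at least once a year.
    if today - dev.last_reviewed > timedelta(days=365):
        findings.append("Art.22: inventory entry not reviewed within a year")
    # Article 25: unnecessary connections and services must be disabled.
    extra = sorted(set(dev.open_ports) - set(dev.required_ports))
    if extra:
        findings.append(f"Art.25: unnecessary open ports {extra}")
    if dev.public_ip and not dev.whitelist_firewall:
        findings.append("Art.25: public address without whitelist firewall")
    if dev.connection == "wireless" and not (dev.wireless_encrypted and dev.nic_whitelist):
        findings.append("Art.25: wireless link lacks encryption or NIC whitelist")
    # Article 29: uncorrectable defects mean isolation until replacement.
    if dev.uncorrectable_defect and not dev.isolated_segment:
        findings.append("Art.29: defective device not on an isolated segment")
    return findings

def audit(inventory, today):
    # Map device name -> findings, listing only non-compliant devices.
    return {d.name: f for d in inventory if (f := check_device(d, today))}

# Constructed sample inventory (hypothetical devices, not from the regulation).
SAMPLE = [
    IoTDevice("cam-01", "wired", [554], [554], date(2024, 3, 1)),
    IoTDevice("sensor-07", "wireless", [80, 23], [80], date(2022, 1, 10),
              public_ip=True, wireless_encrypted=True, uncorrectable_defect=True),
]

def audit_sample():
    return audit(SAMPLE, date(2024, 6, 1))  # constructed review date
```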