As IoT goes through massive growth, it has the tremendous potential to revolutionize the way we live and work. Yet connected devices risk flipping lives upside down if proper security, safety and privacy measures are not implemented. The ISTA was designed to address these risks by harmonizing global efforts and providing a risk-assessment and scoring model to help device manufacturers prioritize their development efforts. The principles are built on the belief that devices, independent of their price point, can and should be engineered to help prevent security and safety risks and misuse of users’ personal data.
"The ISTA provides a blueprint to embrace security and privacy by design," said Craig Spiezle, Managing Director of the Agelight Advisory Group. “Organizations that adopt the ISTA can maximize user safety and peace of mind, while making security and privacy a part of their brand promise.”
The ISTA takes a pragmatic view based on a weighted scoring model that incorporates six core issues impacting developers today. Based on an organization’s risk tolerance, engineering efforts can be ranked and prioritized. Scoring criteria include:
1) The impact to the user
2) The impact to the ecosystem and society at large
3) Financial and performance impact
4) Hazardization, physical and life safety risks
5) Development costs and impact to market timing
6) Regulatory and liability risk
“The ISTA is a common-sense risk-assessment tool for innovators who want to create the next generation of IoT devices,” said Morgan Reed, President of ACT | The App Association. “Tools like Agelight’s are accessible for small manufacturers, yet sophisticated and carefully calibrated to global security norms and current best practices. Assessing risk is never easy, but the ISTA is a valuable arrow in the quiver for nimble and innovative IoT companies as they seek to exceed consumer expectations with top notch security and privacy practices.”
UPCOMING OPPORTUNITIES TO LEARN MORE
Thursday April 12th, 10 AM PST / 1 PM EST. Online briefing & Demo
RSA Conference 2018 / San Francisco
When: Tuesday, April 17 / 4 pm – 5 pm
CSO’s Guide To Managing IoT Risk
Where: RSA Conference Broadcast Alley, lobby of Moscone West
- Greg Crabb, VP, Chief Information Security Officer, U.S. Postal Service
- Cheri McGuire, Group Chief Information Security Officer, Standard Chartered Bank
- Sam Kassoumeh, COO and co-founder, Security Scorecard
- Craig Spiezle, Managing Director, Agelight Advisory Group
The Promise of IoT Best Practices, Testing & Hazards of Inaction
Where: Moscone North 2
- Justin Brookman, Director of Privacy and Technology Policy, Consumers Union
- Patricia Adair, Director for Risk Management, Consumer Product Safety Commission
- Terrell McSweeny, Commissioner, Federal Trade Commission
- Craig Spiezle, Managing Director, Agelight Advisory Group
Objectives of the ISTA
- Provide a risk assessment and prioritization toolkit customized by an organization’s risk tolerance
- Promote security and privacy by design when products ship and through their life
- Accelerate adoption of high-impact security and privacy practices
- Drive industry self-regulation promoting innovation and serving as a foundation for safe-harbor
- Serve as an incentive for companies to invest in security and privacy by design
"Developers and device manufacturers are overwhelmed with the challenges of delivering IoT-ready products that are safe, secure and private, both when they ship and throughout their lifecycle," said Darron Antill, CEO of Device Authority. "The ISTA provides an actionable blueprint for the industry to realize the promise of IoT."
“As IoT devices become integrated within an organization, the ability to manage and access the risks can be overwhelming. The ISTA is not only a road map for developers but can be used for companies when evaluating the risks of products they are using and planning to purchase,” said Alex Yampolskiy, CEO of SecurityScorecard.
Developed through a multi-stakeholder process, the ISTA reviewed more than 300 recommendations and incorporates many practices advocated by the U.S. Federal Trade Commission (FTC), European Union’s General Data Protection Regulation (GDPR), the EU Agency for Network and Information Security (ENISA), the U.K. government, the U.S. Consumer Products Safety Commission (CPSC), the U.S. Department of Commerce, the National Telecommunication and Information Administration (NTIA), the National Institute of Standards and Technology (NIST) and by other global efforts.
“As a global organization working to advance smart home and building automation, we continually hear about the complexity of the security, safety and privacy landscape,” said Ronald J. Zimmer, CABA president and CEO. “Agelight’s work harmonizing best practices, standards and regulations is a significant step forward in assisting industry stakeholders. While there is no perfect security or privacy solution, the ISTA provides a common-sense approach toward creating more secure, sustainable and private smart devices for home, work and play.”
"Our world is becoming increasingly interconnected, and while that offers consumers numerous benefits, the shadow of risks looms large. Self-regulatory mechanisms that harmonize and focus the efforts of industry and government are essential for enhanced cybersecurity and privacy," said Ryan Hagemann, director of technology policy at Niskanen Center. "Voluntary guidelines such as the ISTA help address the risks without relying on overly prescriptive and ineffective regulatory mandates. Efforts like these can incentivize companies to deal with threats today rather than running the risk of litigation or heavy-handed regulation tomorrow."
The ISTA incorporated many practices advocated by leading organizations including ACT | The App Association, Consumer Reports, Center for Democracy & Technology, Continental Automated Buildings Association, the Internet Society, Niskanen Center, Online Trust and Integrity Council and Underwriters Laboratory, as well as related efforts supported by Device Authority, Microsoft, SecurityScorecard and Symantec.
About The Agelight Advisory Group
The Agelight Advisory Group helps organizations accelerate the adoption of security- and privacy-enhancing practices and policies and navigate the complex regulatory environment while promoting innovation and the importance of self-regulation. Agelight’s Managing Director Craig Spiezle offers more than two decades of product development and management expertise and is recognized as an authority on the intersection of online trust, security, privacy and product safety. For information on IoT consulting services including licensing the IoT Safety & Trust Design Architecture © visit https://Agelight.com/iot.html or email info(at)Agelight(dot)com.