Broadband Internet Technical Advisory Group

- Encryption by default
- Encryption of local sensitive data
- Avoid weak encryption methods

- Supports automatic software updates (for security)
- Consideration of device replacement options

- Secured by default
- Avoid common user names/passwords

- Only with notice at time of purchase

N/A

- Policies should be easy to understand and locate

- Controls "may be important to some end-users."

- Provide continued support for a device over its
lifecycle

- Alert consumers to what they should expect from
the device's function at the end of the lifespan

- Recognition of supply chain security vulnerabilities
affecting the final product and the need for final
manufacturers to secure the entire chain

Open Web Application Security Project

- Encryption in transit

- Supports alerts and notification to user of security
events

- Require strong passwords
- Enable password security options (2FA)

N/A

- Support for data minimization strategies, including
affirmative mention of de-identification
- Support for data retention policies

N/A

- Controls for data collected "beyond what is
needed"

- Design all stages of the lifecycle to be evolutionary
so improvements can be added to a system or
device

N/A

IoT Security Foundation

- Promotes strong encryption

- Authenticate update/patching sources
- Users should be able to see device update status

- Promotes strong passwords

- Encourages inventorying and isolating data to
avoid leakage
- Highlights change of ownership issues

N/A

N/A

- Promotes managed access via IoT data hubs
- Highlights change of ownership issues

- Consider that IoT devices may change owership
over their lifecycle and so developers should provide
options to secure data

N/A

Online Trust Alliance

- Promotes deployment of strong encryption
practices

- Promotes automated updates based on user
approval

- Promotes strong passwords and authentication
protocols

- No independent third-party sharing and implement
contractual controls on vendors

- Encourages data minimization

- Promotes easily readable and discoverable policies
prior to purchase

- User controls should be carefully explained
(particularly where opt-outs lead to service
reduction)

- Disclose lifecycle update expectations to the
consumer prior to purchase

- Supply chain management and security risk
assessments should be undertaken regularly

Cloud Security Alliance

- Promotes encryption at-rest and in-transit

- Promotes secure update capabilities
- Encourages automatic updates

- Promotes end-to-end authentication, authorization,
and access controls

- Cautions against third parties have extensive data
access

- Promotes FTC data minimization and retention
guidance

N/A

- End-user controlled features are critical

- Consider security during the entire device lifecycle,
from initial assembly through expected product
support lifecycle

- Examine and monitor supply chain for attacks
relevant to purchased components

Charith Perera et al.

- Promotes encryption "wherever possible."

N/A

N/A

- Limit third-party access to data

- Recommends minimizing the number of data
source used by each IoT application.

N/A

- Encourages end-user controls ("some kind of
default set of options" are critical)

- Provide full support and protetion for the complete
data lifecycle

N/A

U.S. Department of Homeland Security

- Encourages use of hardware that incorporates
security features including encryption

- Supports ongoing vulnerability management

- Require strong passwords
- Require device authentication

N/A

N/A

N/A

N/A

- Developers should communicate to manufactureres
and consumers expectations regarding the device
and risks of using a device beyond its usability date

- Know the supply chain and whether there are any
associated vulnerabilities with upstream hardware or

software components

New York City, Office of Tech & Innovation

N/A

- Promotes audit-based and continuous system
monitoring

- Stresses identity and access management controls

- Information should be easily sharable via open
standards (APIs/SDKs)

- Encourages data minimization

N/A

N/A

N/A

N/A

GSM Alliance

- Calls for strong (and evolving) encryption practices

- Encourages over-the-air firmware updates

- Highlights authentication challenges in IoT devices

- Calls on third parties to "respect context" of data
collection when using/sharing

- Calls on organizations to engage in a PIA

- Promotes "raising consumer awareness" of
potential issues

- Suggests trust can be promoted by offering
controls

- Security lifecycle needs to be monitored for the
whole duration of the device's use. Environments
should be reviewed consistently to ensure security
measures are appropriate

N/A

www.iotmanifesto.com

N/A

- High level commitment to security

N/A

- Encourages notice/consumer education of third
party ecosystem

- Encourages "deliberate" data collection that serves
"utility of the product or service"

- Promotes raising consumer awareness of potential
issues

- Explicitly encourages development of user-controls

- Lifespans of physical products and digital services
need tob e aligned and products should be designed
as a single durable entity

N/A