OWASP / IoT-Security-Verification-Standard-ISVS

OWASP IoT Security Verification Standard (ISVS)

Application and Ecosystem Design #56

Closed aksherif closed 3 years ago

aksherif commented 3 years ago

Would it be beneficial to explicitly state, along the lines of, how the data collected (in general and sensitive) from endpoints should be accessed only by authorized personnel with sufficient access privileges in the entire ecosystem, especially when 3rd parties are involved?

cbassem commented 3 years ago

Chapter 1 implicitly covers this through the following two requirements:

1.1.3 Verify the use of threat modeling as part of each product introduction design (i.e. new and mature) and security-relevant feature changes to identify likely threats and facilitate appropriate risk responses to guide security testing.

1.1.4 Verify that the location where sensitive data is stored in the ecosystem is clearly identified and separated from unprivileged storage locations.

The ISVS aims for every requirement to be verifiable / actionable (they all start with "verify that"). Can you create a proposal for a new requirement or an updated 1.1.4 requirement?

aksherif commented 3 years ago

Sure, will do. Please clarify where to create the proposal or edit the requirement (1.1.4).

scriptingxss commented 3 years ago

I removed 1.1.4 since it should be included as part of threat modeling. I'm not sure how beneficial granular data collection from devices would be since local regulations may have their own requirements. We do have authorization covered in chapter 2 and are working to update authentication requirements.

cbassem commented 3 years ago

Through the authorization section in chapter 2 we have this covered from the perspective of the IoT system (device). Through 1.1.3, we have this indirectly covered from other perspectives as well (for example, through other applications used by personnel for maintenance etc.).

Given the fact that the ISVS is (mainly) written from the perspective of an IoT system (device) that is part of an IoT ecosystem, I'm not sure whether we have to be more granular here.