Implementation and Outlook
Detailing the areas
The Zero Outage Security Taxonomy for IoT consists of 32 areas arranged in an architectural manner. The Taxonomy provides an overview.
1. For each area, its subject and the related security issues and challenges are described.
2. Then a few security objectives are derived from these and stipulated (specified) unambiguously.
3. Dependencies to other areas in the Taxonomy (a) as well as limitations and obligations (b) are outlined.
4. Based on this, it is recommended to stipulate about 15 security measures for each area in a standardized manner.
Hence, there will be about 500 security measures for well-defined subjects. The security measures are derived from the security objectives of the area, which in turn are derived from the area's security issues and challenges, such as the threats to be addressed.
Important note: For each area in the Taxonomy, Zero Outage Industry Standard plans to publish a specification focusing on
- security objectives (No. 2 above) and
- dependencies to other areas in the Taxonomy (No. 3a above).
A structure (template) for such a specification is provided in Annex B. Readers may additionally want to specify the solution to be implemented. It is highly recommended to do this on the basis of the security objective definitions developed beforehand, using the structure (template) provided in Annex C.
With these roughly 500 security measures, it is possible to manage IT security in a complex environment. However, security standards (and all related documentation) must not be monolithic. The Zero Outage Security Taxonomy for IoT calls for maintaining 32 individual standards and detailing each of them in numerous further security standards (documents), arranged hierarchically. To this end, the Refinement Pyramid of Standards is used, with the so-called Orchestration Layer in the middle. General policies sit in the layer above; they are detailed by the 32 security standards, with their roughly 500 security measures, in the Orchestration Layer. These security standards are in turn detailed by numerous security standards in the implementation layer below.

Through this approach, two things are achieved. First, there is an overview and a means to manage IT security in a way that combines individual security measures in an integrated, mutually supportive manner. Second, every security standard is specific to a subject or target group, which is a precondition for it actually being observed.
The Zero Outage Security Taxonomy for IoT is built so that other proven and tested methodologies from ESARIS can be used. This includes, but is not limited to, managing security in the supplier network (internally and beyond) and establishing a Joint Security Management (JSM), or parts of it, to balance the interests of buyers and providers and to realize the necessary cooperation.