Project Center in Trichy - Power Integrated
Auditing of compliance with laws and regulations
takes up much of security administrator’s time. With the
increasing number of IoT devices in a company network
verification may go unchecked. This paper describes stage one of
a research project to automate the generation of compliance
documentation for Irish Laws in a large industry. Initial findings
from the implementation and configuration of the tool indicate
that the process is still significantly labor intensive.
RegTech consists of many aspects including automation of
background checks, risk assessment and regulatory mapping. In
this paper the automation of regulatory compliance
documentation with particular reference to the risk IoT devices
carry is discussed. Power Integrated Automation of tasks including security and
regulatory compliance are increasingly considered integral steps
of the software development lifecycle. DevOps enhances the
development process through open communication and
automation of tasks. There are a small number of commercial
tools available but the focus of this paper is on the adaptation of
an open source tool to suit the automation of compliance
documentation for European laws and regulation.
Whilst in the past companies focused on documenting the
security controls of standard network controls and end user
devices such as desk top pc’s and laptops, now consideration
must be given to IoT devices. Many companies hold devices
such as tablets, ip phones and cameras, smart plugs, smart
heating and so on. Each of these devices not only can be
considered part of the IoT range but should be considered an
entry point into the data center. Project Center in Trichy A recent talk by Philip Close [1]
provided an insight into how many of the vulnerabilities he
found during pen testing came from edge or IoT devices. In
some cases private or confidential data may be held on IoT
devices. In other cases they simply provide an access point into
the network. Either way IoT devices should now be considered
a core part of the network when evaluating risk and documenting
compliance with the relevant laws and regulations.
Interestingly new standards on Drones and related
technologies including: P1937.1 [15] and P1939.1 fail to
indicate the importance of security of payloads and operational
features from the outset.
Often forgotten is the Industrial Internet of Things (IIoT). In
a white paper by F5 [2] the security risks and disruptive nature
of IIoT is expounded. Consideration should be given to the
documentation of compliance with regulations when
considering machine to machine communications. It may be a
case of a medical fridge notifying the data center that a blood
produce was removed, or a tablet blister packing device
notifying a manager through intermediary devices that a batch
of tablets of a specific type have failed the automated quality
checks. Information of this nature may be restricted with regard
to visibility thus the documentation of processes and automation
of security checks can prove beneficial.
This wall of risks and of legal restrictions stands between the
IoT devices and the data stores. Refer to Fig. 1. Some data stores
may be secured using blockchain to aid data security and
provenance. Regardless, the documentation of these controls are
still required in many cases for legal purposes.
The advent of GDPR has caused many companies to
examine how they show compliance with legal and regulatory
restrictions. The prolific use of IoT devices for a range of
purposes has resulted in poorly documented devices which do
not always conform to the aforementioned legal requirements.
Significant hours are spent by security staff in generating
compliance confirmation documentation on a regular basis for
different auditing groups. Much of this work is repetitive. In the
opinion of the author’s whilst the current commercial tools are
good they are not adaptable for European or Irish laws. To have
a more dynamic tool an open source solution was found to be
most appropriate.
The configuration of the tool initially was easy, however, it
was discovered that there is a significant portion of work
required to manually configure the basic information into each
of the files which is then read by the tool to enable auto
generation of the website or pdf demonstrating compliance with
specific laws.
From the very few examples of the tool that can be found
online most simply refer to the work in theoretical terms rather
than discussing the practical implementation. It is the author’s
opinion that that time it takes to carry out the initial
implementation is a significant fact here. Further, we suggest
that many groups fail to complete the process for this reason. https://powerintegrated.in/
We
have yet to find any papers which refer to the use of tools to
document regulatory compliance of IoT or IIoT devices.
There are a significant number of dependencies required in
order to install and run the tool. This also detracts from the
installation process and may increase the attack footprint of the
machine with the software installed. The installation of the
product on a Linux operating system showed no errors but
installation on a Windows operating system did show errors on
the dependencies.
It is has been found that little research into automatic
validation of compliance with legal and regulatory requirements
has been carried out to date. This is an area that needs
investigation considering the increasing number of devices that
fall into the category of IoT.
This research is still in the early stages but it is already clear
that a better solution is required in order for companies to take
regulatory compliance seriously.
No comments:
Post a Comment