THREE ACTIONS YOU CAN TAKE NOW TO PREPARE YOUR PROGRAMME FOR THE INTERNET OF THINGS
Whether we like it or not, the Internet of Things (IoT) is here and it’s here to stay. Whether our organisations are public or private, whether we are a service provider or an end user, and regardless of the organisation’s size or industry, connected devices are transforming the landscape of how we do business and how we live our lives, both personally and professionally.
For those of us in the risk and compliance world, this can have some serious implications. First, in many organisations, the individuals who make decisions about risk, security, compliance and governance may not be aware of the scope of connected devices coming into the environment. Because these devices can arrive non-centrally and ‘piecemeal’, there may be no opportunity to systematically evaluate questions like the risk they pose and their impact on compliance posture. Additionally, there can be questions about responsibility for those devices. Consider the question of who owns connected devices from a support and administration standpoint. Who’s responsible, for example, for patching the IP-connected television in the conference room when a vulnerability is discovered that makes that device a potential target? Who monitors the network-connected smoke detector to ensure that an attacker hasn’t compromised it for the purpose of using it as a launch pad to move laterally through the network? In many organisations, the answer is unclear – or worse yet, it’s ‘nobody’.
Jan-Mar 2016 Issue
ISACA