🤖 AI Summary
This work proposes the first scalable, experience-agnostic, risk-based security auditing framework for Internet of Things (IoT) devices widely deployed in enterprise environments. Addressing the critical gap in existing literature, the framework integrates established cybersecurity control standards with IoT-specific characteristics to establish a structured audit process. It is designed to be universally applicable across diverse industry sectors and accessible to both internal and external auditors regardless of their prior expertise. By systematically aligning audit procedures with device-level risk factors, the framework significantly enhances the identification, assessment, and mitigation of security risks associated with IoT deployments, thereby eliminating a persistent blind spot in organizational cybersecurity risk evaluations.
📝 Abstract
The use of Internet of Things (IoT) devices is growing at a rapid rate. While much of this growth is consumer devices, IoT devices are also commonly found in corporate and industrial environments, as well. These devices can be organization-owned and managed by an information technology unit, deployed organizationally without the knowledge and involvement of technology staff or brought in to the corporate environment by user-owners. In each case, these devices may have access to corporate networks and data and are, thus, important to consider as part of organizational cybersecurity risk assessment. Despite the prevalence of these devices, there is little literature about how to audit their security. This paper presents a risk-based auditing framework which can be used by both internal and external auditors, of any experience level and in any industry, to assess IoT devices.