Engineering LibreTexts

3.6: Methodology - Design and Variables


    Note

    The MIoT Assessment tool is designed in a manner similar to the Security Assessment using NIST.SP 800-171r2/172.

    Microsoft Excel was used to create the MIoT Security Assessment Workbook (Figure 2). The workbook utilizes NIST SP.800-213A Capabilities, sub-Capabilities, Requirements and sub-Requirements to establish a quantitative framework for assessing MIoT cybersecurity and privacy protection compliance. In addition to specific Requirements, the workbook provides references to associated NIST publications (SP.800-53r5) for each requirement.

    The assessment process consists of determining compliance with the Requirement/sub-Requirement and providing proof of compliance via a validation process or tool (Figure 1).

    Figure 1: Validation Tool\Survey (Assessment Page View)

    SURVEY VARIABLES

    The variables are Compliance (value), Validation Process/Tool, and Comments:

    | Compliance | Value | Definition |
    |---|---|---|
    | Yes | 1 | The MIoT device complies with the Requirement\sub-Requirement |
    | No | 0 | The MIoT device does not comply with the Requirement\sub-Requirement |
    | Does Not Apply | 1 | Requirement\sub-Requirement does not apply to the device (requires explanation) |
    | Alternate Approach | 1 | An alternate approach is used to comply with the Requirement\sub-Requirement |
    | Unknown | 0 | It is unknown if compliance with Requirement\sub-Requirement is possible or available |

    Numerical values (0-1) are automatically added to the Value column based on the compliance value. The values are summed and used to determine the overall level of MIoT cybersecurity and privacy protection compliance (with SP.800-213A Capabilities).

    PROOF-OF-COMPLIANCE/VALIDATION PROCESS/TOOL
    This variable represents a process, procedure or tool (manual or automated) which is used as auditable proof or evidence that the Requirement is being satisfied.

    For example, for DEVICE IDENTIFICATION/Identifier Management Support: Ability to uniquely identify the IoT device logically, the validation process may be a short statement such as “device ID/SN can be read by IT Asset Management System” with a tool reference to ABC Asset Management program or application.[1] Validation is to provide sufficient supplementary or complementary information proving that the Requirement is being met.

    COMMENTS
    This variable provides for additional information.
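
The scoring described above, as an added Python example (not part of the workbook or the original page). The sample rows are constructed; reading the required "Does Not Apply" explanation from the Comments column, flagging rows that score 1 without a validation entry, and the per-Capability subtotals are assumptions of this sketch.

```python
from collections import defaultdict

# Compliance -> value mapping, exactly as given in the survey variables table.
VALUE = {"Yes": 1, "No": 0, "Does Not Apply": 1, "Alternate Approach": 1, "Unknown": 0}

# Constructed sample rows: (capability, requirement, compliance, validation, comments).
# Only the first requirement and its validation text come from the page.
ROWS = [
    ("Device Identification", "Uniquely identify the IoT device logically", "Yes",
     "device ID/SN can be read by IT Asset Management System", ""),
    ("Device Identification", "constructed requirement A", "Does Not Apply", "", ""),
    ("Device Configuration", "constructed requirement B", "Alternate Approach", "",
     "compensating control in place"),
    ("Device Configuration", "constructed requirement C", "Unknown", "", "vendor query open"),
    ("Data Protection", "constructed requirement D", "No", "", ""),
]

def assess(rows):
    """Return (total, per_capability, findings) for a list of survey rows."""
    per_cap = defaultdict(lambda: [0, 0])  # capability -> [score, rows assessed]
    findings = []
    for n, (cap, _req, compliance, validation, comments) in enumerate(rows, start=1):
        if compliance not in VALUE:
            raise ValueError(f"row {n}: unrecognised compliance value {compliance!r}")
        per_cap[cap][0] += VALUE[compliance]
        per_cap[cap][1] += 1
        # The table states that 'Does Not Apply' requires an explanation
        # (assumed here to live in the Comments column).
        if compliance == "Does Not Apply" and not comments.strip():
            findings.append((n, "Does Not Apply without explanation"))
        # Assumption: a row that earns 1 by claiming compliance needs auditable proof.
        if compliance in ("Yes", "Alternate Approach") and not validation.strip():
            findings.append((n, "scored 1 with no validation process/tool"))
    total = sum(score for score, _ in per_cap.values())
    return total, {cap: tuple(v) for cap, v in per_cap.items()}, findings

if __name__ == "__main__":
    total, per_cap, findings = assess(ROWS)
    print(f"overall: {total}/{len(ROWS)}")
    for cap, (score, count) in per_cap.items():
        print(f"  {cap}: {score}/{count}")
    for row, issue in findings:
        print(f"  row {row}: {issue}")
```

Because "Does Not Apply" and "Alternate Approach" both score 1, the findings list is what separates evidenced compliance from rows that raise the total without auditable support.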


    [1] Short, concise statements are preferred for clarity and readability.


    This page titled 3.6: Methodology - Design and Variables is shared under a CC BY-NC 4.0 license and was authored, remixed, and/or curated by Thomas P. Dover.
