GSMA IoT Security Assessment Checklist
 | Description | |
CLP11_5 | 11.5 Risk Assessments | N/A |
CLP11_6 | 11.6 Privacy Considerations | I6 Insufficient Privacy Protection |
CLP11_7 | 11.7 Secure Development | I5 Use of Insecure or Outdated Components |
CLP11_7.2 | 11.7.2 Review the current product or service’s Security Model | N/A |
CLP12_5.1 | 5.1 Implement a Service Trusted Computing Base | I5 Use of Insecure or Outdated Components |
CLP12_5.2 | 5.2 Define an Organizational Root of Trust | I7 Insecure Data Transfer and Storage |
CLP12_5.3 | 5.3 Define a Bootstrap Method | I9 Insecure Default Settings |
CLP12_5.4 | 5.4 Define a Security Infrastructure for Systems Exposed to the Public Internet | I2 Insecure Network Services; I7 Insecure Data Transfer and Storage |
CLP12_5.5 | 5.5 Define a Persistent Storage Model | I7 Insecure Data Transfer and Storage |
CLP12_5.6 | 5.6 Define an Administration Model | I3 Insecure Ecosystem Interfaces; I7 Insecure Data Transfer and Storage |
CLP12_5.7 | 5.7 Define a Systems Logging and Monitoring Approach | I8 Lack of Device Management |
CLP12_5.8 | 5.8 Define an Incident Response Model | I8 Lack of Device Management |
CLP12_5.9 | 5.9 Define a Recovery Model | I8 Lack of Device Management |
CLP12_5.10 | 5.10 Define a Sunsetting Model | I8 Lack of Device Management |
CLP12_5.11 | 5.11 Define a Set of Security Classifications | I8 Lack of Device Management |
CLP12_5.12 | 5.12 Define Classifications for Sets of Data Types | I6 Insufficient Privacy Protection |
CLP12_6.1 | 6.1 Define a Clear Authorization Model | I1 Weak, Guessable, or Hardcoded Passwords; I3 Insecure Ecosystem Interfaces |
CLP12_6.2 | 6.2 Manage the Cryptographic Architecture | I3 Insecure Ecosystem Interfaces; I7 Insecure Data Transfer and Storage |
CLP12_6.3 | 6.3 Define a Communications Model | I2 Insecure Network Services; I7 Insecure Data Transfer and Storage |
CLP12_6.4 | 6.4 Use Network Authentication Services | I2 Insecure Network Services; I7 Insecure Data Transfer and Storage |
CLP12_6.5 | 6.5 Provision Servers Where Possible | I8 Lack of Device Management |
CLP12_6.6 | 6.6 Define an Update Model | I4 Lack of Secure Update Mechanism |
CLP12_6.7 | 6.7 Define a Breach Policy for Exposed Data | I6 Insufficient Privacy Protection |
CLP12_6.8 | 6.8 Force Authentication Through the Service Ecosystem | I3 Insecure Ecosystem Interfaces |
CLP12_6.9 | 6.9 Implement Input Validation | I3 Insecure Ecosystem Interfaces |
CLP12_6.10 | 6.10 Implement Output Filtering | I3 Insecure Ecosystem Interfaces |
CLP12_6.11 | 6.11 Enforce Strong Password Policy | I1 Weak, Guessable, or Hardcoded Passwords |
CLP12_6.12 | 6.12 Define Application Layer Authentication and Authorization | I3 Insecure Ecosystem Interfaces |
CLP12_6.13 | 6.13 Default-Open or Fail-Open Firewall Rules and System Hardening | I2 Insecure Network Services; I3 Insecure Ecosystem Interfaces; I8 Lack of Device Management |
CLP12_6.14 | 6.14 Evaluate the Communications Privacy Model | I6 Insufficient Privacy Protection |
CLP12_7.1 | 7.1 Define an Application Execution Environment | N/A |
CLP12_7.2 | 7.2 Use Partner-Enhanced Monitoring Services | I8 Lack of Device Management |
CLP12_7.3 | 7.3 Use a Private APN for Cellular Connectivity | N/A |
CLP12_7.4 | 7.4 Define a Third-Party Data Distribution Policy | I6 Insufficient Privacy Protection; I8 Lack of Device Management |
CLP12_7.5 | 7.5 Build a Third-Party Data Filter | N/A |
CLP12_8.1 | 8.1 Protect Against Rowhammer and Similar Attacks | N/A |
CLP12_8.2 | 8.2 Protect Against Virtual Machine Compromises | N/A |
CLP12_8.3 | 8.3 Build an API for Users to Control Privacy Attributes | I6 Insufficient Privacy Protection |
CLP12_8.4 | 8.4 Define a False Negative/Positive Assessment Model | I9 Insecure Default Settings |
CLP13_6.1 | 6.1 Implement an Endpoint Trusted Computing Base | I9 Insecure Default Settings |
CLP13_6.2 | 6.2 Utilize a Trust Anchor | I9 Insecure Default Settings |
CLP13_6.3 | 6.3 Use a Tamper Resistant Trust Anchor | I9 Insecure Default Settings |
CLP13_6.4 | 6.4 Utilise an API for the TCB | I2 Insecure Network Services; I9 Insecure Default Settings |
CLP13_6.5 | 6.5 Defining an Organizational Root of Trust | I3 Insecure Ecosystem Interfaces; I10 Lack of Physical Hardening |
CLP13_6.6 | 6.6 Personalize Each Endpoint Device Prior to Fulfilment | I1 Weak, Guessable, or Hardcoded Passwords; I9 Insecure Default Settings |
CLP13_6.7 | 6.7 Minimum Viable execution Platform | I3 Insecure Ecosystem Interfaces |
CLP13_6.8 | 6.8 Uniquely Provision Each Endpoint | I1 Weak, Guessable, or Hardcoded Passwords; I9 Insecure Default Settings |
CLP13_6.9 | 6.9 Endpoint Password Management | I1 Weak, Guessable, or Hardcoded Passwords |
CLP13_6.10 | 6.10 Use a Proven Random Number Generator | I9 Insecure Default Settings |
CLP13_6.11 | 6.11 Cryptographically Sign Application Images | I9 Insecure Default Settings |
CLP13_6.12 | 6.12 Remote Endpoint Administration | I8 Lack of Device Management |
CLP13_6.13 | 6.13 Logging and Diagnostics | I8 Lack of Device Management |
CLP13_6.14 | 6.14 Enforce Memory Protection | N/A |
CLP13_6.15 | 6.15 Secure Bootloaders | I9 Insecure Default Settings |
CLP13_6.16 | 6.16 Locking Critical Sections of Memory | I7 Insecure Data Transfer and Storage; I9 Insecure Default Settings |
CLP13_6.18 | 6.18 Perfect Forward Secrecy | I7 Insecure Data Transfer and Storage |
CLP13_6.19 | 6.19 Endpoint Communications Security | I2 Insecure Network Services; I3 Insecure Ecosystem Interfaces; I7 Insecure Data Transfer and Storage |
CLP13_6.20 | 6.20 Authenticating an Endpoint Identity | I1 Weak, Guessable, or Hardcoded Passwords |
CLP13_7.1 | 7.1 Use Internal Memory for Secrets | I7 Insecure Data Transfer and Storage |
CLP13_7.2 | 7.2 Anomaly Detection | I8 Lack of Device Management |
CLP13_7.3 | 7.3 Use Tamper Resistant Product Casing | I10 Lack of Physical Hardening |
CLP13_7.4 | 7.4 Enforce Confidentiality and Integrity to/from the Trust Anchor | I9 Insecure Default Settings |
CLP13_7.5 | 7.5 Over the Air Application Updates | I4 Lack of Secure Update Mechanism |
CLP13_7.6 | 7.6 Improperly Engineered or Unimplemented Mutual Authentication | I1 Weak, Guessable, or Hardcoded Passwords; I3 Insecure Ecosystem Interfaces |
CLP13_7.8 | 7.8 Privacy and Unique Endpoint Identities | I3 Insecure Ecosystem Interfaces; I6 Insufficient Privacy Protection |
CLP13_7.9 | 7.9 Run Applications with Appropriate Privilege Levels | I3 Insecure Ecosystem Interfaces |
CLP13_7.10 | 7.10 Enforce a Separation of Duties in the Application Architecture | I3 Insecure Ecosystem Interfaces |
CLP13_7.11 | 7.11 Enforce Language Security | I5 Use of Insecure or Outdated Components |
CLP13_7.12 | 7.12 Implement Persistent Pentesting | N/A |
CLP13_8.1 | 8.1 Enforce Operating System Level Security Enhancements | I5 Use of Insecure or Outdated Components; I9 Insecure Default Settings |
CLP13_8.2 | 8.2 Disable Debugging and Testing Technologies | I9 Insecure Default Settings; I10 Lack of Physical Hardening |
CLP13_8.3 | 8.3 Tainted Memory via Peripheral-Based Attacks | I7 Insecure Data Transfer and Storage; I9 Insecure Default Settings; I10 Lack of Physical Hardening |
CLP13_8.4 | 8.4 User Interface Security | I3 Insecure Ecosystem Interfaces |
CLP13_8.6 | 8.6 Utilize a Private APN | I9 Insecure Default Settings |
CLP13_8.7 | 8.7 Implement Environmental Lock-Out Thresholds | I3 Insecure Ecosystem Interfaces |
CLP13_8.8 | 8.8 Enforce Power Warning Thresholds | I10 Lack of Physical Hardening |
CLP13_8.9 | 8.9 Environments Without Back-End Connectivity | I3 Insecure Ecosystem Interfaces; I9 Insecure Default Settings |
CLP13_8.10 | 8.10 Device Decommissioning and Sunsetting | I8 Lack of Device Management |
CLP13_8.11 | 8.11 Unauthorized Metadata Harvesting | I6 Insufficient Privacy Protection |
CLP13_9.1 | 9.1 Intentional and Unintentional Denial of Service | I2 Insecure Network Services; I3 Insecure Ecosystem Interfaces; I9 Insecure Default Settings |
CLP13_9.2 | 9.2 Safety Critical Analysis | I8 Lack of Device Management |
CLP13_9.3 | 9.3 Defeating Shadowed Components and Untrusted Bridges | I10 Lack of Physical Hardening |
CLP13_9.4 | 9.4 Defeating a Cold Boot Attack | I10 Lack of Physical Hardening |
CLP13_9.5 | 9.5 Non-Obvious Security Risks (Seeing Through Walls) | N/A |
CLP13_9.6 | 9.6 Combating Focused Ion Beams and X-Rays | N/A |
CLP13_9.7 | 9.7 Consider Supply Chain Security | I5 Use of Insecure or Outdated Components; I10 Lack of Physical Hardening |