# GSMA IoT Security Assessment Checklist

Each row maps one recommendation from the GSMA IoT Security Assessment Checklist to the OWASP IoT Top 10 (2018) category or categories it most directly addresses. The checklist reference encodes the source document and section: CLP11 is the IoT Security Guidelines Overview Document, CLP12 the IoT Security Guidelines for the IoT Service Ecosystem, and CLP13 the IoT Security Guidelines for the IoT Endpoint Ecosystem; the number after the underscore is the section within that document. **N/A** marks a recommendation with no direct counterpart in the OWASP IoT Top 10.

| [**GSMA IoT Security Assessment Checklist**](https://www.gsma.com/iot/iot-security-assessment/) | **GSMA Recommendation (section title)**                                         | [**OWASP IoT Top 10 Mapping**](https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf)                                                                              |
| ----------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **CLP11\_5**                                                                                    | 11.5 Risk Assessments                                                           | **N/A**                                                                                                                                                                        |
| **CLP11\_6**                                                                                    | 11.6 Privacy Considerations                                                     | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP11\_7**                                                                                    | 11.7 Secure Development                                                         | **I5 Use of Insecure or Outdated Components**                                                                                                                                  |
| **CLP11\_7.2**                                                                                  | 11.7.2 Review the current product or service’s Security Model                   | **N/A**                                                                                                                                                                        |
| **CLP12\_5.1**                                                                                  | 5.1 Implement a Service Trusted Computing Base                                  | **I5 Use of Insecure or Outdated Components**                                                                                                                                  |
| **CLP12\_5.2**                                                                                  | 5.2 Define an Organizational Root of Trust                                      | **I7 Insecure Data Transfer and Storage**                                                                                                                                      |
| **CLP12\_5.3**                                                                                  | 5.3 Define a Bootstrap Method                                                   | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP12\_5.4**                                                                                  | 5.4 Define a Security Infrastructure for Systems Exposed to the Public Internet | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>                                                             |
| **CLP12\_5.5**                                                                                  | 5.5 Define a Persistent Storage Model                                           | **I7 Insecure Data Transfer and Storage**                                                                                                                                      |
| **CLP12\_5.6**                                                                                  | 5.6 Define an Administration Model                                              | <p><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>                                                         |
| **CLP12\_5.7**                                                                                  | 5.7 Define a Systems Logging and Monitoring Approach                            | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_5.8**                                                                                  | 5.8 Define an Incident Response Model                                           | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_5.9**                                                                                  | 5.9 Define a Recovery Model                                                     | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_5.10**                                                                                 | 5.10 Define a Sunsetting Model                                                  | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_5.11**                                                                                 | 5.11 Define a Set of Security Classifications                                   | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_5.12**                                                                                 | 5.12 Define Classifications for Sets of Data Types                              | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP12\_6.1**                                                                                  | 6.1 Define a Clear Authorization Model                                          | <p><strong>I1 Weak, Guessable, or Hardcoded Passwords</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong></p>                                                    |
| **CLP12\_6.2**                                                                                  | 6.2 Manage the Cryptographic Architecture                                       | <p><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>                                                         |
| **CLP12\_6.3**                                                                                  | 6.3 Define a Communications Model                                               | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>                                                             |
| **CLP12\_6.4**                                                                                  | 6.4 Use Network Authentication Services                                         | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>                                                             |
| **CLP12\_6.5**                                                                                  | 6.5 Provision Servers Where Possible                                            | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_6.6**                                                                                  | 6.6 Define an Update Model                                                      | **I4 Lack of Secure Update Mechanism**                                                                                                                                         |
| **CLP12\_6.7**                                                                                  | 6.7 Define a Breach Policy for Exposed Data                                     | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP12\_6.8**                                                                                  | 6.8 Force Authentication Through the Service Ecosystem                          | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP12\_6.9**                                                                                  | 6.9 Implement Input Validation                                                  | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP12\_6.10**                                                                                 | 6.10 Implement Output Filtering                                                 | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP12\_6.11**                                                                                 | 6.11 Enforce Strong Password Policy                                             | **I1 Weak, Guessable, or Hardcoded Passwords**                                                                                                                                 |
| **CLP12\_6.12**                                                                                 | 6.12 Define Application Layer Authentication and Authorization                  | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP12\_6.13**                                                                                 | 6.13 Default-Open or Fail-Open Firewall Rules and System Hardening              | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I8 Lack of Device Management</strong></p>             |
| **CLP12\_6.14**                                                                                 | 6.14 Evaluate the Communications Privacy Model                                  | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP12\_7.1**                                                                                  | 7.1 Define an Application Execution Environment                                 | **N/A**                                                                                                                                                                        |
| **CLP12\_7.2**                                                                                  | 7.2 Use Partner-Enhanced Monitoring Services                                    | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP12\_7.3**                                                                                  | 7.3 Use a Private APN for Cellular Connectivity                                 | **N/A**                                                                                                                                                                        |
| **CLP12\_7.4**                                                                                  | 7.4 Define a Third-Party Data Distribution Policy                               | <p><strong>I6 Insufficient Privacy Protection</strong><br><br><strong>I8 Lack of Device Management</strong></p>                                                                |
| **CLP12\_7.5**                                                                                  | 7.5 Build a Third-Party Data Filter                                             | **N/A**                                                                                                                                                                        |
| **CLP12\_8.1**                                                                                  | 8.1 Protect Against Rowhammer and Similar Attacks                               | **N/A**                                                                                                                                                                        |
| **CLP12\_8.2**                                                                                  | 8.2 Protect Against Virtual Machine Compromises                                 | **N/A**                                                                                                                                                                        |
| **CLP12\_8.3**                                                                                  | 8.3 Build an API for Users to Control Privacy Attributes                        | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP12\_8.4**                                                                                  | 8.4 Define a False Negative/Positive Assessment Model                           | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.1**                                                                                  | 6.1 Implement an Endpoint Trusted Computing Base                                | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.2**                                                                                  | 6.2 Utilize a Trust Anchor                                                      | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.3**                                                                                  | 6.3 Use a Tamper Resistant Trust Anchor                                         | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.4**                                                                                  | 6.4 Utilise an API for the TCB                                                  | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                                      |
| **CLP13\_6.5**                                                                                  | 6.5 Defining an Organizational Root of Trust                                    | <p><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I10 Lack of Physical Hardening</strong></p>                                                                |
| **CLP13\_6.6**                                                                                  | 6.6 Personalize Each Endpoint Device Prior to Fulfilment                        | <p><strong>I1 Weak, Guessable, or Hardcoded Passwords</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                        |
| **CLP13\_6.7**                                                                                  | 6.7 Minimum Viable Execution Platform                                           | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP13\_6.8**                                                                                  | 6.8 Uniquely Provision Each Endpoint                                            | <p><strong>I1 Weak, Guessable, or Hardcoded Passwords</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                        |
| **CLP13\_6.9**                                                                                  | 6.9 Endpoint Password Management                                                | **I1 Weak, Guessable, or Hardcoded Passwords**                                                                                                                                 |
| **CLP13\_6.10**                                                                                 | 6.10 Use a Proven Random Number Generator                                       | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.11**                                                                                 | 6.11 Cryptographically Sign Application Images                                  | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.12**                                                                                 | 6.12 Remote Endpoint Administration                                             | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP13\_6.13**                                                                                 | 6.13 Logging and Diagnostics                                                    | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP13\_6.14**                                                                                 | 6.14 Enforce Memory Protection                                                  | **N/A**                                                                                                                                                                        |
| **CLP13\_6.15**                                                                                 | 6.15 Secure Bootloaders                                                         | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_6.16**                                                                                 | 6.16 Locking Critical Sections of Memory                                        | <p><strong>I7 Insecure Data Transfer and Storage</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                             |
| **CLP13\_6.18**                                                                                 | 6.18 Perfect Forward Secrecy                                                    | **I7 Insecure Data Transfer and Storage**                                                                                                                                      |
| **CLP13\_6.19**                                                                                 | 6.19 Endpoint Communications Security                                           | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I7 Insecure Data Transfer and Storage</strong></p>    |
| **CLP13\_6.20**                                                                                 | 6.20 Authenticating an Endpoint Identity                                        | **I1 Weak, Guessable, or Hardcoded Passwords**                                                                                                                                 |
| **CLP13\_7.1**                                                                                  | 7.1 Use Internal Memory for Secrets                                             | **I7 Insecure Data Transfer and Storage**                                                                                                                                      |
| **CLP13\_7.2**                                                                                  | 7.2 Anomaly Detection                                                           | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP13\_7.3**                                                                                  | 7.3 Use Tamper Resistant Product Casing                                         | **I10 Lack of Physical Hardening**                                                                                                                                             |
| **CLP13\_7.4**                                                                                  | 7.4 Enforce Confidentiality and Integrity to/from the Trust Anchor              | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_7.5**                                                                                  | 7.5 Over the Air Application Updates                                            | **I4 Lack of Secure Update Mechanism**                                                                                                                                         |
| **CLP13\_7.6**                                                                                  | 7.6 Improperly Engineered or Unimplemented Mutual Authentication                | <p><strong>I1 Weak, Guessable, or Hardcoded Passwords</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong></p>                                                    |
| **CLP13\_7.8**                                                                                  | 7.8 Privacy and Unique Endpoint Identities                                      | <p><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I6 Insufficient Privacy Protection</strong></p>                                                            |
| **CLP13\_7.9**                                                                                  | 7.9 Run Applications with Appropriate Privilege Levels                          | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP13\_7.10**                                                                                 | 7.10 Enforce a Separation of Duties in the Application Architecture             | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP13\_7.11**                                                                                 | 7.11 Enforce Language Security                                                  | **I5 Use of Insecure or Outdated Components**                                                                                                                                  |
| **CLP13\_7.12**                                                                                 | 7.12 Implement Persistent Pentesting                                            | **N/A**                                                                                                                                                                        |
| **CLP13\_8.1**                                                                                  | 8.1 Enforce Operating System Level Security Enhancements                        | <p><strong>I5 Use of Insecure or Outdated Components</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                         |
| **CLP13\_8.2**                                                                                  | 8.2 Disable Debugging and Testing Technologies                                  | <p><strong>I9 Insecure Default Settings</strong><br><br><strong>I10 Lack of Physical Hardening</strong></p>                                                                    |
| **CLP13\_8.3**                                                                                  | 8.3 Tainted Memory via Peripheral-Based Attacks                                 | <p><strong>I7 Insecure Data Transfer and Storage</strong><br><br><strong>I9 Insecure Default Settings</strong><br><br><strong>I10 Lack of Physical Hardening</strong></p>      |
| **CLP13\_8.4**                                                                                  | 8.4 User Interface Security                                                     | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP13\_8.6**                                                                                  | 8.6 Utilize a Private APN                                                       | **I9 Insecure Default Settings**                                                                                                                                               |
| **CLP13\_8.7**                                                                                  | 8.7 Implement Environmental Lock-Out Thresholds                                 | **I3 Insecure Ecosystem Interfaces**                                                                                                                                           |
| **CLP13\_8.8**                                                                                  | 8.8 Enforce Power Warning Thresholds                                            | **I10 Lack of Physical Hardening**                                                                                                                                             |
| **CLP13\_8.9**                                                                                  | 8.9 Environments Without Back-End Connectivity                                  | <p><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I9 Insecure Default Settings</strong></p>                                                                  |
| **CLP13\_8.10**                                                                                 | 8.10 Device Decommissioning and Sunsetting                                      | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP13\_8.11**                                                                                 | 8.11 Unauthorized Metadata Harvesting                                           | **I6 Insufficient Privacy Protection**                                                                                                                                         |
| **CLP13\_9.1**                                                                                  | 9.1 Intentional and Unintentional Denial of Service                             | <p><strong>I2 Insecure Network Services</strong><br><br><strong>I3 Insecure Ecosystem Interfaces</strong><br><br><strong>I9 Insecure Default Settings</strong></p>             |
| **CLP13\_9.2**                                                                                  | 9.2 Safety Critical Analysis                                                    | **I8 Lack of Device Management**                                                                                                                                               |
| **CLP13\_9.3**                                                                                  | 9.3 Defeating Shadowed Components and Untrusted Bridges                         | **I10 Lack of Physical Hardening**                                                                                                                                             |
| **CLP13\_9.4**                                                                                  | 9.4 Defeating a Cold Boot Attack                                                | **I10 Lack of Physical Hardening**                                                                                                                                             |
| **CLP13\_9.5**                                                                                  | 9.5 Non-Obvious Security Risks (Seeing Through Walls)                           | **N/A**                                                                                                                                                                        |
| **CLP13\_9.6**                                                                                  | 9.6 Combating Focused Ion Beams and X-Rays                                      | **N/A**                                                                                                                                                                        |
| **CLP13\_9.7**                                                                                  | 9.7 Consider Supply Chain Security                                              | <p><strong>I5 Use of Insecure or Outdated Components</strong><br><br><strong>I10 Lack of Physical Hardening</strong></p>                                                       |
