GSMA IoT Security Assessment Checklist

GSMA IoT Security Assessment Checklist	Description	OWASP IoT Top 10 Mapping
CLP11_5	11.5 Risk Assessments	N/A
CLP11_6	11.6 Privacy Considerations	I6 Insufficient Privacy Protection
CLP11_7	11.7 Secure Development	I5 Use of Insecure or Outdated Components
CLP11_7.2	11.7.2 Review the current product or service’s Security Model	N/A
CLP12_5.1	5.1 Implement a Service Trusted Computing Base	I5 Use of Insecure or Outdated Components
CLP12_5.2	5.2 Define an Organizational Root of Trust	I7 Insecure Data Transfer and Storage
CLP12_5.3	5.3 Define a Bootstrap Method	I9 Insecure Default Settings
CLP12_5.4	5.4 Define a Security Infrastructure for Systems Exposed to the Public Internet	I2 Insecure Network Services I7 Insecure Data Transfer and Storage
CLP12_5.5	5.5 Define a Persistent Storage Model	I7 Insecure Data Transfer and Storage
CLP12_5.6	5.6 Define an Administration Model	I3 Insecure Ecosystem Interfaces I7 Insecure Data Transfer and Storage
CLP12_5.7	5.7 Define a Systems Logging and Monitoring Approach	I8 Lack of Device Management
CLP12_5.8	5.8 Define an Incident Response Model	I8 Lack of Device Management
CLP12_5.9	5.9 Define a Recovery Model	I8 Lack of Device Management
CLP12_5.10	5.10 Define a Sunsetting Model	I8 Lack of Device Management
CLP12_5.11	5.11 Define a Set of Security Classifications	I8 Lack of Device Management
CLP12_5.12	5.12 Define Classifications for Sets of Data Types	I6 Insufficient Privacy Protection
CLP12_6.1	6.1 Define a Clear Authorization Model	I1 Weak, Guessable, or Hardcoded Passwords I3 Insecure Ecosystem Interfaces
CLP12_6.2	6.2 Manage the Cryptographic Architecture	I3 Insecure Ecosystem Interfaces I7 Insecure Data Transfer and Storage
CLP12_6.3	6.3 Define a Communications Model	I2 Insecure Network Services I7 Insecure Data Transfer and Storage
CLP12_6.4	6.4 Use Network Authentication Services	I2 Insecure Network Services I7 Insecure Data Transfer and Storage
CLP12_6.5	6.5 Provision Servers Where Possible	I8 Lack of Device Management
CLP12_6.6	6.6 Define an Update Model	I4 Lack of Secure Update Mechanism
CLP12_6.7	6.7 Define a Breach Policy for Exposed Data	I6 Insufficient Privacy Protection
CLP12_6.8	6.8 Force Authentication Through the Service Ecosystem	I3 Insecure Ecosystem Interfaces
CLP12_6.9	6.9 Implement Input Validation	I3 Insecure Ecosystem Interfaces
CLP12_6.10	6.10 Implement Output Filtering	I3 Insecure Ecosystem Interfaces
CLP12_6.11	6.11 Enforce Strong Password Policy	I1 Weak, Guessable, or Hardcoded Passwords
CLP12_6.12	6.12 Define Application Layer Authentication and Authorization	I3 Insecure Ecosystem Interfaces
CLP12_6.13	6.13 Default-Open or Fail-Open Firewall Rules and System Hardening	I2 Insecure Network Services I3 Insecure Ecosystem Interfaces I8 Lack of Device Management
CLP12_6.14	6.14 Evaluate the Communications Privacy Model	I6 Insufficient Privacy Protection
CLP12_7.1	7.1 Define an Application Execution Environment	N/A
CLP12_7.2	7.2 Use Partner-Enhanced Monitoring Services	I8 Lack of Device Management
CLP12_7.3	7.3 Use a Private APN for Cellular Connectivity	N/A
CLP12_7.4	7.4 Define a Third-Party Data Distribution Policy	I6 Insufficient Privacy Protection I8 Lack of Device Management
CLP12_7.5	7.5 Build a Third-Party Data Filter	N/A
CLP12_8.1	8.1 Protect Against Rowhammer and Similar Attacks	N/A
CLP12_8.2	8.2 Protect Against Virtual Machine Compromises	N/A
CLP12_8.3	8.3 Build an API for Users to Control Privacy Attributes	I6 Insufficient Privacy Protection
CLP12_8.4	8.4 Define a False Negative/Positive Assessment Model	I9 Insecure Default Settings
CLP13_6.1	6.1 Implement an Endpoint Trusted Computing Base	I9 Insecure Default Settings
CLP13_6.2	6.2 Utilize a Trust Anchor	I9 Insecure Default Settings
CLP13_6.3	6.3 Use a Tamper Resistant Trust Anchor	I9 Insecure Default Settings
CLP13_6.4	6.4 Utilise an API for the TCB	I2 Insecure Network Services I9 Insecure Default Settings
CLP13_6.5	6.5 Defining an Organizational Root of Trust	I3 Insecure Ecosystem Interfaces I10 Lack of Physical Hardening
CLP13_6.6	6.6 Personalize Each Endpoint Device Prior to Fulfilment	I1 Weak, Guessable, or Hardcoded Passwords I9 Insecure Default Settings
CLP13_6.7	6.7 Minimum Viable execution Platform	I3 Insecure Ecosystem Interfaces
CLP13_6.8	6.8 Uniquely Provision Each Endpoint	I1 Weak, Guessable, or Hardcoded Passwords I9 Insecure Default Settings
CLP13_6.9	6.9 Endpoint Password Management	I1 Weak, Guessable, or Hardcoded Passwords
CLP13_6.10	6.10 Use a Proven Random Number Generator	I9 Insecure Default Settings
CLP13_6.11	6.11 Cryptographically Sign Application Images	I9 Insecure Default Settings
CLP13_6.12	6.12 Remote Endpoint Administration	I8 Lack of Device Management
CLP13_6.13	6.13 Logging and Diagnostics	I8 Lack of Device Management
CLP13_6.14	6.14 Enforce Memory Protection	N/A
CLP13_6.15	6.15 Secure Bootloaders	I9 Insecure Default Settings
CLP13_6.16	6.16 Locking Critical Sections of Memory	I7 Insecure Data Transfer and Storage I9 Insecure Default Settings
CLP13_6.18	6.18 Perfect Forward Secrecy	I7 Insecure Data Transfer and Storage
CLP13_6.19	6.19 Endpoint Communications Security	I2 Insecure Network Services I3 Insecure Ecosystem Interfaces I7 Insecure Data Transfer and Storage
CLP13_6.20	6.20 Authenticating an Endpoint Identity	I1 Weak, Guessable, or Hardcoded Passwords
CLP13_7.1	7.1 Use Internal Memory for Secrets	I7 Insecure Data Transfer and Storage
CLP13_7.2	7.2 Anomaly Detection	I8 Lack of Device Management
CLP13_7.3	7.3 Use Tamper Resistant Product Casing	I10 Lack of Physical Hardening
CLP13_7.4	7.4 Enforce Confidentiality and Integrity to/from the Trust Anchor	I9 Insecure Default Settings
CLP13_7.5	7.5 Over the Air Application Updates	I4 Lack of Secure Update Mechanism
CLP13_7.6	7.6 Improperly Engineered or Unimplemented Mutual Authentication	I1 Weak, Guessable, or Hardcoded Passwords I3 Insecure Ecosystem Interfaces
CLP13_7.8	7.8 Privacy and Unique Endpoint Identities	I3 Insecure Ecosystem Interfaces I6 Insufficient Privacy Protection
CLP13_7.9	7.9 Run Applications with Appropriate Privilege Levels	I3 Insecure Ecosystem Interfaces
CLP13_7.10	7.10 Enforce a Separation of Duties in the Application Architecture	I3 Insecure Ecosystem Interfaces
CLP13_7.11	7.11 Enforce Language Security	I5 Use of Insecure or Outdated Components
CLP13_7.12	7.12 Implement Persistent Pentesting	N/A
CLP13_8.1	8.1 Enforce Operating System Level Security Enhancements	I5 Use of Insecure or Outdated Components I9 Insecure Default Settings
CLP13_8.2	8.2 Disable Debugging and Testing Technologies	I9 Insecure Default Settings I10 Lack of Physical Hardening
CLP13_8.3	8.3 Tainted Memory via Peripheral-Based Attacks	I7 Insecure Data Transfer and Storage I9 Insecure Default Settings I10 I10 Lack of Physical Hardening
CLP13_8.4	8.4 User Interface Security	I3 Insecure Ecosystem Interfaces
CLP13_8.6	8.6 Utilize a Private APN	I9 Insecure Default Settings
CLP13_8.7	8.7 Implement Environmental Lock-Out Thresholds	I3 Insecure Ecosystem Interfaces
CLP13_8.8	8.8 Enforce Power Warning Thresholds	I10 Lack of Physical Hardening
CLP13_8.9	8.9 Environments Without Back-End Connectivity	I3 Insecure Ecosystem Interfaces I9 Insecure Default Settings
CLP13_8.10	8.10 Device Decommissioning and Sunsetting	I8 Lack of Device Management
CLP13_8.11	8.11 Unauthorized Metadata Harvesting	I6 Insufficient Privacy Protection
CLP13_9.1	9.1 Intentional and Unintentional Denial of Service	I2 Insecure Network Services I3 Insecure Ecosystem Interfaces I9 Insecure Default Settings
CLP13_9.2	9.2 Safety Critical Analysis	I8 Lack of Device Management
CLP13_9.3	9.3 Defeating Shadowed Components and Untrusted Bridges	I10 Lack of Physical Hardening
CLP13_9.4	9.4 Defeating a Cold Boot Attack	I10 Lack of Physical Hardening
CLP13_9.5	9.5 Non-Obvious Security Risks (Seeing Through Walls)	N/A
CLP13_9.6	9.6 Combating Focused Ion Beams and X-Rays	N/A
CLP13_9.7	9.7 Consider Supply Chain Security	I5 Use of Insecure or Outdated Components I10 Lack of Physical Hardening