The IIC IoT Security Maturity Model (SMM) Practitioner’s Guide has recently been updated to version 1.2. The associated introductory SMM Description and Intended Use white paper has also been updated as well.

This Security Maturity Model (SMM) provides a way of understanding the areas that impact security maturity by structuring the practices into the domains of governance, enablement, and hardening (think of governance, security by design and secure operations). Subdomains structure this more finely, into topics such as security program management, threat modeling, establishing and maintaining identities, physical protection, patch management and monitoring practice, to name only a few of the eighteen practices described in the Security Maturity Model (SMM) Practitioner’s Guide.

The Security Maturity Model (SMM) has a table for each of the 18 practices defining objectives, and the description, actions and indicators of accomplishment for the various maturity levels. These include minimum (1), ad hoc (2), consistent (3) and formalized (4). Importantly the model does not assume that a higher number is better, but rather describes a process toward achieving the right match to the needs and situation. The model also allows for extensibility to provide guidance for an industry or system, when appropriate to go beyond the general guidance. An example (to discuss in a different blog post) is the IoT SMM: Retail Profile for Point-of-Sale Devices which was developed jointly by the IIC SMM team and the OMG Retail Task Group.

There is much more to the IIC IoT Security Maturity Model (SMM) Practitioner’s Guide, such as discussion of the process of setting targets and performing an assessment.

This new version of the SMM improves the clarity and usefulness of the Practitioner’s Guide by adding new guidance to the numerous practice tables, clarifying scoring and the case studies, correcting minor errors and incorporating reader feedback, all without changing the underlying model.