1. Purpose
This policy establishes security standards and best practices for Internet of Things (IoT) devices connected to Speak AI’s infrastructure to mitigate risks, protect sensitive data, and ensure compliance with cybersecurity regulations.
2. Scope
This policy applies to all IoT devices deployed within Speak AI’s environment, including but not limited to smart sensors, industrial control systems, security cameras, and connected office equipment.
3. Security Standards
3.1 Device Authentication & Access Control
All IoT devices must support authentication mechanisms to prevent unauthorized access.
Unique credentials must be assigned to each device; default passwords must be changed before deployment.
Multi-Factor Authentication (MFA) must be enabled where supported.
Access to IoT devices must be restricted based on least privilege principles.
3.2 Data Encryption & Transmission Security
All data transmitted to and from IoT devices must be encrypted using industry-standard protocols (e.g., TLS 1.2+ or IPsec).
Sensitive data stored on IoT devices must be encrypted at rest.
IoT communications should be segmented from the corporate network using VLANs or dedicated networks.
3.3 Patch Management & Software Updates
All IoT devices must be regularly updated with security patches and firmware updates.
Automated patching mechanisms should be enabled where possible.
Devices that cannot be updated must be reviewed for potential replacement or mitigation strategies.
3.4 Network Segmentation & Monitoring
IoT devices must be isolated from critical business systems through network segmentation.
Anomaly detection and logging must be enabled to monitor device activity for security threats.
Unauthorized IoT devices detected on the network must be immediately investigated and, if necessary, removed.
3.5 Physical Security & Asset Management
IoT devices must be physically secured to prevent tampering.
An asset inventory must be maintained for all IoT devices, including device details, firmware versions, and ownership.
Decommissioned devices must be securely wiped or destroyed before disposal.
4. Compliance & Enforcement
IoT devices must be compliant with Speak AI’s Network Security Policy and Vulnerability Management Policy.
Regular security audits must be conducted to identify and mitigate IoT-related risks.
Non-compliant devices must be removed or remediated immediately.
5. References & Supporting Documents
Speak AI Network Security Policy: https://help.speakai.co/en/articles/9363486-network-security-policy
Speak AI Vulnerability Management Policy: https://help.speakai.co/en/articles/9369290-vulnerability-management-policy
Speak AI Asset Management Policy: https://help.speakai.co/en/articles/9376593-asset-management-policy
6. Contact Information
For security concerns or policy clarifications, contact [email protected].
This policy is subject to periodic review and updates to align with emerging security threats and best practices.