Educause Security Discussion mailing list archives

Due Diligence, vendor assessments, etc.


From: Frank Barton <bartonf () HUSSON EDU>
Date: Tue, 30 Apr 2019 09:12:56 -0400

Good morning folks,
 I've been following the discussions around the HECVAT, and was wondering
if anybody was using a similar type of assessment tool/checklist when
selecting vendors for physical/on-prem devices, specifically for devices
that might be considered "IoT" or other "black-box" type devices where we
as the end-user/admin have somewhat limited access to the underlying systems.
Some of the devices that have recently come across my radar for this type
of assessment include:

   - Security Cameras
   - Access Control Systems/Networked Locks
   - HVAC/Building controls
   - Electrical monitoring equipment
   - Digital signage
   - Medical Equipment

Some of the questions that have come up for us include:

   - Lifecycle (end-of-sale, end-of-life, end-of-support) questions
   - availability of firmware/security updates
   - process for updating firmware (manual, automatic, OTA, serial/USB, etc.)
   - notification of update availability
   - ability to factory reset
   - what data is stored on device
   - remote support capabilities
   - remote support tunnels

Thank you all,
Frank

-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University