IoT Network Security Assessment Process

Below are the steps for submitting connected devices into the DoITT Cloud Review Process. All connected devices, management applications, and other digital services leveraged by or developed for the City must pass the IoT Network Security Assessment Process (IoT NSAP), a multi-step process led by the DoITT Cloud Review and NYC Cyber Command teams.

Even the simplest sensors and their device management platforms can have significant vulnerabilities, so the IoT NSAP is critical for ensuring that connected devices and device management platforms are secure prior to deployment within New York City.

The IoT Network Security Assessment Process is required for all connected devices, whether they are being procured for your Agency, developed in-house, or developed with a third-party vendor.


Familiarize Yourself with the City’s Security Policies & Legal Documentation

The City has a number of policies relating to how our digital properties treat data and personal information. Please review these at the start of your assessment.

Note: City security policies also apply to any connected device or service purchased by your Agency, hosted either on-premise or in the Cloud.

See the list of citywide security policies.

The legal agreements below have been approved by DoITT and NYC3 Legal:

The EULA covers on-premise software, firmware, and hardware (including connected devices). The CSA covers hosted services including, but not limited to, Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Both the EULA and the CSA are the City’s licensing terms for purchasing these types of products.

Please review these documents internally with your Agency’s legal counsel. Your Agency can use these agreements directly when contractually procuring a product, or incorporate them into your existing Agency contracts. These agreements are important because they are designed specifically to protect the City in the procurement of connected devices.

If your Agency’s legal counsel has any questions about these agreements, you may reach out to DoITT Legal.


Prerequisite: DoITT Cloud Review Process

The DoITT Cloud Review Process applies to, and leads into, all connected device testing. The DoITT Cloud Review team will contact you about your request and schedule a meeting to review your project.

DoITT Cloud Review works with New York City Cyber Command, a member of the DoITT Cloud Review team, to ensure that your connected devices and device management platforms comply with information security policies and standards.

1. In the DoITT Service Catalog > Professional Services > Cloud Review

  1. Fill out a Request Form:
    1. Service Category: Professional Services
    2. Service Offering: Cloud Review
  2. After submitting the form, you will receive an email with instructions and a KSR number.
  3. Download the IoT Network Security Assessment Questionnaire. Please fill it out prior to the DoITT Cloud Review meeting. If you have questions please fill out the ‘Contact the IoT Team‘ form.

2. Go to the Cloud Review Portal and select “Start New Review” (use your CSC / credentials to log in; if you don’t have one, ask the CityWide Service Desk to reset your username/password; all City employees can get one). Please fill out the form to the best of your ability (there are 4 mandatory fields):

  • KSR#:
  • Cloud Review Title:
  • Agency Contact Email:
  • Data Profile:

3. Once the DoITT Cloud Review Team receives the DoITT Review Request, they will schedule a meeting to review your project.


IoT Network Security Assessment Process

After the DoITT Cloud Review, NYC3 will carry out the detailed IoT NSAP:

  1. Connected Device Pen Testing
  2. Device Management Platform Pen Testing
  3. End-to-End IoT Network Architecture Security Assessment