What security certifications are required for a Digital Signage Product?

Xchange Member Question
What security certifications are required for a Digital Signage Product?
Like

Share this post

Choose a social network to share with.

This is a representation of how your post may appear on social media. The actual post will vary between social networks

Xchange Members,

@Harish040 has posted a question in the Q&A. He's wanting to know what security certifications are required for a Digital Signage Product. 

I bet we have some folks here that can help!

Please sign in

If you are a registered user on AVIXA Xchange, please sign in

Go to the profile of Bobby Owens
over 1 year ago

All good!!!

Go to the profile of Aviad Cohen
over 1 year ago

It really depends on how the customer wants to setup the signage solution:

1. Is it a separate network ?

2. Will it have access to sensitive data ?

3. Should it allow employees to upload content to it ?

etc.

Off the top of my head I would have the following security measures as a baseline:

SSL, SFTP (for file transfer), AD authentication service, HTTPS access only

With more information it would be possible to recommend further security measures.

Go to the profile of Harish040
over 1 year ago

Thanks Aviad Cohen

Go to the profile of Samantha Davis
over 1 year ago

If they're planning on hosting the CMS on a remotely hosted virtual server things like Cyber Essentials accreditation will be needed (according to the data centre's policies), which some proprietary solutions might not have.

Assuming it is just a display (no interactive) then in the US there are the usual. If nothing else FCC approval and ideally UL sticker are start point.

One problem area is with media players/engines. They have storage as a rule and you need to make sure they are secure. Maybe you have a camera capturing data. If it is stored then you can be liable especially in certain states.

There are national standards + state standards that should be reviewed.

State (or Federal) projects always come with a lengthy "compliance" list. Sometimes 30 or 40 items they want a check next to (before they send you a check). 

International standards are CCC, FCC, CE, UL, and ROHS

In US -- ADA standards apply to digital signage under conditions

FCC emission approval - much like CE in Europe

UL regs enter in - think LinkNYC "outdoor" or Wind related (up to 180 mph)

Made in America can apply if selling to certain

Hurricane codes come into play from FEMA

WCAG comes into play as does HIPAA or Medical rated (60601)

NEMA for outdoor

Dark Sky comes into play

Biometrics comes into play (see Illinois court docket)

Canada is different

Asia is different

Europe is different

The standards page on kioskindustry.org lists just the more common ones. I should add the other 30 or 40 that come up for agencies.

https://kioskindustry.org/standards/

CMS hosting along with any network credentials/connections are a separate category (and lengthy) for me. 

Go to the profile of Lisa Matthews, CTS - AVIXA
over 1 year ago

Thanks, @Aviad Cohen , @Samantha Davis , and @Kiosk Manufacturer Association for sharing your expertise with the community! Great question, @Harish040 !

There seem to be many nuances around this and questions to be addressed. Is there any type of best practices "checklist" when approaching a project? 

Go to the profile of Aviad Cohen
over 1 year ago

You could take notes from the mentioned above, as far as I know there is no specific checklist as customers differ from one to another. Government is different from HiTech as per regulations, finance has very strict rules and regulations (compliance is a nightmare in some cases). 

If you're coming to ise2023 and wish to discuss anything particular - let me know and we'll try to meet there. 

All the best

That's a good suggestion Lisa and people love a good checklist.  I have one for ADA that covers the "low-hanging fruit" that you don't consider at your own peril. And it is different in verticals and different in countries.

In the self-service world, there is the hardware, the software, the devices, connections, data and along with all that is installation, warranty, service and maintenance (software & hardware). And any and all regulations be them federal and/or state that are in play.

My wife was getting her passport photo at FedEx yesterday and of course I spent my time in benevolent hacker mode at the internet stations. Fairly easy to "intrude."

For digital signage media players running a consumer-grade Windows OS is a consideration all to itself given patch cycles/etc. People do that to save money.

Maybe add a separate section to evaluate all the "money-saving" initiatives of budget, and take an honest look at the resultant liabilities (and subsequent costs).

I spoke with Wendys at NRF and I guess they went "immediate term economical" on signage and kiosks only to find out a year later that downtime and lack of monitoring is taking a big chunk of money every month (and units not serving customers).  

Ironic how "went cheap" is usually a synonym for "longterm more costly".