What's your definition of a kiosk?

Why would one need special guidance?  Restrict its access (and those who use it) to the minimum required to do the assigned task.  Treat it with the same level of trust that you would give me if I were to bring my laptop to your office, or maybe even less.

On-kiosk controls should be present and used to defend the kiosk, but you also need external controls to protect your company from a compromised kiosk.  My current thought is to put all IoT devices (including kiosks and guests) on a  Private VLAN (or three) and then use a firewall or other network controls to allow only authorized communications.  That way, I don't have a mess on my hands when the devices get compromised. 

It would depend what underlying technology the Kiosk was built on.  It could be a Linux, Windows, iOS or Android device after all.  Generally speaking you'll be looking at reducing the attack surface to the minimum possible, by either not installing or not starting services that you're Kiosk application doesn't use and configuring those services it does use securely.  You'll also need to look very closely at the physical security of your kiosk housing to ensure you have no ports, cables or buttons exposed that users could interfere with.  If your kiosk is tacking payments then you'll need to examine PCI DSS carefully.  At a network level you'll at least need your kiosks on a separate VLAN from your internal systems.