Internet of Things Policy
Purpose
The purpose of this policy is to ensure the confidentiality, integrity, and availability of the University’s IT Resources by regulating the use of Internet of Things (IoT) devices and connecting them to the appropriate University network.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- In support of University functions, the Faculty/Staff must make an official request to use an IoT device or collection of devices as specified in the Internet of Things for Faculty/Staff Networks procedure.
- All other Users must request IoT device connections per the procedures in the Internet of Things for Public Networks.
- The University has classified the IoT networks into the following groups:
- Administrative/Restricted (i.e., University owned and managed devices, contracted services),
- Building management systems (e.g., specialized instruments, HVAC, elevators), or
- Community devices owned and operated by faculty or staff (e.g., televisions, Apple TV®, Chromecast™).
- Faculty/Staff IoT device requests must be reviewed and connected to the appropriate network as deemed necessary by the University Information Security Office (UISO) and Network Engineering and Operations (NEO).
- IoT devices must only be connected to a segregated and controlled network segment.
- IoT networks must be monitored to identify abnormal traffic and emergent threats.
- IoT devices should have a process for updating software firmware as stated in the Vulnerability Management Policy, as applicable.
Definitions
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
The Internet of Things are physical objects (e.g., vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators) that communicate, sense, or interact with their internal states or the external environment via network connectivity.
Related Policies and Procedures
- Internet of Things Procedure for Faculty/Staff
- Internet of Things Procedure for Public Network
- Vulnerability Management Policy
Implementation Information
| Review Frequency | Annual |
|---|---|
| Responsible Person | Director, IT Risk and Data Integrity |
| Approved By | CISO |
| Approval Date | 09/12/2018 |
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 09/12/2018 | Final |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.