Internet of Things Policy

Purpose

The purpose of this policy is to ensure the confidentiality, integrity, and availability of the University’s IT Resources by regulating the use of Internet of Things (IoT) devices and connecting them to the appropriate University network.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • In support of University functions, the Faculty/Staff must make an official request to use an IoT device or collection of devices as specified in the Internet of Things for Faculty/Staff Networks procedure.
  • All other Users must request IoT device connections per the procedures in the Internet of Things for Public Networks.
  • The University has classified the IoT networks into the following groups:
    • Administrative/Restricted (i.e., University owned and managed devices, contracted services),
    • Building management systems (e.g., specialized instruments, HVAC, elevators), or
    • Community devices owned and operated by faculty or staff (e.g., televisions, Apple TV®, Chromecast™).
  • Faculty/Staff IoT device requests must be reviewed and connected to the appropriate network as deemed necessary by the University Information Security Office (UISO) and Network Engineering and Operations (NEO).
    • IoT devices must only be connected to a segregated and controlled network segment. 
    • IoT networks must be monitored to identify abnormal traffic and emergent threats.
    • IoT devices should have a process for updating software/firmware as stated in the Vulnerability Management Policy, as applicable.

Definitions

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

The Internet of Things consists of physical objects (e.g., vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators) that communicate, sense, or interact with their internal states or the external environment via network connectivity.

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO
Approval Date: 09/12/2018

Revision History

Version | Date | Description
1.0 | 09/12/2018 | Final

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.