Internet of Things Configuration Standard 

Purpose 

To outline required configuration settings for any Internet of Things (IoT) devices attached to the university network. 

Scope 

This standard applies to all Internet of Things (IoT) devices that are supported by the university.  This covers all IoT devices purchased with university funds regardless of which funds are used. 

Standard 

Automated system patching 

All IoT devices must be configured to automatically install patches and firmware updates within 90 days of release.  Acknowledging that IoT devices often lose support faster than workstations and servers, IoT devices that are no longer supported by their vendor can still be used on the university network so long as the IoT device is running the last available update and there are no known vulnerabilities for that update. 

Network placement 

All IoT devices will be attached to the university network with guidance from the ITS Networking team.  The ITS Network team has purpose-built subnets for housing IoT devices. IoT devices cannot be placed in a subnet that is accessible to the Internet without written approval from the Chief Information Security Officer and that approval must be renewed annually.  When an IoT device needs to be accessible to the Internet the ports that are made accessible and the IP addresses that can access the IoT device will be minimized as much as possible.  When possible remote access for vendor support will be provided by provisioning a VPN account to the vendor supporting the OT device. 

Exceptions 

All exceptions to this standard require written approval from the Chief Information Security Officer.  All exceptions require annual renewal. 

Revision History 

August 2024 – Standard adopted