Purpose

To ensure the confidentiality, integrity, and availability of the University’s IT Resources by regulating the controlled use of Internet of Things (IoT) devices and connecting them to the appropriate University network.

Scope

All IoT devices that reside on the UTHSC network (wired and wireless).

Definitions

IT Resources – Computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Internet of Things – Physical objects (e.g., vehicles, appliances, lab or medical equipment, and other items embedded with electronics, software, sensors, actuators) that communicate, sense, or interact with their internal states or the external environment via network connectivity.

Standard

University-owned IoT devices must adhere to NISTIR 8259A IoT Cybersecurity Capability Core Baseline.
IoT devices must be installed and maintained using the Information Security Requirements Guidance.
IoT devices must comply with all University information security standards such as, but not limited to, Network Security, Access Control, Data & System Classification, Vulnerability Management, and Password Management.
IoT devices will be connected to the appropriate controlled network segment.
IoT networks must be monitored to identify abnormal traffic and emergent threats.