Responsible Office: Office of Cybersecurity |
Last Review: 03/01/2025 Next Review: 03/01/2027 |
Contact: Chris Madeksho |
Phone: 901.448.1579 Email: mmadeksh@uthsc.edu |
Purpose
To ensure the confidentiality, integrity, and availability of the University’s IT Resources by regulating the controlled use of Internet of Things (IoT) devices and connecting them to the appropriate University network.
Scope
All IoT devices that reside on the University of Tennessee Health Science Center (UTHSC) network (wired and wireless).
Definitions
IT Resources – Computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Internet of Things – Physical objects (e.g., vehicles, appliances, lab or medical equipment, and other items embedded with electronics, software, sensors, actuators) that communicate, sense, or interact with their internal states or the external environment via network connectivity.
- University-owned IoT devices must adhere to NISTIR 8259A IoT Cybersecurity Capability Core Baseline.
- IoT devices must be installed and maintained using the Information Security Requirements Guidance.
- IoT devices must comply with all University information security standards such as, but not limited to, Network Security, Access Control, Data & System Categorization, Vulnerability Management, and Password Management.
- IoT devices will be connected to the appropriate controlled network segment.
- IoT networks must be monitored to identify abnormal traffic and emergent threats.
Policy History
Version # | Effective Date |
1 | 03/31/2021 |
2 | 10/19/2023 |
3 | 03/01/2025 – new naming convention |
References
- IT0102-Information Technology Asset Management
- IT0005-HSC-A-Data & System categorization
- IT0311-HSC-A-Access Control
- IT0506-HSC-A.01-Password Management and Complexity
- IT4912-HSC-B-Network Security
- IT7810-HSC-A-Vulnerability Management
- IoT Device Cybersecurity Capability Core Baseline (nist.gov)
- Information Security Requirements