An IoT device is defined here as a device with an embedded operating system that does not support the installation of security agents such as antivirus and does not lend itself to frequent software updates. This includes devices such as printers, security cameras, smart speakers, smart lights, industrial controls, smart TVs, video streaming devices, personal network-attached storage devices, VoIP phones, conference room systems, and digital signage. These standards apply to all such devices that are connected to a Stanford network or used in support of Stanford services.
Low Risk: Devices or systems that would not have an adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.
Examples might include:
Moderate Risk: Devices or systems that could have a mildly adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.
Examples might include:
*The actual risk classification of a printer may be higher or lower, depending on the highest risk classification of the output it handles and on its implementation (location, connection method, user population).
High Risk: Devices or systems that could have a significantly adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.
Examples might include:
Standard | Recurring Task | What to do | Low Risk | Moderate Risk | High Risk
---|---|---|---|---|---
Inventory | Recurring Task | Maintain an inventory of devices and their associated risk classifications. All devices must be individually registered in NetDB. Review and update records quarterly. | Required | Required | Required
Network Isolation | | Under development | Required | Required | Required
Credentials and Access Control | Recurring Task | Change passwords from the default. Password length should be 15+ characters (if supported). | Required | Required | Required
Vulnerability Management | Recurring Task | Perform a monthly internal Qualys scan of the device. Mitigate any identified severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days. | Required | Required | Required
Patching | Recurring Task | If any of the above are not fully implemented, then apply high severity security patches (including firmware updates) within seven days of publication and all other security patches within 90 days. | Required | Required | Required
Centralized Logging | | Forward logs to a remote log server (if supported). The University IT Splunk service is recommended. | | Required | Required
Security, Privacy, and Legal Review | | Request a Security, Privacy, and Legal review and implement its recommendations prior to deployment. | | | Required
Regulatory Compliance Obligations | | Implement PCI DSS, HIPAA, export control, or other regulatory compliance requirements as applicable. | | | Required