An IoT device is defined by having an embedded operating system that does not support the installation of security agents such as antivirus software and does not lend itself to frequent software updates. This includes devices such as printers, security cameras, smart speakers, smart lights, industrial controls, smart TVs, video streaming devices, personal network-attached storage devices, VoIP phones, conference room systems, and digital signage. These standards apply to all such devices that are connected to a Stanford network or used in support of Stanford services.
Exclusions:
- Network infrastructure components such as switches, routers, and WiFi access points.
- Devices used entirely for personal use on Stanford residential networks (e.g., ResNet, Stanford West).
- Devices being developed for research purposes.
- Low Risk research systems must follow RPH 1.10 (Information Security).
Low Risk
Devices or systems that would not have an adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.
Examples might include:
- Devices without an IP network-accessible interface
- Smart devices used solely for personal entertainment purposes
- Networked washers and dryers
- Package delivery lockers
Moderate Risk
Systems that could have a mildly adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.
Examples might include:
- Security cameras
- Conference room systems
- Printers*
- Building control systems without immediate critical impact
  - Chilled water systems
  - Lighting systems
  - HVAC systems
  - Irrigation systems
*The actual risk classification of a printer may be higher or lower, depending on the highest risk classification of the output it handles and on its implementation (location, connection method, user population).
High Risk
Systems that could have a significantly adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.
Examples might include:
- Systems related to safety and critical infrastructure
  - Power generation or distribution systems
  - Life safety
    - Fire alarm/detection systems
    - Gas alarm/detection systems
    - Biosafety alarm/detection systems
  - Physical security systems (electronic door locks)
- Medical devices
- Devices subject to regulatory obligations
  - Point of sale devices
  - Vending machines