Minimum Security Standards: Internet of Things (IoT) Devices
An IoT device is defined by having an embedded operating system that does not support the installation of security agents such as antivirus and does not lend itself to frequent software updates. This includes devices such as printers, security cameras, smart speakers, smart lights, industrial controls, smart TVs, video streaming devices, personal network attached storage devices, VoIP phones, conference room systems, and digital signage. These standards apply to all such devices that are connected to a Stanford network or used in support of Stanford services.
Exclusions:
- Network infrastructure components such as switches, routers, and WiFi access points.
- Devices used entirely for personal use on Stanford residential networks (e.g., ResNet, Stanford West)
- Devices being developed for research purposes
- Low Risk research systems must follow RPH 1.10 (Information Security)
Low Risk
Devices or systems that would not have an adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.
Examples might include:
- Devices without an IP network-accessible interface
- Smart devices used solely for personal entertainment purposes
- Networked washers and dryers
- Package delivery lockers
Moderate Risk
Systems that could have a mildly adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.
Examples might include:
- Security cameras
- Conference room systems
- Printers*
- Building control systems without immediate critical impact
- Chilled water systems
- Lighting systems
- HVAC systems
- Irrigation systems
*The actual risk classification of a printer may be higher or lower, depending on the highest risk classification of the material it prints and on how it is deployed (e.g. location, connection method, user population).
High Risk
Systems that could have a significantly adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.
Examples might include:
- Systems related to safety and critical infrastructure
- Power generation or distribution systems
- Life safety
- Fire alarm/detection systems
- Gas alarm/detection systems
- Biosafety alarm/detection systems
- Physical security systems (electronic door locks)
- Medical devices
- Devices subject to regulatory obligations
- Point of Sale Devices
- Vending Machines
Standard | Recurring Task | What to do | Low Risk | Moderate Risk | High Risk
---|---|---|---|---|---
Inventory | Yes | Maintain an inventory of devices and their risk classifications. Every device must be individually registered in NetDB. Review and update records quarterly. | Required | Required | Required
Network Isolation | | Guidance under development. | Required | Required | Required
Credentials and Access Control | Yes | Change all default passwords. Use passwords of 15 or more characters where the device supports it. | Required | Required | Required
Vulnerability Management | Yes | Perform a monthly internal Qualys scan of the device. Mitigate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days. | Required | Required | Required
Patching | Yes | Where the controls above are not fully implemented, apply high-severity security patches (including firmware updates) within seven days of publication and all other security patches within 90 days. | Required | Required | Required
Centralized Logging | | Forward logs to a remote log server where the device supports it. The University IT Splunk service is recommended. | | Required | Required
Security, Privacy, and Legal Review | | Request a Security, Privacy, and Legal review and implement its recommendations before deployment. | | | Required
Regulatory Compliance Obligations | | Implement PCI DSS, HIPAA, export control, or other regulatory compliance requirements as applicable. | | | Required