Tarleton Office of Innovative Technology Solutions (OITS)
Internet of Things (IoT) Standard
Effective: April 10, 2022
Revised: April 25, 2025
Procedure Summary
This standard ensures the security of Tarleton State University’s (Tarleton or university) infrastructure by proactively managing Internet of Things (IoT) devices.
This standard ensures the confidentiality, integrity, and availability of the university’s information resources by regulating the use and network connectivity of IoT devices. Adhering to this standard enables the university to reduce or eliminate potential exploitation of IoT technology.
Procedures and Responsibilities
- IoT Security Protocols
  - IoT devices must be connected to a specific segregated and controlled network segment;
  - Default credentials must be changed;
  - Passwords must adhere to Tarleton’s password policy;
  - If possible, disable the administrator account and create a custom admin account. The custom account name should not reflect administrator rights (Example: admin, adm, administrator, superuser, etc.);
  - The administrator account should only be used for admin functions and not standard operations;
  - All IoT devices should be updated as patches are released by the vendor;
  - UPnP connections are not allowed on Tarleton’s network;
  - If possible, do not use MAC-based authentication;
  - Disable PAN network capability if it is not required for functionality;
  - Disable Wi-Fi SSID broadcasting or any feature that allows for Wi-Fi network broadcasting;
  - Disable any unused interfaces such as the ability to be used as a hub or bridge;
  - Tarleton’s Office of Innovative Technology Solutions (OITS) staff reserve the right to remove any IoT device from the university’s network if network traffic received by or transmitted from the device is a threat to the university’s digital landscape; and
  - IoT devices that must adhere to this standard also include:
    - Non-Tarleton devices owned by individuals or departments;
    - Devices that only require internet access for functionality;
    - Non-enterprise or consumer grade devices that are maintained by vendors;
    - Non-enterprise or consumer grade devices that are not maintained;
    - Devices with limited firmware and software support including limited or no updates; and
    - Devices with limited security capabilities. These devices may focus on functionality and not security.
- Exceptions
  - In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions.
  - Any exceptions to this standard must be reviewed and approved by the Tarleton Information Security Officer (ISO)/Chief Information Security Officer (CISO).
Definitions
Internet of Things (IoT) – Physical objects that may be user or industrial devices that are connected to the internet and are embedded with sensors, controllers, software and other technologies for the purpose of connecting and exchanging data with other devices and systems.
Information Security Officer (ISO) / Chief Information Security Officer (CISO) – Responsible for administering the information security functions within the university and reports to the information resources manager (IRM).
MAC – Media Access Control. A unique hardware identification number that identifies each device on the network.
PAN – Personal Area Network. Provides communication between devices and connection to higher level networks.
SSID – Service Set Identifier. The name assigned to a Wi-Fi (wireless) network.
TAC 202 – Texas Administrative Code 202. Outlines the minimum information security and cybersecurity responsibilities and roles at Texas state agencies and institutions of higher education.
UPnP – Universal Plug and Play. Network protocols that allow networked devices such as wireless access points, printers, and laptops to discover each other’s presence on the network and to establish functional network services.
Related Statutes, Policies, or Requirements
TAMUS Policy 29.01, Information Resources
TAMUS Regulation 29.01.02, Use of Licensed Software
TAMUS Regulation 29.01.03, Information Security
TAMUS Regulation 29.01.04, Accessibility of Electronic and Information Resources
TAMUS Regulation 29.01.05, Artificial Intelligence
TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies
Tarleton SAP 29.01.03.T0.01, Information Resources – Acceptable Use
Tarleton Rule 29.01.99.T1, Information Resources
Tarleton Security Controls Catalog
Contact Office
Office of Innovative Technology Solutions
AVP and CIO of Innovative Technology Solutions
254-459-5685