IWU Security Policy Standard 07: Standalone Organizational Devices (Non-Networked)
Standard Details
The purpose of this standard is to define security requirements for organizational devices that reside on IWU property but are not authorized to connect to IWU’s wired, wireless, or internet networks. These devices, often used to control or monitor scientific and specialized equipment, fall outside the scope of standard endpoint security and configuration management practices. To mitigate risk, this standard ensures such devices are properly inventoried, isolated from IWU networks, and subject to administrative and physical safeguards. By doing so, IWU reduces the potential for unauthorized access, data leakage, and network compromise while still supporting the operational needs of academic and research environments.
The official Information Security Policy that is the parent to this standard is located in the Official IWU Policy Warehouse.
Standard Statements
Scope
This standard applies to all organizationally owned devices residing on IWU property that:
- Do not connect to IWU’s wired or wireless networks.
- Do not connect to the public internet.
- Are used to control, monitor, or interact with other local devices (e.g., scientific instruments, lab equipment, industrial controllers).
Requirements
1. Identification and Inventory
1.1 All such devices must be recorded in the official IT asset inventory with:
- Physical location
- Responsible owner/department
- Device purpose/use case
- Serial number and IWU Asset Tag
The inventory entry must explicitly flag these devices as “Non-Networked / Restricted”.
1.2 The inventory must be readily available to IT Security, Internal Audit, and other authorized stakeholders upon request.
1.3 The inventory must be auditable; IT is responsible for maintaining accuracy and providing evidence of quarterly reviews.
2. Network Access Controls
2.1 Administrative action must be taken to disable all networking interfaces (wired, wireless, Bluetooth, etc.) at the OS or BIOS/firmware level. An OS-level disable can be undone by any local administrator, so a firmware-level disable protected by a BIOS/UEFI password is the stronger control where the platform supports it.
2.2 The IT Support Center must document this control in the device's inventory record and verify that end users cannot reverse it (for example, that the day-to-day user account does not hold local administrator rights).
2.3 Any exception (e.g., connectivity temporarily required for vendor maintenance) must be explicitly approved by IT Security and logged.
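The standard names no operating system; the following added example assumes a Windows instrument-control workstation, which is common for this class of device. It is not part of the IWU standard and not IWU's own tooling. It disables the adapters and the Bluetooth radio as required by 2.1, then produces the verification record that 2.2 asks the IT Support Center to keep (the same function can be re-run for the 6.1 audit). The asset tag, evidence path and keep-list parameter are assumed placeholders; the keep-list exists for the case where one adapter carries a direct point-to-point link to an instrument that is itself not on the IWU network.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the IWU standard): disable the network
# interfaces of a standalone Windows device and write a verification record
# that can be attached to its inventory entry. Run from an elevated session.
# The asset tag, evidence path and keep-list below are assumed placeholders.
param(
    [string]$AssetTag     = 'IWU-000000',                        # assumed
    [string]$EvidencePath = 'C:\IWU\NonNetworked-Evidence.json', # assumed
    # Adapters that carry a direct point-to-point link to an instrument and
    # must stay up (none by default). Everything else is disabled.
    [string[]]$KeepAdapters = @()
)

# Defence in depth: when nothing is kept, block all traffic by default on
# every firewall profile so a re-enabled adapter still cannot talk to anything.
if ($KeepAdapters.Count -eq 0) {
    Set-NetFirewallProfile -All -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

# Disable every visible adapter (Ethernet, Wi-Fi, Bluetooth PAN, virtual)
# that is not on the keep-list.
Get-NetAdapter |
    Where-Object { $_.Status -ne 'Disabled' -and $_.Name -notin $KeepAdapters } |
    Disable-NetAdapter -Confirm:$false

# Bluetooth is a Plug and Play device class of its own; disable the radio
# itself, not just the PAN adapter bound to it.
Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue |
    Disable-PnpDevice -Confirm:$false

function Test-IwuNonNetworked {
    # Builds the evidence object required by 2.2; re-run it for 6.1 audits.
    param([string[]]$Keep = @())
    # Hidden adapters are included here so nothing slips past the check.
    $live = @(Get-NetAdapter -IncludeHidden |
        Where-Object { $_.Status -eq 'Up' -and $_.Name -notin $Keep })
    $bt = @(Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue)
    # 2.2: the reviewer confirms that the device's day-to-day user is not in
    # this list, because a local administrator can re-enable the adapters.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        AssetTag        = $AssetTag
        Hostname        = $env:COMPUTERNAME
        CheckedAt       = (Get-Date).ToString('o')
        CheckedBy       = "$env:USERDOMAIN\$env:USERNAME"
        ActiveAdapters  = @($live | Select-Object -ExpandProperty Name)
        ActiveBluetooth = @($bt   | Select-Object -ExpandProperty FriendlyName)
        LocalAdmins     = $admins
        Compliant       = ($live.Count -eq 0 -and $bt.Count -eq 0)
    }
}

$record = Test-IwuNonNetworked -Keep $KeepAdapters
New-Item -ItemType Directory -Path (Split-Path $EvidencePath) -Force | Out-Null
$record | ConvertTo-Json -Depth 3 | Set-Content -Path $EvidencePath -Encoding UTF8
# Record this hash in the inventory entry or change ticket so the evidence
# file can later be shown to be unaltered.
$hash = (Get-FileHash -Path $EvidencePath -Algorithm SHA256).Hash
$record | Add-Member -NotePropertyName EvidenceSha256 -NotePropertyValue $hash -PassThru
if (-not $record.Compliant) { exit 1 }
```

The script exits non-zero when any adapter other than the keep-list is still up or a Bluetooth radio is still enabled, so it can be run unattended before each semester and its exit code recorded. The evidence file lists every member of the local Administrators group: that is the list the 2.2 reviewer checks, since an adapter disabled at the OS level stays disabled only as long as the end user is not an administrator. A BIOS/UEFI-level disable, where the hardware supports it, is not something a script can apply and must be done and documented by hand.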
3. Login Banner and User Notification
3.1 A persistent login banner must be configured at the OS level stating:
“This device is restricted and is not authorized to connect to the IWU network or the internet. Unauthorized modification of network settings is prohibited and may result in disciplinary action.”
3.2 The banner must be displayed at every login session.
4. Security Baseline (Where Feasible)
4.1 Because these devices cannot have the standard endpoint security stack, the following lightweight baseline controls must be applied:
4.1.1 Local authentication: Unique, non-shared local accounts with strong passwords.
4.1.2 Access control: Default and guest accounts disabled or renamed where possible.
4.1.3 Physical security: Devices must be placed in secure or supervised locations.
5. Change Management
5.1 Any changes to these devices (hardware, OS, or configuration) must be reviewed by the IT configuration management team prior to implementation.
5.2 If networking is temporarily re-enabled for vendor support, a change ticket must document the duration, justification, and rollback steps.
6. Monitoring and Review
6.1 The IT Support Center must audit the inventory before each semester to confirm that the devices remain disconnected from IWU networks.
6.2 Audit results must be logged and retained for at least 12 months to demonstrate compliance.
6.3 The IT Security team will review this standard annually and adjust it based on evolving threats or compliance requirements.
7. Additional Controls / Recommendations
7.1 Labeling: (Config Management Team) Apply a physical label/sticker to the device chassis stating:
“Do not connect to IWU network / internet.”
7.2 USB/Peripheral restrictions: (Config Management Team) Where feasible, disable autorun and restrict USB ports to prevent malware introduction.
7.3 Backups: (Config Management Team) If the device generates critical data, require offline/manual backups to a secured medium.
7.4 Vendor coordination: (Config Management Team) Require vendors who maintain these devices to acknowledge IWU’s restrictions in writing.
7.5 Isolation policy: (Network Team) If network access is ever required (e.g., firmware updates), enforce use of a dedicated, temporary “quarantine” VLAN with full logging, and remove the device from it afterward.
7.6 Documentation: (IT Support) Create quick reference guides for IT support staff and faculty/staff so they understand why the device is restricted and what not to do.
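The login banner (3.1/3.2), the guest-account and password controls (4.1.1/4.1.2) and the AutoRun and USB-storage restrictions (7.2) are all local Windows settings, so one script can apply and check them. The following is an added example, not part of the IWU standard and not IWU's own tooling; it again assumes a Windows device. The banner body is the section 3.1 wording; the caption string and the 14-character minimum password length are assumed values, and the registry locations used are the standard Windows policy keys for these settings.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the IWU standard): apply the lightweight local
# baseline from sections 3, 4.1 and 7.2 to a standalone Windows device and
# report whether each setting is in place. Run from an elevated session.

$Caption = 'IWU Restricted Device'   # assumed caption; the body text is from 3.1
$Text    = 'This device is restricted and is not authorized to connect to the ' +
           'IWU network or the internet. Unauthorized modification of network ' +
           'settings is prohibited and may result in disciplinary action.'

$Policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'

# 3.1 / 3.2: Winlogon shows the legal-notice values before every interactive
# logon, so the banner appears at every session.
Set-ItemProperty -Path "$Policies\System" -Name legalnoticecaption -Value $Caption -Type String
Set-ItemProperty -Path "$Policies\System" -Name legalnoticetext    -Value $Text    -Type String

# 4.1.2: disable the built-in Guest account (tolerate images where it is absent).
Disable-LocalUser -Name Guest -ErrorAction SilentlyContinue

# 4.1.1: minimum password length for local accounts. 14 is an assumed value;
# use the length IWU's password standard actually specifies.
net accounts /minpwlen:14 | Out-Null

# 7.2: disable AutoRun/AutoPlay for every drive type and ignore autorun.inf.
$explorer = "$Policies\Explorer"
New-Item -Path $explorer -Force | Out-Null
Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
Set-ItemProperty -Path $explorer -Name NoAutorun          -Value 1    -Type DWord

# 7.2: stop the USB mass-storage driver from loading (Start = 4 means disabled).
# Keyboards, mice and USB-serial links to instruments use other drivers and
# keep working; only USB disks and flash drives are blocked. Takes effect for
# devices plugged in after this change.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

function Test-IwuBaseline {
    # Read each setting back and report a boolean per control, for the
    # inventory record (1.1) and the per-semester audit (6.1).
    $sys   = Get-ItemProperty "$Policies\System"
    $exp   = Get-ItemProperty "$Policies\Explorer"
    $usb   = Get-ItemProperty $usbstor
    $guest = Get-LocalUser -Name Guest -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hostname        = $env:COMPUTERNAME
        BannerSet       = ($sys.legalnoticetext -eq $Text)
        GuestDisabled   = ($null -eq $guest -or -not $guest.Enabled)
        AutoRunDisabled = ($exp.NoDriveTypeAutoRun -eq 0xFF -and $exp.NoAutorun -eq 1)
        UsbStorageOff   = ($usb.Start -eq 4)
    }
}

Test-IwuBaseline
```

Disabling USBSTOR conflicts with 7.3 when the offline backup medium is a USB drive. In that case an administrator sets `Start` back to 3 for the backup session and returns it to 4 afterward, recording the change under section 5 rather than leaving the driver permanently enabled. All of these settings live in HKLM and can be reverted by a local administrator, which is why 2.2's check that the end user is not an administrator matters for this baseline as much as for the network controls.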
Publication Tracking
| Author | Michael Madl, Chief Information Security Officer |
|---|---|
| Revision Date | Mon, 06 Oct 2025, ver. 5 |
| Notes | Final Version |