Internet of Things policy
These guidelines cover the procurement, usage, and administration of IoT devices, whether provided by the company or employee owned.
From the policy:
The Internet of Things (or IoT) refers to network- or internet-connected devices, such as appliances, thermostats, monitors, sensors, and portable items that can measure, store, and transmit information.
IoT devices may be business oriented (e.g., RFID tags to track inventory) consumer based (such as Fitbits), or a hybrid of both (like the Raspberry Pi, which offers an array of uses across the two sectors). The devices may be company-provided or employee-owned, such as through a BYOD policy.
IoT devices continue making inroads in the business world, so organizations should have a defined IoT structure in place to ensure that data and operations are properly secured.
IoT device procurement
In general, IoT devices that are to be used for company operations should be purchased and installed by organizational personnel.
It is allowable for employee-owned IoT devices to be used for business purposes, but they must be used in accordance with the organization’s Bring Your Own Device (BYOD) policy.
The use of all IoT devices, whether company-provided or employee-owned, should be requested via the IoT Device Usage Request Form (see Appendix A), which must be submitted to the IT department for approval. Only manager-level employees and above may request the usage and/or procurement of IoT devices.
The IT department is responsible for identifying compatible platforms, purchasing equipment, and supporting organization-provided and authorized IoT devices. The IT department is not responsible for allocating funds to pay for the devices, accessories, and/or service fees (if applicable). Requesting managers must allocate funds from their department’s operating budget (where applicable) to cover costs arising from the device request.