As part of its responsibilities outlined in the GLET Information Security Policy and Procedure manual, the Technology Services department has developed the following technical standards to which all GLET personnel are expected to follow. These standards were developed with security and safety of all GLET staff and students in mind, along with obligations from applicable state and federal laws.

All existing hardware, software, and services are subject to re-evaluation to ensure they meet GLET security and privacy standards. Should a re-evaluation indicate an issue with an existing item, Technology Services will communicate the risk with the owner and inform them of what steps may be taken to comply with the standards.

Re-evaluations may include, though not be limited by, the standards listed below:

• The end-of-life (EOL) and/or end-of-support (EOS) date of the item. Items more than one
  (1) year past the last available security patch will not be allowed to connect to any trusted GLET resource. Examples of this are printers, cameras, and projectors.
• The threat surface of the item. If an in-use product is found to have an unacceptable threat surface (meaning that it poses an immediate risk to GLET resources), it may be removed/disabled until such time as the risk has been mitigated. A potential example of this is software that collects student data in a manner inconsistent with FERPA guidance.
• Product misuse. If an approved product is found to be used in a manner contrary to its intended purpose and approval, it may be removed/disabled until compliance can be confirmed.
• Dependence on a deprecating resource. If an item requires the use of another resource that is scheduled for retirement, the item(s) may be unavailable until such time as the dependence on that resource can be removed. An example of this would be a resource that connects to an GLET database service that can no longer be supported due to lack of security support.
• A new version is released. If a vendor substantially updates its product, it may be necessary to re-evaluate it to ensure it maintains compliance with GLET security and privacy standards.
• Unsanctioned software/hardware. If unsanctioned items are discovered to be used by GLET personnel and/or used on the trusted network, access may be restricted until such time as compliance can be ensured. An example of this would be smart speakers – they violate many data privacy laws and cannot be used in any capacity within GLET.
• Duplication of a sanctioned service. If the item duplicates a pre-existing and sanctioned service, owner may be required to utilize approved service at the natural end of the contract of the unsanctioned service. If no contract is active, the shift to the sanctioned service must occur no later than the beginning of the upcoming fiscal year.

Though Technology Services will make a reasonable effort to notify owners of any non- compliant items, it is the sole responsibility of the item owner to stay informed and ensure compliance. Additionally, unless otherwise agreed, it is the responsibility of the owner to replace non-complying item(s).