Information Security

Internet-Accessible Device Standard

Last modified 2/26/2026

Purpose

The purpose of the Internet-Accessible[1] Device Standard is to limit the University attack surface and to mandate configurations and controls for ISU systems and applications available on the public Internet to ensure they remain secure, stable, and compliant with regulatory requirements through a structured approach to configuration management.

Scope

This standard applies to all Internet-accessible systems owned or managed by or on behalf of the University ("systems"), including but not limited to servers, endpoints, appliances, and network devices. This standard is relevant to all University departments and units that provision Internet-accessibility or manage Internet-accessible systems, including those that rely on vendor management of these systems.

Standard

University teams and departments ("teams") managing systems within this standard's scope must meet the following criteria:

  1. Teams must maintain a documented inventory of Internet-accessible systems.
  2. Internet-accessible systems must enable the local host-based firewall, if present.
  3. Internet-accessible systems must be located in a datacenter[2].
  4. Internet-accessible systems must utilize a network firewall at the datacenter network border.
  5. Teams must establish a process for documenting, reviewing, and approving business cases before configuring systems for Internet-accessibility.
  6. Teams must establish a process to periodically review the business need to maintain systems' Internet-accessibility.

Exceptions

While this standard is intended to apply comprehensively, there may be instances where certain systems or support teams are unable to meet the full requirements. In such cases, exceptions must be formally requested and reviewed.

Requests for exceptions must be submitted to the Information Security Office through the University’s ticketing system or by emailing informationsecurityoffice@ilstu.edu. Each request must include:

  • The information technology team and functional business units associated with the exception request
  • Systems affected by the exception
  • A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented

The Information Security Office will review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.

Additional Information

Footnotes

The following footnotes are referenced in other sections of this document:

  1. Internet-Accessible refers to systems that are generally reachable by unsolicited network connection requests (e.g., a TCP SYN) originating from the Internet. Examples include systems assigned a public IP address or reachable through a proxy, gateway, or load balancer, such as a Citrix ADC (Netscaler) device.
  2. Datacenters are purpose-built and dedicated facilities for housing computing systems. Datacenters have features including but not limited to battery backup power, power generators, redundant networking, HVAC, physical security, and business continuity plans.

Roles & Responsibilities

Role: Chief Information Security Officer (CISO)
Responsibilities: Oversees configuration management governance and compliance.

Role: System/Application/Endpoint Administrators
Responsibilities: Responsible and accountable for configuration management.

Role: ISO Team
Responsibilities: Monitors threat intelligence, reports on configuration compliance, and assesses risks.

Compliance

The Information Security Office will report on remote access status to ensure compliance with this standard and University policies. Systems out of compliance with this standard or the University Security Program policy will be escalated for remediation planning, and continued noncompliance may result in systems being segmented from the University network.

Supporting References

The following references informed the development of this standard:

Appropriate Use Policy: https://policy.illinoisstate.edu/technology/9-2/

Information Security Program Policy: https://policy.illinoisstate.edu/technology/9-8/

CIS Controls v8.1: https://www.cisecurity.org/controls/v8-1

CIS Control v8 Guidance

Illinois State University leverages the CIS Controls framework, validated through the CIS Community Defense Model, to ensure our cybersecurity measures effectively mitigate the most prevalent real-world threats, including those identified in the MITRE ATT&CK framework, thereby enhancing our defenses against known adversary behaviors.

4.3 Implement and Manage a Firewall on Servers: Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.

12.2 Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

13.4 Perform Traffic Filtering Between Network Segments: Perform traffic filtering between network segments, where appropriate.
Feedback

To suggest an update to this article, ISU students, faculty, and staff should submit an Update Knowledge/Help Article request and all others should use the Get IT Help form.