Sep 01, 2025·8 min

Regulation on Prohibiting Unauthorized Upgrades and Connections

A regulation banning unauthorized upgrades describes who can change components and connect devices so warranty is preserved and security risks are reduced.

Why a ban is needed and what exactly is prohibited

A ban on unauthorized upgrades and connections is not about "control for control’s sake"—it’s to keep equipment predictable and responsibilities clear. When someone changes configuration without approval, the company risks losing warranty coverage, exposing data, and incurring downtime. The rule is simple: any hardware changes and device connections are done only through an agreed procedure.

Unauthorized actions are those that alter the equipment composition or add new points of risk. Most often these are:

  • replacing or adding RAM, SSD/HDD, power supplies, graphics cards and other boards;
  • connecting any USB storage or “smart” gadgets (flash drives, phones, modems);
  • installing printers, scanners, webcams and other peripherals without IT approval;
  • connecting unaccounted devices to the network (switches, access points, mini-PCs);
  • using non-standard chargers, extension cords, adapters and powering devices “as convenient”.

The risk is not theoretical. After an unauthorized component swap, warranty may be voided or servicing complicated, especially if opening a case or breaking seals is outside policy. The second problem is security: a single unknown USB device can introduce malware or cause data leakage. The third is downtime: incompatibility, overheating, incorrect drivers and unstable behavior often appear at the worst moment.

Who the ban applies to: all employees, contractors on company premises, and also IT and procurement (for example, when peripherals are bought "at a department's request" and connected without consideration).

Important: the regulation does not forbid improvements per se. It forbids doing them without approval. If an upgrade or new device is needed, it goes through IT under an approved process: compatibility check, recording serial numbers and updating the inventory. This is especially important for equipment under manufacturer support. For example, with locally produced PCs and servers (including GSE.kz) a transparent change history helps avoid warranty disputes and speeds diagnostics.

Terms and scope: avoid arguing about wording

If terms aren’t defined, any ban quickly turns into an argument: "I just plugged it in", "this isn’t an upgrade, it’s a small repair." Start with a short glossary that employees, IT and security understand the same way.

Mini-glossary for the regulation

Five to seven definitions on one page are enough. For example:

  • Upgrade: any change to hardware configuration (memory, disk, board, power supply), except replacements requested by IT.
  • Repair: restoring operability after failure with a record of cause and replaced parts.
  • Peripherals: input-output devices (keyboards, mice, printers, scanners, monitors), including docking stations.
  • Removable media: USB flash drives, external drives, memory cards and adapters.
  • Network devices: access points, routers, switches, modems, including "home" repeaters.

After the glossary, set the boundaries: which devices are corporate and which are personal. It helps to divide connections into temporary (for a meeting, one day) and permanent (assigned to a workstation), because control and consequences differ.

Also separate changes into software and hardware, and into planned and emergency. An emergency does not mean "do it yourself"—it means an accelerated approval process and work performed by authorized personnel.

Exceptions to define in advance

To avoid slowing work, list common exceptions and who approves them. These usually include medical equipment and diagnostic suites, training rooms and exam labs, specialized stands and laboratories, and temporary workstations at events.

Example: an employee brings a “harmless” USB Wi‑Fi adapter to "improve the connection." By your definitions this is a network device and a permanent change to the connection scheme. It therefore requires IT approval and a security check; otherwise it’s easy to violate security requirements and warranty terms.

Roles and responsibilities: employee, IT, InfoSec, manager

For the ban to work, it must be clear not only "what is forbidden" but also "who is responsible for what." Then the regulation becomes a normal work procedure.

It’s convenient to describe roles with a simple RACI on one page: who initiates the request, who approves, who performs the work and who accepts the result. In the text you can set out a straightforward scheme:

  • Employee (workstation owner): initiates the request, reports problems, does not connect or change anything themselves.
  • Department manager: confirms the need, prioritizes, ensures team compliance with rules.
  • IT: assesses compatibility and impact, performs changes, updates inventory and configuration.
  • InfoSec: checks risks (USB, network, access), gives permission or conditions (for example, only certified peripherals).
  • Procurement or service partner: supplies, repairs, and performs warranty work according to agreed rules.

Also specify responsibility zones by location. Equipment at a workstation is usually assigned to the employee, but any changes are made by IT. Server rooms have stricter rules: access by list, work only under a work order, often in the presence of a responsible person (IT and InfoSec if needed), and mandatory acceptance testing.

Contractors cause most “accidental” violations. A minimal rule set helps: admission by request and documents, work only in agreed windows, accompaniment by an IT employee (and InfoSec if needed), prohibition of "parallel improvements" without separate approval, documentation of work and return of replaced parts.

Simple example: an employee brings a purchased SSD and asks to "install it quickly." By roles they can initiate the request, the manager confirms the need, IT checks compatibility and warranty conditions, InfoSec assesses risks, then IT performs the replacement and records the change in inventory.

Connecting devices: USB, network, power and peripherals

Unauthorized connections most often break security not by dramatic hacks but by small things: a contractor’s flash drive, a USB modem "just in case", a home router added to the office Wi‑Fi. Connection rules should be described separately because they affect InfoSec, warranty and operational stability.

USB: what counts as a device and when it’s forbidden

Treat not only flash drives as USB devices, but also phones in storage mode, external drives, USB-to-Ethernet adapters, USB modems, dongles and adapters. A good rule for employees: only company-issued devices or those explicitly approved by IT are allowed.

Usually prohibited without approval: external drives and flash drives (including promotional ones), phones and tablets for file transfer (even "for a minute"), USB modems, USB‑Ethernet and Wi‑Fi adapters, and universal USB hubs and docking stations without registration (they add interfaces and complicate control).

Network and power: quiet sources of incidents

For the network, explicitly ban unauthorized installation of routers, access points, switches and Wi‑Fi printers. These create “rogue” network segments and bypass controls. State that only IT (or an authorized contractor by request) may connect to Ethernet sockets and configure network equipment.

For power, describe basic hygiene: extension cords, UPS units, chargers and adapters. Allow only certified models from an IT-approved list and specify that connecting servers and workstations through "home" extension cords or unknown UPS devices is prohibited. This matters for both safety and preserving warranties.

Labeling and inventory of approved peripherals

To avoid arguments about what’s allowed, introduce simple labeling: a sticker or tag with an inventory number on approved mice, keyboards, headsets, printers, docking stations and UPS units. In inventory record the model, serial number, who it’s issued to, where it’s used and the issue date.

If an employee needs to connect a device, the scenario should be short: describe the task and time frame, provide model and serial number (if available), name the workstation and computer or server, wait for IT/InfoSec decision, and have IT perform the connection and record it in inventory.

Example: an employee brings an external drive "to transfer a presentation." By rules they do not connect it themselves but submit a request. IT suggests the corporate storage or issues an inventoried drive, then accepts it back and closes the record. This reduces infection risk and avoids warranty problems.

Upgrades and component replacement: what’s allowed and what isn’t

Unauthorized upgrades usually harm two areas: warranty and security. Even a seemingly harmless SSD swap can break seals, cause incompatibility, break encryption, or leave IT unaware of the workstation’s configuration.

An upgrade is allowed when there is a clear reason and it goes through IT: increased load (e.g., accounting needs more memory during reporting season), standardizing the fleet, replacement after an incident (failing disk, noisy fan), or repurposing a machine (PC becomes a CAD workstation).

What is allowed and what is forbidden

Allow only what IT can verify and record.

  • Allowed only by request and executed by IT (or an authorized contractor): adding or replacing RAM, SSD/HDD, power supplies, graphics cards, network adapters, RAID batteries (for servers).
  • Forbidden without IT: opening the case, breaking seals, changing disks and memory, swapping components between PCs, bringing personal parts.
  • Do not install components "by eye": changes must follow a list of approved models and compatibility requirements.
  • Do not dispose of or take away old parts: they are returned to IT as company property and as evidence for warranty claims.

A list of approved components should be a separate appendix: memory types, minimum SSD specs, approved manufacturers, firmware and driver requirements. For equipment where manufacturer warranty matters, it’s critical not to violate installation and tracking rules.

Separate rules for servers and workstations

For servers and high-end workstations the bar is higher: any changes only in a maintenance window, with a rollback plan, monitoring checks and recording serial numbers of removed and installed parts. For office PCs, typical upgrades can be allowed by standard, but still through IT and with inventory records: what was replaced, why, and where the old part went.

Process: how to file a request and perform changes

A ban is ineffective without a clear legitimate path. An employee must know how to connect a device or perform an upgrade without risking security or warranty.

Requests are submitted via the service desk (or a prescribed form). Include what is planned (connect USB device, replace disk, install memory), why, for how long, which workstation and serial number, and what will count as a successful result.

The request then goes through a short IT and InfoSec check: is there a risk of infection, data leakage or policy bypass, and will it violate manufacturer terms. Even a "simple" laptop SSD swap can void warranty if the case is opened by unauthorized staff.

Sequence of work

A typical order is enough:

  • Submit request with reason, timeframe and asset data (inventory number, model, serial number).
  • InfoSec and warranty impact assessment: what’s allowed, restrictions, and required measures (for example, only certified USB drives).
  • Budget and maintenance window agreement.
  • Work performed by authorized IT staff or an authorized service (critical for warranty-covered equipment).
  • Acceptance: testing, user confirmation, update inventory configuration.

Also specify what to do with removed parts: storage period, location (IT warehouse), labeling rules and decisions about their fate (exchange pool, write-off or disposal following internal rules).

Short example

An employee needs more RAM for reports. They create a request to increase workstation RAM, InfoSec confirms it doesn’t require personal devices, IT verifies compatibility and agrees an evening window. An authorized specialist performs the upgrade, then updates the asset record and notes where the removed stick is stored. For warranty-covered equipment (for example, PCs and servers with official support, including solutions from GSE.kz) this discipline helps keep service rights and speeds problem resolution.

Documentation and records: preserve warranty and control

Without recording changes, disputes start with: "What was here originally?" Minimal records protect the company, IT and the user, and help preserve warranty.

In the device record and the change request, record basic data. Then any upgrade or connection can be verified in 1–2 minutes:

  • model and serial number, inventory number;
  • original configuration (RAM, disk, network modules, OS);
  • what was changed and to what, with date and basis (request, approval);
  • who performed the work (name, department, contractor);
  • configuration after work (including driver or firmware versions if important).

Keep confirmations where they won’t disappear when staff change: in the ticketing system or a central IT register. Attach scans of work acts, photos of seals and labels, and test results after work. For warranty cases these materials often resolve the question of who opened a case and when.

After any work, run a short, consistent set of checks. It doesn’t replace full diagnostics but catches common problems immediately: OS boots without errors, disk check, network and access to required resources, critical peripherals (keyboard, printer, scanner).

If warranty is lost or at risk, the decision must be made by a designated responsible person (usually the IT manager together with InfoSec), not by the on-site technician. Log the reason, approver, accepted risks and chosen measures (paid repair, device replacement, increased monitoring).

Mark devices with special security modes separately: USB disabled, operation only in a closed network, presence of seals, and requirements for media tracking. Then employees immediately see that "just plugging in" is not allowed, even if the port exists.

Common mistakes and pitfalls when implementing the ban

The most frequent problem is a ban written too broadly: "don’t connect or change anything." People still need to work and then start bypassing rules. Better to define clear boundaries from the start: what’s allowed without a request (for example, a standard mouse or a company-issued headset) and what needs IT approval (USB storage, printers, adapters, network adapters).

The second trap is not mentioning personal devices at all. Then employees plug in a phone to charge, use a personal flash drive to transfer files, or add a home router to "improve Wi‑Fi" thinking it’s fine. Simple rule: personal devices are forbidden by default, and exceptions are formalized and purpose-specific.

"We made the upgrade" but no one owns the outcome

If you don’t assign acceptance and testing responsibility after an upgrade, changes become a lottery. Everything may appear fine, but a week later errors, crashes, overheating or network issues pop up.

Specify who checks compatibility and installation correctness, basic tests (boot, network, printing, updates), seals and serial numbers, and impact on warranty and support. For organizations where warranty and security matter (workstations and servers), avoid "garage" replacements. For vendors and integrators like GSE.kz, controlled configurations and documented work are often tied to how quickly and under what terms service is provided.

Deferred record-keeping becomes no record at all

Without component records, incident investigation becomes impossible: when and by whom was the new SSD installed, where did the Wi‑Fi adapter come from, why did the configuration change? Minimal records suffice: what changed, why, who approved, who performed it, serial numbers, date and test result.

Another trap is verbal approvals. An employee agrees with IT in a corridor, connects the device, but there’s no record. Later IT staff change, the computer moves, an incident occurs and nobody can prove it was approved. A simple rule works best: no record means no permission.

Short checklist for employees and IT

This memo is handy to print and give to newcomers. It saves time in incident analysis and reduces the urge to "do it myself."

Note for employees

What not to do on the spot:

  • do not connect unknown USB drives, cables, adapters or "gift" flash drives;
  • do not bring or connect personal Wi‑Fi/4G devices (routers, access points, modems);
  • do not open cases or change components in PCs/servers without IT permission;
  • do not connect peripherals "for testing" if they are not company-issued and inventoried;
  • do not access network sockets and patch panels in server rooms and cabinets without authorization.

If a device or upgrade is truly needed:

  • create a request in IT with purpose and timeframe (what to connect or change and why);
  • wait for confirmation and follow instructions, including scheduled work time.

Checklist for IT (before and after)

Before connecting a device, verify origin (who owns it, where it came from), intended use, approval, labeling or inventory record. If the device cannot be identified, do not connect it.

Before an upgrade, check compatibility with the model, impact on warranty, maintenance window (to avoid disrupting the workday), and a rollback plan (how quickly to restore the original configuration if something goes wrong).

After the work, perform basic tests (boot, network, peripherals, temperature), update the configuration record, and return removed parts to storage or the repair pool. For equipment where origin and configuration matter (workstations and servers) record serial numbers and component lists.

If there is any sign of risk, escalate immediately to InfoSec: unknown media, any Wi‑Fi device, suspicious pop-ups, suspected infection or attempts to bypass rules.

Practical example: "plugged in and forgot"

In accounting, an employee connected a personal external drive to quickly transfer scans. They copied files, unplugged and forgot. The next day the PC failed a security check: antivirus found a suspicious file and InfoSec detected an unaccounted connected drive.

The problem was not just infection risk. Inventory was broken and IT couldn’t quickly prove whether data leaked or the workstation configuration changed. This is precisely why a regulation is needed: it records what cannot be done without approval, and what to do if it already happened.

How it should have gone: the employee files a short request (why the transfer is needed, size, timeframe). IT issues a corporate, labeled drive (and encrypts it if required), and records the issuance. After return, the drive is checked and data moved to an approved storage location.

When the incident occurred, IT followed standard procedure: isolate the PC from the network, collect initial data (what was connected, when, which processes ran), run checks and cleanup, restore from a trusted image if needed, reinstate access only after verification, and report to InfoSec and the manager with causes and measures.

After the case the rules were strengthened, but without overreach. A short induction for new employees was introduced, along with labels on approved media and a reminder in the support request: personal drives and flash drives are forbidden. Where justified, port control and connection logging were implemented.

A separate question concerned the external drive: diagnostics showed errors and they wanted to replace it "on the spot." To preserve warranty, the agreed rule was: any drive replacements are done only by IT under an approved procedure, documenting serial numbers and installing compatible components. This is especially important for corporate PCs and servers supplied as supported solutions, for example from GSE.kz.

Next steps: implement the regulation without conflicts

To make the regulation work, roll it out as a service, not a punishment. Employees must know exactly what is forbidden, why, and how quickly they can get a legitimate solution.

Start with an inventory of reality. Every organization has a "standard set": flash drives, external disks, USB modems, headsets, printers, docking stations, and typical upgrades like adding RAM or replacing a drive. Once this set is documented, rules become specific rather than "we forbid everything."

Then help people avoid mistakes. Appoint a process owner (usually IT) and an InfoSec approver for contentious cases. Prepare a simple request form: what to connect or change, why, on which device, and for how long. Approve templates (work acceptance act, configuration change note, employee memo). Create "fast lanes" for typical requests (standard mouse or certified headset). And most importantly—set a clear response time so employees aren’t tempted to "do it themselves."

Also review your equipment fleet and warranty terms by model and series. Conflicts often start when someone "upgraded" a PC and support is then in question. Define in advance which changes are allowed only by IT and which require supplier agreement.

If mass updates are planned, lock down standard configurations and supported supply. This reduces ad-hoc modifications and disputed upgrades. For example, when procuring PCs, all-in-ones and servers, define baseline configurations and maintenance procedures. For vendors and integrators like GSE.kz (gse.kz), which both supply equipment and provide support, this approach usually simplifies inventory and ongoing service.

A short training solves more than bans: 15 minutes in onboarding and a quarterly reminder. After that, instead of "plugged in and forgotten," people more often ask in advance, and conflicts decrease.
