Standards for Technologies Prohibited by Regulation

Purpose

This standard establishes (1) a non-exhaustive record of technologies and technology service providers that the university is prohibited from using and/or acquiring and (2) a non-confidential explanation of the technical and administrative controls implemented in furtherance of related compliance goals. Prohibitions highlighted in this standard correspond to state and federal laws, directives, executive orders, and other regulatory requirements applicable to the university. The absence of an otherwise prohibited item from this standard does not imply that the item is authorized.

The contents of this standard are additive overlays that incorporate, detail, and extend requirements set by the TSUS Information Technology Policies, institutional policies, other institutional standards, procedures, and guidelines, and additional prohibitions, such as the “Debarred Vendor List” maintained by the Texas Comptroller of Public Accounts.

Pursuant to section 552.139 of Texas Government Code (“Public Information”), some descriptions of technical security controls, procedures, and practices will be abbreviated to avoid disclosure of confidential information pertaining to the security posture of the university’s information resources.

Scope

This standard generally applies to all university-owned information systems, devices, networks, and other information resources that are within the custodianship of the university regardless of location. As detailed within, certain sections of this standard may also be applicable to university personnel (e.g., university officers, employees, contractors), locations (e.g., campuses, properties), and some personally owned devices (e.g., those used to conduct state or university business).

Summary

This section provides an overview of the requirements of this standard. This summary is provided for reference purposes and does not take the place of the full text below. If you have questions regarding this standard, please visit the FAQ section of the SHSU Prohibited Technologies webpage.

  • Prohibited Technologies and Covered Applications designated by the State of Texas are prohibited on university-owned devices.
  • Prohibited Technologies will be blocked on university networks.
  • The university will enhance management capabilities for university-owned devices.
  • This standard includes procedures for addressing technologies prohibited by regulation in use by the university.
  • No exceptions may be authorized for Covered Applications.
  • Exceptions to Prohibited Technologies may only be granted by the university's president.

Publication and Updates

This section will be updated when any updates or changes are made to this standard.
Date and Summary of Changes

  • 12/9/2022:  First published
  • 05/31/2023: Updated to align with expanded requirements from the Governor’s 2/7/2023 press release and the DIR/DPS model plan.
  • 08/09/2024: Updated Prohibited Technologies Exceptions and TGC §620 concerning Covered Applications

Technologies Prohibited by The State of Texas

Regulatory Source

On February 6, 2023, the Governor released a model plan as required by a December 7, 2022, directive banning all state agencies from using TikTok on government-issued devices. This model plan included additional prohibited technologies and detailed objectives intended to protect the state’s information resources and infrastructure. The model plan requires each state agency to develop its own policies and procedures to implement the plan and its objectives.

For further information, see the following pages:

Regulatory Source: Covered Applications

Effective June 14, 2023, Texas Government Code Chapter 620 requires state agencies to prohibit the installation or use of covered applications on any device owned or leased by the governmental entity and to require the removal of covered applications from those devices. Covered applications are social media applications or services specified by proclamation of the governor under Section 620.005. For further information, see the following:

  • Texas Government Code Chapter 620
  • Texas State University System’s Technologies Prohibited by Regulation Policy

Prohibition Statements

All university Personnel are prohibited from:

  • Downloading or using any Prohibited Technologies or Covered Applications on university-owned devices;
  • Conducting university business on personally owned devices with Prohibited Technologies installed;
  • Entering Sensitive Locations with a Prohibited Technology-enabled personal device; and/or
  • Acquiring or reimbursing the purchase of Prohibited Technologies.

Exceptions to Covered Applications

Exceptions for Covered Applications may only be approved to enable law-enforcement or information security measures. No other exceptions may be authorized for Covered Applications.

Exceptions to Prohibited Technologies

Pursuant to the Governor’s directive, exceptions to this prohibition may only be approved by the university’s president.

Exceptions for Investigations

These exceptions are legitimate uses of prohibited technologies for the express purpose of performing investigations required by state, federal, or industry regulations:

  • Law-enforcement investigations
  • Cybersecurity incident investigations
  • Student investigations conducted by the Dean of Students
  • Title IX and discrimination investigations
  • Legal Discovery

Exceptions for the Severance of Prohibited Technologies

This exception allows business units in coordination with the Information Security Officer to perform data retrieval, account configuration(s), and other activities necessary to reduce the risk of cyber-attacks:

  • Temporary maintenance of dormant, high-value data or accounts already in use on a prohibited technology

Exceptions for Residential Internet Services

The following exception is considered a legitimate use of prohibited technologies for the express purpose of providing Internet services to residents’ personal devices while living in university housing:

  • University residential Internet services transiting through a separate network and used exclusively by residents on personal devices for personal use unrelated to university business.

Technical Controls

A series of technical controls will be used to enforce the prohibition of technologies subject to this standard. Technical controls include, but may not be limited to, the following:

  • All university-owned devices will be managed to detect and remove Prohibited Technologies and Covered Applications.
  • All university-owned mobile devices will be enrolled in Mobile Device Management (MDM) software.
  • The university will block access to Prohibited Technologies and Covered Applications on university-owned networks to prevent the download or installation of, and device communication with, prohibited technologies.

Administrative Controls

Measures that have been or will be taken include, but may not be limited to, the following:

  • Issuance of this standard;
  • As necessary and based on the level of risk presented to the university, removal of content on university webpages referencing and/or linking to Prohibited Technologies or Covered Applications other than those used to communicate and facilitate compliance with the orders, such as this standard;
  • Development of procurement procedures and review of institutional procurement activities to restrict the acquisition of Prohibited Technologies and Covered Applications;
  • Reviews of institutional research activity and grants regarding Prohibited Technologies and Covered Applications and development of procedures to avoid such activities without an authorized exception;
  • Development of procedures to identify and remediate Prohibited Technologies or Covered Applications controlled by the university and external parties on behalf of the university;
  • Communication to multiple stakeholder groups;
  • Establishment and reporting of exceptions authorized by the university president;
  • Identification and designation of Sensitive Locations;
  • Updates to university cybersecurity awareness programs to include information concerning Prohibited Technologies and Covered Applications; and
  • Updates to applicable contracts and contract addenda to reflect the prohibitions of this standard and the TSUS Technologies Prohibited by Regulation Policy.

Procedures

Personnel

The following general procedures should be followed by Personnel who are aware of the use of a Prohibited Technology, Covered Application, or Unauthorized Device to conduct university business.

  1. Stop using the Prohibited Technology, Covered Application, or Unauthorized Device.
  2. Report the use of a Prohibited Technology at the SHSU Report-IT webpage if the Prohibited Technology is:
    • Installed on or accessed from a university-owned device,
    • Incorporated as part of a department’s or unit’s business or otherwise represents the university, or
    • A component of the university’s infrastructure.
  3. For personal devices:
    • Remove the prohibited technology, or
    • Cease using the personal device for university business.

Procedures for Specific Prohibited Technologies Prohibited by Regulation

Procedures to Disable TikTok Accounts

Prior to the 12/7/22 order, parts of the university used TikTok as a component of social media strategies. In order to mitigate the likelihood of username reclamation and subsequent impersonation by threat actors, the following procedures are to be implemented by the respective information resource owner and information resource custodian of university-managed TikTok accounts:

  • Review and download copies of any videos that you may need for reference or records retention
  • Delete all content, branding, and data from the account and profile page
  • Make profile private
  • Submit this brief form to account for all your SHSU-related TikTok accounts
  • Do NOT delete the TikTok account(s) at this time.
  • Remove any remaining instances of TikTok applications from university-owned devices.

Additional procedures may include temporarily logging on to the account from an authorized source to prevent deactivation of the account and loss of the account’s reserved username after a period of approximately 170 days of inactivity. These procedures may be activated based on several factors, including risk analysis, shifts in the threat landscape, and the status of authorized exceptions.

Procedures for Exceptions to Technologies Prohibited by Regulation

The following procedures should be followed by personnel seeking an exception.

  1. Exceptions may be requested by completing the Technologies Prohibited By Regulation Exception Request form.
  2. Exceptions must include a detailed business justification.
  3. Additional information may be requested to determine if an exception is possible.
  4. Exceptions may only be approved by the university's president.
  5. Approved exceptions will be reported to the Texas Department of Information Resources.
  6. Approved exceptions may be subject to review by the Office of the Governor, the Texas Legislature, or others appointed to review them.
  7. If you have any questions regarding this Standard, please review the FAQs found on the SHSU Prohibited Technologies webpage.

Definitions

Terms used in this standard have the meaning ascribed in the Information Security Glossary (see https://docs.gato.txst.edu/322755/TSUS%20IT%20Policy%20-%202022.pdf) unless otherwise clarified in this section.

  • Covered Application: A social media application or service specified by proclamation of the governor under Section 620.005 including the social media service TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited.
  • DIR: Initialism for the Texas Department of Information Resources
  • DPS: Initialism for the Texas Department of Public Safety
  • Institutional User: A privileged or non-privileged user of an information system who holds an active affiliation (e.g., faculty, staff, student) with Sam Houston State University.
  • ISO: Initialism for Sam Houston State University’s “Information Security Office”
  • Logical Device: Logical equivalents of Devices, such as virtual Servers and virtualized versions of Networks
  • Non-privileged User: See “User”
  • OOG: Initialism for the Texas Office of the Governor
  • Organizational User: See “Institutional User”
  • Personnel: Employees or contractors of the university, including faculty, staff, interns, and contractors.
  • Prohibited Technology: Any technologies listed on the Department of Information Resources’ Prohibited Technologies List, including, but not limited to, certain software, hardware, companies, telecommunications devices, and equipment.
  • Sensitive Location: Any physical or logical (such as video conferencing or electronic meetings) location designated by the TSUS or a component institution that is routinely used by Personnel to discuss confidential or sensitive information.
  • TGC §620: Initialism for Texas Government Code Section 620, Use of Certain Social Media Applications And Services On Governmental Entity Devices Prohibited.
  • University Business: Employees or contractors accessing component-owned information resources including, but not limited to, data, information systems, email accounts, non-public facing communications, telecommunication systems, and video conferencing.
  • Unauthorized Devices: Devices containing prohibited technologies regardless of ownership. Examples include personally owned smart phones with a prohibited technology installed.