Standards for Technologies Prohibited by Regulation : Information Security Office : Texas State University

Purpose

This standard establishes (1) a non-exhaustive record of technologies and technology service providers from which the university is prohibited from using and/or acquiring and (2) a non-confidential explanation of technical and administrative controls implemented in the furtherance of related compliance goals. Prohibitions highlighted in this standard correspond to state and federal laws, directives, executive orders, and other regulatory requirements applicable to the university. The absence of an otherwise prohibited item from this Standard does not imply a means by which the item is authorized.

The contents of this standard are additive overlays that incorporate, detail, and extend requirements set by the TSUS Information Technology Policies, institutional policies, other institutional standards, procedures, and guidelines, and additional prohibitions, such as the “Debarred Vendor List” maintained by the Texas Comptroller of Public Accounts.

Pursuant to section 552.139 of Texas Government Code (“Public Information”), some descriptions of technical security controls, procedures, and practices will be abbreviated to avoid disclosure of confidential information pertaining to the security posture of the university’s information resources.

Scope

This standard generally applies to all university-owned information systems, devices, networks, and other information resources that are within the custodianship of the university regardless of location. As detailed within, certain sections of this standard may also be applicable to university personnel (e.g., university officers, employees, contractors), locations (e.g., campuses, properties), and some personally owned devices (e.g., those used to conduct state or university business).

Summary

This section provides an overview of the requirements of this standard. This summary is provided for reference purposes and does not take the place of the full text below. If you have questions regarding this standard, please visit the FAQ section of the Division of IT Prohibited Technologies webpage.

Prohibited Technologies and Covered Applications designated by the State of Texas are prohibited on university-owned devices
Prohibited Technologies will be blocked on university networks.
The university will enhance management capabilities for university-owned devices.
This standard includes procedures for addressing technologies prohibited by regulation in use by the university.
No Exceptions may be authorized for Covered Applications
Exceptions to Prohibited Technologies may only be granted by the university's president.

Publication and Updates

This standard was first published on 12/9/2022. This section will be updated when any updates or changes are made to this standard.

Date	Summary of Changes
12/9/2022	First Published
4/11/2024	Updated to align with the expanded requirements from DIR/DPS model plan for Prohibited Technologies and TGC §620 concerning Covered Applications

Date

Summary of Changes

12/9/2022

First Published

4/11/2024

Updated to align with the expanded requirements from DIR/DPS model plan for Prohibited Technologies and TGC §620 concerning Covered Applications

Technologies Prohibited by The State of Texas

Regulatory Source: Prohibited Technologies

On February 6, 2023, the Governor released a model plan as required by a December 7, 2022, directive banning all state agencies from using TikTok on government-issued devices. This model plan included additional prohibited technologies and detailed objectives intended to protect the state’s information resources and infrastructure. The model plan requires each state agency to develop its own policies and procedures to implement the plan and its objectives.

For further information, see the following pages:

Governor’s December 7, 2022 announcement
Governor’s December 7, 2022 directive
Governor’s February 6, 2023 announcement
Department of Information Resources’ list of prohibited technologies
Texas State University System's Technologies Prohibited by Regulation Policy

Regulatory Source: Covered Applications

Effective June 14, 2023, Texas Government Code Chapter 620 requires state agencies to prohibit the installation or use of covered applications on any device owned or leased by the governmental entity and requiring the removal of covered applications from those devices. Covered applications are social media applications or services specified by proclamation of the governor under Section 620.005. For further information, see the following:

Prohibition Statements

All university Personnel are prohibited from:

Downloading or using any Prohibited Technologies or Covered Applications on university-owned devices;
Conducting university-business on personally owned devices with Prohibited Technologies installed;
Entering Sensitive Locations with a Prohibited Technology-enabled personal device; and/or
Acquiring or reimbursing the purchase of Prohibited Technologies.

Exceptions to Covered Applications

Exceptions for Covered Applications may only be approved to enable law-enforcement or information security measures. No other exceptions may be authorized for Covered Applications.

Exceptions to Prohibited Technologies

Pursuant to the Governor’s directive, exceptions to this prohibition may only be approved by the university’s president.

Exceptions for Investigations

These exceptions are legitimate uses of prohibited technologies for the express purpose of performing investigations required by state, federal, or industry regulations:

Law-enforcement investigations
Cybersecurity incident investigations
Student investigations conducted by the Dean of Students
Title IX and discrimination investigations
Legal Discovery

Exceptions for the Severance of Prohibited Technologies

This exception allows business units in coordination with the Information Security Officer to perform data retrieval, account configuration(s), and other activities necessary to reduce the risk of cyber-attacks:

Temporary maintenance of dormant, high-value data or accounts already in use on a prohibited technology

Exceptions for Residential Internet Services

The following exception is considered a legitimate use of prohibited technologies for the express purpose of providing Internet services to residents’ personal devices while living in university housing:

University residential Internet services transiting through a separate network and used exclusively by residents on personal devices for personal use unrelated to university business.

Technical Controls

A series of technical controls will be used to enforce the prohibition of technologies subject to this standard. Technical controls include, but may not be limited to, the following:

All university-owned devices will be managed to detect and remove Prohibited Technologies and Covered Applications.
All university-owned mobile devices will be enrolled in Mobile Device Management (MDM) software.
The university will block access to Prohibited Technologies and Covered Applications on all university-owned networks to prevent the download, installation, and/or communication of devices to prohibited technologies.

Administrative Controls

Measures that have been or will be taken include, but may not be limited to, the following:

Issuance of this standard;
As necessary and based on the level of risk presented to the university, removal of content on university webpages referencing and/or linking to Prohibited Technologies or Covered Applications other than those used to communicate and facilitate compliance with the orders, such as this standard;
Development of procurement procedures and review of institutional procurement activities to restrict the acquisition of Prohibited Technologies and Covered Applications;
Reviews of institutional research activity and grants regarding Prohibited Technologies and Covered Applications and development of procedures to avoid such activities without an authorized exception;
Development of procedures to identify and remediate Prohibited Technologies or Covered Applications controlled by the university and external parties on behalf of the university;
Communication to multiple stakeholder groups;
Establishment and reporting of exceptions authorized by the university president;
Identification and designation of Sensitive Locations;
Updates to university cybersecurity awareness programs to include information concerning Prohibited Technologies and Covered Applications; and
Updates to applicable contracts and contract addenda to reflect the prohibitions of this standard and the TSUS Technologies Prohibited by Regulation Policy.

Procedures

Personnel

The following general procedures should be followed by Personnel who are aware of the use of a Prohibited Technology, Covered Application, or Unauthorized Device to conduct university business.

Stop using the Prohibited Technology, Covered Application, or Unauthorized Device.
Report the use of a Prohibited Technology or Covered Applications at our reporting form if the technology is:
- Installed on or accessed from a university-owned device,
- Incorporated as part of a department’s or unit’s business or otherwise represents the university, or
- A component of the university’s infrastructure.
For personal devices:
- Remove the Prohibited Technology or Covered Application, or
- Cease using the personal device for university business.

Procedures for Specific Prohibited Technologies Prohibited by Regulation

Procedures to Disable TikTok Accounts

Prior to the 12/7/22 order, parts of the university used TikTok as a component of social media strategies. In order to mitigate the likelihood of username reclamation and subsequent impersonation by threat actors, the following procedures are to be implemented by the respective information resource owner and information resource custodian of university-managed TikTok accounts:

Archive copies of content posted to the account and store the archived copies in an authorized location (e.g., university fileshare, SharePoint, YuJa) in compliance with the records retention schedule.
Remove all content from each account.
De-brand each account by removing all institutional logos, contact information, and similar details.
Set the account to private.
Leave the account active and maintain it under TXST control by storing the credentials in LastPass Enterprise .
Remove any remaining instances of TikTok applications from university-owned devices.
Confirm the account has been registered with the Division of Information Technology and do not use it further.

Additional procedures may include temporarily logging on to the account from an authorized source to prevent deactivation of the account and loss of the account’s reserved username after a period of approximately 170 days of inactivity. These procedures may be activated based on several factors, including risk analysis, shifts in the threat landscape, and the status of authorized exceptions.

Procedures for Exceptions to Technologies Prohibited by Regulation

The following procedures should be followed by personnel seeking an exception.

Exceptions may be requested by completing the Technologies Prohibited By Regulation Exception Request form.
Exceptions must include a detailed business justification.
Additional information may be requested to determine if an exception is possible.
Exceptions may only be approved by the university's president.
Approved exceptions will be reported to the Texas Department of Information Resources.
Approved exceptions may be subjected to review by the Office of the Governor, the Texas Legislature, or others appointed to review.

If you have any questions regarding this Standard, please review the FAQs found on the Division of IT's Technologies Prohibited by Regulation webpage.

Definitions

Terms used in this standard have the meaning ascribed in the Information Security Glossary (see https://infosecurity.txst.edu/work/information-security-glossary.html) unless otherwise clarified in this section.

Covered Application: A social media application or service specified by proclamation of the governor under Section 620.005 including the social media service TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited.
DIR: Initialism for the Texas Department of Information Resources
DPS: Initialism for the Texas Department of Public Safety
Institutional User: A privileged or non-privileged user of an information system who holds an active affiliation (e.g., faculty, staff, student) with Texas State University.
ISO: Initialism for Texas State’s “Information Security Office”
Logical Device: Logical equivalents of Devices, such as virtual Servers and virtualized versions of Networks
Non-privileged User: See “User"
OOG: Initialism for the Texas Office of the Governor
Organizational User: See “Institutional User”
Personnel: Employees or contractors of the university, including faculty, staff, interns, and contractors.
Prohibited Technology: Any technologies listed on the Department of Information Resources’ Prohibited Technologies List, including, but not limited to, certain software, hardware, companies, telecommunications devices, and equipment.
Sensitive Location: Any physical or logical (such as video conferencing or electronic meetings) location designated by the TSUS or a component institution that is routinely used by Personnel to discuss confidential or sensitive information.
TGC §620: Initialism for Texas Government Code Section 620, Use of Certain Social Media Applications And Services On Governmental Entity Devices Prohibited.
University Business: Employees or contractors accessing component-owned information resources including, but not limited to, data, information systems, email accounts, non-public facing communications, telecommunication systems, and video conferencing.
Unauthorized Devices: Devices containing prohibited technologies regardless of ownership. Examples include personally owned smart phones with a prohibited technology installed.