HSC OP 56.06 Prohibited Technologies | Texas Tech University Health Sciences Center


Last published: 1/31/2024

Operating Policy and Procedure

HSC OP: 56.06, Prohibited Technologies

PURPOSE: To address the requirements set forth by the Governor of Texas (12/7/2022) to protect critical state infrastructure and to comply with the Lone Star Infrastructure Protection Act, TTUHSC is adopting this Prohibited Technologies Policy.

All state agencies are prohibited from using the video-sharing application TikTok on state-owned and state-issued devices or on networks managed by TTUHSC. TTUHSC reserves the right to add software and hardware considered to pose security risks to a list of prohibited technologies in accordance with the state of Texas’s continually updated list of identified technologies.

DEFINITION: As outlined in the TTUHSC IT Authorized and Unauthorized Hardware/Software Standard, Prohibited Technologies include, but are not limited to:

i. Any technologies that are not properly licensed;

ii. Any technologies that violate federal, state, or local laws or TTUHSC policies;

iii. Any technologies that are considered by the state government of Texas to be a threat to local, state, or national security; or

iv. Any technologies identified on the Department of Information Resources (DIR)’s page.

SCOPE: This policy applies to all TTUHSC full and part-time employees including contractors, paid or unpaid interns, and users of state networks. All TTUHSC employees are responsible for complying with the terms and conditions of this policy.

REVIEW: This OP will be reviewed annually by the TTUHSC President.

POLICY:

1. TTUHSC-Managed Devices

The use or download of Prohibited Technologies is not permitted on TTUHSC-managed devices, including cell phones, tablets, desktop and laptop computers, and other internet-capable devices. TTUHSC must identify, track, and control state-owned devices to prohibit the installation of or access to Prohibited Technologies. This monitoring includes prohibited applications for mobile, desktop, or other internet-capable devices.

TTUHSC must manage all state-issued mobile devices by implementing the security controls listed below:

a. Restrict access to Prohibited Technologies.

b. Maintain the ability to remotely wipe non-compliant or compromised TTUHSC-managed mobile devices.

c. Maintain the ability to remotely uninstall unauthorized software from TTUHSC-managed mobile devices.

d. Deploy secure baseline configurations for TTUHSC-managed mobile devices, as determined by TTUHSC.

2. Personal Devices Used for TTUHSC Business

TTUHSC business includes any interaction that requires access to or use of TTUHSC-owned or managed networks, data, applications, email accounts, non-public facing communications, email, VoIP, SMS, or video conferencing. Employees and contractors are required to remove all Prohibited Technologies on any personal device that is used to conduct TTUHSC business. Employees and contractors may request that their device be enrolled in TTUHSC’s Bring Your Own Device (BYOD) program, which ensures endpoint management on all TTUHSC devices.

3. Identification of Sensitive Locations

A sensitive location is any area, physical or logical (such as video conferencing or electronic meeting rooms), that is used to discuss confidential or sensitive information, including information technology configurations, criminal justice information, financial data, personally identifiable data, sensitive personal information, or any data protected by federal or state law.

a. Non-TTUHSC-managed devices such as personal cell phones, tablets, or laptops that have Prohibited Technologies may not enter locations labeled as sensitive, including any electronic meeting labeled as a sensitive location.

b. Visitors granted access to secure locations are subject to the same limitations as contractors and employees and may not bring unauthorized personal devices that have Prohibited Technologies into secure locations.

4. Network Restrictions

TTUHSC will implement additional network-based restrictions to include:

a. Firewalls configured to block access to Prohibited Technologies on all institutional technology infrastructures, including local networks, WAN, and VPN connections.

b. Not allowing devices with Prohibited Technologies to connect to TTUHSC networks.

5. Ongoing and Emerging Technology Threats

a. TTUHSC will regularly monitor and evaluate additional technologies posing concerns following recommendations from DIR and DPS.

b. All TTUHSC Prohibited Technologies, inclusive of state-mandated Prohibited Technologies, can be found in the TTUHSC IT Authorized and Unauthorized Hardware and Software Standard.

c. TTUHSC IT is responsible for blocking or removing any Prohibited Technologies.

6. Purchasing Restriction

TTUHSC will not purchase or reimburse the purchase of any Prohibited Technologies, unless an exception has been approved.

7. Policy Compliance

a. All employees must annually acknowledge and confirm their understanding of this policy.

b. Compliance with this policy will be verified through various methods, including, but not limited to, IT/security system reports and feedback to TTUHSC leadership.

c. An employee found to have violated this policy may be subject to disciplinary action, including termination of employment.

8. Violations

Any violation of this policy may result in disciplinary action, up to and including termination of employment. TTUHSC reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity.

9. Exceptions

Exceptions to the policy will only be considered when the use of Prohibited Technologies is required for a specific business need, and will be evaluated on a case-by-case basis.

a. To the extent practicable, exception-based use should only be performed on devices that are not used for other TTUHSC business and on non-TTUHSC networks.

b. Exceptions to the ban on Prohibited Technologies may be approved by the President of TTUHSC. This authority may not be delegated.

c. All approved exceptions to this policy will be reported to DIR.

10. Relevant Policies

The following TTUHSC policies support the requirements of this HSC OP by implementing controls that ensure state-recognized security baselines for information and information resource management as it applies to the above-mentioned Prohibited Technologies:

• HSC OP 56.01 Acceptable Use

• TTUHSC IT Threat Awareness Program (available by request)

Document Approval Details and Revision History can be found on PDF.