|
Last published: 1/31/2024 |
Operating Policy and Procedure
HSC OP: 56.06, Prohibited Technologies
PURPOSE: To address the requirements set forth by the Governor of Texas, (12/7/2022) to protect critical state infrastructure and to comply with the Lone Star Infrastructure Protection Act, ÍâÍøÌìÌà is adopting this Prohibited Technologies Policy.
All state agencies are prohibited from using of the video-sharing application TikTok on state-owned and state-issued devices or on networks managed by ÍâÍøÌìÌÃ. ÍâÍøÌìÌà reserves the right to add software and hardware considered to pose security risks to a list of prohibited technologies in accordance with the state of Texas’s continually updated list of identified technologies.
DEFINITION As outlined in the ÍâÍøÌìÌà IT Authorized and Unauthorized Hardware/Software Standard, Prohibited Technologies include, but are not limited to:
i. Any technologies that are not properly licensed;
ii. Any technologies that violate federal, state, or local laws or ÍâÍøÌìÌà policies;
iii. Any technologies that are considered by the state government of Texas to be a threat to local, state, or national security; or
iv. Any technologies identified on the Department of Information Resources (DIR)’s page.
SCOPE This policy applies to all ÍâÍøÌìÌà full and part-time employees including contractors, paid or unpaid interns, and users of state networks. All ÍâÍøÌìÌà employees are responsible for complying with the terms and conditions of this policy.
REVIEW: This OP will be reviewed annually by the ÍâÍøÌìÌà President.
POLICY:
1. ÍâÍøÌìÌÃ-Managed Devices
The use or download of Prohibited Technologies is not permitted on ÍâÍøÌìÌÃ-managed devices, including cell phones, tablets, desktop and laptop computers, and other internet-capable devices. ÍâÍøÌìÌà must identify, track, and control state-owned devices to prohibit the installation of or access to Prohibited Technologies. This monitoring includes prohibited applications for mobile, desktop, or other internet-capable devices.
ÍâÍøÌìÌà must manage all state-issued mobile devices by implementing the security controls listed below:
a. Restrict access to Prohibited Technologies.
b. Maintain the ability to remotely wipe non-compliant or compromised ÍâÍøÌìÌÃ-managed mobile devices.
c. Maintain the ability to remotely uninstall unauthorized software from ÍâÍøÌìÌÃ-managed mobile devices.
d. Deploy secure baseline configurations for ÍâÍøÌìÌÃ-managed mobile devices, as determined by ÍâÍøÌìÌÃ.
2. Personal Devices Used for ÍâÍøÌìÌà Business
ÍâÍøÌìÌà business includes any interaction that requires access to or use of ÍâÍøÌìÌÃ-owned or managed networks, data, applications, email accounts, non-public facing communications, email, VoIP, SMS, or video conferencing. Employees and contractors are required to remove all Prohibited Technologies on any personal device that is used to conduct ÍâÍøÌìÌà business. Employees and contractors may request that their device be enrolled in the ÍâÍøÌìÌÃ’s Bring Your Own Device (BYOD) program which ensures endpoint management on all ÍâÍøÌìÌà devices.
3. Identification of Sensitive Locations
A sensitive location is any area, physical, or logical (such as video conferencing, or electronic meeting rooms) that is used to discuss confidential or sensitive information, including information technology configurations, criminal justice information, financial data, personally identifiable data, sensitive personal information, or any data protected by federal or state law.
a. Non-ÍâÍøÌìÌÃ-managed devices such as personal cell phones, tablets, or laptops that have Prohibited Technologies may not enter locations labeled as sensitive, including any electronic meeting labeled as a sensitive location.
b. Visitors granted access to secure locations are subject to the same limitations as contractors and employees and may not bring unauthorized personal devices that have Prohibited Technologies into secure locations.
4. Network Restrictions
ÍâÍøÌìÌà will implement additional network-based restrictions to include:
a. Firewalls configured to block access to Prohibited Technologies on all institutional technology infrastructures, including local networks, WAN, and VPN connections.
b. Not allowing devices with Prohibited Technologies to connect to ÍâÍøÌìÌà networks.
5. Ongoing and Emerging Technology Threats
a. ÍâÍøÌìÌà will regularly monitor and evaluate additional technologies posing concerns following recommendations from DIR and DPS.
b. All ÍâÍøÌìÌà Prohibited Technologies inclusive of state-mandated Prohibited Technologies, can be found in the ÍâÍøÌìÌà IT Authorized and Unauthorized Hardware and Software Standard.
c. ÍâÍøÌìÌà IT is responsible for blocking or removing any Prohibited Technologies.
6. Purchasing Restriction
ÍâÍøÌìÌà will not purchase or reimburse the purchase of any Prohibited Technologies, unless an exception has been approved.
7. Policy Compliance
a. All employees must annually acknowledge and confirm their understanding of this policy.
b. Compliance with this policy will be verified through various methods, including but not limited to, IT/security system reports and feedback to ÍâÍøÌìÌà leadership.
c. An employee found to have violated this policy may be subject to disciplinary action, including termination of employment.
8. Violations
Any violation of this policy may result in disciplinary action, up to and including termination of employment. ÍâÍøÌìÌà reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity.
9. Exceptions
Exceptions to the policy will only be considered when the use of Prohibited Technologies is required for a specific business need, and will be evaluated on a case-by-case basis.
a. To the extent practicable, exception-based use should only be performed on devices that are not used for other ÍâÍøÌìÌà business and on non-ÍâÍøÌìÌà networks.
b. Exceptions to the ban on Prohibited Technologies may be approved by the President of ÍâÍøÌìÌÃ. This authority may not be delegated.
c. All approved exceptions to this policy will be reported to DIR.
10. Relevant Policies
The following ÍâÍøÌìÌà policies support the requirements of this HSC OP by implementing controls that ensure state-recognized security baselines for information and information resource management as it applies to the above-mentioned Prohibited Technologies:
• HSC OP 56.01 Acceptable Use
•
•
•
•
•
•
• ÍâÍøÌìÌà IT Threat Awareness Program (available by request)
•
Document Approval Details and Revision History can be found on PDF.