Â鶹ÊÓƵ

Standards for Technologies Prohibited by Regulation

Purpose

This standard establishes:

(1) a non-exhaustive record of technologies and technology service providers from which the university is prohibited from using and/or acquiring and

(2) a non-confidential explanation of technical and administrative controls implemented in the furtherance of related compliance goals.

Prohibitions highlighted in this standard correspond to state and federal laws, directives, executive orders, and other regulatory requirements applicable to the university. The absence of an otherwise prohibited item from this Standard does not imply a means by which the item is authorized.

The contents of this standard are additive overlays that incorporate, detail, and extend requirements set by the TSUS Information Technology Policies, institutional policies, other institutional standards, procedures, and guidelines, and additional prohibitions, such as the “Debarred Vendor List” maintained by the Texas Comptroller of Public Accounts.

Pursuant to section 552.139 of Texas Government Code (“Public Information”), some descriptions of technical security controls, procedures, and practices will be abbreviated to avoid disclosure of confidential information pertaining to the security posture of the university’s information resources.

Scope

This standard generally applies to all university-owned information systems, devices, networks, and other information resources that are within the custodianship of the university regardless of location.

As detailed within, certain sections of this standard may also be applicable to university personnel (e.g., university officers, employees, contractors), locations (e.g., campuses, properties), and personally owned devices (e.g., those used to conduct state or university business).

Summary

This section provides an overview of the requirements of this standard. This summary is provided for reference purposes and does not take the place of the full text below.

  • All university employees are prohibited from downloading or using TikTok on any university device or other information resource. Similarly, the installation or use of TikTok on any university-owned device or other information resource is prohibited by any user. Exceptions to this prohibition may only be granted by the university’s president.

Publication and Updates

This standard was first published on 1/2/2023. This section will be updated when any updates or changes are made to this standard and further direction from Tx DIR.

Definitions

  • DIR: Initialism for the Texas Department of Information Resources.
  • DPS: Initialism for the Texas Department of Public Safety.
  • Institutional User: A privileged or non-privileged user of an information system who holds an active affiliation (e.g., faculty, staff, student) with Â鶹ÊÓƵ.
  • ISO: Initialism for “Information Security Office”.
  • Logical Device: Logical equivalents of Devices, such as virtual Servers and virtualized versions of Networks.
  • Non-privileged User: See “Institutional User".
  • OOG: Initialism for the Texas Office of the Governor.
  • Organizational User: See “Institutional User”.

Exceptions to this Standard

The feasibility of exceptions to this standard and processes by which such exceptions may be facilitated will be detailed within the body of this document. Unlike certain security controls, policies, standards, and other requirements of the university, the regulatory nature of the prohibitions described by this standard significantly limits or prevents exceptions from being granted by the university’s agency head, information security officer, individual department heads, or other university personnel.

Prohibition of TikTok [12/7/22 Texas OOG Order]

Regulatory Source

This prohibition stems from an OOG order issued on 12/7/22. As stated in the letter sent to state agency heads:

“…effective immediately, every state agency in Texas shall ban its officers and employees from downloading or using TikTok on any of its government-issued devices. This TikTok ban extends to all state-issued cell phones, laptops, tablets, desktop computers, and other devices capable of internet connectivity, and it must be strictly enforced by your agency’s IT department.”

For further information, see the following pages:

Prohibition

Effective 12/7/22, all university employees are prohibited from downloading or using TikTok on any university-owned or university-issued devices and other university information resources. Further, the installation or use of TikTok on university-owned or university-issued devices and other university information resources by any user, including contractors, students, sponsored student organizations, and non-affiliates, is prohibited.

Exceptions to This Prohibition

Pursuant to the order, exceptions to this prohibition may be made with authorization from the university’s president as the designated state agency head.

As stated in the letter sent to state agency heads:

“As head of your agency, you may grant exceptions to enable law-enforcement investigations and other legitimate uses of TikTok on state-issued devices. This authority may not be delegated. These narrow exceptions must be reported to the Office of the Governor (OOG).”

As of 12/13/2022, the following exceptions have been approved by the university president:

  1. Law-enforcement investigations;
  2. Cybersecurity incident investigations;
  3. Student investigations conducted by Â鶹ÊÓƵ’s student affairs;
  4. Title IX and Discrimination investigations;
  5. Legal discovery; and
  6. Temporary maintenance of dormant, high-value TikTok handles to reduce the risk of cyber-attacks.

Technical Control

In response to this prohibition of the use of the TikTok social media service on university-owned devices, a series of technical controls will be used. Technical controls include, but may not be limited to, the following:

  • Blocking the use of TikTok software and access to TikTok services on university-managed endpoints and networks via technology-based controls.

Administrative Control

Measures that have or will be taken include, but may not be limited to, the following:

  • Issuance of this standard.
  • Removal of content on university webpages referencing and/or linking to TikTok other than those used to communicate and facilitate compliance with the order such as this standard.
  • Reviews of institutional procurement activity to assess direct spending with TikTok.
  • Reviews of institutional research activity and grants regarding TikTok and development of procedures to avoid such activities in the future.
  • Identification and neutralization of TikTok accounts controlled by the university and external parties on behalf of the university.
  • Communication to multiple stakeholder groups.
  • Establishing and appropriately reporting exceptions authorized by the university president.

Procedures to Disable TikTok Accounts

Prior to the 12/7/22 order, parts of the university used TikTok as a component of social media strategies. In order to mitigate the likelihood of username reclamation and subsequent impersonation by threat actors, the following procedures are to be implemented by the respective information resource owner and information resource custodian of university-managed TikTok accounts:

  • Review and download copies of any videos that you may need for reference or records retention.
  • Delete all content, branding, and data from the account and profile page.
  • Make profile private.
  • Submit the TikTokAccount Registration Form to account for all your Â鶹ÊÓƵ-related TikTok.
  • Do NOT delete the TikTok account(s) at this time.

Additional procedures may include temporarily logging on to the account from an authorized source to prevent deactivation of the account and loss of the account’s reserved username after a period of approximately 170 days of inactivity. These procedures may be activated based on several factors, including risk analysis, shifts in the threat landscape, and the status of authorized exceptions.