Policy
It is the policy of Texas State Technical College (TSTC) to ensure that information resources are used in an effective, efficient, ethical, and lawful manner. SOS GA.5.2
Introduction
Under the provisions of the Information Resources Management Act, Information Resources are strategic assets of the State of Texas that must be managed as valuable state resources. Thus this policy is established to achieve the following:
- To ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources.
- To establish prudent and acceptable practices regarding the use of information resources.
- To educate individuals who may use information resources with respect to their responsibilities associated with such use.
Audience
The TSTC Acceptable Use policy applies equally to all individuals granted access privileges to any TSTC Information Resources.
Rights
The provision and use of computing and networking privileges is governed by Texas State Technical College policy. TSTC reserves all rights, including termination of services to any of these resources without notice. These procedures shall not be construed as a waiver of any rights of TSTC, nor shall they conflict with applicable acts of law.
Definitions
Acceptable Use:
All computer use activities contained herein or otherwise that meets the requirements of SOS GA.5.2 and may include other activities that the college deems to be acceptable.
Information Resources (IR):
Any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. Key Roles & Responsibilities
User: Has the responsibility to (1) use the resource only for the purpose specified by the owner, (2) comply with controls established by the owner, and (3) prevent disclosure of confidential or sensitive information. The user is any person who has been authorized to read, enter, or update information by the owner of the information. The user is the single most effective control for providing adequate security.
Network & Telecommunications Services (NTS): The name of department responsible for computers, networking, and data management.
Director of Network & Telecommunications Services: Ensures that TSTC’s information resources are being adequately secured, based on risk management as directed by college administration and acting on delegated authority for risk management decisions.
Information Resources Acceptable Use Policy
1. All users must respect the privacy and usage privileges of others, both on the TSTC campus and at all sites reachable by TSTC’s external network connections.
1.1 Users shall not intentionally seek information on, obtain copies of, or modify files, other data, or passwords belonging to other Users, whether on the TSTC campus or elsewhere, or develop or retain programs for that purpose.
1.2 Users shall not represent themselves electronically as others, either on the TSTC campus or elsewhere.
1.3 Users shall not intentionally develop or retain programs that harass other Users, either on the TSTC campus or elsewhere.
1.4 Users shall not obstruct or disrupt the use of any computing system or network by another person or entity, either on the TSTC campus or elsewhere, whose usage is protected by law, ordinance, regulation, policy, or administrative ruling.
2. All Users must respect the integrity of computing systems and networks, both on the TSTC campus and at all sites reachable by TSTC’s external network connections.
2.1 Users shall not by any means attempt to infiltrate (e.g., gain access without proper authorization) a computing system or network, either on the TSTC campus or elsewhere.
2.2 Users shall not attempt to damage, or alter, either the hardware or the software components of a computing system or network, either on the TSTC campus or elsewhere
3. All Users of TSTC’s external network connections shall comply with the evolving "Acceptable Use" policies established by the external networks’ governing bodies.
3.1 In cases of doubt, Users bear the burden of responsibility to inquire concerning the permissibility of external network uses, prior to execution.
4. Computing and networking resources are sometimes in scarce supply. Resource contention may variously involve disk space, server access, applications availability, and network bandwidth. Users are expected to comply fully with the instructions of technical staff and administrators when monitoring network activities.
UAP References
Detail based on TAC 202 and Best Practices
It is the policy that TSTC will create, approve, publish and implement and maintain Information Resources Security Standards in accordance with TAC 202.
Reference #
- IR Security controls must not be bypassed or disabled.
TAC 202.2 – (1)
- Security awareness of personnel must be continually emphasized, reinforced, updated and validated.
TAC 202.8 – (d), (e)
- All personnel are responsible for managing their use of IR and are accountable for their actions relating to IR security. Personnel are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management.
TAC 202.2 – (3); TAC 202.3 – (c) (3)
- Passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), and other computer systems security procedures and devices shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to the custodian or owner department management.
TAC 202.2- (3); TAC 202.3 – (c) (3)
- Access to, change to, and use of IR must be strictly secured. Information access authority for each user must be reviewed on a regular basis, as well as each job status change such as: a transfer, promotion, demotion, or termination of service.
TAC 202.3 - (c) (1)(A),(H); TAC 202.7 – (c) (2)
- The use of IR must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools such as, but not limited to; email, Web browsing, and other electronic discussion tools. The use of these electronic communications tools may be monitored to fulfill complaint or investigation requirements. Departments responsible for the custody and operation of computers (custodian departments) shall be responsible for proper authorization of IR utilization, the establishment of effective use, and reporting of performance to management.
TAC 202.2 – (3); TAC 202.7 – (h) (O), (j)
- Any data used in an IR system must be kept confidential and secure by the user. The fact that the data may be stored electronically does not change the requirement to keep the information confidential and secure. Rather, the type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted the data must still be protected as confidential and secured.
TAC 202.2 – (1); TAC 202.3 – (c) (3); TAC 202.7 – (b)
- All computer software programs, applications, source code, object code, documentation and data shall be guarded and protected as if it were state property.
TAC 202.2 – (1)
- On termination of the relationship with the agency users must surrender all property and IR managed by the agency. All security policies for IR apply to and remain in force in the event of a terminated relationship until such surrender is made. Further, this policy survives the terminated relationship.
TAC 202.7 – (c) (2)
- The owner must engage the IRM, or designate, at the onset of any project to acquire computer hardware or to purchase or develop computer software. The costs of acquisitions, development and operation of computer hardware and applications must be authorized by appropriate management. Management and the requesting department must act within their delegated approval limits in accordance with the agency authorization policy. A list of standard software and hardware that may be obtained without specific, individual approval will be published.
Industry Best Practices
Disciplinary Actions
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of TSTC Information Resources access privileges, civil, and criminal prosecution.
Assistance
Any inquiries relating to this policy or the application of this policy should be referred to the Director, Network and Telecommunications Department.
References
|
Request Information