V1.0 February 13, 2023

1.0 Introduction

1.1 Purpose

On December 7, 2022, the Governor of Texas required (https://gov.texas.gov/uploads/files/press/State_Agencies_Letter_1.pdf) all state agencies to ban the video-sharing application TikTok from all state-owned and state-issued devices and networks over the Chinese Communist Party’s ability to use the application for surveilling Texans. Governor Abbott also directed the Texas Department of Public Safety (DPS) and the Texas Department of Information Resources (DIR) to develop a plan providing state agencies guidance on managing personal devices used to conduct state business.

In addition to TikTok, San Jacinto Community College District (“College”) may add other software and hardware products with security concerns to this policy and will be required to remove prohibited technologies which are on the DIR prohibited technology list. Throughout this Policy, "Prohibited Technologies" shall refer to TikTok and any additional hardware or software products added to this Policy.

1.2  Scope

This policy applies to College full and part-time employees, contractors, and paid or unpaid interns (“College Users”). College Users are responsible for complying with the terms and conditions of this policy.

Registered and paid Students (“Students”) are exempt from this policy. Students who are not provided access to College-owned devices are restricted to only use a personal device that is privately owned or leased by the Student or a member of the Student’s immediate family or the Student’s ISD or Academy, and the College will include network security considerations to protect the College’s network and data from traffic related to prohibited technologies.

College business includes accessing any College-owned data, applications, email accounts, non-public facing communications, state email, VoIP, SMS, video conferencing, CAPPS, Texas.gov, and any other state databases or applications (“College Business”).

Mobile, desktop, or other internet capable devices that are funded by the College and provided to College Users and Students to conduct College Business are regarded as College-owned devices (“College-owned devices”).

Mobile, desktop, or other internet capable devices owned by College Users, Students, other institutions, businesses and other organizations are regarded as Personal-owned devices (“Personal-owned devices”).

2.0  Policy

2.1  College-Owned Devices

Except where approved exceptions apply, the use or download of prohibited applications or websites is prohibited on all College-owned devices.

The College must identify, track, and control College-owned devices to prohibit the installation of or access to all prohibited applications. This includes the various prohibited applications for mobile, desktop, or other internet capable devices.

In particular, the College must manage all College-issued mobile devices by implementing the following security controls:

a.     Restrict access to “app stores” or non-authorized software repositories to prevent the installation of unauthorized applications.

b.    Maintain the ability to remotely wipe non-compliant or compromised mobile devices.

c.     Maintain the ability to remotely uninstall unauthorized software from mobile devices.

d.    Deploy secure baseline configurations for mobile devices, as determined by the College.

2.2  Personal Devices Used For College-Business

College Users may not install or operate prohibited applications or technologies on any personal device that is used to conduct College Business.

College Users are allowed the use of personal devices to only conduct College business limited to the use of SOS, Blackboard, Instructional Software and Applications, Zoom, Office 365 Outlook, Teams, Productivity Tools and other instructional and collaborative software and applications (“Instructional and Collaborative Applications”). Such Instructional and Collaborative Applications are reviewed to ensure regulatory compliance with access protected by Multi-factor Authentication (MFA) and defense in depth.

2.3  Identification of Sensitive Locations

Data rooms, data closets, emergency operations center and any other location are regarded as sensitive locations (“Sensitive Locations”). Visitors granted access to sensitive locations are subject to the same limitations as College Users on unauthorized personal devices when entering sensitive locations.     

2.4  Network Restrictions

To ensure multiple layers of protection, the College will implement additional network-based restrictions to include:

a.     Configure College firewalls to block access to statewide prohibited services on all College technology infrastructures, including local networks, WAN, and VPN connections. Ensure periodic evaluation of rules as URLs, domains, and IP addresses may change frequently.  

b.    Prohibit personal devices with prohibited technologies installed from connecting to College technology infrastructure or data. 

c.     Provide a separate network for access to prohibited technologies with the approval of the Chancellor.

2.5  Ongoing and Emerging Technology Threats

To provide protection against ongoing and emerging technological threats to the state’s sensitive information and critical infrastructure, DPS and DIR will regularly monitor and evaluate additional technologies posing concerns for inclusion in this policy.

DIR will host a site that lists all prohibited technologies including apps, software, hardware, or technology providers. The prohibited technologies list can be found in Addendum A. New technologies will be added to the list after consultation between DIR and DPS.

The College will implement the removal and prohibition of any listed technology.  The College may prohibit technology threats in addition to those identified by DIR and DPS.

3.0 Policy Compliance

All College Users shall sign a document annually confirming their understanding of this policy. This process is to be included in the Annual Cybersecurity Awareness training and added to Procedure 2-3-a(rev) Individual Responsibilities for Computing Resources.

Compliance with this policy will be verified through various methods, including but not limited to, IT/security system reports and feedback to agency leadership.

College Users found to have violated this policy may be subject to disciplinary action, including termination of employment.

4.0 Exceptions

Exceptions to the ban on prohibited technologies may only be approved by the Chancellor. This authority may not be delegated. All approved exceptions to the TikTok prohibition or other statewide prohibited technology must be reported to DIR. Exceptions to the policy will only be considered when the use of prohibited technologies is required for a specific business need, such as enabling criminal or civil investigations or for sharing of information to the public during an emergency.

Addendum A

The up-to-date list of prohibited technologies is published at https://dir.texas.gov/information-security/prohibited-technologies.

Prohibited Software/Applications/Developers

  • TikTok

  • Kaspersky

  • ByteDance Ltd.

  • Tencent Holdings Ltd.

  • Alipay

  • CamScanner

  • QQ Wallet

  • SHAREit

  • VMate

  • WeChat

  • WeChat Pay

  • WPS Office

  • Any subsidiary or affiliate an entity listed above.

Prohibited Hardware/Equipment/Manufacturers

  • Huawei Technologies Company

  • ZTE Corporation

  • Hangzhou Hikvision Digital Technology Company

  • Dahua Technology Company

  • SZ DJI Technology Company

  • Hytera Communications Corporation

  • Any subsidiary or affiliate an entity listed above.

Need More Help?

Please contact the OfficeofCybersecurity@sjcd.edu with any questions regarding the above directive.