Tarleton IT Standards for All
Effective: June 1, 2019
Revised: April 17, 2025
Procedure Summary
This Standard Administrative Procedure (SAP) applies to all Tarleton State University (Tarleton) students, employees (faculty/staff/student workers, etc.), and third parties that operate on behalf of Tarleton. The procedures and responsibilities defined below must be followed to help ensure appropriate conduct and use of state resources.
Procedures and Responsibilities
- University Incidental Use
- Permissible incidental use is defined in Texas A&M University System (TAMUS) Policy 33.04, Use of System Resources. The following restrictions and caveats also apply to incidental personal use of Tarleton information resources and data/information:
- A user may make incidental use of only those Tarleton information resources and/or data/information to which they have been authorized access;
- Incidental personal use is restricted to the authorized user and does not extend to family members or other acquaintances;
- Storage of personal electronic data (e.g., personal email messages, voice messages, and documents) within Tarleton information resources must be nominal; and
- All personal electronic data stored on, processed by, or transmitted by Tarleton information resources may be subject to open records requests per Texas Government Code Chapter 552 and may be accessed in accordance with this document and other policies/procedures.
- Protection of Confidential and Controlled Information.
- Users should constantly strive to minimize 1) the amount of confidential and controlled information stored on all their computing devices and 2) the transmission of such information to others.
- Users shall not store confidential or controlled information on a portable computing device (e.g., laptop, smartphone, USB storage device) or a non-Tarleton computing device (e.g., home workstation, Internet host) unless absolutely necessary.
- Users shall encrypt confidential and controlled information before 1) storing such information on a portable device or on a non-Tarleton owned device and before 2) transmitting such information over a non-Tarleton owned network, e.g. the Internet.
- Before a user may transfer confidential or controlled information to another institution of higher education, contractor, or other third party, that third party must affirm that they will protect the transferred data in accordance with the conditions imposed by the information owner, which conditions will contain, at a minimum, the conditions specified in this procedure and the Tarleton Security Controls Catalog.
- Users shall not delete information that is protected by records retention laws (e.g., Texas Gov’t Code Chapter 552, TAMUS Regulation 61.99.01, Retention of State Records) or e-discovery requirements. Such information includes emails and text messages. Users should contact the Tarleton Records Officer for more guidance.
- Users shall not perform mass file deletions without supervisory approval.
- Authenticators (e.g. Passwords)
- Users shall not share their authenticators with anyone.
- Users shall not ask for, accept, or use the authenticator of another user.
- If a user accidentally acquires another user’s authenticator, then the user should contact the Tarleton OITS Service Desk.
- If a user doubts the security of their own authenticator, the user shall change/replace the authenticator immediately. The user can perform an authenticator reset using the Tarleton Self-Service Password Manager. If a user doubts the security of another user’s authenticator, then the user should contact the Tarleton OITS Service Desk.
- Users must return physical authenticators (e.g., Smartcard/token) per the request of a supervisor or the token’s custodian, and/or upon termination of their relationship with Tarleton.
- Security Incident Reporting
- Users must report security incidents to the Tarleton OITS Service Desk (ext. 9885 or helpdesk@tarleton.edu).
- The Tarleton Office of Marketing and Communications will assist in handling all interactions with public or private media related to any security incident involving Tarleton information resources and/or sensitive information. All Tarleton employees must refer any questions about these issues to this office.
- If fraud or theft is suspected as part of a security incident detection, the person detecting the incident shall follow TAMUS Policy 10.02, Fraud Prevention.
- Hardware and Software
- Users shall secure unattended Tarleton portable devices (e.g. laptops, tablets, USB memory devices) by placing the resources in a locked room or tethering the resources with a security cable.
- Users shall not install or use the following software on a Tarleton information resource:
- Software for disabling, circumventing, or testing security measures, e.g., vulnerability scanners, password crackers, and packet sniffers;
- Software that is considered prohibited in accordance with TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies;
- Software for which the user does not have a valid license (also see TAMUS Regulation 29.01.02, Use of Licensed Software);
- Software for which the vendor is no longer supplying security patches;
- Proprietary encryption software or encryption software that is weaker than AES 256-bit; and
- Any other software that would violate or not conform with TAMUS Regulations: 29.01.03, Information Security, 29.01.04, Accessibility of Electronic and Information Resources, and 29.01.05, Artificial Intelligence, unless prior approval is received per applicable processes/procedures as mentioned in the above listed TAMUS Regulations.
- Users shall not make the following software changes on a Tarleton information resource unless they are also a custodian of the information resource and the change is authorized:
- Replace the operating system or boot the device from another operating system;
- Disable or modify Tarleton anti-malware and/or other security software;
- Turn off whole disk encryption;
- Change the domain to which the machine is attached; and
- Modify the network-interface configurations, e.g. IP address or protocols.
- Users shall not make the following changes to Tarleton hardware unless they are also a custodian of the information resource and the change is authorized:
- Replace or remove internal hardware components, e.g. network card, hard drive, etc.;
- Connect the device to a non-Tarleton network, or change how the device connects to the Tarleton network (i.e., change from a wired connection to wireless or vice versa);
- Format a Tarleton hard drive or other mass storage device;
- Attach network extending devices (e.g., access points, routers) to the Tarleton network;
- Attach personally-owned devices to a Tarleton network without prior approval or in a manner different from what Tarleton has approved; and
- Modify, in any way, Tarleton network devices (e.g. routers, firewalls), or network cabling other than station cables.
- Remote Access: Users remotely accessing an information resource (e.g., via VPN or Remote Desktop) shall use only those remote access methods that have been approved by Tarleton OITS.
- Consequences for Violations
- All users, including staff, tenured and non-tenured faculty, graduate assistants, student workers, interns, guests, volunteers, and probationary, temporary, or wage employees as well as contractors, consultants, and vendors, are required to adhere to this Tarleton procedure, and may be subject to criminal, civil, or disciplinary actions consistent with federal and state laws, TAMUS policies/regulations, and Tarleton policies/procedures.
- Individuals found in violation of this Tarleton procedure are subject to the removal of access privileges to Tarleton information resources (e.g. servers, workstations, email, etc.). In addition, contracts associated with contractors, consultants, or vendors are subject to review and possible termination. Any device, system, or software found in violation of this procedure may be confiscated and temporarily stored by the Information Resources Manager or a representative of the office.
- Additional guidance may be found in, but is not limited to, the following policies and rules:
- Texas A&M University System (TAMUS) Policy 01.03, Appointing Power and Terms and Conditions of Employment
- TAMUS Policy 07.01, Ethics
- TAMUS Policy 32.02, Discipline and Dismissal of Employees
- TAMUS Regulation 32.02.02, Discipline and Dismissal of Non-faculty Employees
- TAMUS Policy 33.04, Use of System Resources
- TAMUS Regulation 33.04.01, Use of System Resources for External Employment
Related Statutes, Policies, or Requirements
TAMUS Policy 29.01, Information Resources
TAMUS Regulation 29.01.02, Use of Licensed Software
TAMUS Regulation 29.01.03, Information Security
TAMUS Regulation 29.01.04, Accessibility of Electronic and Information Resources
TAMUS Regulation 29.01.05, Artificial Intelligence
TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies
Tarleton SAP 29.01.03.T0.01, Information Resources – Acceptable Use
Tarleton Rule 29.01.99.T1, Information Resources
Tarleton Security Controls Catalog
Contact Office
Office of Innovative Technology Solutions
AVP and CIO of Innovative Technology Solutions
254-459-5685