Tarleton OITS Use of Peer-to-Peer Sharing Software Standard

Tarleton Office of Innovative Technology Solutions (OITS)
Use of Peer-to-Peer Sharing Software Standard

Effective: February 11, 2020

Revised: June 12, 2026

Procedure Summary

This standard describes requirements related to the appropriate use of peer-to-peer (P2P) file- sharing software.

Tarleton State University’s (Tarleton or university) information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with Texas Government Code Chapter 2054. This standard applies to Tarleton information resources that store, process, or transmit mission critical and/or confidential information.

As an institution of higher education, Tarleton permits P2P software, as long as the software is appropriately licensed, and its use does not violate any university rules or standards, Texas A&M university System (TAMUS) policies or regulations, or federal/state laws. Generally, P2P software should be used only for legitimate university business. However, as with other software, brief and occasional personal use of P2P software is allowable. Use of P2P file sharing software may require special attention by individual users in order to prevent the unintended and inappropriate distribution of files.

The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer. This standard applies to the use of all P2P software/information resources used on Tarleton assets/devices, involving Tarleton information sharing, and/or on any devices using the Tarleton network (even if on a personal device). This standard will apply equally to all individuals who utilize Tarleton devices and access Tarleton information resources, including the Tarleton network.

Please see the Tarleton Security Controls Catalog, specifically the System and Services Acquisition (SA) family, specifically SA-8, Security and Privacy Engineering Principles, and SA-9, External System Services, for additional information and requirements.

Procedures and Responsibilities

This standard applies to all individually or university owned computing systems attached to the Tarleton network. The intended audience includes all university network users.
Any university network user using P2P file sharing software should be thoroughly familiar with the proper use, options and default settings of the particular P2P program. The user must ensure that the P2P program configuration does not allow automatic/unintended file sharing.
Insecurely configured file sharing programs may be cause for removal of network access from the hosting computer. This includes, but is not limited to, Windows file sharing with no password and other systems with unauthenticated and/or unrestricted uploading and/or downloading capabilities.
For instances in which the department is the owner-custodian or custodian of a system using P2P software, the department is responsible for ensuring compliance with this procedure.
Any violation or inappropriate use of P2P file sharing software shall be reported in accordance with the Tarleton Electronic Information Resource Complaints Standard.
The use of already available Tarleton P2P sharing software should be utilized when feasible and access for external users can be requested on a case-by-case basis depending on the business/use case. External access for collaborators on Tarleton business can be requested through an ITS Service Desk ticket and reviewed by the applicable ITS team(s). External collaborators are expected to comply with the Tarleton Security Controls Catalog requirements.

Definitions

Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.

Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.

Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).

Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.