1. Governing Regulations
This procedure is governed by System Regulation 29.01.02, Use of Licensed Software and Texas Administrative Code (TAC), Title 1, Part 10, Chapter 202, Information Security Standards.
2. Purpose
2.1 Information resources are strategic assets of the State of Texas that must be managed as valuable state resources. The purpose of this procedure is the following:
- Establish prudent and acceptable practices regarding the use of information resources.
- Educate users about their responsibilities.
2.2 This procedure applies to all users of agency information resources.
3. Acceptable Use
3.1 Users will not attempt to access any data or programs contained on agency information systems for which they do not have authorization.
3.2 Users will not attempt to circumvent information security measures that are in place.
3.3 Users will exercise caution to protect their user accounts, passwords, etc., that are used for identification and authentication.
3.5 Users will not intentionally create, store, or transmit material that is offensive, indecent, or obscene.
3.6 Users will not intentionally transmit or make available for download material that is copyrighted (such as movies, videos, music, or photos) without permission from the material’s owner.
3.7 Users will not use agency information resources for personal gain or personal business.
3.8 Use of information resources for any unauthorized purpose may result in administrative or disciplinary actions or criminal prosecution.
4. Incidental Use
4.1 Incidental personal use of e-mail, internet access, fax machines, printers, copiers, and mobile devices is restricted to approved users; it does not extend to family members or other acquaintances.
4.2 Incidental use will not result in direct cost to the agency.
4.3 Incidental use will not interfere with normal departmental operations, nor with the performance of the employee’s work duties.
4.4 No files or documents may be created, sent, or solicited electronically that may cause legal action against or embarrassment to the agency. If you receive such files without your solicitation, delete them immediately.
4.5 Storage of personal e-mails and files within agency desktop computers, laptop computers, mobile devices, or networks must be nominal.
5. Internet/Intranet Use
5.1 Users will not visit web sites that are obscene, indecent, malicious, or objectionable.
5.2 Incidental use of the internet/intranet is subject to the incidental use and the acceptable use sections of this procedure.
5.3 Software for browsing the internet is provided to users for agency business only.
5.4 All software used to access the internet must be part of the agency’s standard software suite or approved by the Information Resources (IR) Department. This software must incorporate all security patches.
5.5 All files downloaded from the internet must be scanned for malware using the approved IR-distributed security solutions.
5.6 All websites accessed must comply with the acceptable use section of this procedure.
5.7 All web activity on information resource assets is subject to filtering, logging, monitoring, observation, and review.
5.8 Agency internet access must not be used for personal gain or personal solicitations.
5.9 Access to the internet from agency-owned, home-based computers or mobile devices must adhere to the same procedures that apply to use from within agency facilities.
5.10 When transmitting information of sensitive nature over the internet, ensure that the website is TLS secured. This can be verified by observing the padlock icon to the left of the address bar at the top of the browser.
6. E-mail Use
6.1 Employees must use their assigned e-mail address for all official e-mail correspondence within and outside of the agency.
6.2 Automatic forwarding of an employee’s e-mail to an external internet service provider account or other non-agency account shall be established only after approval from the Deputy Director, Associate Director for Finance and Administration, or the Chief Administrative Officer.
6.3 All e-mail activity is subject to filtering, logging, monitoring, observation, and review.
6.4 An employee will not send, receive, or store sensitive (confidential or non-public) information through non-agency e-mail accounts. Examples of non-agency e-mail accounts include, but are not limited to, Yahoo, Gmail, and e-mail provided by internet service providers.
6.5 An employee shall not store e-mails or attachments containing sensitive (or confidential) information on unencrypted portable computing devices. Examples of portable computing devices include, but are not limited to, laptops, flash drives, external hard drives, smart phones, tablets, and other cellular devices.
6.6 When sending e-mails or attachments containing sensitive information through the internet, users should encrypt the e-mail itself and ensure that the connection is TLS secured. This can be verified by observing the padlock icon to the left of the address bar at the top of the browser.
6.7 The following e-mail activities are prohibited:
- Sending e-mail that is disparaging, intimidating, or harassing.
- Using e-mail for conducting personal business.
- Using e-mail for political lobbying or campaigning.
- Violating copyright laws by inappropriately distributing protected works.
- Posing as someone else when sending e-mail (spoofing), except when authorized to send messages for another when serving in an administrative support role.
- Using unauthorized e-mail software.
- Sending unsolicited messages to large groups, except as required to conduct agency business.
- Sending or forwarding e-mail that is likely to contain malware.
7. Use of Digital Messaging Platforms
7.1 Digital messaging services can be used as a means to exchange near real-time messages, see whether a co-worker is online and connected (presence) and share text, files, and images.
7.2 Employees will use the agency approved messaging service, Microsoft Teams.
7.3 When using the agency messaging service, employees will follow the same acceptable use practices found in Section 6 that also apply to e-mail use.
7.4 Employees are prohibited from using messaging platforms outside the control of the agency to conduct business that would require content to be saved, discovered as an official record, or is sensitive in nature (contains Internal Use or Confidential data or data that should not be available to the general public). This includes using a contractor’s messaging platform to communicate with the contractor regarding agency business.
8. Authorized Software
8.1 All agency computers are outfitted with a standard software suite by the IR Department. Non-standard software must be purchased only through the IR Department.
8.2 Software licenses are assigned to individual computers and not to an employee. Software licenses may not be replicated. They may be transferred only from one computer to another.
8.3 Users must neither make unauthorized copies of software nor transfer software to another computer without approval from the IR Department.
8.4 Users will not download, install, or run security programs or software utility programs that may reveal or exploit weaknesses in the security of an information system. For example, users will not install or run password cracking programs.
8.5 Each employee is responsible for reporting evidence of use of unlicensed or malicious software to the IR Department.
8.6 The IR Department has the following responsibilities related to unlicensed software:
- Delete or destroy unlicensed installations and copies of software that are not needed, or immediately obtain a license for the package. Continually audit agency software licenses to determine usage and authorization.
- Educate employees concerning:
  - the boundaries of “acceptable use” of information resources to prevent the installation and use of unlicensed software, and
  - the responsibility for reporting evidence of willful misconduct in this area to the IR Department.
- The Information Resources Department Head has overall responsibility for agency licensing compliance.
9. Prohibited Software
9.1 The Texas Department of Information Resources (DIR) maintains a list of prohibited technologies on the DIR website at: Covered Applications and Prohibited Technologies. This list may change at any time without warning.
9.2 Agency employees and contractors are prohibited from installing software on agency-owned computing devices (including all portable computing devices as defined in section 10) that is produced wholly or in part by a vendor on the DIR prohibited technology list or one of its subsidiaries.
9.3 Agency-owned computing devices will be scanned by the IR Department at regular intervals. Any prohibited software found on the devices will be immediately removed unless an exception has previously been approved for the software.
9.4 Exceptions to allow prohibited software on agency-owned computing devices must be reviewed and approved by the Information Resources Department Head and the Agency Director. Exceptions are treated as high residual risk as defined in 1 TAC 202.75(4)(B). Exceptions will only be granted if the prohibited software is required for one of the following reasons:
- Law enforcement and public safety investigations
- Other investigations and adjudications required by law, regulation or policy
- Enforcement of system-owned intellectual property rights
- Research in which a prohibited technology is critical to the project and an approved technology control plan is in place to protect agency research security, data, and networks
- For purposes of developing, implementing, and/or testing information security measures.
10. Portable Computing
10.1 Portable computing devices include notebook or laptop computers, handheld devices (smart phones, tablets), flash drives, external drives, etc. or any computing device that is capable of storing, receiving, and/or transmitting information.
10.2 Confidential information must not be stored on unencrypted portable computing devices. Any exceptions to this requirement must be approved by the Chief Administrative Officer.
10.3 All portable computing devices will be password-protected to prevent unauthorized access.
10.4 Portable computing devices will be kept physically secure using appropriate means commensurate with the associated risk.
10.5 Confidential information must not be transmitted from portable computing devices unless approved encryption techniques (for example, transport layer security, encrypted e-mail, drive encryption) are utilized.
10.6 If a portable computing device is either lost or stolen, it must be reported to the IR Department immediately.
10.7 Where appropriate, portable computing devices must be equipped with agency approved endpoint management and security solutions.
10.8 All data stored on portable computing devices will be scanned for malware continually during usage.
11. Personal Device Use for Agency Business
11.1 Agency business is defined as using the device to access any state/agency-owned data, applications, email accounts, non-public facing communications, VoIP, SMS, video conferencing, CAPPS, Texas.gov, and any other state/agency databases or applications.
11.2 Agency employees and contractors are prohibited from conducting agency business, connecting to agency computing networks (wired and wireless), connecting to the agency VPN service, or accessing state/agency resources on personal computing devices (including portable computing devices as defined in section 10) if the device has installed prohibited applications or contains prohibited hardware.
12. Security Awareness and Training
12.1 Computing devices such as desktop and laptop computers, tablets, smart phones, flash drives, and external drives are vital to the agency’s business operations. When any computing device is either missing or stolen, the information (or data) stored in the device may be more important than the device itself. Therefore, in addition to the physical security of these devices, precautionary measures must be taken to secure the data.
12.2 Flash drives and external storage media are portable, convenient, and can hold a large amount of data. Often these devices are stored along with laptops and are likely to be incidental to the theft. When such a device is either missing or stolen, valuable information is lost and cannot be replaced easily.
12.3 Please follow these simple steps to protect your data:
- Ensure that Windows updates, software updates, and malware definition updates are completed regularly.
- Create strong passwords that are difficult to guess or crack, and change passwords periodically.
- Be aware of malware and phishing when browsing the internet.
- Do not write down usernames and passwords and post or store them near the device.
- Do not store confidential information, such as social security numbers, banking information, credit card numbers or any information that is protected by various privacy laws and regulations. This information should be stored on encrypted devices and secure cloud providers (such as OneDrive for Business).
- Do not transmit or store confidential information through unencrypted e-mail.
- Do not give out personal information via e-mail or over the internet.
- Do not click on internet links that are unfamiliar or are not from a reliable source.
- Do not respond to e-mails that request your personal information, passwords, etc.
12.4 All agency employees (full-time, part-time, seasonal, and student workers) will complete information security awareness training during new employee orientation and on a periodic basis during employment. (See Administrative Procedure 10.31 Required Employee Training.)
12.5 Contractors requiring access to agency information resources must complete agency-approved information security awareness training prior to receiving access to the information resources and on a periodic basis during the life of the contract.
13. Protecting Computer Devices
13.1 Portable computing devices should be stored out of sight when not in use.
13.2 Users will not expose desktop, laptop, or other computing devices to environmental conditions such as extreme heat, humidity, cold, extended periods of direct sunlight, or magnetic fields.
13.3 Users will take precautionary measures to isolate computing devices from flammable materials.
13.4 When feasible, users should use an uninterruptible power supply or a surge protector to protect computers from power surges.
13.5 Users should exercise care when moving computers within offices or transferring computers between locations.
13.6 All desktop and laptop computers are preset to enable password protected screen saver after 30 minutes of inactivity. This security setting shall not be changed.
13.7 All agency applications, computers, and servers shall display the following disclaimer prior to a user logging in:
“This Computer System and all data herein are official State of Texas Resources and as such are available only for authorized purposes by authorized users. Use for any other purpose may result in administrative/disciplinary actions or criminal prosecution against the user. Usage is subject to monitoring and security testing. The user should have no expectation of privacy except as otherwise provided by applicable privacy laws.”
13.8 Personnel access to offices and buildings must be controlled through the established key control process at each office location for both digital and physical key systems.
14. Export Controls
An employee should contact the Compliance Coordinator prior to shipping or hand-carrying any agency portable computing device outside the United States.
15. Backup and Recovery
15.1 All information considered of institutional value must be copied to one or more backup storage solutions on a regular basis (backed up) for disaster recovery and business continuity. All backup solutions should include an off-site component where technically feasible. Systems considered mission-critical shall be stored in a secure, off-site location.
15.2 Electronic backups are a means to enable the recovery of data and applications in case of events such as natural disasters, storage media failure, data corruption, data entry errors, or system operations errors.
15.3 Centralized systems, servers, and mission-critical applications maintained by the agency (for example database web applications) will be backed up on a regular basis by the IR Department.
15.4 Desktops, laptops, and other computing devices at remote locations should be backed up by the personnel to whom they are assigned. Users are individually responsible for providing adequate primary backups to ensure the recovery of institutional data in the event of failure or loss. The agency provides each user with the ability to store and share data via an approved secure enterprise data storage service (such as OneDrive for Business).
The following steps should be used to back up the data:
- Install and enable agency approved enterprise data storage software to perform the automatic backup of data (preferred).
- Periodically run backups to an external device (optional).
- Choose a backup frequency based on the criticality of the data. In general, it is recommended to perform a computer backup consisting of individual user profile data (i.e., desktop, documents, favorites, pictures, etc.) at a minimum. Using the agency approved enterprise data storage system, backup is continuous when connected to the network.
- If utilized, external backup devices should be stored in a separate, secure location whenever feasible.
16. Disciplinary Action
16.1 Circumvention of established information security controls is prohibited. Failure to comply with this procedure may result in disciplinary action by the agency.
16.2 Consequences may include administrative actions, such as loss of access privileges, and/or disciplinary actions up to and including termination of employment.