Skip to main content

Information Technology Services (ITS)

IT Standard Administrative Procedures

Acceptable Use Policy

Introduction

Computers, networks, and electronic information systems are essential resources for accomplishing Texas A&M University–Kingsville’s mission of instruction, research, and public service. Under the Information Resources Management Act (Texas Government Code § 2054), these information resources are considered strategic assets of the State of Texas and must be protected and managed accordingly.

Purpose

The purpose of this Acceptable Use Policy is to ensure compliance with applicable statutes, regulations, and mandates, including Texas Administrative Code §202.

This policy establishes acceptable and prohibited uses of university information resources and defines user responsibilities necessary to protect the confidentiality, integrity, and availability of information resources.

NIST SP 800-53 controls: PL-1 (Security Planning Policy and Procedures), PL-4 (Rules of Behavior), and AT-1 (Security Awareness and Training Policy),

TAC §202.71 (Security Program Responsibilities) and TAC §202.76 (Training and Awareness).

                 

Audience

The Texas A&M University-Kingsville Acceptable Use policy applies equally to all individuals granted access privileges to any Texas A&M University-Kingsville Information Resource. This policy applies to all individuals granted access to Texas A&M University–Kingsville information resources, including faculty, staff, students, contractors, vendors, and affiliates. This policy applies to all University-owned, University-managed, or University-controlled information resources, regardless of location or method of access.

NIST SP 800-53 controls: AC-1 (Access Control Policy and Procedures) and PL-2 (System Security Plan), TAC §202.72 (Security Controls).

 

  1. Ownership of Electronic Information

1.1 Electronic files created, transmitted, received, or stored on information resources owned, leased, administered, or otherwise under the custody or control of Texas A&M University–Kingsville are the property of the University.

1.2 This ownership applies to the physical electronic files and does not alter any intellectual property rights granted under other University or Texas A&M University System policies.

NIST SP 800-53 controls: CM-1 (Configuration Management Policy and Procedures), MP-7 (Media Use), and UL-1 (Use Limitations),

TAC §202.72 (Security Controls) and TAC §202.73 (Risk Management).

 

  1. Privacy and Monitoring

2.1 Users do not expect privacy when using University information resources.

2.2 Authorized University personnel may monitor, access, review, or disclose electronic files, communications, and system activity in accordance with Texas Administrative Code §202 and applicable law.

NIST SP 800-53 controls: SI-4 (System Monitoring), AU-2 (Event Logging), AU-6 (Audit Review, Analysis, and Reporting), and UL-1 (Use Limitations),

TAC §202.72 (Security Controls)

TAC §202.74 (Security Monitoring).

 

  1. Acceptable Use

3.1 Information resources shall be used only for authorized University purposes.

3.2 Users shall access only those systems and data for which they have been explicitly authorized.

3.3 Users shall protect authentication credentials and shall not share accounts, passwords, or access mechanisms.

3.4 Users shall comply with applicable copyright laws, licensing agreements, and intellectual property requirements.

3.5 Users shall promptly report suspected security incidents, weaknesses, or policy violations to appropriate University authorities.

NIST SP 800-53 controls: PL-4 (Rules of Behavior), AC-2 (Account Management), AC-3 (Access Enforcement), AC-6 (Least Privilege), IA-2 (Identification and Authentication), IA-5 (Authenticator Management), and AT-2 (Security Awareness Training).

TAC §202.72 (Security Controls)

TAC §202.76 (Training and Awareness).

 

  1. Prohibited Use

4.1 Users shall not bypass, disable, or attempt to circumvent security controls.

4.2 Users shall not intentionally access, modify, disclose, or destroy information without authorization.

4.3 Users should not introduce malicious software or engage in activities that disrupt or degrade information resources.

4.4 Users shall not install or operate unauthorized software, services, servers, or network devices.

4.5 Users shall not use information resources for personal gain, illegal activities, or actions contrary to the mission or governing documents of the University.

4.6 Users shall not create, store, or transmit offensive, obscene, or unlawful material, except where explicitly approved for academic research.

NIST SP 800-53 controls: PL-4 (Rules of Behavior), CM-7 (Least Functionality), SC-7 (Boundary Protection), SI-3 (Malicious Code Protection), and SR-2 (Supply Chain Risk Management Policy).

TAC §202.72 (Security Controls)

TAC §202.73 (Risk Management).

 

  1. Security Requirements

5.1 Devices connected to university networks shall comply with university security standards.

5.2 Unauthorized scanning, monitoring, or exploitation of systems is prohibited.

5.3 University access credentials shall not be used by unauthorized individuals.

NIST SP 800-53 controls: AC-17 (Remote Access), SI-7 (Integrity Monitoring), CM-2 (Baseline Configuration), and CM-6 (Configuration Settings), and aligns with

TAC §202.72 (Security Controls)

TAC §202.74 (Security Monitoring).

 

  1. Incidental Use

6.1 Limited incidental personal use of information resources is permitted, provided it does not interfere with university operations or job responsibilities.

6.2 Incidental use shall not incur cost to the University or violate law or policy.

6.3 All data created or stored during incidental use remains subject to this policy.

NIST SP 800-53 controls: UL-1 (Use Limitations) and PL-4 (Rules of Behavior).

TAC §202.72 (Security Controls).

 

  1. Incident Reporting

7.1 All suspected or confirmed information security incidents shall be reported immediately to the appropriate University authorities.

NIST SP 800-53 controls: IR-1 (Incident Response Policy and Procedures) and IR-6 (Incident Reporting).

TAC §202.75 (Incident Management).

 

  1. Enforcement and Disciplinary Action

8.1 Violations of this policy may result in revocation of access privileges and disciplinary action.

8.2 Disciplinary action may include termination, dismissal, expulsion, or other actions as permitted by law.

8.3 Violations may also result in civil or criminal prosecution.

NIST SP 800-53 controls: PL-4 (Rules of Behavior) and PS-8 (Personnel Sanctions).

TAC §202.71 (Security Program Responsibilities).

 

  1. Compliance Alignment

9.1 This policy supports compliance with NIST Special Publication 800-53 and Texas Administrative Code §202 Information Security Standards.

NIST SP 800-53 controls: PL-2 (System Security Plan) and RA-1 (Risk Assessment Policy and Procedures).

TAC §202.72 (Security Controls).

Acceptable Use Policy

NIST SP 800-53 ↔ TAC §202 Crosswalk

NIST SP 800-53 ↔ TAC §202 Crosswalk

Policy Section

NIST SP 800-53 Control(s)

TAC §202 Subsection(s)

1. Purpose

PL-1, PL-4, AT-1

§202.71, §202.76

2. Scope and Applicability

AC-1, PL-2

§202.72

3. Ownership of Electronic Information

CM-1, MP-7, UL-1

§202.72, §202.73

4. Privacy and Monitoring

SI-4, AU-2, AU-6, UL-1

§202.72, §202.74

5. Acceptable Use

PL-4, AC-2, AC-3, AC-6, IA-2, IA-5, AT-2

§202.72, §202.76

6. Prohibited Use

PL-4, CM-7, SC-7, SI-3, SR-2

§202.72, §202.73

7. Security Requirements

AC-17, SI-7, CM-2, CM-6

§202.72, §202.74

8. Incidental Use

UL-1, PL-4

§202.72

9. Incident Reporting

IR-1, IR-6

§202.75

10. Enforcement and Disciplinary Action

PL-4, PS-8

§202.71

11. Compliance Alignment

PL-2, RA-1

§202.72