Workstation Security Standard
Overview
To reasonably protect information resources (including data, systems, applications, user identities, communication platforms, and supporting infrastructure), UA has established and enforces minimum technical, administrative, and physical control standards. Additional or more rigorous controls may be applied, but the controls listed within this standard are the minimum UA adopted requirements.
This standard is designed to align with applicable regulatory requirements, contractual obligations, and recognized industry best practices. Controls are determined based on the risk classification of the device, application, service, or data being accessed.
- Scope
- Definitions
- UA Workstation
- Security Control
- University Approved Software
- Privileged Access Workstation (PAW)
- Sensitive or Regulated Data
- CIS Benchmarks
- System Risk Definitions
- System Risk Levels
- UA Assurance Levels
- Standard
- System Management
- Whole-Disk/Full-Disk Encryption
- Local Administrator Password Rotation
- Remove/Actively Manage Local Administrator Permissions
- Endpoint Detection and Response (EDR)
- Vulnerability Scanning
- Patching
- Secure Baseline Configuration
- Backups
- Host Firewall
- Multi-Factor Authentication (MFA)
- Audit Log Collection and Retention
- Physical Protections
- Require Network Time Protocol (NTP)
- Screen Lock
- Application Allowlisting
- Logon Banner
- USB Mass Storage Allowlisting
- Disable Macros in MS Office Docs from Internet
- Review/Approve Browser and Other User-Installable Extensions
- File Integrity Monitoring (FIM) on High Risk Systems
- Temporary File Cleanup
- Cached Credential Cleanup
- Limit Unsuccessful Login Attempts
- Loss/Theft
- Disposal of Devices
- Use of Personal Devices for University Business
- Violations and Exceptions
- Implementation
- Related Standards
- References
- Lifecycle and Contacts
Scope
Information Security and Assurance (ISA) Standards are mandatory and apply to the UA System and all users of UA computing resources. This standard supplements and supports Board of Regents Policy & Regulation R02.07. These standards are reviewed and approved by the CIO Management Team (CMT), a system-wide governance group consisting of each university CIO, the System CITO, and the System CISO. Business units maintaining their own security standards should use this standard as a baseline and may add requirements or detail as appropriate for their business needs, but may not weaken any individual element of this standard without an approved Information Security Controls Exception.
This standard is periodically reviewed and updated to respond to emerging threats, changes in legal and regulatory requirements, and technological advances.
This security standard applies to all UA workstations.
Definitions
- UA Workstation
  Any computing device either purchased with university funds, including grant funds, or acquired by other means in order to support the universities’ academic, research, administrative, or operational functions. A typical workstation is a desktop or laptop computer running Windows, Linux, or macOS that is used to perform daily tasks.
- Security Control
  A security measure, such as a tool, process, or guideline, that helps protect university information and systems. Security controls help ensure that UA data stays private, accurate, and available when it is needed.
- University Approved Software
  Applications or services that have been approved through the UA Software Review Process.
- Privileged Access Workstation (PAW)
  A system designed with strict security controls and isolation mechanisms to reduce the attack surface for administrative tasks, such as domain administration, system configuration, or managing critical infrastructure.
- Sensitive or Regulated Data
  Information that must be protected by law or in accordance with industry best practices. At the University of Alaska, this data is classified as “Restricted” and includes multiple data types, including Personally Identifiable Information (PII), Family Educational Rights and Privacy Act (FERPA) records, Health Insurance Portability and Accountability Act (HIPAA) data, financial data, Criminal Justice Information Services (CJIS) data, International Traffic in Arms Regulations (ITAR) data, and others. For more information and examples, see “Restricted” data in Board of Regents Regulation R02.07.094, Data Classification Standards: Categories.
- CIS Benchmarks
  CIS Benchmarks are best practices for the secure configuration of a computing system. Most CIS Benchmarks include multiple configuration profiles.
  - Level 1 profile: Considered a base recommendation that can be implemented quickly, addresses common security risks, and does not significantly impact usability.
  - Level 2 profile: Considered “defense in depth” and intended for environments where security is paramount; these recommendations can impact usability.
- System Risk Definitions
  - Low: A UA Workstation that only processes, stores, or transmits information that is appropriate or intended for public release, including information that would be releasable without restriction or redaction in response to an Alaska Public Records Act request.
  - Medium: A UA Workstation that processes, stores, or transmits any information where a compromise would have moderate adverse effects on UA’s operations, assets, or individuals.
  - High: A UA Workstation that processes, stores, or transmits any information where a compromise would result in serious to severe adverse effects on UA operations, security, legal standing, research integrity, or individuals’ privacy.
- System Risk Levels
  System Risk Levels (Low, Medium, and High) are assigned to workstations according to the definitions above; representative examples follow.
| System Risk Level | Examples |
| Low (Level 1) | Library kiosk or public access computers; general use (public) computer lab workstations; reception desk (shared) |
| Medium (Level 2) | Faculty or staff workstations; student employee workstations |
| High (Level 3) | Principal Investigator (PI) workstation; Privileged Access Workstation (PAW); HIPAA-covered entity workstation; financial admin workstation |
- UA Assurance Levels
UA Assurance Levels, which set the rules for verifying who someone is and how they log in securely, are defined in the Password and Authentication Standard.
Standard: Workstation Security Controls
System Management
| Control | Low | Medium | High |
| Workstations should be set up, updated, and maintained by either unit IT departments or the central University IT team, using approved university tools. | Recommended | Recommended | Required |
| Enable remote wipe capabilities for managed devices wherever possible. | Required | Required | Required |
| Enable location services for managed devices wherever possible. | Required | Required | Required |
Centrally managing workstations reduces risk, improves operational efficiency, and makes it easier to enforce and prove compliance with cybersecurity standards.
| Framework | Mapping | Description |
| NIST 800-171 | 3.4.1, 3.4.3 | Consistently apply controls |
| NIST CSF | ID.AM-01, PR.PS-01 | Asset inventory, configuration management |
| CIS v8.1 | 1.1, 4.1 | Asset inventory, secure configuration process |
Whole-Disk/Full-Disk Encryption
| Control | Low | Medium | High |
| Workstations must be encrypted using a FIPS 140-2 validated full-disk encryption solution. | Recommended | Recommended | Required |
| Encryption keys (including recovery keys) must be securely stored in a managed enterprise vault. | Recommended | Recommended | Required |
Enabling whole (or full) disk encryption is a critical cybersecurity best practice because it protects sensitive data at rest, especially in scenarios where a device is lost, stolen, or improperly decommissioned.
| Framework | Mapping | Description |
| NIST 800-171 | 3.13.11, 3.8.6 | FIPS-validated cryptography for CUI; cryptographic protection of CUI on digital media during transport |
| NIST CSF | PR.DS-1 | Data-at-rest protection |
| CIS v8.1 | 3.4 | Encryption of sensitive data on endpoints |
Local Administrator Password Rotation
| Control | Low | Medium | High |
| Implement a local administrator password management solution with unique per-device passwords. | Recommended | Required | Required |
| Where a local administrator account is enabled, rotate its password at least every 180 days or upon role changes. Automating the rotation is recommended wherever possible. | Required | Required | Required |
Rotating local administrator credentials on workstations is a critical security practice because it prevents credential reuse, limits lateral movement, and reduces insider and external threat risk.
| Framework | Mapping | Description |
| NIST 800-171 | 3.1.1, 3.1.2, 3.1.5, 3.1.6, 3.5.3, 3.5.6, 3.5.7 | Ties to access control, least privilege, password policy |
| NIST CSF | PR.AC-1, PR.AC-4, PR.IP-1, PR.IP-3, DE.CM-7 | Identity and access management + secure config |
| CIS v8.1 | 4.3, 4.4, 4.6, 5.2, 5.4, 5.5 | Privileged access, password uniqueness, vaulting |
Remove/Actively Manage Local Administrator Permissions
| Control | Low | Medium | High |
| Remove persistent local administrator privileges for standard users. | Required | Required | Required |
| Restrict local admin access to approved users through Just-In-Time (JIT) access solutions such as Privileged Access Management (PAM). | Recommended | Recommended | Required |
| Require MFA for privileged access. | Required | Required | Required |
| Use a privileged access workstation (PAW) for domain administration or managing critical infrastructure. | N/A | N/A | Required |
This control reduces risk by ensuring that standard users do not have continuous administrative access on their devices — a foundational principle for least privilege and limiting lateral movement.
| Framework | Mapping | Description |
| NIST 800-171 | 3.1.2, 3.1.5, 3.1.6 | Remove unnecessary admin rights, least privilege |
| NIST CSF | PR.AA-04, PR.AA-05 | Permissions and privileged access restricted |
| CIS v8.1 | 4.7 | Permissions and Privileged access restricted |
Endpoint Detection and Response (EDR)
| Control | Low | Medium | High |
| Deploy university approved endpoint detection and response (EDR) solutions. | Required | Required | Required |
| Configure EDR to monitor for unusual activity in real time and take automatic action to stop threats. | Required | Required | Required |
This control is about deploying real-time endpoint monitoring and automated threat response, key to detecting and stopping malicious activity (e.g., malware, lateral movement, fileless attacks) before it escalates.
| Framework | Mapping | Description |
| NIST 800-171 | 3.14.6 | Monitor system for attacks and unusual conditions |
| NIST CSF | DE.CM-09, RS.MI-01 | Systems are monitored and incidents are contained |
| CIS v8.1 | 10.1 | Deploy and maintain antimalware software |
Vulnerability Scanning
| Control | Low | Medium | High |
| Using a university approved tool, conduct authenticated or agent-based vulnerability scans on all workstations at least weekly, in accordance with UA’s Vulnerability and Patch Management Standard. | Required | Required | Required |
Regularly scanning workstations for vulnerabilities helps find and fix security weaknesses before attackers can exploit them. Since workstations are often the first target in cyberattacks, it's important to keep them closely monitored.
| Framework | Mapping | Description |
| NIST 800-171 | 3.11.2, 3.14.1 | Vulnerability monitoring and scanning, remediate flaws |
| NIST CSF | ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded |
| CIS v8.1 | 7.1, 7.5, 7.6 | Establish and maintain automated vulnerability scans of assets |
Patching
| Control | Low | Medium | High |
| Apply security patches in accordance with UA’s Vulnerability and Patch Management Standard. | Required | Required | Required |
| Wherever possible, enable automatic updates for software and operating systems. | Required | Required | Required |
This control ensures that known vulnerabilities are addressed in a timely, consistent, and scalable way by automating the patching process — reducing the window of exposure for exploit attempts.
| Framework | Mapping | Description |
| NIST 800-171 | 3.14.1 | Identify, report, and correct system flaws |
| NIST CSF | PR.PS-02 | Software is maintained, replaced, and removed commensurate with risk |
| CIS v8.1 | 7.7 | Remediate detected vulnerabilities |
Secure Baseline Configuration
| Control | Low | Medium | High |
| Deploy workstations using hardened configurations based on the appropriate CIS Benchmark profile. | Level 1 | Level 1 | Level 2 |
| Enforce configurations via university approved tools. | Required | Required | Required |
This control ensures that default, insecure settings are eliminated and that systems are provisioned with security-focused baselines. Hardened configurations reduce the attack surface from the moment a system is deployed.
| Framework | Mapping | Description |
| NIST 800-171 | 3.4.1, 3.4.2 | Develop baseline configuration, as restrictive as operations allow |
| NIST CSF | PR.PS-01 | Configuration management practices are established and applied |
| CIS v8.1 | 4.1, 4.6 | Establish and maintain a secure configuration process, securely manage assets |
Backups
| Control | Low | Medium | High |
| Workstation data should be backed up to encrypted storage (either cloud or on-premises). | Recommended | Recommended | Required |
| Implement continuous backup solutions. | Recommended | Recommended | Required |
| Test backups regularly. | Annually | Annually | Quarterly |
This control ensures the availability and recoverability of workstation data in the event of loss, theft, ransomware, or hardware failure — and that backups are encrypted to protect confidentiality.
| Framework | Mapping | Description |
| NIST 800-171 | 3.8.8 | System backup, cryptographic protection |
| NIST CSF | PR.DS-01, PR.DS-11 | Backups of data are created, protected, maintained and tested |
| CIS v8.1 | 11.1, 11.2, 11.3, 11.5 | Establish, maintain, perform, protect and test data recovery |
Host Firewall
| Control | Low | Medium | High |
| Enable and configure host-based firewalls. | Recommended | Required | Required |
| Block all inbound traffic unless explicitly allowed. | Recommended | Recommended | Required |
| Enable logging of connections dropped by firewall rules. | Recommended | Recommended | Required |
This control ensures that endpoint firewalls are actively protecting the system from unauthorized access attempts and providing audit trails for monitoring and incident response.
| Framework | Mapping | Description |
| NIST 800-171 | 3.13.1, 3.13.6, 3.3.1 | Boundary protection, deny by default, event logging |
| NIST CSF | PR.IR-02 | Assets protected from environmental threats |
| CIS v8.1 | 4.5, 8.2 | Firewalls and port filtering on end-user devices |
Multi-Factor Authentication (MFA)
| Control | Low | Medium | High |
| Enforce MFA for all workstation logins. | Recommended | Recommended | Required (FY27) |
| Require MFA for privileged access. | Required | Required | Required |
This control ensures that both standard and privileged users are required to provide at least two authentication factors when logging into workstations, significantly reducing the risk of unauthorized access due to credential compromise.
| Framework | Mapping | Description |
| NIST 800-171 | 3.5.3 | Implement MFA for privileged and non-privileged accounts |
| NIST CSF | PR.AA-03 | Users, services, and hardware are authenticated |
| CIS v8.1 | 6.5 | Require MFA for administrative access |
Audit Log Collection and Retention
| Control | Low | Medium | High |
| Enable detailed logging for system, security, and application events. | Recommended | Recommended | Required |
| Retain logs as required by relevant compliance obligations. | N/A | N/A | Required |
| Forward logs to a university-approved SIEM or log management solution. | Required | Required | Required |
This control ensures that critical security events are not only captured locally but also centralized for monitoring, correlation, threat detection, and incident response.
| Framework | Mapping | Description |
| NIST 800-171 | 3.3.1, 3.3.2 | Create and retain audit logs, ensure detail for reporting |
| NIST CSF | DE.CM-09, PR.PS-04 | Log records are generated and made available for monitoring |
| CIS v8.1 | 8.2, 8.5, 8.9, 8.10 | Collect, centralize, and retain detailed audit logs |
Physical Protections
| Control | Low | Medium | High |
| Workstations must be stored in a physically secure location. | Recommended | Recommended | Required |
| Enable BIOS/UEFI password protection. | Recommended | Recommended | Required |
| Disable boot from USB/DVD in BIOS/UEFI. | Recommended | Recommended | Required |
This control prevents unauthorized users from modifying firmware settings or bypassing the operating system's security controls by booting from external devices (e.g., USB drives). It's an essential part of pre-boot security and helps defend against physical tampering, data theft, and persistence mechanisms used by attackers.
| Framework | Mapping | Description |
| NIST 800-171 | 3.14.2 | Malicious code protection |
| NIST CSF | PR.PS-01 | Configuration management established and applied |
| CIS v8.1 | 4.1, 4.8 | Establish and maintain secure baseline, disable unnecessary services |
Require Network Time Protocol (NTP)
| Control | Low | Medium | High |
| Synchronize time via secure, internal NTP servers or trusted sources (e.g., NIST, Microsoft time servers). | Recommended | Required | Required |
Accurate and consistent time synchronization is critical for ensuring log integrity, event correlation, digital forensics, and secure communications. Using secure and authoritative NTP sources prevents time spoofing and supports reliable system auditing.
| Framework | Mapping | Description |
| NIST 800-171 | 3.3.7 | Time stamps |
| NIST CSF | ID.AM-01, DE.CM-01 | Hardware inventories maintained, continuous monitoring |
| CIS v8.1 | 8.4 | Standardize time synchronization, at least two sources where supported |
Screen Lock
| Control | Low | Medium | High |
| Enforce automatic screen lock after no more than 15 minutes of inactivity; adhere to specific regulatory requirements where applicable. | Recommended | Required | Required |
| Require password or platform authentication to unlock. | Recommended | Required | Required |
This control helps prevent unauthorized access to unattended workstations by automatically locking the screen after a period of user inactivity. It's a foundational access control that supports both physical and logical security.
| Framework | Mapping | Description |
| NIST 800-171 | 3.1.10, 3.1.11 | Device lock, session termination |
| NIST CSF | PR.AA-06 | Physical access to assets managed, monitored and enforced |
| CIS v8.1 | 4.3 | Configure automatic session locking on enterprise assets |
Application Allowlisting
| Control | Low | Medium | High |
| Only software that has been approved by the UA Software Security Review process may be installed or run on workstations. | Required | Required | Required |
This control helps enforce software allowlisting and application control, reducing the risk of malware, unauthorized tools, or other mechanisms being used to bypass security controls or introduce vulnerabilities.
| Framework | Mapping | Description |
| NIST 800-171 | 3.4.2, 3.4.8 | Configuration settings, authorized software |
| NIST CSF | PR.PS-01, PR.PS-05 | Installation/execution of unauthorized software not permitted |
| CIS v8.1 | 2.1, 2.3, 2.5 | Maintain software inventory allowlist, address unauthorized software |
Logon Banner
| Control | Low | Medium | High |
| Display legal, security, and regulatory compliance (if applicable) notification at login. | Required | Required | Required |
This control ensures that a login banner or warning notice is displayed before granting access to a system, serving as a legal safeguard and a security awareness mechanism. It establishes user acknowledgment of acceptable use, informs users of monitoring, and helps support prosecution and accountability in the event of misuse.
| Framework | Mapping | Description |
| NIST 800-171 | 3.1.9 | System use notification |
| NIST CSF | GV.OC-03 | Legal, regulatory, and contractual requirements are understood and managed |
| CIS v8.1 | N/A | N/A |
| CJIS 5.9 | 5.5.4 | System use notification |
USB Mass Storage Allowlisting
| Control | Low | Medium | High |
| Disable USB storage devices unless explicitly allowed via university-approved management tools. | Recommended | Recommended | Required |
| Encrypt all external storage devices. | Recommended | Recommended | Required |
This control helps prevent data exfiltration, malware introduction, and unauthorized data transfers by blocking removable storage device access (e.g., USB drives) unless explicitly permitted and centrally managed. It’s a critical endpoint data protection and device control measure.
| Framework | Mapping | Description |
| NIST 800-171 | 3.4.6, 3.14.2 | Least functionality, malicious code protection |
| NIST CSF | PR.PS-01, PR.PS-05 | Installation and execution of unauthorized software are prevented |
| CIS v8.1 | 4.8, 10.3 | Disable unnecessary services, configure options for removable media |
Disable Macros in MS Office Docs from Internet
| Control | Low | Medium | High |
| Block all macros in files obtained from the internet via Microsoft Office security settings or university-approved management/threat detection tools. | Required | Required | Required |
This control mitigates one of the most common malware delivery vectors — malicious Office macros delivered via email or downloaded files — by blocking them by default unless explicitly trusted. This reduces the risk of phishing, ransomware, and remote code execution.
| Framework | Mapping | Description |
| NIST 800-171 | 3.4.6, 3.14.2 | Least functionality, malicious code protection |
| NIST CSF | PR.PS-01, PR.PS-05 | Installation and execution of unauthorized software are prevented |
| CIS v8.1 | 4.8, 10.5 | Disable unnecessary services, enable anti-exploitation features |
Review/Approve Browser and Other User-Installable Extensions
| Control | Low | Medium | High |
| Install only pre-approved browser extensions. | Recommended | Recommended | Required (FY27) |
This control helps prevent malicious or risky browser extensions from being installed by users. Extensions can introduce significant privacy, security, and data leakage risks, and should be tightly controlled through allowlisting or enterprise policy enforcement.
| Framework | Mapping | Description |
| NIST 800-171 | 3.4.6, 3.14.2 | Least functionality, malicious code protection |
| NIST CSF | PR.PS-01, PR.PS-05 | Installation and execution of unauthorized software are prevented |
| CIS v8.1 | 10.5 | Enable anti-exploitation features |
File Integrity Monitoring (FIM) on High Risk Systems
| Control | Low | Medium | High |
| Implement file integrity monitoring (FIM) solutions to monitor and alert on changes to software, firmware, and critical system files. | N/A | N/A | Required |
This control focuses on maintaining system integrity, detecting unauthorized or malicious changes, and ensuring compliance with security best practices and regulatory requirements.
| Framework | Mapping | Description |
| NIST 800-171 | 3.14.1, 3.14.6 | Flaw remediation, monitor system for unusual activities or conditions |
| NIST CSF | PR.DS-01, PR.DS-10 | The confidentiality, integrity, and availability of data-at-rest and data-in-use are protected |
| CIS v8.1 | 8.2, 8.5, 8.9 | Collect and centralize detailed audit logs |
| PCI DSS v4.0.1 | 10.3.4 | Log and Monitor All Access to System Components and Cardholder Data |
Temporary File Cleanup
| Control | Low | Medium | High |
| Automate deletion of temporary files using system cleanup tools or scripts. | Recommended | Required | Required |
This control ensures that temporary files and cached data — which may contain sensitive or residual information — are routinely removed to reduce data leakage, free disk space, and limit exposure in the event of compromise. Automating this process ensures consistency and auditability.
| Framework | Mapping | Description |
| NIST 800-171 | 3.4.2, 3.8.4, 3.8.5 | Protect and control system media |
| NIST CSF | ID.AM-01, PR.PS-01 | Asset inventory, configuration management practices applied |
| CIS v8.1 | 1.1, 4.1 | Secure configuration process |
Cached Credential Cleanup
| Control | Low | Medium | High |
| Configure workstations to clear cached credentials for network accounts upon reboot. | Recommended | Recommended | Required |
This control reduces the risk of credential theft, reuse, and lateral movement by ensuring that cached domain or network credentials are purged after a reboot, particularly on shared or sensitive systems. It also enforces session integrity and account security.
| Framework | Mapping | Description |
| NIST 800-171 | 3.5.4 | Replay-resistant authentication |
| NIST CSF | PR.AA-02 | Identities are proofed & bound to credentials based on context of interactions |
| CIS v8.1 | 4.1 | Secure configuration process |
Limit Unsuccessful Login Attempts
| Control | Low | Medium | High |
| After 10 consecutive unsuccessful login attempts, lock the account for 10 minutes. | Required | Required | Required |
This control implements account lockout policy as a safeguard against brute force attacks and unauthorized login attempts. Temporarily locking access after repeated failures slows attackers and alerts defenders, without permanently disabling legitimate user access.
| Framework | Mapping | Description |
| NIST 800-171 | 3.1.8 | Unsuccessful logon attempts |
| NIST CSF | PR.AA-01 | Identities and credentials are managed by the organization |
| CIS v8.1 | 4.1 | Secure configuration process |
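Several of the controls above carry concrete, per-tier thresholds (a 15-minute screen lock, 10 attempts/10 minutes for lockout, 180-day local administrator rotation, weekly scans, quarterly versus annual backup tests, CIS Level 1 versus Level 2, and controls that are N/A below High), which makes them straightforward to check automatically once an endpoint-management export is available. The following Python is an added example and is not part of this standard or of any UA tool: it expresses a subset of the control tables as data and evaluates constructed inventory records against a workstation's risk tier. The record schema, hostnames, dates, and the reading of "quarterly" and "annually" as 91 and 365 days are this example's own assumptions.

```python
"""Risk-tiered workstation compliance check.

Added example, not part of the UA standard or any UA tool: a subset of the
control tables is expressed as data and evaluated against constructed
inventory records.  All field names are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RISK_LEVELS = ("Low", "Medium", "High")
REQ, REC, NA = "Required", "Recommended", "N/A"


@dataclass
class Workstation:                    # constructed schema, not a UA export format
    hostname: str
    risk: str                         # one of RISK_LEVELS
    fde_fips_validated: bool          # FIPS 140-2 validated FDE active
    admin_pw_age_days: int            # age of the managed local admin password
    std_users_local_admin: bool       # a standard user holds persistent admin
    paw_used_for_admin: bool          # domain/critical-infra admin done from a PAW
    cis_profile_level: int            # 1 or 2
    last_vuln_scan: date
    last_backup_test: Optional[date]  # None = never tested
    host_firewall_on: bool
    inbound_default_block: bool
    screen_lock_seconds: int          # 0 = never locks
    lockout_threshold: int            # failed logons before lockout (0 = none)
    lockout_minutes: int
    fim_enabled: bool


def _days_since(when: Optional[date], today: date) -> int:
    return 10**6 if when is None else (today - when).days


# (control, (Low, Medium, High) requirement, predicate).  Thresholds are the
# tables' own; "quarterly"/"annually" backup tests are read as 91/365 days.
CONTROLS = [
    ("FIPS 140-2 validated full-disk encryption", (REC, REC, REQ),
     lambda ws, _: ws.fde_fips_validated),
    ("Local administrator password rotated within 180 days", (REQ, REQ, REQ),
     lambda ws, _: ws.admin_pw_age_days <= 180),
    ("No persistent local admin rights for standard users", (REQ, REQ, REQ),
     lambda ws, _: not ws.std_users_local_admin),
    ("PAW used for domain / critical-infrastructure administration", (NA, NA, REQ),
     lambda ws, _: ws.paw_used_for_admin),
    ("Authenticated vulnerability scan within 7 days", (REQ, REQ, REQ),
     lambda ws, today: _days_since(ws.last_vuln_scan, today) <= 7),
    ("CIS baseline at the profile level required for the tier", (REQ, REQ, REQ),
     lambda ws, _: ws.cis_profile_level >= (2 if ws.risk == "High" else 1)),
    ("Backups tested within the required interval", (REC, REC, REQ),
     lambda ws, today: _days_since(ws.last_backup_test, today)
     <= (91 if ws.risk == "High" else 365)),
    ("Host firewall enabled", (REC, REQ, REQ),
     lambda ws, _: ws.host_firewall_on),
    ("Inbound traffic blocked unless explicitly allowed", (REC, REC, REQ),
     lambda ws, _: ws.host_firewall_on and ws.inbound_default_block),
    ("Automatic screen lock within 15 minutes", (REC, REQ, REQ),
     lambda ws, _: 0 < ws.screen_lock_seconds <= 900),
    ("Lockout after 10 failed attempts for 10 minutes", (REQ, REQ, REQ),
     lambda ws, _: 0 < ws.lockout_threshold <= 10 and ws.lockout_minutes >= 10),
    ("File integrity monitoring enabled", (NA, NA, REQ),
     lambda ws, _: ws.fim_enabled),
]


def evaluate(ws: Workstation, today: date) -> list:
    """One (control, requirement, passed) tuple per control that applies at the tier."""
    if ws.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {ws.risk!r} for {ws.hostname}")
    col = RISK_LEVELS.index(ws.risk)
    return [(name, tiers[col], bool(check(ws, today)))
            for name, tiers, check in CONTROLS if tiers[col] != NA]


def failures(ws: Workstation, today: date, requirement: str = REQ) -> list:
    """Names of controls at the given requirement level that the workstation fails."""
    return [n for n, r, ok in evaluate(ws, today) if r == requirement and not ok]


def is_compliant(ws: Workstation, today: date) -> bool:
    """Compliant means no failed Required control; Recommended gaps are advisory."""
    return not failures(ws, today, REQ)


# Constructed sample records (invented hostnames and dates); argument order
# follows the Workstation fields above.
TODAY = date(2026, 2, 1)
STAFF_LAPTOP = Workstation("uaf-staff-0417", "Medium", True, 30, False, False, 1,
                           date(2026, 1, 29), None, False, False, 1200, 10, 10, False)
PI_WORKSTATION = Workstation("uaf-pi-lab-02", "High", True, 200, False, False, 1,
                             date(2026, 1, 31), date(2025, 9, 15), True, True, 600,
                             10, 10, True)

if __name__ == "__main__":
    for ws in (STAFF_LAPTOP, PI_WORKSTATION):
        print(ws.hostname, "compliant" if is_compliant(ws, TODAY) else "NON-COMPLIANT")
        for name in failures(ws, TODAY, REQ):
            print("  required :", name)
        for name in failures(ws, TODAY, REC):
            print("  advisory :", name)
```

Two design points carry over from the tables: a control marked N/A at a tier is skipped rather than counted as a pass, so a Medium device is never "compliant with FIM" it does not need, and a Recommended gap is reported but does not fail the device, so the Medium laptop above fails only on its firewall and screen lock while its missing backup test is advisory. Controls without a numeric or boolean rule (logon banner text, NTP source, extension allowlists, the FY27 items) need a local probe per operating system and are deliberately left out of the rule set.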
Loss/Theft
| Control | Low | Medium | High |
| Report lost or stolen devices to unit or central IT and Security (security@alaska.edu) within 24 hours of determining the device is missing. | Required | Required | Required |
This control supports timely incident response and asset protection by requiring users to promptly report lost or stolen devices. Rapid notification helps reduce the risk of data loss, unauthorized access, or prolonged system compromise.
| Framework | Mapping | Description |
| NIST 800-171 | 3.6.2 | Incident monitoring, reporting and response assistance |
| NIST CSF | RS.CO-02 | Internal and external stakeholders are notified of incidents |
| CIS v8.1 | 17.4 | Establish and maintain an incident response process |
Disposal of Devices
| Control | Low | Medium | High |
| All university-owned devices and data storage must have their storage media properly sanitized at the end of their lifecycle or prior to disposal. | Secure Delete/Wipe | Secure Delete/Wipe | Destruction of Storage Media |
This control ensures that sensitive data is irreversibly removed from all storage media before disposal, transfer, or repurposing. Proper data sanitization protects against data leakage, unauthorized recovery, and regulatory violations.
| Framework | Mapping | Description |
| NIST 800-171 | 3.8.3 | Media sanitization |
| NIST CSF | PR.DS-10 | The confidentiality, integrity, and availability of data-in-use are protected |
| CIS v8.1 | 3.5 | Securely dispose of data |
Use of Personal Devices for University Business
UA users may need to access or maintain sensitive university data from their personally owned devices (smartphones, tablets, laptops, and more). The university addresses this use in Board of Regents' Policy 02.07.066, Device Security.
Storing and processing institutional and research data on personal devices may introduce significant risk to the integrity, security, and availability of that data. Note that some units have adopted and enforce requirements for use of personally owned devices that are more specific or restrictive than defined in BOR Policy 02.07.066 and its related guidelines.
If your department or unit permits you to work with sensitive institutional data from devices not owned by the university, you, as the employee, are expected to protect university data by adhering to this Standard to secure all personal devices accessing university resources.
This control ensures that security and data protection policies apply to all devices that access, store, or process institutional or regulated data—whether institutionally owned or personally owned (BYOD). It supports data-centric security, focusing on safeguarding information, not just the infrastructure.
| Framework | Mapping | Description |
| NIST 800-171 | 3.13.1 | Boundary protection |
| NIST CSF | GV.OC-03 | Legal, regulatory, and contractual requirements are understood and managed |
| CIS v8.1 | 1.2 | Address unauthorized assets |
Violations and Exceptions
In an effort to perform its requirements under Board of Regents Policy & Regulation R02.07.060 to secure University Information Resources, systems and services which fail to abide by approved information security controls may be subject to the implementation of compensating controls to effectively manage risk, up to and including disconnection from the UA network or blocking of traffic to/from untrusted networks.
UA employees, students, and other affiliates who attempt to circumvent an approved information security control may be subject to sanctions or administrative action depending on their role and the nature of the violation, which:
- may result in a reduction or loss of access privileges, or the imposition of other restrictions or conditions on access privileges;
- may subject employees to disciplinary action, up to and including termination;
- may subject students to disciplinary action including expulsion according to the Student Code of Conduct procedures; and
- may also subject violators to criminal prosecution.
Requesting an Exception
The process for requesting exceptions to this or any other IT Security Standard is outlined in the Information Security Controls Standard.
Implementation
OIT Information Security and Assurance is responsible for the implementation, maintenance and interpretation of this IT Standard.
Related Standards
- Password and Authentication Standard
- Information Security Controls and Exceptions Standard
- Vulnerability and Patch Management Standard
References
- UA Software Register (UA login required)
Lifecycle and Contacts
Standard Owner: OIT Information Security and Assurance
Standard Contact: Chief Information Security Officer
Phone: 907-474-5347
Email: ua-ciso@alaska.edu
Approved: December 2025
Effective: January 2026
Next Review: January 2028