Workstation Security Standard
Overview
To reasonably protect information resources (including data, systems, applications, user identities, communication platforms, and supporting infrastructure), UA has established and enforces minimum technical, administrative, and physical control standards. Additional or more rigorous controls may be applied, but the controls listed within this standard are the minimum UA adopted requirements.
This standard is designed to align with applicable regulatory requirements, contractual obligations, and recognized industry best practices. Controls are determined based on the risk classification of the device, application, service, or data being accessed.
- Scope
- Definitions
- UA Workstation
- Security Control
- University Approved Software
- Privileged Access Workstation (PAW)
- Sensitive or Regulated Data
- CIS Benchmarks
- System Risk Definitions
- System Risk Levels
- UA Assurance Levels
- Standard
- System Management
- Whole-Disk/Full-Disk Encryption
- Local Administrator Password Rotation
- Remove/Actively Manage Local Administrator Permissions
- Endpoint Detection and Response (EDR)
- Vulnerability Scanning
- Patching
- Secure Baseline Configuration
- Backups
- Host Firewall
- Multi-Factor Authentication (MFA)
- Audit Log Collection and Retention
- Physical Protections
- Require Network Time Protocol (NTP)
- Screen Lock
- Application Allowlisting
- Logon Banner
- Standard (cont.)
- USB Mass Storage Allowlisting
- Disable Macros in MS Office Docs from Internet
- Review/Approve Browser and Other User-Installable Extensions
- File Integrity Monitoring (FIM) on High Risk Systems
- Temporary File Cleanup
- Cached Credential Cleanup
- Limit Unsuccessful Login Attempts
- Loss/Theft
- Disposal of Devices
- Use of Personal Devices for University Business
- Violations and Exceptions
- Implementation
- Related Standards
- References
- Lifecycle and Contacts
Scope
Information Security and Assurance (ISA) Standards are mandatory and apply to the UA System and all users of UA computing resources. This standard supplements and supports Board of Regents Policy & Regulation R02.07. These standards are reviewed and approved by the CIO Management Team (CMT), a system-wide governance group consisting of each university CIO, the System CITO, and the System CISO. Business units maintaining their own security standards should use this standard as a baseline and may add requirements or detail as appropriate for their business needs; however, they may not weaken any individual element of this standard without an approved Information Security Controls Exception.
This standard is periodically reviewed and updated to respond to emerging threats, changes in legal and regulatory requirements, and technological advances.
This security standard applies to all UA workstations.
Definitions
- UA Workstation
Any computing device either purchased with university funds, including grant funds, or acquired by other means in order to support the universities’ academic, research, administrative, or operational functions. A typical workstation could be described as a desktop or laptop computer running the Windows, Linux, or macOS operating system used to perform daily tasks.
- Security Control
A security measure, such as a tool, process, or guideline, that helps protect university information and systems. Security controls help ensure that UA data stays private, accurate, and available when it is needed.
- University Approved Software
Applications or services that have been through the UA Software Review Process.
- Privileged Access Workstation (PAW)
A Privileged Access Workstation (PAW) is a system designed with strict security controls and isolation mechanisms to reduce the attack surface for administrative tasks, like domain administration, system configuration, or managing critical infrastructure.
- Sensitive or Regulated Data
Information that must be protected by law or in accordance with industry best practices. At the University of Alaska, this data is classified as “Restricted” and includes multiple data types, including Personally Identifiable Information (PII), Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), financial data, Criminal Justice Information Systems (CJIS), International Traffic in Arms Regulations (ITAR), and others. For more information and examples, see “Restricted” data in Board of Regents Regulation R02.07.094, Data Classification Standards: Categories.
- CIS Benchmarks
CIS Benchmarks are best practices for the secure configuration of a computing system. Most CIS Benchmarks include multiple configuration profiles.
  - Level 1 profile
  Considered a base recommendation that can be implemented quickly, addresses common security risks, and does not significantly impact usability.
  - Level 2 profile
  Considered to be “defense in depth” and is intended for environments where security is paramount; these recommendations can impact usability.
- System Risk Definitions
  - Low
  A UA Workstation that only processes, stores, or transmits information that is appropriate or intended for public release, including information that would be releasable without restriction or redaction in response to a request.
  - Medium
  A UA Workstation that processes, stores, or transmits any information where a compromise would have moderate adverse effects on UA’s operations, assets, or individuals.
  - High
  A UA Workstation that processes, stores, or transmits any information where a compromise would result in serious to severe adverse effects on UA operations, security, legal standing, research integrity, or individuals’ privacy.
- System Risk Levels
System Risk Levels (Low, Medium, and High) are applied to systems based on the following risk levels.

| System Risk Level | Examples |
| --- | --- |
| Low (Level 1) | Library kiosk or public access computers; general use (public) computer lab workstations; reception desk (shared) |
| Medium (Level 2) | Faculty or Staff workstations; Student Employee workstations |
| High (Level 3) | Principal Investigator (PI) workstation; Privileged Access Workstation (PAW); HIPAA-covered entity workstation; Financial Admin workstation |

- UA Assurance Levels
UA Assurance Levels, which set the rules for verifying who someone is and how they log in securely, are defined in the Password and Authentication Standard.
Standard: Workstation Security Controls
System Management
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Workstations must be set up, updated, and maintained by either unit IT departments or the central University IT team, using approved university tools. | Recommended | Recommended | Required |
| Enable remote wipe capabilities for managed devices wherever possible. | Required | Required | Required |
| Enable location services for managed devices wherever possible. | Required | Required | Required |

Centrally managing workstations reduces risk, improves operational efficiency, and makes it easier to enforce and prove compliance with cybersecurity standards.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.4.1, 3.4.3 | Consistently apply controls |
| | ID.AM-01, PR.PS-01 | Asset inventory, configuration management |
| | 1.1, 4.1 | Asset inventory, secure configuration process |
Whole-Disk/Full-Disk Encryption
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Workstations must be encrypted using a FIPS 140-2 validated full-disk encryption solution. | Recommended | Recommended | Required |
| Encryption keys must be securely stored in a managed enterprise vault. | Recommended | Recommended | Required |

Enabling whole (or full) disk encryption is a critical cybersecurity best practice because it protects sensitive data at rest, especially in scenarios where a device is lost, stolen, or improperly decommissioned.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.13.11, 3.8.6 | FIPS-validated cryptography for CUI, cryptography for digital media (transport) |
| | PR.DS-1 | Data-at-rest protection |
| | 3.4 | Encryption of sensitive data on endpoints |
Local Administrator Password Rotation
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Implement a local administrator password management solution with unique per-device passwords. | Recommended | Required | Required |
| If enabled, rotate local administrator passwords at least every 180 days or upon role changes. It is recommended that the rotation process be automated if possible. | Required | Required | Required |

Rotating local administrator credentials on workstations is a critical security practice because it prevents credential reuse, limits lateral movement, and reduces insider and external threat risk.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.1.1, 3.1.2, 3.1.5, 3.1.6, 3.5.3, 3.5.6, 3.5.7 | Ties to access control, least privilege, password policy |
| | PR.AC-1, PR.AC-4, PR.IP-1, PR.IP-3, DE.CM-7 | Identity and access management + secure config |
| | 4.3, 4.4, 4.6, 5.2, 5.4, 5.5 | Privileged access, password uniqueness, vaulting |
Remove/Actively Manage Local Administrator Permissions
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Remove persistent local administrator privileges for standard users. | Required | Required | Required |
| Restrict local admin access to approved users with Just-In-Time (JIT) access solutions like Privileged Access Management (PAM). | Recommended | Recommended | Required |
| Require MFA for privileged access. | Required | Required | Required |
| Use a privileged access workstation (PAW) for domain administration or managing critical infrastructure. | N/A | N/A | Required |

This control reduces risk by ensuring that standard users do not have continuous administrative access on their devices — a foundational principle for least privilege and limiting lateral movement.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.1.2, 3.1.5, 3.1.6 | Remove unnecessary admin rights, least privilege |
| | PR.AA-04, 05 | Permissions and privileged access restricted |
| | 4.7 | Permissions and privileged access restricted |
Endpoint Detection and Response (EDR)
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Deploy endpoint detection and response (EDR) solutions. | Required | Required | Required |
| Set up endpoint detection and response (EDR) to watch for unusual activity in real time and take automatic action to stop threats. | Required | Required | Required |

This control is about deploying real-time endpoint monitoring and automated threat response, key to detecting and stopping malicious activity (e.g., malware, lateral movement, fileless attacks) before it escalates.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.14.6 | Monitor system for attacks and unusual conditions |
| | DE.CM-09, RS.MI-01 | Systems are monitored and incidents are contained |
| | 10.1 | Deploy and maintain antimalware software |
Vulnerability Scanning
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Using a tool, conduct authenticated or agent-based vulnerability scans on all workstations at least weekly, in accordance with UA’s Vulnerability and Patch Management Standard. | Required | Required | Required |

Regularly scanning workstations for vulnerabilities helps find and fix security weaknesses before attackers can exploit them. Since workstations are often the first target in cyberattacks, it's important to keep them closely monitored.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.11.02, 3.14.1 | Vulnerability monitoring and scanning, remediate flaws |
| | ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded |
| | 7.1, 7.5, 7.6 | Establish and maintain automated vulnerability scans of assets |
Patching
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Apply security patches in accordance with UA’s Vulnerability and Patch Management Standard. | Required | Required | Required |
| Wherever possible, turn on “automatic updates” for software and operating systems. | Required | Required | Required |

This control ensures that known vulnerabilities are addressed in a timely, consistent, and scalable way by automating the patching process — reducing the window of exposure for exploit attempts.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.14.1 | Identify, report, and correct system flaws |
| | PR.PS-02 | Software is maintained, replaced, and removed commensurate with risk |
| | 7.7 | Remediate detected vulnerabilities |
Secure Baseline Configuration
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Deploy workstations using hardened configurations based on the appropriate CIS Level. | Level 1 | Level 1 | Level 2 |
| Enforce configurations via tools. | Required | Required | Required |

This control ensures that default, insecure settings are eliminated and that systems are provisioned with security-focused baselines. Hardened configurations reduce the attack surface from the moment a system is deployed.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.4.1, 3.4.2 | Develop baseline configuration, as restrictive as operations allow |
| | PR.PS-01 | Configuration management practices are established and applied |
| | 4.1, 4.6 | Establish and maintain a secure configuration process, securely manage assets |
Backups
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Workstation data should be backed up to encrypted solutions (either cloud or on-prem storage). | Recommended | Recommended | Required |
| Implement continuous backup solutions. | Recommended | Recommended | Required |
| Test backups regularly. | Annually | Annually | Quarterly |

This control ensures the availability and recoverability of workstation data in the event of loss, theft, ransomware, or hardware failure — and that backups are encrypted to protect confidentiality.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.8.8 | System backup, cryptographic protection |
| | PR.DS-01, PR.DS-11 | Backups of data are created, protected, maintained and tested |
| | 11.1, 11.2, 11.3, 11.5 | Establish, maintain, perform, protect and test data recovery |
Host Firewall
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Enable and configure host-based firewalls. | Recommended | Required | Required |
| Block all inbound traffic unless explicitly allowed. | Recommended | Recommended | Required |
| Enable logging for firewall rule violations. | Recommended | Recommended | Required |

This control ensures that endpoint firewalls are actively protecting the system from unauthorized access attempts and providing audit trails for monitoring and incident response.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.13.1, 3.13.6, 3.3.1 | Boundary protection, deny by default, event logging |
| | PR.IR-02 | Assets protected from environmental threats |
| | 4.5, 8.2 | Firewalls and port filtering on end-user devices |
Multi-Factor Authentication (MFA)
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Enforce MFA for all workstation logins. | Recommended | Recommended | Required (FY27) |
| Require MFA for privileged access. | Required | Required | Required |

This control ensures that both standard and privileged users are required to provide at least two authentication factors when logging into workstations, significantly reducing the risk of unauthorized access due to credential compromise.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.5.3 | Implement MFA for privileged and non-privileged accounts |
| | PR.AA-03 | Users, services, and hardware are authenticated |
| | 6.5 | Require MFA for administrative access |
Audit Log Collection and Retention
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Enable detailed logging for system, security, and application events. | Recommended | Recommended | Required |
| Retain logs as appropriate for relevant compliance obligations. | N/A | N/A | Required |
| Forward logs to a SIEM or log management solution. | Required | Required | Required |

This control ensures that critical security events are not only captured locally but also centralized for monitoring, correlation, threat detection, and incident response.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.3.1, 3.3.2 | Create and retain audit logs, ensure detail for reporting |
| | DE.CM-09, PR.PS-04 | Log records are generated and made available for monitoring |
| | 8.2, 8.5, 8.9, 8.10 | Collect, centralize, and retain detailed audit logs |
Physical Protections
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Workstations must be stored in a physically secure location. | Recommended | Recommended | Required |
| Enable BIOS/UEFI password protection. | Recommended | Recommended | Required |
| Disable boot from USB/DVD in BIOS/UEFI. | Recommended | Recommended | Required |

This control prevents unauthorized users from modifying firmware settings or bypassing the operating system's security controls by booting from external devices (e.g., USB drives). It's an essential part of pre-boot security and helps defend against physical tampering, data theft, and persistence mechanisms used by attackers.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.14.2 | Malicious code protection |
| | PR.PS-01 | Configuration management established and applied |
| | 4.1, 4.8 | Establish and maintain secure baseline, disable unnecessary services |
Require Network Time Protocol (NTP)
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Synchronize time via secure, internal NTP servers or trusted sources (e.g., NIST, Microsoft time servers). | Recommended | Required | Required |

Accurate and consistent time synchronization is critical for ensuring log integrity, event correlation, digital forensics, and secure communications. Using secure and authoritative NTP sources prevents time spoofing and supports reliable system auditing.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.3.7 | Time stamps |
| | ID.AM-01, DE.CM-01 | Hardware inventories maintained, continuous monitoring |
| | 8.4 | Standardize time synchronization, at least two sources where supported |
Screen Lock
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Enforce automatic screen lock after no more than 15 minutes of inactivity; adhere to specific regulatory requirements where applicable. | Recommended | Required | Required |
| Require password or platform authentication to unlock. | Recommended | Required | Required |

This control helps prevent unauthorized access to unattended workstations by automatically locking the screen after a period of user inactivity. It's a foundational access control that supports both physical and logical security.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.1.10, 3.1.11 | Device lock, session termination |
| | PR.AA-06 | Physical access to assets managed, monitored and enforced |
| | 4.3 | Configure automatic session locking on enterprise assets |
Application Allowlisting
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Only software that has been approved by the UA Software Security Review process may be installed or run on workstations. | Required | Required | Required |

This control helps enforce software allowlisting and application control, reducing the risk of malware, unauthorized tools, or other mechanisms being used to bypass security controls or introduce vulnerabilities.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.4.2, 3.4.8 | Configuration settings, authorized software |
| | PR.PS-01, PR.PS-05 | Installation/execution of unauthorized software not permitted |
| | 2.1, 2.3, 2.5 | Maintain software inventory allowlist, address unauthorized software |
Logon Banner
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Display legal, security, and regulatory compliance (if applicable) notification at login. | Required | Required | Required |

This control ensures that a login banner or warning notice is displayed before granting access to a system, serving as a legal safeguard and a security awareness mechanism. It establishes user acknowledgment of acceptable use, informs users of monitoring, and helps support prosecution and accountability in the event of misuse.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.1.9 | System use notification |
| | GV.OC-03 | Legal, regulatory, and contractual requirements are understood and managed |
| | N/A | N/A |
| | 5.5.4 | System use notification |
USB Mass Storage Allowlisting
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Disable USB storage devices unless explicitly allowed via university-approved management tools. | Recommended | Recommended | Required |
| Encrypt all external storage devices. | Recommended | Recommended | Required |

This control helps prevent data exfiltration, malware introduction, and unauthorized data transfers by blocking removable storage device access (e.g., USB drives) unless explicitly permitted and centrally managed. It’s a critical endpoint data protection and device control measure.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.4.6, 3.14.2 | Least functionality, malicious code protection |
| | PR.PS-01, PR.PS-05 | Installation and execution of unauthorized software are prevented |
| | 4.8, 10.3 | Disable unnecessary services, configure options for removable media |
Disable Macros in MS Office Docs from Internet
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Block all macros from the internet via Microsoft Office security settings or university-approved management/threat detection tools. | Required | Required | Required |

This control mitigates one of the most common malware delivery vectors — malicious Office macros delivered via email or downloaded files — by blocking them by default unless explicitly trusted. This reduces the risk of phishing, ransomware, and remote code execution.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.4.6, 3.14.2 | Least functionality, malicious code protection |
| | PR.PS-01, PR.PS-05 | Installation and execution of unauthorized software are prevented |
| | 4.8, 10.5 | Disable unnecessary services, enable anti-exploitation features |
Review/Approve Browser and Other User-Installable Extensions
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Install only pre-approved browser extensions. | Recommended | Recommended | Required (FY27) |

This control helps prevent malicious or risky browser extensions from being installed by users. Extensions can introduce significant privacy, security, and data leakage risks, and should be tightly controlled through allowlisting or enterprise policy enforcement.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.4.6, 3.14.2 | Least functionality, malicious code protection |
| | PR.PS-01, PR.PS-05 | Installation and execution of unauthorized software are prevented |
| | 10.5 | Enable anti-exploitation features |
File Integrity Monitoring (FIM) on High Risk Systems
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Implement file integrity monitoring (FIM) solutions to monitor and alert on changes to software, firmware, and critical system files. | N/A | N/A | Required |

This control focuses on maintaining system integrity, detecting unauthorized or malicious changes, and ensuring compliance with security best practices and regulatory requirements.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.14.1, 3.14.6 | Flaw remediation, monitor system for unusual activities or conditions |
| | PR.DS-01, -10 | The confidentiality, integrity, and availability of data at rest/in use are protected |
| | 8.2, 8.5, 8.9 | Collect and centralize detailed audit logs |
| | 10.3.4 | Log and monitor all access to system components and cardholder data |
Temporary File Cleanup
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Automate deletion of temporary files using system cleanup tools or scripts. | Recommended | Required | Required |

This control ensures that temporary files and cached data — which may contain sensitive or residual information — are routinely removed to reduce data leakage, free disk space, and limit exposure in the event of compromise. Automating this process ensures consistency and auditability.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.4.2, 3.8.4, 3.8.5 | Protect and control system media |
| | ID.AM-01, PR.PS-01 | The confidentiality, integrity, and availability of data at rest/in use are protected |
| | 1.1, 4.1 | Secure configuration process |
Cached Credential Cleanup
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Configure workstations to clear cached credentials for network accounts upon reboot. | Recommended | Recommended | Required |

This control reduces the risk of credential theft, reuse, and lateral movement by ensuring that cached domain or network credentials are purged after a reboot, particularly on shared or sensitive systems. It also enforces session integrity and account security.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.5.4 | Replay-resistant authentication |
| | PR.AA-02 | Identities are proofed & bound to credentials based on context of interactions |
| | 4.1 | Secure configuration process |
Limit Unsuccessful Login Attempts
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| After 10 consecutive unsuccessful attempts, lock session for 10 minutes. | Required | Required | Required |

This control implements account lockout policy as a safeguard against brute force attacks and unauthorized login attempts. Temporarily locking access after repeated failures slows attackers and alerts defenders, without permanently disabling legitimate user access.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.1.8 | Unsuccessful logon attempts |
| | PR.AA-01 | Identities and credentials are managed by the organization |
| | 4.1 | Secure configuration process |
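Several of the controls above state measurable thresholds (screen lock within 15 minutes, lockout after 10 attempts for 10 minutes, local administrator password rotation within 180 days, FIPS 140-2 validated full-disk encryption, inbound deny-by-default firewall, NTP synchronization) whose tier depends on the workstation's risk level. The checker below, an added example and not UA's own tooling, evaluates a configuration snapshot against that Low/Medium/High matrix; the snapshot dict and its field names are assumptions standing in for data an MDM or inventory agent would collect, and the sample values are constructed.

```python
"""Evaluate a workstation configuration snapshot against the Low/Medium/High
requirement matrix for the standard's measurable controls.

Added example, not UA's own tooling. The snapshot dict is hypothetical (a real
deployment would populate it from MDM/inventory data); sample values are
constructed."""
from dataclasses import dataclass
from datetime import date

LEVELS = ("Low", "Medium", "High")

# Requirement tier per risk level (Low, Medium, High), as given in the
# standard's tables for each control this checker can measure.
MATRIX = {
    "screen_lock":       ("Recommended", "Required", "Required"),
    "login_lockout":     ("Required", "Required", "Required"),
    "admin_pw_rotation": ("Required", "Required", "Required"),
    "full_disk_encrypt": ("Recommended", "Recommended", "Required"),
    "fw_inbound_deny":   ("Recommended", "Recommended", "Required"),
    "ntp_sync":          ("Recommended", "Required", "Required"),
}


@dataclass
class Finding:
    control: str
    tier: str    # "Required" or "Recommended"
    detail: str


def _checks(snap, today):
    """Yield (control, passed, detail). Stricter-than-standard settings
    (fewer attempts, shorter timeouts, newer passwords) count as compliant."""
    lock = snap["screen_lock_seconds"]
    yield ("screen_lock", lock <= 15 * 60 and snap["lock_requires_auth"],
           f"lock after {lock}s, auth to unlock={snap['lock_requires_auth']}")
    deny, unlock = snap["lockout_threshold"], snap["lockout_seconds"]
    yield ("login_lockout", 0 < deny <= 10 and unlock >= 10 * 60,
           f"deny={deny}, unlock_time={unlock}s")
    age = (today - snap["admin_pw_set"]).days
    yield ("admin_pw_rotation", snap["admin_pw_unique"] and age <= 180,
           f"unique per device={snap['admin_pw_unique']}, age={age}d")
    yield ("full_disk_encrypt", snap["fde_enabled"] and snap["fde_fips_validated"],
           f"enabled={snap['fde_enabled']}, FIPS 140-2={snap['fde_fips_validated']}")
    yield ("fw_inbound_deny", snap["fw_enabled"] and snap["fw_inbound_default"] == "deny",
           f"enabled={snap['fw_enabled']}, inbound default={snap['fw_inbound_default']}")
    yield ("ntp_sync", snap["ntp_synced"], f"synced={snap['ntp_synced']}")


def evaluate(snap, level, today):
    """Return findings for failed checks whose tier at `level` is not N/A."""
    if level not in LEVELS:
        raise ValueError(f"unknown risk level {level!r}")
    idx = LEVELS.index(level)
    findings = []
    for control, passed, detail in _checks(snap, today):
        tier = MATRIX[control][idx]
        if not passed and tier != "N/A":
            findings.append(Finding(control, tier, detail))
    return findings


def required_gaps(findings):
    """Controls that block compliance (Recommended gaps are advisory only)."""
    return [f.control for f in findings if f.tier == "Required"]


# Constructed snapshot for a faculty laptop: some settings already meet the
# standard, others do not. Dates are fixed so results are reproducible.
TODAY = date(2026, 1, 15)
SAMPLE_SNAPSHOT = {
    "screen_lock_seconds": 30 * 60, "lock_requires_auth": True,
    "lockout_threshold": 10, "lockout_seconds": 600,
    "admin_pw_unique": True, "admin_pw_set": date(2025, 6, 1),   # 228 days old
    "fde_enabled": True, "fde_fips_validated": False,
    "fw_enabled": True, "fw_inbound_default": "deny",
    "ntp_synced": False,
}
# The same device after remediation of every failed check.
HARDENED_SNAPSHOT = {**SAMPLE_SNAPSHOT, "screen_lock_seconds": 10 * 60,
                     "admin_pw_set": date(2025, 12, 1),
                     "fde_fips_validated": True, "ntp_synced": True}

if __name__ == "__main__":
    for level in LEVELS:
        findings = evaluate(SAMPLE_SNAPSHOT, level, TODAY)
        print(f"{level}: {len(required_gaps(findings))} required gap(s)")
        for f in findings:
            print(f"  [{f.tier}] {f.control}: {f.detail}")
```

The same snapshot yields one blocking gap at Low (the stale administrator password) but four at High, which is the point of the matrix: the device's risk level, not the setting, decides whether a gap is advisory or a violation.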
Loss/Theft
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| Report lost or stolen devices to unit or central IT and Security (security@alaska.edu) within 24 hours of determining the device is missing. | Required | Required | Required |

This control supports timely incident response and asset protection by requiring users to promptly report lost or stolen devices. Rapid notification helps reduce the risk of data loss, unauthorized access, or prolonged system compromise.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.6.2 | Incident monitoring, reporting and response assistance |
| | RS.CO-02 | Internal and external stakeholders are notified of incidents |
| | 17.4 | Establish and maintain an incident response process |
Disposal of Devices
| Control | Low | Medium | High |
| --- | --- | --- | --- |
| All university-owned devices and data storage must have their storage media properly sanitized at the end of their lifecycle or prior to disposal. | Secure Delete/Wipe | Secure Delete/Wipe | Destruction of Storage Media |

This control ensures that sensitive data is irreversibly removed from all storage media before disposal, transfer, or repurposing. Proper data sanitization protects against data leakage, unauthorized recovery, and regulatory violations.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.8.3 | Media sanitization |
| | PR.DS-10 | The confidentiality, integrity, and availability of data-in-use are protected |
| | 3.5 | Securely dispose of data |
Use of Personal Devices for University Business
UA users may need to access or maintain sensitive university data from their personally owned devices (smartphones, tablets, laptops, and more). The university addresses this use in Board of Regents' Policy 02.07.066, Device Security.
Storing and processing institutional and research data on personal devices may introduce significant risk to the integrity, security, and availability of that data. Note that some units have adopted and enforce requirements for use of personally owned devices that are more specific or restrictive than those defined in BOR Policy 02.07.066 and its related guidelines.
If your department or unit permits you to work with sensitive institutional data from devices not owned by the university, you, as the employee, are expected to protect university data by adhering to this Standard to secure all personal devices accessing university resources.
This control ensures that security and data protection policies apply to all devices that access, store, or process institutional or regulated data—whether institutionally owned or personally owned (BYOD). It supports data-centric security, focusing on safeguarding information, not just the infrastructure.

| Framework | Mapping | Description |
| --- | --- | --- |
| | 3.13.1 | Boundary protection |
| | GV.OC-03 | Legal, regulatory, and contractual requirements are understood and managed |
| | 1.2 | Address unauthorized assets |
Violations and Exceptions
In an effort to perform its requirements under Board of Regents Policy & Regulation R02.07.060 to secure University Information Resources, systems and services which fail to abide by approved information security controls may be subject to the implementation of compensating controls to effectively manage risk, up to and including disconnection from the UA network or blocking of traffic to/from untrusted networks.
UA employees, students, and other affiliates who attempt to circumvent an approved information security control may be subject to sanctions or administrative action depending on their role and the nature of the violation, which:
- may result in a reduction or loss of access privileges, or the imposition of other restrictions or conditions on access privileges;
- may subject employees to disciplinary action, up to and including termination;
- may subject students to disciplinary action including expulsion according to the Student Code of Conduct procedures; and
- may also subject violators to criminal prosecution.
Requesting an Exception
The process for requesting exceptions to this or any other IT Security Standard is outlined in the Information Security Controls Standard.
Implementation
OIT Information Security and Assurance is responsible for the implementation, maintenance and interpretation of this IT Standard.
Related Standards
- Password and Authentication Standard
- Information Security Controls and Exceptions Standard
- Vulnerability and Patch Management Standard
References
- (UA login required)
Lifecycle and Contacts
Standard Owner: OIT Information Security and Assurance
Standard Contact: Chief Information Security Officer
Phone: 907-474-5347
Email: ua-ciso@alaska.edu
Approved: December 2025
Effective: January 2026
Next Review: January 2028