105a - IT Hardware Purchasing and Management Standard
1.0 Purpose
The purpose of this standard is to ensure that the purchase of IT hardware, including user workstations and servers, follows established University of Alaska Board of Regents policies and president’s regulations, and ensures maximization of efficiency and use of resources, while minimizing cost and risk to the institution. This standard aims to prevent duplication of IT services and costs, ensure supportability by IT Services (ITS), maintain the security of information systems, equipment, and data, ensure sustainable budget support, and facilitate compatibility with existing systems and policies.
Rising challenges and costs due to cybersecurity threats require constant improvements in the university’s security posture. Network firewalls and security are no longer adequate to ensure protection of university assets, including university hardware and data. Current cybersecurity realities necessitate a “zero trust” model that requires the security hardening of all IT hardware on the university network and which is used to process or store university data. This requires the devices to be managed directly or indirectly by modern IT service and security tools, regular patching to address vulnerabilities, and backups of all servers on a regular basis. This type of support requires professional, modern, and cost-effective IT management and support.
2.0 Standard
2.1 Scope
This standard applies to all IT hardware resources owned, used, or operated by the 乐播传媒, regardless of the source of funding, location, or intended purpose. These resources include, but are not limited to, user workstations, servers, peripheral equipment (e.g., printers, scanners), network devices, and other related IT hardware.
2.1.1 Not-In-Scope
IT devices not owned by the university are not in scope of this policy except where specified.
2.2 IT Hardware Purchases
All IT hardware purchased with university funds (regardless of the source of funding) will be purchased through ITS. All computers purchased with university funds remain property of the University until disposed of through the University’s Surplus Property Program.
2.3 IT Hardware Management and Support
2.3.1 Endpoint IDs and Management
All IT hardware including user workstations and servers will be joined to the university domain, use domain-based identities, or otherwise be managed by university endpoint and server management services.
2.3.2 Endpoint and Security Management
All IT hardware (including user workstations and servers) will have the relevant endpoint management controls applicable to the specific device and as allowed by current licensing limitations. Licenses shall be allocated and prioritized based on the level of risk determined by data risk classification.
2.3.2.1 EDR/XDR
All IT hardware must utilize Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) as allowed by technical and licensing capabilities.
2.3.2.2 Admin Rights for Workstations
- All IT hardware must require MFA for use of admin rights when technically available.
- Admin rights granted for use on workstations will not be granted by use of a local admin account but by use of an approved admin rights management solution (such as Admin By Request) or Privileged Access Management solution.
2.3.2.2 Admin Rights for Servers
- All university owned IT hardware must require MFA for use of admin rights when technically available.
- Non-standard accounts must be used for admin privileges.
- Password requirements on local accounts must align with university password standards.
- Must use Privileged Access Management solution where available.
- Accounts must be provisioned and managed by IAM solution whenever possible.
- Audit logs must be enabled for all privileged activities including:
  - Login attempts
  - Command executions
  - Configuration changes
- Logs must be forwarded to SIEM for real-time alerting and correlation.
- All domain-joined Windows Servers will be configured to utilize LAPS.
2.3.2.3 Patching
All IT hardware must be in compliance with university patching standards in order to be on the university network and for admin rights to be granted to local users where applicable.
2.3.3 Server Hosting and Management
All servers owned by the university will be hosted in the university’s Data Center. Hardware and OS support will be managed by ITS. This is to ensure that all university owned servers are:
- Physically secure.
- Regularly patched.
- Domain joined.
- Backed up.
- Hardened following best practices in conformance with 乐播传媒’s implementation of the Center for Internet Security Control’s (CIS) Benchmarks.
Servers used only for teaching purposes may be hosted and managed by faculty, but should not be used to store or process medium risk data or higher.
2.3.4 Exceptions
IT hardware used to control or manage specialized equipment for teaching or research may be eligible for an exception to these standards. Such exceptions must be approved by the AVC&CIO, have compensating controls, and meet the following criteria.
2.3.4.1 Exception Criteria
- Hardware or OS cannot comply with the above standards due to limitations of the devices the hardware manages or controls, or critical software running on the device that is used for teaching or research.
- Hardware does not store or process medium risk data or higher.
2.3.4.2 Compensating Controls
IT Hardware granted an exception must be placed in a high risk VLAN segment of the university network to protect the university’s network and data from high-risk devices.
2.4 IT Hardware Security Controls and Hardening
Violations of this standard may result in refusal to provide data integrations, support, or network access for non-compliant hardware.
2.4.1 Existing IT Hardware Audits
ITS may conduct maintenance and security audits of any existing IT hardware to determine compliance with university policies and standards including the Vulnerability and Patch Management Standard.
3.0 Procedures
3.1 Reporting Violations
Violations of this standard should be reported to the Technical Support Center or the Office of the CIO. All reported violations will be investigated and may result in disciplinary action.
3.2 Compliance Deadline
- Compliance with this standard is required for all university workstations by 7/1/2027.
- Compliance with this standard is required for all university servers by 7/1/2028.
3.3 Requesting and Granting of Variances
Variances from this standard must be approved by the Associate Vice Chancellor and CIO and in conformance with the following criteria.
- Variances for domain join, domain identities, and endpoint management standards:
  - Must have technical compliance justification.
  - Cost or timeline justifications are only eligible for temporary variance.
- Variances for purchase standards:
  - Valid procurement or contractual justification.
- Variances for MFA and Admin rights standards:
  - Must have technical compliance justification.
  - Cost or timeline justifications are only eligible for temporary variance.
- Variances for patching standards:
  - See .
- Variances for server hosting and management standards:
  - Must have technical compliance justification.
  - Cost or timeline justifications are only eligible for temporary variance.
3.3.1 Compensating Controls
All variances granted require implementation of compensating controls approved by the AVC&CIO. Examples of compensating controls include annual audits of compliance, server logs written to central log service, hosting location is segmented from the general university network, annual reporting on costs or support expenses, etc. At a minimum all variances will require the IT hardware to use the high-risk VLAN.
3.3.2 Variance Request Process
Requests for a variance should be submitted via email to 乐播传媒-IT-Policy@alaska.edu. Any exceptions require approval by the Chief Information Officer. Granted variances will be recorded and tracked by ITS.
4.0 Definitions
See IT Policies and Standards Definitions.
5.0 References
- 105 - IT Hardware, Software, and Services Purchasing Policy
- - Vulnerability and Patch Management Standard
- CIS Benchmarks:
6.0 Standard Information
Standard Effective Date: 06/01/2026
Standard Revision Date: 06/01/2026
Standard Owner: Ryan McDaniel - Associate Vice Chancellor and CIO
Standard Author: Ryan McDaniel - Associate Vice Chancellor and CIO






