Educause Security Discussion mailing list archives
Re: passworded screen savers with timeouts, do you enforce?
From: John Piercy <jpiercy () RMWC EDU>
Date: Tue, 9 Jan 2007 09:31:23 -0500
We somehow need to educate the masses that this is a new day and age that requires due diligence in all matters regarding data security and not just from the security professionals. You can set up hundreds of IDS/IPS sensors, install host-based security agents on every machine you have, and implement a rigid network access control system totaling hundreds of thousands of dollars and have your users inadvertently defeat all of it because they were allowed to argue that re-typing a pass phrase was too much to handle. Guess who takes the heat when there's a breach and subsequent data theft as a result of the user who got up to go get a cup of coffee and go to the restroom... the security folks who weren't able to get the message across that you are only as secure as the weakest link in your security chain.

We implemented screen saver passwords and a timeout of 20 minutes (too high in my opinion but MUCH better than nothing) via AD Group Policy at the domain level. We can change it in times of crisis if need be and have done so once already. There has been some grumbling but most people here took the time to read our explanations as to why it is so important. It seems to make the argument more concrete when referencing highly reputable schools that have been slapped with $1,000,000 lawsuits/fines and expenses incurred for security changes not to mention the press that goes along with it. It is unfortunate and worth mentioning that many of these "insecure" institutions have been at the forefront of securing data and the only reason they ever knew they'd been compromised (and subsequently reported it - the absolute right thing to do) was because of good security practices.

Consider two neighboring houses: one has high tech surveillance equipment throughout the house and the other has only faith that it won't happen to his/her house. They BOTH have a front door that won't lock properly so - until they have time to fix it - they leave these doors unlocked.

The high-tech surveillance house records an intruder taking pictures of documents and credit cards and putting them back exactly where they were found. The break-in is reported to the police and the police advise the homeowner to cancel all credit cards and accounts that could have been compromised in any way. The house with no surveillance sees nothing and assumes nothing has happened.

Sorry for the long response. Just trying to give you some arguments/analogies that could help you back this policy. Good luck and Happy New Year to all!

John Piercy
Network Manager
Randolph-Macon Woman's College
2500 Rivermont Avenue
Lynchburg, VA 24503
jpiercy () rmwc edu

-----Original Message-----
From: Michael Fox [mailto:Mfox () GEORGIASOUTHERN EDU]
Sent: Monday, January 08, 2007 5:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] passworded screen savers with timeouts, do you enforce?

Last month I asked for reasons why we should utilize passworded screen savers and I want to say thanks to everyone that responded. Now I need to ask if you enforce the screen saver password lockout and if you do how do you do it? Also how did you go about getting it past the naysayers that don't want to have anything make them type their password in more than once a day.

Any help would be appreciated. Thanks for the help.

Mike