Educause Security Discussion mailing list archives
Re: [External] [SECURITY] Locking Computer Policy
From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Thu, 2 May 2019 13:36:30 +0000
Here at the University of St. Thomas, all employees sign a Privileged Access and Confidentiality Agreement when they are hired, which includes a statement that they will lock their computer when they are away from their computer. Whether people remember this is an open question. And, many people think that their out-of-the-way office location or door lock is good enough, not realizing just how many people have keys on campus.

We do have a 15-minute inactivity screensaver set on all computers with the exception of classroom computers which have a 90-minute lockout. The classroom setting alleviated most of the concerns from people and the risk seems to be acceptable.

We did get an uptick in complaints about the policy last summer when we implemented a longer password length requirement (from 8 characters to 15+ characters). One way we’re looking to address this is that we’re piloting some fingerprint reader options. This seems like it will be a good option for people who need to unlock their computer several times a day based on their work routines.

One question I get from people on campus is… “Is that really a problem that people access unlocked computers and access data/systems they are not supposed to access?” That can be a tough one to answer, because I don’t have any evidence that it has actually happened on our campus, but depending on the scenario it would be very difficult to detect. So having a screensaver lockout helps ensure that it doesn’t.

Thanks,
Chris

Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu <https://www.stthomas.edu>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ronald Loneker
Sent: Wednesday, May 1, 2019 5:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] Locking Computer Policy

Hi Everyone -

We are looking to set up a group policy to push out to some of our end users to automatically lock a computer after a certain period of inactivity - especially in departments that have elevated privileges or access to sensitive data. We are noticing some people not following procedure on this, and we want to take action.

What best practices are you using at your institution in terms of the amount of time before a computer locks automatically during inactivity?

Thanks in advance for your thoughts on this.

Ron Loneker, Jr.
Director, IT Special Projects
College of Saint Elizabeth
Mahoney Library
2 Convent Road
Morristown, NJ 07960
Phone: 973-290-4229
e-mail: rloneker () cse edu

CSE's IT department will never ask for your password, social security number or other personal information in an e-mail message. Please do not share any information with others!