Re: passworded screen savers with timeouts, why?

[Chris Green <cmgreen () UAB EDU>]

15 minutes is our timeout.  Public stations (libraries, labs) where they
logout automatically after 15 minutes. There are no screensavers
implemented in rooms where presentations are done.

Due to our HIPAA implementation, roughly 50% of campus is required to
(decision is on a school by school basis). We have a central desktop
service center and departments can also run their own services. In our
central desktop group, we've engaged it for almost all customers but
individual departments can choose to acknowledge the risks and leave it
off for one or all workstations.

Some of the things we've run into:

* Make sure you communicate to the affected folks! We relied on trickle
down for these changes and that trickle didn't happen in all areas. 
* Lab Equipment that is shared across multiple people
* Conference Rooms
* Shared, but not public, workstations:  Unlocking a desktop in a shared
office

> -----Original Message-----
> From: Bob Kehr [mailto:rskehr () ucdavis edu]
> Sent: Thursday, December 14, 2006 4:50 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] passworded screen savers with timeouts, why?
>
> We, too, have this policy. It can be a hard sell.
>
> Out of curiosity, what is your prescribed time of inactivity before
the
> screensaver engages? What environments is it used in (including
faculty
> offices?)?
>
> -Bob
>
> -----Original Message-----
> From: Chris Green [mailto:cmgreen () UAB EDU]
> Sent: Thursday, December 14, 2006 2:36 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] passworded screen savers with timeouts, why?
>
> I'm assuming by timeouts you mean the screensaver engages after N
> minutes of inactivity.
> The reason is to tie the user's logged in state to their actual
> identity.  If someone walks away, someone can now do activity under
the
> user's account.
>
> An example I use here:  If you're logged into our ERP application, you
> can do self-service payroll adjustment.  Wouldn't you hate if someone
> just sat down and changed YOUR direct deposit to THEIR account?
>
> Since people tend to use multiple applications, I try to use the
> workstation as the place to do locking so people don't have to then
get
> into the other 4 applications that have timed out since they went to
> lunch.
>
> That said, it's still a very hard sell in some areas.
>
>
>
> > -----Original Message-----
> > From: Michael Fox [mailto:Mfox () GEORGIASOUTHERN EDU]
> > Sent: Thursday, December 14, 2006 3:44 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] passworded screen savers with timeouts, why?
> >
> >  We are in the implementation stage of password and workstation
> > policies. My questions, which comes from a number of users, is why a
> > screen saver with a timeout period that requires entering a password
> > when unlocking the screen saver?
> >
> > I have my answers (not a lot) for this but I would like to see what
> > others would have to say about this. It is part of a DID from my
> > perspective, but  not the only piece for the workstation.
> >
> > Any opinions about this one way or another would be appreciated
> > (hopefully most would be for locking the workstation).
> >
> > Oh, by the way we are doing this with Novell Zenworks.
> >
> > Thanks in advance,
> >
> > Mike
> >
> > Mike Fox
> > Georgia Southern University
> > Information Technology Services
> > Office of Information Security
> > mfox () georgiasouthern edu
> > (912)871-1592
> >
> > Jeremiah 29:11-16