Educause Security Discussion mailing list archives
Re: Lockout Settings
From: "Radford, Jennifer" <jradford () INTAUDIT UBC CA>
Date: Fri, 27 Aug 2010 13:36:56 -0700
Hi Todd,
From an internal audit perspective, screen lockouts should be risk based. Obviously they are more important depending on the type of data that is involved and that could potentially be viewed / altered by unauthorised parties. Sounds like you are dealing with sensitive data, but if any of this is regulated data, e.g. personally identifiable data, then this may raise the risk even higher.
Also, consideration should be given to what type of environment is in place, e.g. open plan versus closed locked offices. Lastly, users should be educated on the security risks of leaving open screens unattended and policy should drive behaviour to get employees to 'ctrl alt delete' before they leave their desk. Once the above has been considered, management can make an informed decision about whether to set at 10, 15, 20, etc. minutes before screen lock out.

Cheers,
Jen

Jennifer Radford, Senior IT Audit Manager
Internal Audit, UBC
6000 Iona Drive, Vancouver, BC Canada V6T 1L4
Phone: 604-822-6512
Fax: 604-822-9027
E-mail: Jradford () intaudit ubc ca
Web: www.intaudit.ubc.ca

The information contained in this e-mail message is strictly confidential and intended solely for the use of the designated addressee(s). Any unauthorized viewing, disclosure, copying or distribution of this e-mail is prohibited and may be unlawful. If you have received this e-mail in error, please do not read it, reply to the sender immediately to inform us that you are not the intended recipient, and delete the e-mail from your computer system. Thank you.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Plesco, Todd
Sent: Friday, August 27, 2010 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Lockout Settings

I'd like to get everyone's feedback on their current enterprise settings for screen lockout. This discussion has re-emerged for us as we roll out SharePoint with Windows Authentication (rather than through an ISA server) which will provide portals (without a second login/password requirement) into some applications which maintain sensitive data.

Is everyone using a 15 minute screen lockout? Do you have SharePoint? Browser timeout?

Todd A. Plesco CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Thursday, June 11, 2009 12:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Timeout/Lockout Settings

15 minutes for us as well. There are a few exceptions like an OU for admissions counselors. Lock it when you leave it is ideal.

Jacob Barros
Network Administrator
Grace College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam Richard
Sent: Wednesday, June 10, 2009 10:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Timeout/Lockout Settings

I am curious to know how other peer institutions are setting up their timeout/lockout settings. How are you enforcing the timeouts (Pointsec, Windows settings, screensaver, etc.)? How long must the PC be inactive for the timeout setting to take effect? Do the time limits vary based on user?

Thanks all!

Adam Richard '05
IT Security Analyst/Operations Specialist
Messiah College
Hoffman 211
(717) 796-1800 x.6570
One College Ave.
Information Technology Services
Box 3055
Grantham, PA 17027
"ITS will never ask you for your password"