Educause Security Discussion mailing list archives

Re: Manual locking workstations


From: "Hart, Lee Anne" <LeeAnne.Hart () MONTGOMERYCOLLEGE EDU>
Date: Wed, 20 Apr 2011 15:22:11 -0400

Hi Andrea,
The biggest problem I see with what you are suggesting is that requiring people to manually lock their workstation when 
they step away is not enforceable or auditable - it is a recommendation or best practice. Standards are most effective 
when they are enforceable and auditable.
However, during your security awareness efforts, you should certainly educate people on why they should lock their 
workstations and show them how (shortcuts, etc.) but it doesn't belong in a standard. Configuring systems to lock after 
5 - 15 minutes of inactivity is enforceable (OS settings/group policies) and auditable and most certainly belongs in 
a secure computing standard.
Good luck!
Lee Anne

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of ANDREA Grover
Sent: Wednesday, April 20, 2011 3:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Manual locking workstations

I am working on our Secure Computing Standard and am stuck in discussions about manually locking workstations. We already 
require that workstations are set to automatically lock after a specified time, but are also wondering about making the 
manual locking of workstations a requirement or a recommendation.

What policies and/or practices are in place for other universities and groups? Is it a requirement or a recommendation 
that they lock their workstations when they leave them?

If I can get any feedback on this I would appreciate it very much.

Andrea Grover
Weber State University - Network Security

