Educause Security Discussion mailing list archives

Re: Manual locking workstations

From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Thu, 21 Apr 2011 07:38:23 -0400

Hi All,
If the control isn't managed at the Domain level (So the users can't set it to 600 minutes or turn it off completely) I 
write up the observation. There is no substitute manual process, that I've seen, that I'll accept. Failure to have the 
control in place makes nonrepudiation very difficult, at best.
My two cents... Thanks

[cid:image002.gif@01CBFFF7.17FDB8E0]

:: Daniel Sarazen, CISSP, CISA
:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu<mailto:Dsarazen () umassp edu>

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : 
www.massachusetts.edu<http://www.massachusetts.edu/>





From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Mclaughlin, Kevin (mclaugkl)
Sent: Wednesday, April 20, 2011 3:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Manual locking workstations

Hi Andrea:
We were able to get a locking policy in place for our central IT group and we actually walk around and enforce it 
periodically. We have not been able to get such a policy to be implemented University wide.  A draft copy of our policy 
is attached.
- Kevin
Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

The University of Cincinnati is one of America's top public research institutions and the region's largest employer, 
with a student population of more than 41,000.

[cid:image003.gif@01CBFFF7.17FDB8E0]

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of ANDREA 
Grover
Sent: Wednesday, April 20, 2011 3:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Manual locking workstations

I am working our Secure Computing Standard and am stuck in discussions about manually locking workstations. We already 
require that workstations are set to automatically lock after a specified time, but are also wondering about making the 
manual locking of workstations a requirement or a recommendation.

What policies and/or practices are in place for other universities and groups? Is it a requirement or a recommendation 
that they lock their workstations when they leave it?

If I can get any feedback on this I would appreciate it very much.

Andrea Grover
Weber State University - Network Security

Current thread:

Manual locking workstations ANDREA Grover (Apr 20)
- Re: Manual locking workstations Mclaughlin, Kevin (mclaugkl) (Apr 20)
  - Re: Manual locking workstations Sarazen, Daniel (Apr 21)
- Re: Manual locking workstations Hart, Lee Anne (Apr 20)
  - Re: Manual locking workstations Bob Bayn (Apr 20)