Educause Security Discussion mailing list archives

Re: [External] [SECURITY] Locking Computer Policy


From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Thu, 2 May 2019 13:36:30 +0000

Here at the University of St. Thomas, all employees sign a Privileged Access and Confidentiality Agreement when they 
are hired, which includes a statement that they will lock their computer when they are away from their computer.  
Whether people remember this is an open question.  And, many people think that their out of the way office location or 
door lock is good enough, not realizing just how many people have keys on campus.

We do have a 15-minute inactivity screensaver set on all computers with the exception of classroom computers which have 
a 90-minute lockout.  The classroom setting alleviated most of the concerns from people and the risk seems to be 
acceptable.

We did get an uptick in complaints about the policy last summer when we implemented a longer password length 
requirement (from 8 characters to 15+ characters).  One way we’re looking to address this is that we’re piloting some 
fingerprint reader options.  This seems like it will be a good option for people who need to unlock their computer 
several times a day based on their work routines.

One question I get from people on campus is…  “Is that really a problem that people access unlocked computers and 
access data/systems they are not supposed to access?”  That can be a tough one to answer, because I don’t have any 
evidence that it has actually happened on our campus, but depending on the scenario it would be very difficult to 
detect.  So having a screensaver lockout helps ensure that it doesn’t.

Thanks,

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | https://www.stthomas.edu




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ronald Loneker
Sent: Wednesday, May 1, 2019 5:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] Locking Computer Policy

Hi Everyone -

We are looking to set up a group policy to push out to some of our end users to automatically lock a computer after a 
certain period of inactivity - especially in departments that have elevated privileges or access to sensitive data.

We are noticing some people not following procedure on this, and we want to take action.

What best practices are you using at your institution in terms of the amount of time before a computer locks 
automatically during inactivity?

Thanks in advance for your thoughts on this.

Ron Loneker, Jr.
Director, IT Special Projects
College of Saint Elizabeth
Mahoney Library
2 Convent Road
Morristown, NJ  07960

Phone:  973-290-4229

e-mail:  rloneker () cse edu

