Control 16.11: Lock Workstation Sessions After Inactivity

Automatically lock workstation sessions after a standard period of inactivity.

Category

Technical

Purpose

Having to re-enter a password to unlock a computer is an annoyance for users, especially if the computer locks quickly. Yet computers are too often left unattended without being locked. An unlocked computer gives anyone who walks up to it access to the information and applications open on that system: a point of sale (POS) system, tax records, or an employee's personal information on an unattended enterprise workstation. This Sub-Control applies to more than desktops and laptops, since smartphones and tablets can also be left unlocked.

This Sub-Control is important because it protects against very basic, low-effort attacks. Someone with very little technical skill can walk up to an unlocked computer and read a company's information. Someone with technical knowledge who reaches a system without a lock screen can, depending on how the computer is set up, install malware and potentially capture passwords used by employees. In a worst-case scenario, they can bring enterprise systems and networks down if passwords are reused or if the computer they are on is set up to manage other devices.

Automation

This setting can be configured and monitored centrally when systems are joined to a domain (on Windows hosts, through Group Policy). It is a basic configuration setting that can be enforced entirely automatically, and the same configuration should be audited, not just pushed, so that a host where the policy failed to apply is noticed.

Guidance and Tools

There is no universally agreed upon time frame for how quickly a computer should lock. Locking after one or two minutes of inactivity may be too quick and cause frustration while reading emails, articles, and spreadsheets. Many organizations recommend 5 minutes as a balance between security and usability; hardening baselines such as the CIS Benchmarks set an upper bound of 15 minutes (900 seconds) and treat a value of 0, which means "never lock", as a failure. With that said, the following should be kept in mind:

  • All computers, phones, and tablets should have their settings changed to lock after a predetermined time. Although you may not be able to enforce it on personal devices, at least ask employees who use their phones to access work email to set a passcode and an automatic lock on their personal phones and tablets.
  • Employees should be regularly reminded of the dangers of leaving their computer systems unlocked.
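
The following PowerShell script is an added example for the Automation section and the timing guidance above; it is not CIS's own tooling and is not part of the original page. It audits a Windows host's inactivity-lock settings against a maximum and remediates only when they fail. In a domain these values are normally delivered by Group Policy; the registry locations used here are the ones the corresponding policies write ("Interactive logon: Machine inactivity limit" and the user screen-saver policies), so the audit function also confirms that a GPO actually applied. The lock time of 300 seconds, the 900-second upper bound, and all function and parameter names are assumptions chosen for the example.

```powershell
# Added example (not from the CIS page): audit and, if needed, enforce the
# inactivity lock on a Windows host. Run elevated for the HKLM value.
# Assumptions (ours): 300 s is the chosen lock time, 900 s the upper bound;
# function and parameter names are illustrative.

# "Interactive logon: Machine inactivity limit" -> DWORD seconds; 0 = never lock.
$MachinePolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Per-user screen-saver policy; values are REG_SZ strings ("1" = on, timeout in seconds).
$UserPolicyKey    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function ConvertTo-Seconds {
    # Registry values may be missing or malformed; treat anything unparseable as 0 (no lock).
    param($Value)
    $n = 0
    if ([int]::TryParse([string]$Value, [ref]$n)) { return $n }
    return 0
}

function Get-InactivityLockState {
    $m = Get-ItemProperty -Path $MachinePolicyKey -ErrorAction SilentlyContinue
    $u = Get-ItemProperty -Path $UserPolicyKey    -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MachineInactivitySecs = ConvertTo-Seconds $m.InactivityTimeoutSecs
        ScreenSaverActive     = ($u.ScreenSaveActive -eq '1')
        ScreenSaverSecure     = ($u.ScreenSaverIsSecure -eq '1')
        ScreenSaverTimeoutSec = ConvertTo-Seconds $u.ScreenSaveTimeOut
    }
}

function Test-InactivityLock {
    # Compliant if at least one mechanism locks within MaxSeconds. A value of 0 or a
    # missing value means "never", so it fails even though 0 <= MaxSeconds.
    param([int]$MaxSeconds = 900)
    $s = Get-InactivityLockState
    $machineOk = $s.MachineInactivitySecs -gt 0 -and $s.MachineInactivitySecs -le $MaxSeconds
    $saverOk   = $s.ScreenSaverActive -and $s.ScreenSaverSecure -and
                 $s.ScreenSaverTimeoutSec -gt 0 -and $s.ScreenSaverTimeoutSec -le $MaxSeconds
    [pscustomobject]@{
        Compliant         = ($machineOk -or $saverOk)
        MachineLimitOk    = $machineOk
        ScreenSaverLockOk = $saverOk
        Settings          = $s
    }
}

function Set-InactivityLock {
    # Writes both mechanisms: the machine-wide limit (applies to every user, no
    # screen saver required) and the per-user password-protected screen saver.
    param([int]$Seconds = 300)
    if ($Seconds -le 0) { throw 'Seconds must be positive; 0 disables the lock.' }
    New-Item -Path $MachinePolicyKey -Force | Out-Null
    Set-ItemProperty -Path $MachinePolicyKey -Name InactivityTimeoutSecs -Value $Seconds -Type DWord
    New-Item -Path $UserPolicyKey -Force | Out-Null
    Set-ItemProperty -Path $UserPolicyKey -Name ScreenSaveActive    -Value '1'        -Type String
    Set-ItemProperty -Path $UserPolicyKey -Name ScreenSaverIsSecure -Value '1'        -Type String
    Set-ItemProperty -Path $UserPolicyKey -Name ScreenSaveTimeOut   -Value "$Seconds" -Type String
}

# Usage: audit first, remediate only when non-compliant, then re-audit.
$before = Test-InactivityLock -MaxSeconds 900
if (-not $before.Compliant) {
    Set-InactivityLock -Seconds 300
}
Test-InactivityLock -MaxSeconds 900 | Format-List
```

On a domain-joined host, run only the audit half as a scheduled compliance check and leave remediation to Group Policy, so a local change is reported rather than silently overwritten; the machine-wide limit is the more robust of the two mechanisms because it does not depend on a screen saver being configured for each user.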

Step-by-step instructions for implementing this Sub-Control can be found in: Automatically Locking a Workstation.