Main Nav

Posted by curryd on October 4, 2012
Greetings,

I'm trying to make the case for implementing a mandatory locking screensaver on our office workstations/laptops (faculty and administrative staff). It would be done in the usual way: after some period (15, 20, 30 minutes TBD) of idle time, the system would invoke the screen saver, and to restore the screen and continue working, the user would have to enter his or her password. Reaction has been mixed (as I expected), and the usual question has come up: "well, what do other universities do?"

So....
  1. Do you implement a mandatory locking screen saver on your staff and/or faculty computers?
  2. If so, do you do so for all staff/faculty, or just certain groups (and what are those groups)?
  3. If so, how long is your timeout before the screensaver starts?

Thanks,

--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu


Comments

Message from dwscott@fhu.edu

1. Yes, we implement a mandatory locking screen saver on staff computers via Windows Group Policy.
2. We only implement it for departments dealing with financial and sensitive student information (Business office, admissions, etc.)
3. We implement a lockout at 20 minutes.


Posted by: listserv-anon on October 4, 2012
David,

1. Franklin University imposes a mandatory locking screen saver through GPO on all University-owned computers.

2. We do this regardless of account type: faculty, staff, consultant, student, library visitor, you name it. We have an exception for classroom instructor PCs that drive projection systems and the PC in our main auditorium connected to a projector. Our mandatory locking policy also applies to laptops which also require whole-disk encryption.

3. As for how long, we settled on 15 minutes to satisfy PCI requirements. Hey, it's easy to blame it on the credit card industry!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"

From: "David Curry" <david.curry@NEWSCHOOL.EDU>
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, October 4, 2012 12:05:52 PM
Subject: [SECURITY] Automatic timeout to locking screensaver

Greetings,

I'm trying to make the case for implementing a mandatory locking screensaver on our office workstations/laptops (faculty and administrative staff). It would be done in the usual way: after some period (15, 20, 30 minutes TBD) of idle time, the system would invoke the screen saver, and to restore the screen and continue working, the user would have to enter his or her password. Reaction has been mixed (as I expected), and the usual question has come up: "well, what do other universities do?"

So....
  1. Do you implement a mandatory locking screen saver on your staff and/or faculty computers?
  2. If so, do you do so for all staff/faculty, or just certain groups (and what are those groups)?
  3. If so, how long is your timeout before the screensaver starts?

Thanks,

--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu


Posted by: collinsc on October 4, 2012
We do on all computer systems......admin and instruction.....15 minutes on admin, and we just changed instruction to 30 minutes.... M David Scott <dwscott@FHU.EDU> wrote:
1. Yes, we implement a mandatory locking screen saver on staff computers via Windows Group Policy.
2. We only implement it for departments dealing with financial and sensitive student information (Business office, admissions, etc.)
3. We implement a lockout at 20 minutes.


Posted by: mschalip on October 4, 2012
Weber State University
 
1. Yes, All users must have an auto-locking feature enabled, which requires a password to unlock.
           We do not use the term screen saver, so that power options can satisfy the requirement.
2. We require this on all faculty and staff workstations; exceptions are computer labs, public library systems, e-kiosk etc .
3. We recommend activation after 10 min. of idle time, but the standard is 20 minutes or less.
 
We also recommend that you physically lock your office door (if you have a door) should you leave your work area unattended, or manually lock your system as you leave your work area.
 
louis

On 10/4/2012 at 10:05 AM, in message <CA+d9XAPU22J7=umXcAcJKcXcg1uUNY34tevdjb=Kq2xKBZ1G3g@mail.gmail.com>, David Curry <david.curry@NEWSCHOOL.EDU> wrote:
Greetings,

I'm trying to make the case for implementing a mandatory locking screensaver on our office workstations/laptops (faculty and administrative staff). It would be done in the usual way: after some period (15, 20, 30 minutes TBD) of idle time, the system would invoke the screen saver, and to restore the screen and continue working, the user would have to enter his or her password. Reaction has been mixed (as I expected), and the usual question has come up: "well, what do other universities do?"

So....
  1. Do you implement a mandatory locking screen saver on your staff and/or faculty computers?
  2. If so, do you do so for all staff/faculty, or just certain groups (and what are those groups)?
  3. If so, how long is your timeout before the screensaver starts?

Thanks,

--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu


Posted by: Louis Aponte on October 4, 2012
Message from aperry@murraystate.edu

We recently instituted a Domain-wide 30 minute password-protected screensaver lock for all systems. There was a lot of fight over it until we actually did it. Few people have noticed. :) We plan on decreasing it in 5 minute increments over several months down to 15 minutes. PCI was our overall justification as well.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry@murraystate.edu

***MSU Information Systems staff will never ask for your password or other confidential information via email.***




Posted by: listserv-anon on October 4, 2012
We are currently implementing a requirement for the use of locking screensavers. What I hadn't appreciated is that some screensavers are transparent and so do not hide what is on the screen (for instance OSX has a bubble screen saver that does this).

You may also want to ensure that no transparent screensavers are allowed.

Mark



On 5/10/2012 5:05 a.m., David Curry wrote:
Greetings,

I'm trying to make the case for implementing a mandatory locking screensaver on our office workstations/laptops (faculty and administrative staff). It would be done in the usual way: after some period (15, 20, 30 minutes TBD) of idle time, the system would invoke the screen saver, and to restore the screen and continue working, the user would have to enter his or her password. Reaction has been mixed (as I expected), and the usual question has come up: "well, what do other universities do?"

So....
  1. Do you implement a mandatory locking screen saver on your staff and/or faculty computers?
  2. If so, do you do so for all staff/faculty, or just certain groups (and what are those groups)?
  3. If so, how long is your timeout before the screensaver starts?

Thanks,

--Dave


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu



-- Mark Borrie Information Security Manager, Information Technology Services, University of Otago, Dunedin, N.Z. Ph +64 3 479-8395, Fax +64 3 479-8813
Posted by: markborrie on October 4, 2012
Post a Comment

Research and Publications

Conferences and Events

Career Development

Focus Areas and Initiatives

Connect and Contribute

About EDUCAUSE

Close

 


Current Issue
March/April 2013
EDUCAUSE Review

Publications

Research

Close


Annual Conference
October 15–18, 2013
Save the date!

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

See All Events

Close

EDUCAUSE Institute
Leadership/Management Programs
Explore More

Career Center

Find or Post a Job

Leadership and Management Programs

EDUCAUSE Institute
Advanced Programs
Project Management

 

Fellowships and Awards

Fellowships
Awards Programs

Getting Involved

Mentoring
Volunteer
Speak at an Event

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

Advance Your Career

 

Close

Latest Topics

EDUCAUSE organizes its efforts around three IT Focus Areas

 

Enterprise and Infrastructure

Enterprise and
Infrastructure

Policy and Security

Policy and
Security

Teaching and Learning

Teaching and
Learning

 

Join These Programs If Your Focus Is

Close

From the Blogs
The Role of Campus Leadership in Ensuring IT Accessibility
by
Diana Oblinger

Find Others

Share Ideas

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

Create Your Profile

 

Close

2013 Strategic Priorities

  • Connected Learning
  • Enterprise IT
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.
 

Discover Membership