screensaver timeout standard

By eosrebelx
My company is looking to implement a standard for screensaver timeout. What I am looking for is hardcore information in regards to what other companies have as their standard. If anyone can give me a site with other company standards or security sites with suggested timeout.

Varies greatly

by JamesRL In reply to screensaver timeout stand ...

Some security conscious firms I have been with have used as little as 5 minutes. One global firm I was with used 15 minutes, and would bend it to 30 minutes on request.

Not sure you will find these things published. Companies tend not to share that kind of information.

You have to determine what's right for your business. If you have sensitive information on the screen all the time, 30 seconds may be annoying, but appropriate. If you are just working with non-proprietary information, then 15 minutes (time it takes to get a coffee) may be enough.

James

We use 5 minutes

by johnsmith In reply to screensaver timeout stand ...

We have a policy in place that forces password protection on the screensaver with a timeout of 5 minutes. We are a financial org with a large amount of sensitive client financial data.

This looks very good on a security audit, by the way.

Thanks. Any sites?

by eosrebelx In reply to We use 5 minutes

Thanks for your input. Do you know of any security sites that might have suggested timeout time? I got some info from cert.org and DISA but that is about it.

A couple

by johnsmith In reply to Thanks. Any sites?

You might look at ciac.org, sans.org, nsa.gov, and policy.nrcs.usda.gov. Several higher education institutions have published their guidelines as well. There does not appear to be a hard and fast rule, or even a Best Practices recommendation; just whatever your organization is comfortable with. Physical security is a factor; generally the timeout time should be lower as the level of physical access increases. Logical access is also a consideration; how much access does the user have to information/systems?

We basically took the lowest comfort level timeout for the highest level users (within reason; some wanted 1 minute!) and made it the company standard. We also cycle our breaks within a given department so no machine is left unattended (out of view of an on-duty employee).
