15) Do all of your organisation's systems automatically lock after a short period of inactivity (requiring re-authentication)?
Written by Haydn Brooks
Created on March 18, 2019
Modified on July 7, 2020

Answer yes if your organisation’s systems automatically lock after a period of inactivity and require the user to re-authenticate.

All systems that contain confidential data should lock after a period of user inactivity. This protects against a user leaving a system logged in and unattended, which could allow other people to gain unauthorised access to the data.

The length of time a system has to be inactive before locking and requiring re-authentication will depend on the nature of your business, your company’s own individual risk profile, and the risk profile of the systems on which the lock is being implemented.

How to implement the control:

This control typically needs to be configured on a system-by-system basis, or it can be enforced through organisational technical policies (such as Group Policies within your Windows Active Directory).

For cloud-based services (such as SaaS tools), ensure that the system logs inactive users out within a known and acceptable amount of time.

For on-premises solutions, instruct your IT team to ensure the systems are configured to require re-authentication after a user has been inactive for an agreed amount of time.

For endpoints, the screen lock should be implemented after a period of 5 minutes of inactivity (or less) to prevent unauthorised users from gaining access to unattended systems.
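As an added example (not part of this article), the following PowerShell check lets an administrator confirm that a Windows endpoint meets the 5-minute lock described above, whether the setting comes from Group Policy, the user's own screen saver settings, or the machine inactivity limit. The function name and the MaxIdleSeconds parameter are this example's own.

```powershell
# Added audit example (not from the original article). Run as the interactive user.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-InactivityLock {
    # MaxIdleSeconds is this example's own parameter; 300 s matches the article's 5 minutes.
    param([int]$MaxIdleSeconds = 300)

    $policy  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $user    = 'HKCU:\Control Panel\Desktop'
    $machine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # A Group Policy value overrides the user's own setting, so read the policy key first.
    $active  = Get-RegValue $policy 'ScreenSaveActive'
    if ($null -eq $active)  { $active  = Get-RegValue $user 'ScreenSaveActive' }
    $secure  = Get-RegValue $policy 'ScreenSaverIsSecure'
    if ($null -eq $secure)  { $secure  = Get-RegValue $user 'ScreenSaverIsSecure' }
    $timeout = Get-RegValue $policy 'ScreenSaveTimeOut'
    if ($null -eq $timeout) { $timeout = Get-RegValue $user 'ScreenSaveTimeOut' }

    # "Interactive logon: Machine inactivity limit" locks the session independently of
    # the screen saver; either mechanism satisfies the control.
    $machineLimit = Get-RegValue $machine 'InactivityTimeoutSecs'

    # A screen saver only counts if it is enabled, password protected (re-authentication)
    # and fires within the allowed idle time.
    $screenSaverOk = ($active -eq '1') -and ($secure -eq '1') -and ($null -ne $timeout) -and
                     ([int]$timeout -gt 0) -and ([int]$timeout -le $MaxIdleSeconds)
    $machineOk = ($null -ne $machineLimit) -and ([int]$machineLimit -gt 0) -and
                 ([int]$machineLimit -le $MaxIdleSeconds)

    [pscustomobject]@{
        ScreenSaverActive     = $active
        ScreenSaverIsSecure   = $secure
        ScreenSaverTimeoutSec = $timeout
        MachineInactivitySec  = $machineLimit
        Compliant             = ($screenSaverOk -or $machineOk)
    }
}

Test-InactivityLock -MaxIdleSeconds 300 | Format-List
```

A result of Compliant = False with ScreenSaverIsSecure empty or 0 means the screen saver starts but does not require re-authentication, which does not satisfy the control.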

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.