16) For how many minutes does a user have to be inactive before the system is locked?
IT Operations Screen Lock System Lock
Written by Haydn Brooks
Created on March 18, 2019
Modified on July 7, 2020

How long (in minutes) must a user be inactive before the system locks? If the period varies between systems, enter the highest value and list the others in the notes. If no screen lock is implemented, enter 0 (zero).

All systems that hold confidential data should lock after a period of user inactivity. This protects against a user leaving a system logged in and unattended, which could allow other people to gain unauthorised access to the data.

The length of time a system must be inactive before it locks and requires re-authentication will depend on the nature of your business, your company's own risk profile, and the risk profile of the systems on which the lock is implemented. Assess the risk for each system and choose a period that appropriately mitigates that risk.

When answering this control, if different systems are configured with different periods of inactivity before the lock takes effect, enter the highest value. Shorter periods, together with the systems they apply to, can be listed in the notes.

How to implement the control:

This control typically needs to be configured on a system-by-system basis, or it can be enforced through organisational technical policies (such as Group Policies within your Windows Active Directory).

For cloud-based services (such as SaaS tools), ensure that the system logs inactive users out within a known and acceptable amount of time.

For on-premises solutions, instruct your IT team to ensure the systems are configured to require re-authentication after a user has been inactive for an agreed amount of time.

For endpoints, the screen lock should take effect after 5 minutes of inactivity (or less) to prevent unauthorised users from gaining access to unattended systems.
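As an added example (not part of the original article or Risk Ledger's own tooling), the PowerShell script below audits a Windows endpoint's inactivity lock configuration and reports the value you would enter for this control. It reads the two documented registry locations that the relevant Group Policy settings write to: the machine-wide "Interactive logon: Machine inactivity limit" (InactivityTimeoutSecs) and the per-user screen-saver policy (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut). The 5-minute threshold and the function names are this example's own choices; the script assumes it is run in an elevated session on the host being checked.

```powershell
# Added example: audit the inactivity lock on a Windows endpoint and compare it
# with the article's 5-minute recommendation. Registry paths are the documented
# targets of the Group Policy settings named in the lead-in.

$MaxMinutes = 5   # article's recommendation for endpoints: lock after 5 minutes or less

function Get-InactivityLockConfig {
    # Machine-wide inactivity limit in seconds; 0 or absent means "not configured".
    $machinePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $machineSecs = (Get-ItemProperty -Path $machinePath -Name 'InactivityTimeoutSecs' `
                    -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # Screen-saver policy for the current user; these values are stored as strings.
    $userPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ss = Get-ItemProperty -Path $userPath -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MachineInactivitySecs  = if ($machineSecs) { [int]$machineSecs } else { 0 }
        ScreenSaverActive      = ($ss.ScreenSaveActive -eq '1')
        ScreenSaverSecure      = ($ss.ScreenSaverIsSecure -eq '1')   # "On resume, display logon screen"
        ScreenSaverTimeoutSecs = if ($ss.ScreenSaveTimeOut) { [int]$ss.ScreenSaveTimeOut } else { 0 }
    }
}

function Get-EffectiveLockMinutes {
    param([Parameter(Mandatory)] $Config)
    # Only count mechanisms that actually require re-authentication on resume.
    $candidates = @()
    if ($Config.MachineInactivitySecs -gt 0) { $candidates += $Config.MachineInactivitySecs }
    if ($Config.ScreenSaverActive -and $Config.ScreenSaverSecure -and $Config.ScreenSaverTimeoutSecs -gt 0) {
        $candidates += $Config.ScreenSaverTimeoutSecs
    }
    if ($candidates.Count -eq 0) { return 0 }   # no enforced lock: the control answer is 0

    # The shortest configured timeout is the one that takes effect on this host.
    $shortest = ($candidates | Measure-Object -Minimum).Minimum
    return [int][math]::Ceiling($shortest / 60)
}

$config  = Get-InactivityLockConfig
$minutes = Get-EffectiveLockMinutes -Config $config
$config | Format-List

if ($minutes -eq 0) {
    Write-Warning "No inactivity lock is enforced on this host; answer 0 for this control."
} elseif ($minutes -gt $MaxMinutes) {
    Write-Warning "Lock after $minutes minutes exceeds the $MaxMinutes-minute endpoint recommendation."
} else {
    Write-Output "Lock after $minutes minutes meets the $MaxMinutes-minute endpoint recommendation."
}
```

The script reports the shortest enforced timeout because that is the value that actually locks the host; when compiling the questionnaire answer across many endpoints, take the highest of these per-host results, as the control text asks. Fleet-wide, the same settings are pushed through Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options (Interactive logon: Machine inactivity limit) and the User Configuration > Administrative Templates > Control Panel > Personalization screen-saver settings, rather than by editing the registry by hand.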

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.