IITS Standard: Screen Saver Timeout


Information Security Standards are developed to support and enforce the California Community College Information Security Standard and all applicable District Administrative Regulations.

Screen Saver Timeout

All District workstations, laptops, tablets, and servers shall be configured with a 15-minute screen-saver lock, which requires a password in order to reestablish access.

NIST Requirements

The U.S. Department of Education requires compliance with the Gramm-Leach-Bliley Act (GLBA), which, in turn, requires colleges to protect student records and information by following recommendations set out in NIST SP 800-171. This particular publication is a streamlined version of the overarching NIST SP 800-53, and focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems.

NIST SP 800-171 has two specific requirements relevant to automatic session locking. The Department of Defense (DoD) Security Technical Implementation Guides (STIGs) quoted under each requirement below provide the specific implementation language.

3.1.10
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

The operating system must initiate a session lock after a 15-minute period of inactivity.

A screensaver must be enabled and set to require a password to unlock. The timeout should be set to fifteen minutes of inactivity. This mitigates the risk that a user might forget to manually lock the screen before stepping away from the computer. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user’s session has idled and take action to initiate the session lock.

The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

A default screensaver must be configured for all users, as the screensaver will act as a session time-out lock for the system and must be one that conceals the contents of the screen from unauthorized users. The screensaver must not display any sensitive information or reveal the contents of the locked session screen. Publicly viewable images can include static or dynamic images such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen.

3.1.11
Terminate (automatically) a user session after a defined condition.

The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.

Users must be prompted to enter their passwords when unlocking the screensaver. The screensaver acts as a session lock and prevents unauthorized users from accessing the current user’s account.
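The three STIG statements above (lock after 15 minutes of inactivity, retain the lock, and require the password to clear it) map onto a handful of desktop settings. The following script is an added example written for this page; it is not part of the District standard or of any STIG. It audits a GNOME dconf keyfile of the kind placed in /etc/dconf/db/local.d/ together with its locks file, using the real keys org.gnome.desktop.session idle-delay and org.gnome.desktop.screensaver lock-enabled / lock-delay. The sample keyfiles are constructed inline; the file names, the 5-second ceiling on lock-delay, and the choice to treat an unlocked key as a finding are the editor's assumptions. It does not check the "publicly viewable image" requirement, which concerns what the lock screen shows rather than when it engages.

```shell
#!/bin/sh
# Added example, not part of the District standard or any STIG: audit a GNOME
# dconf keyfile (the kind dropped into /etc/dconf/db/local.d/) plus its locks
# file against the session-lock requirements quoted above. The sample files
# below are constructed; file names and the 5 s lock-delay ceiling are assumptions.

# Print the value of KEY ($3) under [SECTION] ($2) in keyfile $1, with any
# "uint32 " type prefix stripped. Prints nothing if the key is absent.
keyfile_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $0 ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/^uint32[ \t]+/, "")
            sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# True if $1 is a non-negative integer (how dconf uint32 values come out).
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# True if locks file $1 lists dconf path $2. Without a lock the value is only
# a default and a user can override it with gsettings or the Settings app.
is_locked() { grep -qx "$2" "$1" 2>/dev/null; }

# Audit keyfile $1 and locks file $2 (default: none). Prints one FAIL line per
# finding and returns 0 only when every check passes.
audit_screensaver() {
    kf=$1; locks=${2:-/dev/null}; rc=0
    idle=$(keyfile_get "$kf" org/gnome/desktop/session idle-delay)
    lock=$(keyfile_get "$kf" org/gnome/desktop/screensaver lock-enabled)
    delay=$(keyfile_get "$kf" org/gnome/desktop/screensaver lock-delay)

    # 3.1.10: the screensaver must engage within 15 minutes; 0 means "never".
    if ! is_uint "$idle" || [ "$idle" -eq 0 ] || [ "$idle" -gt 900 ]; then
        echo "FAIL idle-delay=${idle:-unset} (want 1..900 seconds)"; rc=1
    fi
    # 3.1.11: clearing the lock must require the user's password.
    if [ "$lock" != "true" ]; then
        echo "FAIL lock-enabled=${lock:-unset} (want true)"; rc=1
    fi
    # The lock should follow the screensaver at once; a long lock-delay leaves
    # the session reachable after the screen has already blanked.
    if ! is_uint "$delay" || [ "$delay" -gt 5 ]; then
        echo "FAIL lock-delay=${delay:-unset} (want 0..5 seconds)"; rc=1
    fi
    # Settings that are not locked are defaults, not enforced policy.
    for path in /org/gnome/desktop/session/idle-delay \
                /org/gnome/desktop/screensaver/lock-enabled \
                /org/gnome/desktop/screensaver/lock-delay; do
        is_locked "$locks" "$path" || { echo "FAIL $path not in locks file"; rc=1; }
    done
    return $rc
}

# --- Constructed samples (not real District configuration) ---------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Weak: 30-minute blank, lock never engages, nothing locked against override.
WEAK_KEYFILE=$SAMPLE_DIR/00-screensaver-weak
cat > "$WEAK_KEYFILE" <<'EOF'
[org/gnome/desktop/session]
idle-delay=uint32 1800

[org/gnome/desktop/screensaver]
lock-enabled=false
EOF
WEAK_LOCKS=/dev/null

# Hardened: 15-minute idle, immediate password lock, keys locked down.
GOOD_KEYFILE=$SAMPLE_DIR/00-screensaver
cat > "$GOOD_KEYFILE" <<'EOF'
[org/gnome/desktop/session]
idle-delay=uint32 900

[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 0
EOF
GOOD_LOCKS=$SAMPLE_DIR/screensaver-locks
cat > "$GOOD_LOCKS" <<'EOF'
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-enabled
/org/gnome/desktop/screensaver/lock-delay
EOF

echo "== weak ==";     audit_screensaver "$WEAK_KEYFILE" "$WEAK_LOCKS" || echo "NON-COMPLIANT"
echo "== hardened =="; audit_screensaver "$GOOD_KEYFILE" "$GOOD_LOCKS" && echo "COMPLIANT"
```

On a live GNOME host the same three values can be read for the logged-in user with `gsettings get org.gnome.desktop.session idle-delay` and `gsettings get org.gnome.desktop.screensaver lock-enabled` (and `lock-delay`), which is a useful cross-check that the keyfile was actually compiled into the dconf database with `dconf update`. The locks check is the part most audits skip: a keyfile alone sets a default, and only a matching entry in the locks directory stops a user from raising the timeout back to an hour.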

Exceptions

If it is determined that this standard imposes an undue burden on a specific business process, the department in question must submit a formal business justification to the Office of Information Security explaining why the standard is unreasonable, together with an appropriate alternative measure. The alternative measure must provide protection equivalent to that afforded by the standard.