S 3.18 Log-out obligation for PC users

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: User

If an IT system or an IT application is used by several users and each user possesses different access rights to the data or programs stored there, an access control system will only provide the necessary protection if every user logs out after finishing his/her task on the IT system. If it is possible for a third party to work on an IT system or in an IT application using someone else's identity, then it is impossible to perform any type of reasonable access control. For this reason, all users must be obliged to log out of the IT system or IT application after completing their tasks. For technical reasons (for example to close all open files), rules should be created for logging out of IT systems and IT applications if access control has not been implemented.

If absence from the PC is likely to be of only short duration, the screen lock can be activated manually instead of logging out of the system (see also S 4.2 Screen lock). If the absence is longer, the screen lock should activate automatically.

Some IT systems and IT applications provide the possibility to define an inactivity time period. In this case, the user is automatically logged out of the system after the inactivity time has expired. Using this method should be carefully considered since it can also lead to data loss. For example, automatic logout can be used in PC pools frequently used by many different people because it is possible for a user who is logged in to a workstation to block it without permission using the screen lock function.

Depending on the workstation environment, consideration should be given to the precautions to take for short-term absences of users. For example, the screen lock should be automatically activated faster (after only 5 minutes, for example) in multiple user systems than in systems used by only one user.

Review questions:

• Are all users obligated to log out of the IT system or from the application when their tasks are completed?
• Are technical procedures (e.g. automatic activation of the screen lock) implemented to prevent undesired changes of users using the same user ID in case of short absences while working on the IT system?