S 4.2 Screen lock
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User
A screen lock makes it possible to conceal the information currently displayed on the screen. So that access to an IT system is reliably prevented during a short absence of the IT user, it should only be possible to disable the screen lock after successful user authentication, i.e. after entry of a password.
It should be possible for the user to activate the screen lock manually. In addition, the screen lock should be automatically initiated after a predefined period of inactivity. All users should be made aware of the need to activate the screen lock when they leave their workstation for a short period. If users leave the workstation for a longer time, they should log out.
The period after which the screen lock is activated due to a lack of user input has to be kept within certain limits. It should not be too short, otherwise the screen lock will be activated after a short pause for thought. Under no circumstances, however, may it be too long, otherwise a third party could exploit the absence of the user. A reasonable setting is 15 minutes. The IT Security Management Team should specify how the waiting period is to be set so as to satisfy the security requirements of the IT systems concerned and their operational environment.
Most operating systems already feature screen locks. If these are used, it has to be ensured that the password prompt is enabled.
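As an added illustration of how the three requirements above (automatic lock after an inactivity period within bounds, password prompt enabled, lock actually active) can be audited, the following script is not part of the safeguard text; it parses a constructed fragment in the format of a Windows `reg export` of the per-user desktop settings and reports deviations. The registry value names, the 300-second floor and the use of 15 minutes (900 s) as the ceiling are assumptions for this example.

```python
import re

# Constructed sample in the format written by `reg export`, covering the per-user
# desktop values that govern the Windows screen saver lock (assumed to be the
# relevant ones): here the lock is active, but no password is required on resume
# and the inactivity period is one hour.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="3600"
"""

DESKTOP_KEY = r"[HKEY_CURRENT_USER\Control Panel\Desktop]"
MIN_TIMEOUT = 300   # assumed policy floor: do not lock during a short pause for thought
MAX_TIMEOUT = 900   # policy ceiling: the 15 minutes the safeguard calls reasonable


def parse_desktop_values(reg_text):
    """Return the "name"="value" pairs found under the desktop key of a .reg export."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # section header: track whether we are in the key of interest
            in_key = (line == DESKTOP_KEY)
            continue
        m = re.fullmatch(r'"([^"]+)"="([^"]*)"', line)
        if in_key and m:
            values[m.group(1)] = m.group(2)
    return values


def audit_screen_lock(values, min_timeout=MIN_TIMEOUT, max_timeout=MAX_TIMEOUT):
    """Check the safeguard's requirements; return a list of findings (empty means compliant)."""
    findings = []
    if values.get("ScreenSaveActive") != "1":
        findings.append("automatic screen lock is not enabled")
    if values.get("ScreenSaverIsSecure") != "1":
        findings.append("password prompt on resume is not enabled")
    try:
        timeout = int(values.get("ScreenSaveTimeOut", ""))
    except ValueError:
        findings.append("inactivity period is not set")
    else:
        if timeout < min_timeout:
            findings.append(f"inactivity period {timeout}s is shorter than {min_timeout}s")
        elif timeout > max_timeout:
            findings.append(f"inactivity period {timeout}s exceeds {max_timeout}s")
    return findings


if __name__ == "__main__":
    for finding in audit_screen_lock(parse_desktop_values(SAMPLE_REG_EXPORT)):
        print("FINDING:", finding)
```

On a real system the same check would be fed the output of `reg export "HKCU\Control Panel\Desktop"` rather than the embedded sample.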
Review questions:
- Is there a PC guideline that addresses security safeguards, scope and legal provisions as well as internal provisions, responsibilities, roles and contacts?
- Do all employees know of and use the manual screen lock?
- Is a period for the automatic screen lock defined that takes both user and security needs into account?
- If the operating system does not feature a screen lock: Is the screen lock implemented by other means?