RE: Best Practice for Screen Savers
From: Ron Boyer (ronboyer@gra.midco.net)
Date: 09/13/02
- Previous message: Johannes Ullrich: "Re: ipchains"
- Maybe in reply to: Chris Hylen: "Best Practice for Screen Savers"
- Next in thread: Chris Berry: "RE: Best Practice for Screen Savers"
From: Ron Boyer <ronboyer@gra.midco.net> To: security-basics@securityfocus.com Date: 12 Sep 2002 17:14:18 -0500
Greetings list,
A company I recently worked for utilized the 'policy' of locking
terminals for breaks, lunches, etc. At the end of the day, most users
shut their terminals down. Locking of the terminal was permitted, but
monitors were shut off to conserve energy.
In regards to firing people for forgetting to log out of (or lock) their
computer, I cannot recall any users repeatedly disregarding this policy
once users were educated/informed and the policy was enforced.
For my company, the policy worked well and was enforced as follows:
1. All employees were informed of the new policy, either by attending a
meeting (with recorded attendance) or by 'written policy.' If a user was
informed of the policy by reading the written version of the policy,
they signed the policy, along with their supervisor/manager (read =
superior) to verify that they were informed of said policy.
2. Users were given a fair number of warnings/reminders (approximately
10, depending upon frequency of violation) before any action was taken
for not following said policy. These violations were recorded by system
administrators.
3. Users with repeated violations of the policy had their superior
notified, and it was then expected of the supervisor to give a verbal
warning to the user.
4. Further violations led to a written warning for each account, which
are all signed by the user and the user's 'superior'.
5. Termination of employment was to be expected upon the third violation
of the policy... however, termination was decided on a case by case
basis. Frequency of violation was a big factor concerning this policy.
Again, I know of no one personally that was fired because of this policy
alone, and my location employed over 500 people.
I don't know if this will work in your situation or not, but this policy
worked well for my company.
As for screen savers, they were disabled for our users. Although I am
not recommending disabling all screen savers, I agree with Richard and
prefer the 'locking' policy over implementing any screen saver methods.
Further, I found it to be a good idea to stress that the enforcement of
this policy was a security measure taken to encompass and affect the
entire company as a whole, and was implemented for the security of the
company and its customers/business partners, rather than just a method
of protection for users to protect themselves.
Best regards,
Ron Boyer
On Wed, 2002-09-11 at 12:45, Tim V - DZ wrote:
> Totally agreed, but how do you enforce such a policy? Firing people for
> forgetting to log out or lock their computer is a tad harsh for most
> companies I would imagine. With a screen saver policy set on the domain
> (possibly set to use logoff.scr with the "terminate applications" regkey
> set) you can at least catch the people that "forget." And then the
> station is only vulnerable for 10 minutes, instead of the next morning
> at 8 when they come back.
>
> -t
>
> -----Original Message-----
> From: rsieber@web.de [mailto:rsieber@web.de]
> Sent: Tuesday, September 10, 2002 11:55 PM
> To: security-basics@securityfocus.com
> Subject: RE: Best Practice for Screen Savers
>
> Hi Chris,
>
> I don't prefer ss-policies! IMHO 10 minutes are too long
> when sb leaves the computer but is too short for working.
> For these reasons we have the policy that everybody has
> to lock his computer when leaving!
>
> Robert
>
> > -----Original Message-----
> > From: Chris Hylen [mailto:chris.hylen@unigard.com]
> > Sent: Tuesday, September 10, 2002 7:00 PM
> > To: security-basics@securityfocus.com
> > Subject: Best Practice for Screen Savers
> >
> >
> > Security Pros-
> >
> > I am looking for any best practice info or case studies on what to
> > set my company's screen saver password timeout to. It is currently 10
> > minutes and I want to know if this is reasonable or if it is too
> > stringent.
> > Any comments welcome.
> >
> > Thanks,
> >
> > -Chris
> >