Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity, or if manually activated by users
• conceals all session content on the screen
• ensures that the screen does not enter a power saving state before the session or screen lock is activated
• requires users to authenticate to unlock the session
• denies users the ability to disable the session or screen locking mechanism.
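The five requirements above are what an auditor has to evidence on each system, and the one that is most often missed is the ordering between the display power-saving timer and the lock timer: a screen that goes dark before the lock engages looks locked but wakes straight into the live session. The following check, added here as an example and not part of the ISM page or any ASD tooling, evaluates a Windows host's settings against the control. It assumes the registry locations written by the Windows "Screen saver" policies (HKCU\Software\Policies\...\Desktop), the "Interactive logon: Machine inactivity limit" policy (HKLM\...\Policies\System\InactivityTimeoutSecs), and the display-off timeout as printed by `powercfg /query SCHEME_CURRENT SUB_VIDEO VIDEOIDLE`; the registry snapshots and powercfg text below are constructed inputs, not captures from a real system.

```python
import re

# Upper bound the control sets on the inactivity timer: 15 minutes.
MAX_IDLE_SECONDS = 15 * 60

# Registry locations used by this check. These are assumptions of the
# example: the paths the Windows "Screen saver" and "Interactive logon:
# Machine inactivity limit" policies are documented to write. The Policies
# hives are not writable by a standard user, which is what makes a lock set
# there one the user cannot disable.
SCREENSAVER_POLICY_KEY = r"HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
INACTIVITY_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Per-user, user-writable location. A lock configured only here can be
# turned off by the user, so it does not satisfy the control.
SCREENSAVER_USER_KEY = r"HKCU\Control Panel\Desktop"

# Lines of interest in `powercfg /query SCHEME_CURRENT SUB_VIDEO VIDEOIDLE`.
_POWERCFG_RE = re.compile(r"Current (AC|DC) Power Setting Index:\s*0x([0-9A-Fa-f]+)")


def parse_video_idle(powercfg_output: str) -> dict:
    """Return {"AC": seconds, "DC": seconds} for the display-off timeout.
    powercfg prints the value in hex; 0 means the display is never turned off."""
    return {m.group(1): int(m.group(2), 16)
            for m in _POWERCFG_RE.finditer(powercfg_output)}


def evaluate_lock_policy(registry: dict, powercfg_output: str) -> list:
    """Check the control's requirements; an empty list means compliant."""
    findings = []
    policy = registry.get(SCREENSAVER_POLICY_KEY, {})
    user = registry.get(SCREENSAVER_USER_KEY, {})
    system = registry.get(INACTIVITY_POLICY_KEY, {})

    # Policy-enforced timers that lock the session (either mechanism is fine).
    timers = []
    inactivity = system.get("InactivityTimeoutSecs")
    if isinstance(inactivity, int) and inactivity > 0:
        timers.append(inactivity)
    if policy.get("ScreenSaveActive") == "1":
        if policy.get("ScreenSaverIsSecure") != "1":
            findings.append("screen saver is enforced but does not require authentication to unlock")
        else:
            timeout = int(policy.get("ScreenSaveTimeOut", "0") or "0")
            if timeout > 0:
                timers.append(timeout)
            else:
                findings.append("screen saver is enforced but has no timeout")

    if not timers:
        if user.get("ScreenSaveActive") == "1" and user.get("ScreenSaverIsSecure") == "1":
            findings.append("lock is set only in the user-writable hive; users can disable it")
        else:
            findings.append("no policy-enforced session lock configured")
        return findings

    lock_after = min(timers)
    if lock_after > MAX_IDLE_SECONDS:
        findings.append(f"lock activates after {lock_after}s, above the {MAX_IDLE_SECONDS}s maximum")

    # The screen must not go dark before the lock engages: a blank but unlocked
    # screen looks locked and wakes straight into the session.
    video = parse_video_idle(powercfg_output)
    if not video:
        findings.append("could not read the display-off timeout from powercfg output")
    for source, seconds in video.items():
        if seconds != 0 and seconds < lock_after:
            findings.append(f"{source}: display turns off after {seconds}s, before the lock at {lock_after}s")
    return findings


# Constructed sample inputs (not captured from a real system).
COMPLIANT_REGISTRY = {
    SCREENSAVER_POLICY_KEY: {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "900"},
    INACTIVITY_POLICY_KEY: {"InactivityTimeoutSecs": 900},
}
POWERCFG_COMPLIANT = """\
    Power Setting: (Turn off display after)
      Current AC Power Setting Index: 0x00000384
      Current DC Power Setting Index: 0x00000000
"""
# Lock timer too long (20 min) and the display blanks on AC power at 5 min.
NONCOMPLIANT_REGISTRY = {
    SCREENSAVER_POLICY_KEY: {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "1200"},
}
POWERCFG_NONCOMPLIANT = """\
      Current AC Power Setting Index: 0x0000012C
      Current DC Power Setting Index: 0x00000000
"""
# Lock present, but only where the user can switch it off again.
USER_ONLY_REGISTRY = {
    SCREENSAVER_USER_KEY: {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "600"},
}

if __name__ == "__main__":
    for name, reg, pc in [("compliant", COMPLIANT_REGISTRY, POWERCFG_COMPLIANT),
                          ("noncompliant", NONCOMPLIANT_REGISTRY, POWERCFG_NONCOMPLIANT),
                          ("user-only", USER_ONLY_REGISTRY, POWERCFG_COMPLIANT)]:
        print(name, evaluate_lock_policy(reg, pc) or "OK")
```

On a real host the registry dictionary would be filled from `Get-ItemProperty` on the three keys and the powercfg text from the command named above; the check deliberately treats a value of 0 for the display timeout as "never", which is the only display setting that can never race the lock.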
Topic: Session and screen locking
Applicable to: all
Priority: must
History
Dec 2022
Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity, or if manually activated by users
• conceals all session content on the screen
• ensures that the screen does not enter a power saving state before the session or screen lock is activated
• requires users to authenticate to unlock the session
• denies users the ability to disable the session or screen locking mechanism.
Language from an existing control relating to session and screen locking was amended to ensure consistency with similar authentication-related controls.
Mar 2022
Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity, or if manually activated by users
• conceals all session content on the screen
• ensures that the screen does not enter a power saving state before the session or screen lock is activated
• requires users to reauthenticate to unlock the session
• denies users the ability to disable the session or screen locking mechanism.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
Jun 2021
Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity, or if manually activated by the user
• conceals all session content on the screen
• ensures that the screen does not enter a power saving state before the session or screen lock is activated
• requires the user to reauthenticate to unlock the system
• denies users the ability to disable the session or screen locking mechanism.
Security control 0428 was amended to note that only session contents need to be concealed (instead of all contents) when a screen is locked (i.e. corporate lock screen backgrounds are acceptable).
Apr 2021
Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user
• completely conceals all information on the screen
• ensures that the screen does not enter a power saving state before the screen or session lock is activated
• requires the user to reauthenticate to unlock the system
• denies users the ability to disable the session or screen locking mechanism.
2017
Agencies must configure systems with a session or screen lock that:
• activates either after a maximum of 15 minutes of user inactivity or if manually activated by the user
• completely conceals all information on the screen
• ensures that the screen does not enter a power saving state before the screen or session lock is activated
• requires the user to reauthenticate to unlock the system
• denies users the ability to disable the session or screen locking mechanism.
Control text changed. No public explanation.
2015
Agencies must configure systems with a session or screen lock which:
• activates either after a maximum of 15 minutes of user inactivity or if manually activated by the user
• completely conceals all information on the screen
• ensures that the screen does not enter a power saving state before the screen or session lock is activated
• requires the user to reauthenticate to unlock the system
• denies users the ability to disable the session or screen locking mechanism.
2010
Agencies must:
• configure systems with a session or screen lock
• configure the lock to activate either:
– after a maximum of 10 minutes of system user inactivity
– if manually activated by the system user
• configure the lock to completely conceal all information on the screen
• ensure the screen is not turned off or enters a power saving state before the screen or session lock is activated
• have the system user reauthenticate to unlock the system
• deny system users the ability to disable the locking mechanism.