IT Baseline Protection Manual S 4.2 Screen Lock

S 4.2 Screen Lock

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT users

"Screen lock" refers to a facility that conceals the information currently displayed on the screen. So that access to an IT system is reliably prevented during a short absence of the IT user, it should only be possible to deactivate a screen lock after successful user authentication, i.e. following entry of a password.

It should be possible for the user to activate the screen lock manually. In addition, the screen lock should be automatically initiated after a predefined period of inactivity. All users should be made aware of the need to activate the screen lock when they leave their workstation for a short period. If a user is to be away from the workstation for an extended period, he should log off.

The period after which a screen lock is activated due to a lack of user inputs should be neither too short nor too long. If it is too short, the screen lock may be triggered while the user has merely paused for thought. On the other hand, if the period is too long, then a third party could exploit the absence of the user. A reasonable period to set is a time interval of 15 minutes. The IT Security Management Team should specify how the delay should be defined so as to satisfy the security requirements of the IT systems concerned and their operational environment.

Most operating systems come supplied with screen lock facilities. When these are used, care must be taken to ensure that they are configured so that input of a password is required.

A password-supported screen lock is offered in Microsoft Windows 3.x as a screen saver. However, the documentation points out that if the current application is not a Windows application, the screen saver will not be activated automatically, regardless of whether the application is executed in a window, from the MS-DOS command line or has been iconised. Under Windows 95, on the other hand, the screen saver is also automatically activated for DOS applications. Apart from Microsoft Windows, there are other products offering password-supported screen savers. Before employing such products, it is necessary to check whether the screen lock will work under all applications.

Under UNIX, a screen lock can be activated with programs such as lock; under X-Windows, the same result can be achieved with lockscreen.

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: October 2000