Establish, implement, and maintain a locking screen saver policy.


CONTROL ID
06717
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain end user computing device security guidelines., CC ID: 00719

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • completely conceals all information on the screen (Security Control: 0428; Revision: 6; Bullet 2, Australian Government Information Security Manual, March 2021)
  • Access to consoles in sensitive areas is restricted via locking when not in use. (9.2.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Observe a system administrator's attempt to log into consoles in sensitive areas and verify that they are "locked" to prevent unauthorized use. (9.2.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Access to consoles in sensitive areas is restricted via locking when not in use. (9.2.4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Access to consoles in sensitive areas is restricted via locking when not in use. (9.2.4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configure screen locks on systems to limit access to unattended workstations. (Control 16.5, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • BYOD and/or company owned devices shall require an automatic lockout screen, and the requirement shall be enforced through technical controls. (MOS-14, Cloud Controls Matrix, v3.0)
  • Configure all relevant interactive-use endpoints to require an automatic lock screen. (UEM-06, Cloud Controls Matrix, v4.0)
  • Is there a policy on using locking screen savers on unattended system displays or locks on consoles inside the data center? (§ F.2.23, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • Does the password policy for systems that transmit scoped systems and data include a policy to lock (using key lock or equivalent control) when systems are unattended? (§ H.4.1.9, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that process scoped systems and data include a policy to lock (using key lock or equivalent control) when systems are unattended? (§ H.4.1.9, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Does the password policy for systems that store scoped systems and data include a policy to lock (using key lock or equivalent control) when systems are unattended? (§ H.4.1.9, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Users shall directly initiate a session lock to prevent inadvertent viewing when the device is unattended. (§ 5.5.5, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The organization should implement a session lock mechanism that places a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. (App F § AC-11(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. (AC-11(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. (AC-11(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. (AC-11(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)