Standards Group:
YALE-MSS-7: Data Protection
YALE-MSS-7.9: Use inactivity locks
Low Risk Endpoint
Not Required
Moderate Risk Endpoint
Required
High Risk Endpoint
Required
Low Risk Server
Not Required
Moderate Risk Server
Required
High Risk Server
Required
Low Risk Mobile Device
Not Required
Moderate Risk Mobile Device
Required
High Risk Mobile Device
Required
Low Risk Network Printer
Not Required
Moderate Risk Network Printer
Required
High Risk Network Printer
Required
Details
Inactivity locks help prevent unauthorized physical access to a system or mobile device.
When a user steps away from their system/device, an inactivity lock can secure their session from unauthorized physical access.
On the system or mobile device employed by a user, an inactivity screen lock should automatically disable access and require a password to unlock. The system must lock after 45 minutes or less of inactivity.
If the system/device is located in a Critical IT Space that implements the physical security controls outlined in Yale-MSS-4.1, it does not need a screen lock and no policy exception is required.