To: Engineering Faculty, Staff, and Students
Subject: Password-Protected Computer Screen Savers as a Security Measure
All computers at Purdue should be configured such that a password-protected screen saver runs after 15 minutes or less of idle time.
A password-protected screen saver was set on Purdue IT-maintained Linux computers before June 20, 2007.
Purdue IT will be enforcing this on supported PCs running Windows.
People who administer their own computers (including laptops) are expected to comply with these guidelines. Some useful sites are listed below:
If you would like more information about these guidelines and policies, please read on.
In response to questions and comments relating to the automatic password-protected screen saver policy, the Purdue Internal Audit Office states: "... as a governmental unit subject to the requirements established by the Indiana State Board of Accounts (SBOA), Purdue University must adhere to the SBOA's recommendations for logical security requirements. These requirements specify that, for inactive terminals, the user must be automatically prevented from accessing the computer after 15 minutes of no activity until the user's password is entered.
Since the computer resources at Purdue have significant value and our students and the citizens of Indiana expect us to be good stewards of these resources, we strive to take all reasonable precautions to protect them. The University's security guidelines call for you to lock the workstation whenever it is left unattended. Consider the 15-minute screen saver and password requirement to be a safety net to help prevent inappropriate access. It is hard to make a case that the additional time to type a few keystrokes is an unreasonable burden."
We recognize that the auto-lock feature introduces a certain level of inconvenience as we interact with computing resources on a daily basis. However, Purdue has a very clear policy in this regard. Under the Log-in Process section of the Information Security Standards on the SecurePurdue website, it states: "It is expected that any user of one of these devices will activate a lock facility prior to leaving the machine unattended."
Further, Purdue's IT Security & Policy group here on campus has established a best-practice policy recommending that the system be forced to lock after a given time of inactivity. It states that the default is 15 minutes, but that it is advisable to set it to less than 15 minutes.
It is therefore prudent that we continue implementing the 15-minute automatic password-protected screen saver mechanism if we are to comply with Purdue's security standards, recommendations, and best practices.