Screen Lock Out Times - 15 Minute Maximum
Brief Summary
For typical office workstations, Information Technology cannot set a screen lock timeout longer than 15 minutes without a documented accessibility need or other exceptional circumstance.
Questions regarding this policy are addressed below. Any unaddressed concerns can be directed to the office of IT-Information Security.
Screen Sleep/Lock Timers, and Why They Max-Out at 15 Minutes
Screen Lock Timers
Computers maintain a timer that decides whether to stay unlocked for use (e.g. when you are writing on paper for a few minutes while remaining at your computer) or to lock and require a password or other security measure before resuming operation.
This timer, referred to as a timeout timer, idle lock timer, lockout timer, or by many other informal terms, is the subject of this document.
Why these timers max out at 15 minutes in typical cases
Regulations; NIST standards; other guidelines from regulators & security experts
State auditors and the federal government have both demanded that screens lock after 15 minutes — or even faster, in many cases!
These decisions are influenced by input provided by industry experts and ultimately result in policies that UNI is responsible for enforcing.
Information Technology personnel are not experts on disabilities
IT cannot make accommodations without deferring to appropriate personnel from other units within UNI.
In the event an accessibility need of yours warrants an increased lockout timer, that need should be documented with Student Accessibility Services or Human Resource Services.
Once documented appropriately, Information Technology may proceed with implementing an appropriate accommodation based on their findings.
In particular, the following standards from the National Institute of Standards and Technology apply to our screen lock timeout rules: NIST 800-53 and 800-171.*
These are relevant because they apply to confidential data which isn't classified, of which student data is one of the principal examples.
The security of student data, most data pertaining to federal grants, and compliance with PCI DSS (credit card processing) rules and HIPAA (healthcare) rules all factor into the final number that UNI must enforce.
Handling of student data, data relating to grants, and so on, is routine for UNI personnel — as such, the Center for Internet Security sets an ultimate value of 15 minutes, at most, for UNI workstations to lock themselves in the event they sit idle.
This maximum timeout is applied UNI-wide to all workstations, with some devices and computers having a timeout applied which is stricter, and shorter still.
*The rules within 800-53 and 800-171 may, and frequently do, reference other NIST standards. 800-53 and 800-171 are not necessarily the only applicable NIST standards, but they are the top-level, encompassing standards relevant to this matter.
Leaving a workstation unattended
It is noteworthy that these same rules also require personnel to lock their computer if they will be leaving their workstation unattended.
The keyboard shortcut in Windows to quickly lock a workstation is to hold the Windows key and press L. (Win + L)
The keyboard shortcut in macOS is to hold Control and Command, and press Q. (Ctrl + Cmd + Q)
Closing notes from your IT support staff
Bear in mind that we all at UNI are in the same boat with this – Information Technology included.
Many individual staff members within IT would be personally satisfied by longer timeout timers, but it is our responsibility, and our obligation as stewards of students' data [among other things], to enforce appropriate measures to keep data secure.
According to the standards accepted for data security in the broader IT industry and within higher education, the 15-minute timeout is considered appropriate and applies to all UNI workstations, IT workstations included.
If you have any questions or concerns with regard to this after reading the information provided above, please direct them to IT-Information Security.