Subcontrol 16.11

[adammontville]

Automatically lock workstation sessions after a standard period of inactivity.

Measures

M1 =# of workstation with locking enabled(Model driven, data driven)
M2 = # of workstation(Model driven, data driven)

Metrics/KEI

Enforcement Quality = M1/ M2
The same KEI can be measured with active testing

No explicit comment, other than that this is covered in most, if not all, benchmarks.

[apiperCIS]

Question for UNCC: The proposed measure does not take into account the time period. It should factor in more than just whether locking is enabled, but also if the locking is set for an acceptable period of time.

[wmunyan]

Inputs:

• List of workstations which have enabled automatic workstation locking
• List of workstations
• The workstation configuration policy establishing the organization's workstation locking time threshold

Operations:

• For each workstation with locking enabled, collect the locking time threshold
• Collect the list of workstations whose locking time threshold exceeds the value specified by Input 3

Measures:

• M1 = Number of workstations which have enabled automatic workstation locking
• M2 = Number of workstations which have enabled automatic locking exceeding the organization's threshold (the count from Operation 2).
• M3 = Number of workstations

Metrics:

• M2/M1 = Ratio of workstations with locking enabled outside the threshold
• M3 - M1 = Number of workstations without automatic locking enabled