Introduction:
Ensuring the security of unattended user equipment is crucial for preventing unauthorized access, data loss, and corruption.
Organizations need to have a policy and procedures in place to manage the security of unattended user equipment.
ISO 27001:2013 provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
One of the controls in the A.11.2.8 section of the standard requires organizations to have a policy and procedures for managing unattended user equipment. In this article, we will discuss the key elements of this control and provide a checklist for organizations to evaluate their compliance with this control.
Sample Checklist:
- Define the idle time: Define the maximum amount of idle time for active user sessions before they are suspended or terminated. This definition should consider the risks of unauthorized physical access to active/logged-on devices.
- Password-protected screen locks: Ensure that screen locks are password-protected to prevent unauthorized access to the device. This policy should apply to all servers, desktops, laptops, smartphones, and other ICT devices.
- Termination of applications: Ensure that applications are suspended or terminated before the device is suspended or terminated to avoid data loss or corruption.
- Exceptions: Risk-assess any exceptions and authorize them as policy exemptions by management.
- Compliance check: Regularly check and enforce compliance with the policy and procedures for managing unattended user equipment.
Conclusion:
Managing unattended user equipment is crucial for maintaining the security of an organization’s information.
Organizations need to have a policy and procedures in place for managing unattended user equipment, including defining the idle time, ensuring password-protected screen locks, terminating applications before the device is suspended, risk-assessing any exceptions, and regularly checking compliance.
By following the checklist provided in this article, organizations can evaluate their compliance with this control and take appropriate measures to improve their information security management system.