On 20/01/2011 13:12, Adam Tauno Williams wrote:
> On Thu, 2011-01-20 at 11:05 +0000, John Hodrien wrote:
>> An account is a personal account that should not be shared.
> +1
>
> Also, at least in the United States, locking a PC / workstation after 15
> minutes of idle is a requirement of PCI/DSS - which your company almost
> certainly agreed to if you process credit card or other payment
> information. HIPAA, FERPA, and friends have similar requirements /
> strong recommendations.
>
> Ask a competent lawyer and he'll/she'll tell you to lock unattended
> workstations.
>
> This has nothing to do with auditing the access to or usage of data -
> that is a separate issue.

Yes, what you mention then becomes a legal compliance issue.

Note, however, that many small companies completely outsource credit card payment by using third-party processing (e.g. Worldpay). This means they have no card data environment and don't need to comply with PCI/DSS in their offices. Even companies that do in-house card payment processing only have to enforce PCI/DSS in their CDE.

I can't speak for HIPAA, SOX etc., but automatic locking is part of IT best practice.

--
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
GIB Mobile: +350 5401 6693
Email/MSN/Live Messenger: giles at coochey.net
Skype: gilescoochey