On Thu, 2011-01-20 at 14:08 +0100, Giles Coochey wrote:
> On 20/01/2011 13:12, Adam Tauno Williams wrote:
> > On Thu, 2011-01-20 at 11:05 +0000, John Hodrien wrote:
> >> An account is a personal account that should not be shared.
> > +1
> > Also, at least in the United States, locking a PC / workstation after 15
> > minutes of idle is a requirement of PCI/DSS - which your company almost
> > certainly agreed to if you process credit card or other payment
> > information. HIPAA, FERPA, and friends have similar requirements /
> > strong recommendations.
> > Ask a competent lawyer and he'll/she'll tell you to lock unattended
> > workstations.
> > This has nothing to do with auditing the access to or usage of data -
> > that is a separate issue.
> Yes, what you mention then becomes a legal compliance issue.
> Note, however, that many small companies completely outsource credit
> card payment by using third-party processing (e.g. Worldpay). This means
> they have no card data environment and don't need to comply with PCI/DSS
> in their offices.
> Even companies that do in-house card payment processing only have to
> enforce PCI/DSS in their CDE.

Correct; I'm just of the stick-to-as-much-of-the-strictest-requirements-in-as-much-of-the-network-as-possible school. It helps avoid debates and issues about where a requirement does and does not apply [some of the clauses are pretty vague]. Call it CYA if you like.

While such standards are much-maligned, I actually find them useful as a tool for pushing for better security against crowds that don't like password change requirements, etc. The standards speak a language "suits" understand and to some degree believe in [or at least fear, which works well enough].

> I can't speak for HIPAA, SOX etc., but automatic locking is part of IT
> best practice.