Are screen locks with strong passwords / passcodes / biometrics enforced?
Description
What this control does
Screen lock enforcement is an endpoint security control that requires workstations, laptops, mobile devices, and servers (for their interactive console and remote sessions) to lock automatically after a defined period of inactivity, or on demand, and to require strong authentication before the session can be resumed. It is normally implemented through mobile device management (MDM) or unified endpoint management (UEM) platforms, or Group Policy Objects (GPO), which set the timeout threshold, the password or passcode complexity rules, the failed-attempt lockout, and whether biometric unlock is permitted. The control limits the window in which someone with physical or proximity access to an unattended device, whether in an office, a public space, or in transit, can act within the owner's authenticated session. It complements rather than replaces full-disk encryption: a locked session protects a running device, while encryption protects data at rest when the device is powered off or the disk is removed.
Control objective
What auditing this proves
Demonstrate that all organizational endpoints enforce automatic screen locking with authentication mechanisms meeting defined password complexity, biometric integrity, or multi-factor standards across all device types and operating systems.
Associated risks
Risks this control addresses
- Unauthorized individuals gaining physical access to unlocked workstations to exfiltrate sensitive data from active sessions
- Attackers with brief physical access to an unattended, unlocked device installing malware, keyloggers, or backdoors without needing any credentials; shoulder-surfing of a short or predictable passcode gives the same access to a device that was locked
- Credential harvesting through access to password managers, browser-stored credentials, or cached authentication tokens on unlocked screens
- Insider threats exploiting absent colleagues' unlocked workstations to perform unauthorized transactions or access restricted systems
- Compliance violations and regulatory penalties when protected health information (PHI), cardholder data (PCI DSS), or personally identifiable information (PII) remains accessible on unattended devices
- Session hijacking where an attacker takes over an already-authenticated session; because the session has already passed multi-factor authentication, MFA and other logon-time access controls give no protection
- Data breach incidents originating from lost or stolen devices lacking screen lock protection with residual active sessions
Testing procedure
How an auditor verifies this control
- Obtain the organizational policy documentation specifying screen lock timeout thresholds, password complexity requirements, and approved authentication methods for each device category
- Export configuration baselines from Group Policy Management Console (GPMC), MDM consoles (Intune, Jamf, Workspace ONE), or configuration management tooling showing the enforced screen lock settings, and confirm the baselines are actually assigned to the in-scope device groups rather than only defined
- Select a stratified random sample of at least 15-20 endpoints spanning Windows workstations, macOS laptops, iOS devices, Android devices, and Linux servers across different organizational units
- Physically observe or remotely connect to sampled devices to verify the effective screen lock settings by reviewing the resulting local security policy (e.g., gpresult or a secedit export on Windows), system preferences, or installed device profiles, rather than relying only on what the central console reports
- Test actual lock behavior by leaving each sampled device idle and measuring the time until it locks, comparing against the policy threshold; on Windows, include any screen saver grace period in the measurement, since the session remains unlocked until it expires
- Verify complexity enforcement by attempting to set weak passwords or passcodes on sampled devices (e.g., '1234', 'password', dictionary words) and confirming the change is rejected; guessing an existing password tests that one user, not the policy. Also confirm the failed-attempt lockout or wipe threshold defined in policy is active
- Review MDM or endpoint detection and response (EDR) compliance dashboards for non-compliant devices showing disabled screen locks, excessive timeout values, or failed authentication attempts
- Interview IT administrators to confirm exception handling processes, verify override controls for exempted devices, and validate monitoring for policy drift or circumvention attempts
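The Windows part of the procedure above (effective local policy, lock timeout, password complexity, lockout) can be scripted on each sampled endpoint instead of clicked through. The following is an added example, not code from the original page or from any MDM vendor; the thresholds (15-minute lock, 12-character minimum, 5-second grace period) are assumptions standing in for the organization's own policy, and the script must run in an elevated PowerShell session because `secedit /export` requires it.

```powershell
<#
Added audit helper (not part of the original control page): checks a Windows
endpoint's effective screen-lock and password settings against policy thresholds.
The threshold defaults are assumptions for illustration; substitute the
organisation's own. Run in an elevated PowerShell session on a sampled endpoint.
#>
function Get-InfValue {
    # Pull an integer value such as "MinimumPasswordLength = 12" out of a secedit INF export
    param([string[]]$Lines, [string]$Name)
    $m = $Lines | Select-String -Pattern "^$Name\s*=\s*(\d+)" | Select-Object -First 1
    if ($m) { return [int]$m.Matches[0].Groups[1].Value }
    return $null
}

function Test-ScreenLockBaseline {
    param(
        [int]$MaxTimeoutSeconds = 900,   # assumed policy: lock within 15 minutes
        [int]$MinPasswordLength = 12,    # assumed policy: 12+ characters
        [int]$MaxGraceSeconds   = 5      # assumed policy: grace period of at most 5 s
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Machine-wide inactivity limit
    #    (Security Option "Interactive logon: Machine inactivity limit")
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $inactivity = (Get-ItemProperty -Path $sysPol -Name InactivityTimeoutSecs `
                   -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    if (-not $inactivity) {
        $findings.Add('Machine inactivity limit is not configured (absent or 0)')
    } elseif ($inactivity -gt $MaxTimeoutSeconds) {
        $findings.Add("Machine inactivity limit ${inactivity}s exceeds policy ${MaxTimeoutSeconds}s")
    }

    # 2. Policy-enforced screen saver for the current user. Only the Policies hive is
    #    checked: if these keys are absent the user controls the setting themselves.
    $ssPol = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ss = Get-ItemProperty -Path $ssPol -ErrorAction SilentlyContinue
    if (-not $ss -or $ss.ScreenSaveActive -ne '1') {
        $findings.Add('Screen saver is not enabled by policy')
    }
    if (-not $ss -or $ss.ScreenSaverIsSecure -ne '1') {
        $findings.Add('Screen saver does not require a password on resume')
    }
    if ($ss -and $ss.ScreenSaveTimeOut -and [int]$ss.ScreenSaveTimeOut -gt $MaxTimeoutSeconds) {
        $findings.Add("Screen saver timeout $($ss.ScreenSaveTimeOut)s exceeds policy ${MaxTimeoutSeconds}s")
    }

    # 3. Grace period during which the session is still unlocked after the
    #    screen saver starts; this adds to the measured time-to-lock
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $grace = (Get-ItemProperty -Path $winlogon -Name ScreenSaverGracePeriod `
              -ErrorAction SilentlyContinue).ScreenSaverGracePeriod
    if ($grace -and [int]$grace -gt $MaxGraceSeconds) {
        $findings.Add("Screen saver grace period ${grace}s exceeds assumed limit ${MaxGraceSeconds}s")
    }

    # 4. Effective local password policy, exported with secedit and parsed from the INF
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    if (Test-Path $cfg) {
        $inf = Get-Content -Path $cfg
        Remove-Item -Path $cfg -Force
        $minLen  = Get-InfValue -Lines $inf -Name 'MinimumPasswordLength'
        $complex = Get-InfValue -Lines $inf -Name 'PasswordComplexity'
        $lockout = Get-InfValue -Lines $inf -Name 'LockoutBadCount'
        if ($null -eq $minLen -or $minLen -lt $MinPasswordLength) {
            $findings.Add("Minimum password length $minLen is below policy $MinPasswordLength")
        }
        if ($complex -ne 1) { $findings.Add('Password complexity requirement is not enabled') }
        if (-not $lockout)  { $findings.Add('Account lockout threshold is not set (0 or absent)') }
    } else {
        $findings.Add('secedit export failed; run from an elevated session')
    }

    # 5. Biometrics policy ("Allow the use of biometrics"); 0 means disabled by policy.
    #    Reported for comparison with the approved authentication methods, not as a failure.
    $bio = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics' `
            -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -ne $bio -and $bio -eq 0) {
        $findings.Add('Biometric sign-in is disabled by policy (confirm this matches approved methods)')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage on a sampled endpoint; keep the output as audit evidence for that device
Test-ScreenLockBaseline | Format-List
```

The script deliberately reads only the policy-enforced registry locations and the secedit export, so a missing value means the user or a local administrator can change the setting, which is itself a finding against "enforced". It does not replace the observed idle test in the procedure: the registry tells you what should happen, and the stopwatch tells you what does.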