CIS Safeguard 4.3 requires the configuration of automatic session locking on assets. For general-purpose operating systems, the period must not exceed 15 minutes, and for mobile devices it should not be longer than 2 minutes.

Going back to Safeguard 1.1, you have your inventory of devices, which includes the mobile devices and computers that have the potential to store or process data for your business. So if you are allowing personal devices to store or process your data, they must be inventoried and connected to a device manager so that you can configure this setting and confirm it is established and active.

It doesn't matter if you're working at home, an airport, or at a conference and you're just stepping away for a few minutes. The key thing is teaching the culture that your computer or mobile device should be locked if you're not using it, so #LockItUp.

Getting your team to live in a cybersecurity culture takes time, but it is a critical step in promoting cybersecurity. It starts with training and setting expectations. If you're not training your team, that culture will be the Wild West and another episode of the Blame Game.

If you are using a local technology provider, they can push and manage this policy. Otherwise, Active Directory, Microsoft Entra ID (Azure AD), Mobile Device Managers, Microsoft Intune and others all have group policies or settings you can use to enforce the lock, and they are already included in what you are paying.
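As an added example (not part of the original post), the following script checks a device inventory export against the Safeguard 4.3 limits and the enrollment requirement described above. The CSV column names, the sample rows, and the convention that a timeout of 0 means "never lock" are assumptions made for illustration.

```python
"""Audit a device inventory against the CIS Safeguard 4.3 lock-timeout limits."""
import csv
import io

# Limits stated by Safeguard 4.3, in minutes.
MAX_LOCK_MINUTES = {"general": 15, "mobile": 2}

# Constructed sample inventory export; column names are assumptions.
SAMPLE_INVENTORY = """\
device,owner,class,managed,lock_minutes
LT-001,alice,general,yes,10
LT-002,bob,general,yes,30
PH-001,carol,mobile,yes,2
PH-002,dave,mobile,yes,5
PH-003,erin,mobile,no,
LT-003,frank,general,yes,0
"""

def check_device(row):
    """Return a list of findings for one inventory row (empty list = compliant)."""
    findings = []
    if row["managed"].strip().lower() != "yes":
        findings.append("not enrolled in a device manager; setting cannot be enforced")
    limit = MAX_LOCK_MINUTES.get(row["class"].strip().lower())
    if limit is None:
        findings.append(f"unknown device class {row['class']!r}")
        return findings
    raw = (row["lock_minutes"] or "").strip()
    if not raw.isdigit():
        findings.append("lock timeout not reported or not numeric")
    elif int(raw) == 0:
        # Assumption: the export uses 0 to mean the lock never engages.
        findings.append("automatic lock disabled (0 = never)")
    elif int(raw) > limit:
        findings.append(f"lock timeout {raw} min exceeds {limit} min limit")
    return findings

def audit(csv_text):
    """Map device name -> findings for every non-compliant device."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = check_device(row)
        if findings:
            report[row["device"]] = findings
    return report

if __name__ == "__main__":
    for device, findings in audit(SAMPLE_INVENTORY).items():
        print(device, "->", "; ".join(findings))
```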

Safeguard 4.3 is required for every implementation group and if you're requiring it today then it's past time to educate and activate the settings.

If you don't require it and a laptop is breached or stolen, then you should assume that any potential data on it could be compromised, and that may trigger a breach notification depending on the data and your local regulations.

Looking for a jump start? Download CIS's Secure Configuration Management Template at https://lnkd.in/e4xYfNye

Contact Info

717.884.9030

Scott@ScottRDavis.com