GRCWatch
Sign inStart free trial

CIS Control 4.3: Configure Automatic Session Locking on Enterprise Assets

Session locking prevents unauthorized access when employees step away from their devices. CIS Control 4.3 requires automatic locking after defined inactivity periods—15 minutes for desktops, 2 minutes for mobile—to reduce credential theft and lateral movement risks. Implement this control to protect sensitive data and maintain compliance across your asset fleet.

What this means

Automatic session locking activates a password-protected lock screen after a device remains inactive for a set duration. For general-purpose operating systems (Windows, macOS, Linux), the inactivity timeout cannot exceed 15 minutes. For mobile devices (iOS, Android), the threshold drops to 2 minutes due to higher portability and loss risk. This control ensures unattended devices cannot be exploited by unauthorized users or malware.

How to comply

  1. 1.Inventory all enterprise assets including desktops, laptops, and mobile devices
  2. 2.Configure OS-level screensaver/lock settings with maximum 15-minute inactivity timeout for general-purpose devices
  3. 3.Set mobile device auto-lock to 2 minutes or less via MDM policies
  4. 4.Require password entry to resume after lock (disable biometric-only bypass for high-risk assets)
  5. 5.Document timeout policies in your security baseline and acceptable use policy
  6. 6.Test lock activation across device types and OS versions
  7. 7.Monitor compliance through endpoint management tools or MDM dashboards
  8. 8.Retrain users on locking protocols and emergency unlock procedures

Evidence auditors look for

  • Screenshots of Group Policy Objects (GPO) or MDM policies enforcing screen lock timeout settings
  • Endpoint management tool reports showing device compliance with lock timeout configurations
  • Mobile device management (MDM) policy documentation with auto-lock settings for iOS and Android
  • Registry exports or configuration files demonstrating screensaver timeout parameters
  • Audit logs from Active Directory or Azure AD showing policy deployment dates
  • User acceptance training records acknowledging session locking requirements
  • Third-party assessment reports validating lock timeout compliance across asset inventory

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers session lock configurations across your Windows, macOS, and mobile fleet, tracks compliance gaps in real-time, and generates audit-ready evidence for CIS 4.3 assessments without manual endpoint reviews.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 4.1 — Establish and Maintain a Secure Configuration ProcessCIS 4.2 — Establish and Maintain a Secure Configuration Baseline for Network InfrastructureCIS 5.3 — Configure Data Access Control ListsCIS 6.1 — Establish and Maintain an Inventory of Accounts