
Device Locking Policy

Document ID: DLP-001
Version: 1.0
Effective Date: ____________________
Approved By: ____________________
Last Review Date: ____________________
Next Review Date: ____________________


1. Purpose

The purpose of this Device Locking Policy is to establish requirements for automatically and manually locking endpoint devices to prevent unauthorized access to organizational systems and information.

Proper device locking reduces the risk of unauthorized access, data exposure, insider threats, and accidental disclosure of sensitive information when devices are left unattended.


2. Scope

This policy applies to:

  • Employees
  • Contractors
  • Consultants
  • Temporary workers
  • Interns
  • Volunteers
  • Board members
  • Vendors
  • Third-party service providers
  • Managed Service Providers (MSPs)
  • Any individual authorized to use organizational devices

This policy applies to the following devices:

  • Desktop computers
  • Laptop computers
  • Mobile devices
  • Tablets
  • Virtual desktops
  • Thin clients
  • Workstations
  • Organization-owned devices
  • Approved BYOD devices
  • COPE (Company-Owned, Personally Enabled) devices

This policy applies regardless of whether devices are used:

  • On-site
  • Remotely
  • At home
  • While traveling
  • At customer locations

3. Policy Statement

All endpoint devices that access organizational resources shall automatically lock after a period of inactivity and shall require approved authentication before access is restored.

Users are responsible for manually locking their devices whenever they leave them unattended.


4. Guiding Principles

The organization follows these principles:

  • Security by Default
  • Least Privilege
  • Individual Accountability
  • Protection of Organizational Information
  • Zero Trust
  • Continuous Protection
  • Risk Reduction

5. Manual Device Locking

Users shall manually lock their devices whenever:

  • Leaving their workspace
  • Attending meetings
  • Working in public locations
  • Leaving devices unattended
  • Traveling
  • Unauthorized individuals may gain physical access to the device

Locking a device is required even for brief absences.


6. Automatic Device Locking

Devices shall automatically lock after a defined period of inactivity.

Automatic locking requirements shall:

  • Be centrally managed where feasible
  • Apply consistently across managed devices
  • Require user authentication to resume use
  • Follow organizational security standards

The specific inactivity timeout shall be defined in supporting technical standards based on organizational risk.


7. Authentication After Lock

After a device is locked, access shall require approved authentication.

Authentication methods may include:

  • Passwords
  • Passphrases
  • Multi-Factor Authentication (MFA), where required
  • Biometrics
  • Smart cards
  • Passkeys
  • Hardware security keys

Authentication shall comply with the Authentication Policy.


8. Mobile Device Locking

Mobile devices accessing organizational resources shall:

  • Automatically lock after inactivity
  • Require approved authentication
  • Enable screen lock protections
  • Protect notifications containing sensitive information where technically feasible

Biometric authentication may be used where approved.


9. Public and Shared Environments

Users working in:

  • Airports
  • Hotels
  • Customer locations
  • Shared offices
  • Conference facilities
  • Public workspaces

shall exercise additional caution by:

  • Locking devices immediately when unattended
  • Positioning screens to reduce unauthorized viewing
  • Preventing unauthorized physical access
  • Maintaining physical control of portable devices

10. Screen Saver Security

Where supported, managed devices shall:

  • Use password-protected screen savers or equivalent lock mechanisms
  • Activate automatically after the approved inactivity period
  • Prevent unauthorized access until authentication is completed

11. Administrative Sessions

Administrative workstations and privileged administrative sessions shall follow enhanced locking requirements.

Privileged users shall:

  • Lock devices whenever unattended
  • Protect privileged sessions from unauthorized viewing
  • Reauthenticate after lock events where required

12. Device Configuration

Device locking configurations shall be:

  • Centrally managed where appropriate
  • Protected from unauthorized modification
  • Periodically reviewed
  • Consistent with organizational endpoint security standards

Users shall not disable or alter required locking configurations without authorization.


13. Lost or Unattended Devices

Users shall immediately report:

  • Lost devices
  • Stolen devices
  • Devices left unattended in unsecured locations
  • Suspected unauthorized access
  • Physical tampering

Incident handling shall follow the Incident Response Policy.


14. Monitoring

The organization may monitor compliance with device locking requirements through:

  • Endpoint management systems
  • Device configuration management
  • Security audits
  • Endpoint compliance reporting
  • Security monitoring tools

Monitoring shall comply with applicable laws and organizational policies.


15. Exceptions

Exceptions require:

  • Documented business justification
  • Risk assessment
  • Management approval
  • Information Security approval where applicable
  • Compensating security controls
  • Periodic review

Examples may include:

  • Kiosk systems
  • Industrial control systems
  • Digital signage
  • Specialized operational technology (OT) devices

16. Responsibilities

Executive Management

  • Support secure endpoint practices
  • Allocate appropriate resources
  • Promote policy compliance

Managers

  • Ensure employees understand this policy
  • Support compliance
  • Address policy violations

IT Department

  • Configure device locking settings
  • Enforce centralized security configurations
  • Monitor endpoint compliance
  • Maintain endpoint management systems

Information Security

  • Define device locking standards
  • Assess compliance
  • Investigate security incidents
  • Conduct security awareness training

Users

  • Lock devices whenever unattended
  • Protect assigned devices
  • Report lost or compromised devices
  • Comply with organizational security requirements

17. Compliance

Compliance with this policy is mandatory.

Violations may result in:

  • Restriction of device access
  • Removal of system access
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

18. Policy Review

This policy shall be reviewed at least annually or following:

  • Significant technology changes
  • Security incidents
  • Regulatory updates
  • Organizational restructuring
  • Audit findings

19. Related Policies

  • Information Security Policy
  • Endpoint Security Policy
  • Computer Use Policy
  • Mobile Device Policy
  • Bring Your Own Device (BYOD) Policy
  • Company-Owned, Personally Enabled (COPE) Policy
  • Authentication Policy
  • Access Control Policy
  • Least Privilege Policy
  • Remote Access Policy
  • Physical Security Policy
  • Logging and Monitoring Policy
  • Incident Response Policy

Document Objective

This Device Locking Policy establishes the organization’s requirements for manually and automatically locking endpoint devices to prevent unauthorized access to organizational systems and information. It provides a vendor-neutral framework for securing desktops, laptops, mobile devices, virtual desktops, and other endpoints through consistent locking controls, authentication requirements, and centralized configuration management. This policy supports secure operations across on-premises, cloud, remote, and hybrid work environments and aligns with recognized security frameworks and standards, including NIST CSF, ISO/IEC 27001, CIS Controls, SOC 2, HIPAA, PCI DSS, CMMC, and the FTC Safeguards Rule.