Updated December 2015
This article covers the screensaver timeout, that is, the length of time a session can receive no keyboard or mouse input from the user before a password is required to unlock it.
You may also be interested in our article on the idle session limits for the hosted application service, which is the length of time a session can receive no keyboard or mouse input from the user before the session is logged off: http://faq.scomis.org/kb3055/
You have to enter your password after your session on the service has remained idle for 10 minutes. If no keyboard or mouse input is received from the user within 10 minutes, the session is locked.
This behaviour is intended and by design.
We apply a default 10 minute timeout to the session when users access our service. If no keyboard or mouse input is received from the user within 10 minutes, the session is locked and the user will need to enter their password when returning to use the system. This is one of the ways your data is protected: where, for example, a workstation in a classroom is left unattended, the lock ensures that unauthorised access to the session is not possible once it has engaged.
Scomis treats data security as one of its highest priorities, and safeguarding data is given the utmost importance throughout the organisation. A compromised login to the service could expose the entirety of your school's pupil, parental, employee and financial data, so every login must be treated with respect and protected appropriately.
We (Scomis), as a data processor, and you (the customer), as a data controller, are regulated by the Data Protection Act (DPA) 1998. The seventh principle of the Act covers security and states that:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." Source: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
As evidence of our continual commitment to data security, and to provide assurance to our customers, we are currently undertaking ISO 27001 certification, the international standard for information security management.
To comply with this standard, the relevant control on unattended user equipment states that users should:
“Terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password protected screen saver”
To achieve this we apply the following policies to our service for the screen saver timeout:
Default Timeout (10 minutes)
Considering the sensitivity of the data available through our service we apply a 10 minute timeout to user sessions by default.
Extended Timeout (30 minutes)
If the customer (school) considers it appropriate, for example where a user generally accesses the service from a secure location (not a classroom or public reception area), we can extend the timeout to 30 minutes on a per user basis.
If you would like this applied to one or more users, please log a call with the service desk by email or through our self-service portal. The request needs to be authorised by someone with responsibility for SIMS in school, e.g. the Head teacher, SIMS Data Manager, School Business Manager or Network Manager.
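The two tiers above are implemented as a password-protected screen saver with an inactivity timeout. The following PowerShell is an added example, not Scomis' own configuration, showing how such a setting can be audited and enforced on a Windows session. It assumes the standard per-user policy registry key that Windows Group Policy writes (HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop) and the usual value names; the 600 and 1800 second limits mirror the 10 and 30 minute tiers described in this article. On the hosted service these values are set centrally by policy, so they cannot be changed from within a user's session.

```powershell
# Added example (not Scomis' configuration): audit and enforce a password-protected
# screen saver timeout on a Windows session via the per-user policy registry key.
# Assumptions: the policy key path and value names are the standard ones written by
# Group Policy; 600 s and 1800 s correspond to the article's 10 and 30 minute tiers.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

function Get-ScreenSaverSetting {
    param([string]$Name)
    # Policy values override the user's own preferences, so read the policy key first
    # and fall back to the user key only when no policy value exists.
    foreach ($key in @($PolicyKey, $UserKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [string]$item.$Name }
    }
    return $null
}

function Test-ScreenLockPolicy {
    param([int]$MaxTimeoutSeconds = 600)   # 600 = the default 10 minute tier
    $active  = Get-ScreenSaverSetting 'ScreenSaveActive'
    $secure  = Get-ScreenSaverSetting 'ScreenSaverIsSecure'
    $timeout = Get-ScreenSaverSetting 'ScreenSaveTimeOut'

    $findings = @()
    if ($active -ne '1') { $findings += 'Screen saver is not enabled (ScreenSaveActive is not 1).' }
    if ($secure -ne '1') { $findings += 'Screen saver does not require a password (ScreenSaverIsSecure is not 1).' }
    if (-not $timeout) {
        $findings += 'No inactivity timeout configured (ScreenSaveTimeOut missing).'
    } elseif ([int]$timeout -gt $MaxTimeoutSeconds) {
        $findings += "Timeout of $timeout s exceeds the permitted $MaxTimeoutSeconds s."
    }
    [pscustomobject]@{
        Compliant      = ($findings.Count -eq 0)
        TimeoutSeconds = $timeout
        Findings       = $findings
    }
}

function Set-ScreenLockPolicy {
    param([ValidateSet(600, 1800)][int]$TimeoutSeconds = 600)
    # Writing under the Policies hive greys the settings out in the Control Panel,
    # so the user cannot relax the lock themselves. Values are REG_SZ, matching
    # what Group Policy itself writes.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds" -Type String
    # A screen saver executable must be configured for the timeout to engage; the
    # blank screen saver shipped with Windows is sufficient for locking purposes.
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE' -Value 'scrnsave.scr' -Type String
}

# Usage: report on the current session, enforce the default tier, then re-check.
Test-ScreenLockPolicy | Format-List
Set-ScreenLockPolicy -TimeoutSeconds 600
Test-ScreenLockPolicy -MaxTimeoutSeconds 600 | Format-List
```

Run Test-ScreenLockPolicy with -MaxTimeoutSeconds 1800 for a user who has been granted the extended tier; any timeout above the tier, a missing password requirement, or a disabled screen saver is reported as a finding. The new values apply from the next logon or after a Group Policy refresh.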
Frequently asked questions related to this issue…
Question: I am the SIRO (Senior Information Risk Owner) for my school (typically the head teacher). I therefore hold the responsibility for my school's data, and I disagree with this policy and your assessment of the risk and/or the sensitivity of the data. I would like my account, or all of my school's user accounts, to have a longer timeout.
Response: In addition to the reasons already listed, any data security incident could seriously affect the reputation of your school as the data controller and of Scomis / Devon County Council as a data processor. Unfortunately, therefore, we do not allow exceptions to this policy beyond the 30 minute extended timeout described above for any customer of our service.
We also encourage you to research the possible financial implications, should an incident occur, of failing to implement appropriate controls supporting the 7th principle of the DPA: https://ico.org.uk/action-weve-taken/data-security-incident-trends
Question: I am facing resistance and complaints from my staff regarding our move onto your service, especially around the screensaver timeout policy.
Response: If you have recently moved onto our service, we find that once staff understand that the policy is in the interest of safeguarding pupil data and better data security, and that it supports your school's obligations under the Data Protection Act, the login process becomes second nature after a few days.
Question: I am struggling to make users see why this is an appropriate measure to protect our school's data.
Response: A good analogy can be drawn from the personal online banking systems we all commonly use, which may help you gain users' understanding.
The data held within your SIMS / FMS database is significantly more important, both in terms of financial and reputational loss, than an individual's finances.
Ask yourself, and your users: would you be happy if all the staff in your school had a shared login to your own personal online banking system with a 2 hour timeout?
Your personal finances would then be at the mercy of every user in school and their ability to protect your data by remembering to lock their systems manually.
As far as we are aware, online banking systems use an inactivity timeout similar to our default policy.
Scomis can also offer training around data security for your users, please log a call with the service desk if you would like to know more.