[tafische]

So what have other BES admins found to be an acceptable IT policy for the security timeout on a device?

Too short and you run the risk of making users angry.

Too long and it does no good.

I hear arguements for 30 minutes, 2 hours, 8 hours, 1 week. All valid pros/cons.

I would like to hear what has worked for your org and why...thx

[NJBlackBerry]

60 minutes. Not too short; not too long.

[jibi]

Quote:

Originally Posted by tafische

Too short and you run the risk of making users angry.

one thing i think its very important for an administrator to learn is that you need to enforce security policies as you see fit - not what will make your users comfortable. granted, i do think 5 mins would be an overkill, but anything in the 30-60 minute range would be more than sufficient.

set expectations early on and don't let your guard down. if someone wants to question the security of confidential information, then they best never think about working for a large public corporation that complies within federal regulations.

[NJBlackBerry]

For those of us that may still have some old 950/957s hanging around. You have to upgrade them to 2.7. With the older 2.6 OS, the 60 minute security lockout is handled like 60 seconds. And that is a greast way to piss off your customers!

[tafische]

Quote:

one thing i think its very important for an administrator to learn is that you need to enforce security policies as you see fit - not what will make your users comfortable.

I agree. But you do have to have a balance. You have to do what makes sense for the business looking at all aspects. I am in a situation where there has been no forced locking for years. Someone is now trying to force out a 30 minute policy which is making the Execs who pay the bill very unhappy.

There is a middle ground here, which I think would be from 1-2 hours.

[NJBlackBerry]

Or you document and exclude the executives.....

[dshearon]

I am using a 20 minute lockout at my company... i get a little grief every now and then but once i talk with the end user one on one they understand.

As an IT Admin's Data integrity is our biggest responsibility. Let just one sensitive email get into the hands of the public becuase an exec left his blackberry at a diner and see if he doesnt wish it was set to lock earlier.

[jibi]

Quote:

Originally Posted by dshearon

As an IT Admin's Data integrity is our biggest responsibility. Let just one sensitive email get into the hands of the public becuase an exec left his blackberry at a diner and see if he doesnt wish it was set to lock earlier.

couldn't have said it better myself.

[xmorpheus]

15 mins here - and we have a particularly stringent security policy as well for exactly the same reasons as dshearon states.

In general if anyone complains:
"if you're important enough to have a Blackberry, then your data is too important to just give to some bloke in the airport" :p

[rgeorge]

We use 30 minutes. We would have liked to go shorter but it does have a big impact especially for those who use the device as their #1 email client.

Now, with that said, imposing a timeout and security policy is easier thanks to Paris Hilton. Even though her actual sidekick itself was not what was hacked, most of the news sites were reporting it that way and it gets people thinking about what they have on their phone/pda.

[nobla]

Ours is set to 10 minutes, it was set to 5 originally but the users got too shirty about it

[tgray]

Our security team is requesting 10 minutes because they advise it is a security standard in our industry. I will be arguing for perhaps 15 minutes - the same as our workstations.

[DownByLaw123]

What I have done is mirror our LAN login password policies as closely as possible. The password characteristics, the amount of retries, the time length to expire of the password, etc... all mirror our LAN policies. As far as this timeout policy, mine is set to 10 minutes, since that is the time when our desktop/laptops' screensavers kick in and lock up the PCs - if it's passed through my company's security group to get on the LAN policy I figure I'm covered by emulating it on the BES...
-Brian