APP018: Session Inactivity Timeout
Does the application enforce a session timeout after a period of inactivity not exceeding 30 minutes? Are users required to re-authenticate after the session times out? [Note that where enforcement is provided by the password-protected screen saver, Application/SSO enforcement is not required for intranet-based applications.]
Acceptable Criteria: An inactivity timeout should be implemented for the client to prevent unauthorized use of an active login session when the user is not present. It is a business decision to set the default values for its applications based on the risk level of each application. Typically, it ranges from a few minutes to 30 minutes. For example, a high-risk, high-value trading application may set the default inactivity timeout to 2 minutes, while a low-risk application may set it to 30 minutes. Activity includes any input to the endpoint (mouse, keyboard, touch screen, etc.). Where the application itself enforces the timeout, it should be enforced on the server against the session's last-activity time, so that a client-side timer that is disabled or tampered with cannot keep the session alive. Where enforcement is provided by the password-protected screen saver, Application/SSO enforcement is not required.
Unacceptable Criteria: No default inactivity timeout is enforced, or the timeout exceeds 30 minutes.
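As an added illustration of the control above (example code written for this page, not taken from any application it assesses), the following is a minimal server-side session store that enforces an idle timeout: each authenticated request refreshes the session's last-activity time, a request arriving after the idle period has elapsed destroys the session and forces re-authentication, and the constructor rejects a timeout above the 30-minute ceiling. The timeout constants, the `FakeClock`, and the user name "alice" are assumptions constructed for the demonstration; the 2-minute and 30-minute values mirror the high-risk and low-risk examples in the criteria.

```python
"""Server-side session inactivity timeout (illustrative example for this control)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed defaults chosen per the risk-based approach described in the control.
IDLE_TIMEOUT_HIGH_RISK = 2 * 60    # e.g. a high-value trading application
IDLE_TIMEOUT_LOW_RISK = 30 * 60    # the upper bound the control allows


@dataclass
class Session:
    user: str
    created_at: float
    last_activity: float


class SessionStore:
    """In-memory session store that enforces the idle timeout on the server.

    The check runs on every request, so a client that stops its own timer or
    tampers with it cannot keep the session alive.
    """

    def __init__(self, idle_timeout: int, clock: Callable[[], float] = time.monotonic):
        if idle_timeout <= 0 or idle_timeout > IDLE_TIMEOUT_LOW_RISK:
            raise ValueError("idle timeout must be between 1 s and 30 min")
        self.idle_timeout = idle_timeout
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Issue a fresh, unguessable session token after authentication."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user=user, created_at=now, last_activity=now)
        return token

    def authenticate_request(self, token: str) -> Optional[str]:
        """Validate the token presented with a request.

        Returns the user name and refreshes the activity timestamp if the
        session is live; returns None and destroys the session if the idle
        period exceeded the timeout, so the user must log in again.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_activity > self.idle_timeout:
            del self._sessions[token]   # expired: require re-authentication
            return None
        session.last_activity = now     # a genuine request counts as activity
        return session.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def reap_expired(self) -> int:
        """Background sweep so idle sessions do not linger until next use."""
        now = self._clock()
        expired = [t for t, s in self._sessions.items()
                   if now - s.last_activity > self.idle_timeout]
        for t in expired:
            del self._sessions[t]
        return len(expired)

    def active_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Constructed clock so the timeout can be exercised without sleeping."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk a 2-minute session through two live requests and one expired one."""
    clock = FakeClock()
    store = SessionStore(IDLE_TIMEOUT_HIGH_RISK, clock=clock)
    token = store.login("alice")              # assumed user for the demo
    clock.advance(90)
    first = store.authenticate_request(token)   # 90 s idle: valid, timer reset
    clock.advance(90)
    second = store.authenticate_request(token)  # 90 s since last request: valid
    clock.advance(121)
    third = store.authenticate_request(token)   # 121 s idle: expired and destroyed
    return {"first": first, "second": second, "third": third,
            "sessions_left": store.active_count()}


if __name__ == "__main__":
    print(demo())
```

Note that the idle timer is measured from the last request the server actually saw, not from login; an absolute session lifetime would be a separate control. The `reap_expired` sweep exists because a session that is never presented again would otherwise stay in the store until the next lookup.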