AU

APP018: Session Inactivity Timeout

Does the application enforce a session timeout after a period of inactivity not exceeding 30 minutes? Are the users required to re-authenticate after session timeout? [Note that where enforcement is provided by the password-protected screen saver, Application/SSO enforcement is not required for intranet-based applications.]

Guidance:

Acceptable Criteria: Inactivity timeout for the client should be implemented to prevent unauthorized access of an active login session when the user is not present. It is a business decision to set the default values for its applications based on their risk level. Typically, it ranges from a few minutes to 30 minutes. For example, a high-risk, high-value trading application may set the default inactivity timeout to 2 minutes, while a low-risk application may set it to 30 minutes. Activity includes any input to the endpoint (mouse, keyboard, touch screen, etc.). Where enforcement is provided by the password-protected screen saver, Application/SSO enforcement is not required.

Unacceptable Criteria: No default inactivity timeout is being enforced.
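The following is an added illustration of what the guidance above asks for, written for this page; it is not QuickView code and does not describe how QuickView implements its policy. It shows a server-side session store that treats every authenticated request as "activity", slides the idle window on each request, and destroys a session whose idle gap exceeds the configured timeout so the user has to log in again. The tier names ("high" and "low") and the fake clock are assumptions made for the example; the 2-minute and 30-minute values are the ones quoted in the guidance.

```python
"""Server-side session inactivity timeout (added example, not QuickView code)."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Tiered defaults taken from the guidance above; the tier names are assumptions.
IDLE_TIMEOUT_SECONDS = {
    "high": 2 * 60,   # e.g. a high-value trading application
    "low": 30 * 60,   # the ceiling APP018 allows
}


@dataclass
class Session:
    user: str
    created_at: float
    last_activity: float
    idle_timeout: int


class SessionStore:
    """Tracks sessions and enforces an idle timeout on the server side.

    The client never decides whether it is still logged in: every request
    goes through touch(), which rejects the session if the gap since the
    last activity exceeds the timeout, regardless of what the browser shows.
    """

    def __init__(self, risk_tier: str = "low", clock=time.monotonic):
        self.idle_timeout = IDLE_TIMEOUT_SECONDS[risk_tier]
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Authenticate (credential check omitted) and issue a fresh session id."""
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # unpredictable identifier, never reused
        self._sessions[sid] = Session(user, now, now, self.idle_timeout)
        return sid

    def touch(self, sid: str) -> Session | None:
        """Call on every authenticated request; any input counts as activity.

        Returns the session and resets its idle clock if it is still valid.
        Returns None and destroys the session if it has timed out, so the
        only way back in is a new login().
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_activity > s.idle_timeout:
            del self._sessions[sid]  # expired: a later request cannot revive it
            return None
        s.last_activity = now
        return s

    def remaining(self, sid: str) -> float | None:
        """Seconds of idle time left, the figure an 'Idle Time' display would show."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        return max(0.0, s.idle_timeout - (self._clock() - s.last_activity))


class FakeClock:
    """Deterministic clock so the timeout logic can be exercised without sleeping."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo(risk_tier: str = "high") -> dict[str, bool]:
    """Walk a session through the sliding window and past the timeout."""
    clock = FakeClock()
    store = SessionStore(risk_tier, clock)
    sid = store.login("alice")  # constructed user, not a real account
    clock.advance(90)
    alive_after_90s = store.touch(sid) is not None          # 90s < 120s, still valid
    clock.advance(90)
    alive_after_sliding = store.touch(sid) is not None      # window reset by activity
    clock.advance(121)
    alive_after_121s_idle = store.touch(sid) is not None    # exceeded: destroyed
    revived_by_retry = store.touch(sid) is not None         # must re-authenticate
    return {
        "alive_after_90s": alive_after_90s,
        "alive_after_sliding": alive_after_sliding,
        "alive_after_121s_idle": alive_after_121s_idle,
        "revived_by_retry": revived_by_retry,
    }


if __name__ == "__main__":
    print(demo("high"))
```

The point a reviewer checks is that the decision is made where the attacker cannot influence it: a JavaScript timer that hides the page after 30 minutes satisfies nothing if the server keeps honouring the cookie, so the timeout must be enforced on the session record itself, as `touch()` does here. A screen-saver lock covers the case of the unattended workstation, which is why the question allows it as an alternative for intranet applications, but it does not expire the session token on the server.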

Replies
  • MD

    The QuickView Security Policy does support session inactivity timeout.

    Select Configuration > Security > Policies. QuickView will display the following page:

    Enter the desired idle time allowed in minutes in the field shown above and click on OK.

    You can monitor your idle time by selecting Tools > System Information. QuickView displays the following page and under Idle Time you can see the time so far and how much remains before you are automatically logged off.

    If you allow the idle timeout to be exceeded, you will get the following alert:


    Additional References: Security Policies


Ticket ID: T-00019

Created: January 21, 2021 05:53 PM

Product: QuickView