Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards.


CONTROL ID
04490
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Configure session timeout and reauthentication settings according to organizational standards., CC ID: 12460

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Applications should be configured to logout the users after a specific period of inactivity. The application must ensure rollover of incomplete transactions and otherwise ensure integrity of data in case of a log out. (Critical components of information security 11) c.26., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should ensure the authenticated session, together with its encryption protocol, remains intact throughout the interaction with the customer. Measures to detect and terminate hijacked sessions should be implemented. To reduce the risk of an attacker from maintaining a hijacked session indefini… (§ 14.2.9, Technology Risk Management Guidelines, January 2021)
  • Configure portable computing devices to automatically lock upon a period of inactivity, whereby a password is required to resume usage. (Annex A1: Portable Computing & Removable Storage Media Security 45, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted. (Security Control: 0853; Revision: 1, Australian Government Information Security Manual, March 2021)
  • On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and workstations are restarted. (Control: ISM-0853; Revision: 3, Australian Government Information Security Manual, June 2023)
  • activates after a maximum of 15 minutes of user inactivity, or if manually activated by users (Control: ISM-0428; Revision: 9; Bullet 1, Australian Government Information Security Manual, June 2023)
  • On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and workstations are restarted. (Control: ISM-0853; Revision: 3, Australian Government Information Security Manual, September 2023)
  • activates after a maximum of 15 minutes of user inactivity, or if manually activated by users (Control: ISM-0428; Revision: 9; Bullet 1, Australian Government Information Security Manual, September 2023)
  • Automatic logout based on inactivity should be disabled, even though it might sound like a good idea. There are several reasons why it should be disabled: 1. It can close applications without the user's approval. 2. Open applications could prevent successful automatic logout. 3. It could disrupt wor… (Pg 85, Mac OS X Security Configuration for version 10.4 or later, Second Edition)
  • Servers should be protected against unauthorized access by invoking time-out facilities that automatically log off computer devices (that connect to the server) after a set period of inactivity, clear screens and require users to sign-on again before restoring screens. (CF.07.02.05c, The Standard of Good Practice for Information Security)
  • Servers should be protected against unauthorized access by invoking time-out facilities that automatically log off computer devices (that connect to the server) after a set period of inactivity, clear screens and require users to sign-on again before restoring screens. (CF.07.02.08c, The Standard of Good Practice for Information Security, 2013)
  • Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity. (Control 16.4, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and user computing sessions had been disabled after an established period of inactivity. (HRS-12, Cloud Controls Matrix, v3.0)
  • Automatically lock workstation sessions after a standard period of inactivity. (CIS Control 16: Sub-Control 16.11 Lock Workstation Sessions After Inactivity, CIS Controls, 7.1)
  • Automatically lock workstation sessions after a standard period of inactivity. (CIS Control 16: Sub-Control 16.11 Lock Workstation Sessions After Inactivity, CIS Controls, V7)
  • Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. (CIS Control 4: Safeguard 4.3 Configure Automatic Session Locking on Enterprise Assets, CIS Controls, V8)
  • The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. (AC-12 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. (AC-12 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. (AC-12 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Automatically stop user access to health information after a predetermined period of inactivity. (§ 170.315 (d) (5) (i), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Automatically stop user access to health information after a predetermined period of inactivity. (§ 170.315 (d) (5) (i), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures. Users shall directly … (§ 5.5.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Evaluate the security procedures for periodic password changes, the encryption of password files, password suppression on terminals, and automatic shutdown of terminals not in use. (App A Tier 2 Objectives and Procedures C.3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Evaluate the security procedures for periodic password changes, the encryption of password files, password suppression on terminals, and automatic shutdown of terminals not in use. (Exam Tier II Obj 3.3, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. (AC-12 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system terminates the network connection associated with a communications session at the end of the session or after [FedRAMP Assignment: no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions] of inactivity. (SC-10 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. (AC-12 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system terminates the network connection associated with a communications session at the end of the session or after [FedRAMP Assignment: no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions] of inactivity. (SC-10 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect]. (AC-12 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Terminate the network connection associated with a communications session at the end of the session or after [FedRAMP Assignment: no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions] of inactivity. (SC-10 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect]. (AC-12 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Terminate the network connection associated with a communications session at the end of the session or after [FedRAMP Assignment: no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions] of inactivity. (SC-10 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect]. (AC-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect]. (AC-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Periodic reauthentication of subscriber sessions SHALL be performed as described in Section 7.2. At AAL2, authentication of the subscriber SHALL be repeated at least once per 12 hours during an extended usage session, regardless of user activity. Reauthentication of the subscriber SHALL be repeated … (4.2.3 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Periodic reauthentication of subscriber sessions SHALL be performed as described in Section 7.2. At AAL1, reauthentication of the subscriber SHOULD be repeated at least once per 30 days during an extended usage session, regardless of user activity. The session SHOULD be terminated (i.e., logged out)… (4.1.3 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Periodic reauthentication of subscriber sessions SHALL be performed as described in Section 7.2. At AAL3, authentication of the subscriber SHALL be repeated at least once per 12 hours during an extended usage session, regardless of user activity, as described in Section 7.2. Reauthentication of the … (4.3.3 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Due to the distributed nature of a federated system, the subscriber is capable of terminating sessions with the IdP and RP independently of one another. The RP SHALL NOT assume that the subscriber has an active session at the IdP past the establishment of the federated log in. The IdP SHALL NOT assu… (5.3 ¶ 2, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. (AC-12 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. (AC-12 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization requires that users log out when {organizationally documented description of when to log out}. (AC-2(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The information system provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to {organizationally documented information resources}. (AC-12(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The organization requires that users log out when {organizationally documented description of when to log out}. (AC-2(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4, Deprecated)
  • The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. (AC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. (AC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. (AC-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect]. (AC-12 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect]. (AC-12 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. (SC-10 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. (AC-12 Control, TX-RAMP Security Controls Baseline Level 2)
  • The information system terminates the network connection associated with a communications session at the end of the session or after [TX-RAMP Assignment: no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions] of inactivity. (SC-10 Control, TX-RAMP Security Controls Baseline Level 2)