
Configure session timeout and reauthentication settings according to organizational standards.


CONTROL ID
12460
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Terminate all dependent sessions upon session termination., CC ID: 16984
  • Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards., CC ID: 04490
  • Display an explicit logout message when disconnecting an authenticated communications session., CC ID: 10093
  • Invalidate session identifiers upon session termination., CC ID: 10649

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A licensed or registered person should set up stringent password policies and session timeout controls in its internet trading system, which include: (1.6. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • Banks should regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity. (Critical components of information security 17) x., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The examples where increased authentication strength may be required, given the risks involved include: administration or other privileged access to sensitive or critical IT assets, remote access through public networks to sensitive assets and activities carrying higher risk like third-party fund t… (Critical components of information security 5) (v), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Session time-out: An online session would be automatically terminated after a fixed period of time unless the customer is re-authenticated for the existing session to be maintained. This prevents an attacker from keeping an internet banking session alive indefinitely. (Critical components of information security g) ¶ 2 15. f., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An online session would need to be automatically terminated after a fixed period of time unless the customer is re-authenticated for the existing session to be maintained. This prevents an attacker from keeping an internet banking session alive indefinitely. (Critical components of information security g) ¶ 2 13., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Re-establishment of any session after interruption should require normal user identification, authentication, and authorization. Moreover, strong server side validation should be enabled. (Critical components of information security g) iii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An authenticated session, together with its encryption protocol, should remain intact throughout the interaction with the customer. Else, in the event of interference, the session should be terminated and the affected transactions resolved or reversed out. The customer should be promptly notified of… (Critical components of information security g) ¶ 2 7., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should ensure the authenticated session, together with its encryption protocol, remains intact throughout the interaction with the customer. Measures to detect and terminate hijacked sessions should be implemented. To reduce the risk of an attacker from maintaining a hijacked session indefini… (§ 14.2.9, Technology Risk Management Guidelines, January 2021)
  • ensures that the screen does not enter a power saving state before the screen or session lock is activated (Security Control: 0428; Revision: 6; Bullet 3, Australian Government Information Security Manual, March 2021)
  • requires the user to reauthenticate to unlock the system (Security Control: 0428; Revision: 6; Bullet 4, Australian Government Information Security Manual, March 2021)
  • requires users to authenticate to unlock the session (Control: ISM-0428; Revision: 9; Bullet 4, Australian Government Information Security Manual, June 2023)
  • On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and workstations are restarted. (Control: ISM-0853; Revision: 3, Australian Government Information Security Manual, June 2023)
  • ensures that the screen does not enter a power saving state before the session or screen lock is activated (Control: ISM-0428; Revision: 9; Bullet 3, Australian Government Information Security Manual, June 2023)
  • requires users to authenticate to unlock the session (Control: ISM-0428; Revision: 9; Bullet 4, Australian Government Information Security Manual, September 2023)
  • On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and workstations are restarted. (Control: ISM-0853; Revision: 3, Australian Government Information Security Manual, September 2023)
  • ensures that the screen does not enter a power saving state before the session or screen lock is activated (Control: ISM-0428; Revision: 9; Bullet 3, Australian Government Information Security Manual, September 2023)
  • If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. (8.1.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. (8.1.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. (8.1.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • If a session has been idle for more than 15 minutes, are users required to re-authenticate (for example, re-enter the password) to re-activate the terminal or session? (8.1.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • If a session has been idle for more than 15 minutes, are users required to re-authenticate (for example, re-enter the password) to re-activate the terminal or session? (8.1.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • If a session has been idle for more than 15 minutes, are users required to re-authenticate (for example, re-enter the password) to re-activate the terminal or session? (8.1.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • If a session has been idle for more than 15 minutes, are users required to re-authenticate (for example, re-enter the password) to re-activate the terminal or session? (8.1.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • For a sample of system components, inspect system configuration settings to verify that system/session idle time out features have been set to 15 minutes or less. (8.1.8, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine system configuration settings to verify that system/session idle timeout features for user sessions have been set to 15 minutes or less. (8.2.8, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period. (3.3.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that the application gives the option to terminate all other active sessions after a successful password change (including change via password reset/recovery), and that this is effective across the application, federated login (if present), and any relying parties. (3.3.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. (CIS Control 4: Safeguard 4.3 Configure Automatic Session Locking on Enterprise Assets, CIS Controls, V8)
  • Terminate (automatically) user sessions after a defined condition. (AC.3.019, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Terminate (automatically) user sessions after a defined condition. (AC.3.019, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Terminate (automatically) user sessions after a defined condition. (AC.3.019, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures. Users shall directly … (§ 5.5.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures. Users shall directly … (§ 5.5.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Periodic reauthentication of subscriber sessions SHALL be performed as described in Section 7.2. At AAL1, reauthentication of the subscriber SHOULD be repeated at least once per 30 days during an extended usage session, regardless of user activity. The session SHOULD be terminated (i.e., logged out)… (4.1.3 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • SHALL time out and not be accepted after the times specified in Sections 4.1.4, 4.2.4, and 4.3.4, as appropriate for the AAL. (7.1 ¶ 3 7., Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Continuity of authenticated sessions SHALL be based upon the possession of a session secret issued by the verifier at the time of authentication and optionally refreshed during the session. The nature of a session depends on the application, including: (7.2 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Periodic reauthentication of sessions SHALL be performed to confirm the continued presence of the subscriber at an authenticated session (i.e., that the subscriber has not walked away without logging out). (7.2 ¶ 3, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • A session SHALL NOT be extended past the guidelines in Sections 4.1.3, 4.2.3, and 4.3.3 (depending on AAL) based on presentation of the session secret alone. Prior to session expiration, the reauthentication time limit SHALL be extended by prompting the subscriber for the authentication factor(s) sp… (7.2 ¶ 4, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Apply a session time-out that terminates all sessions and requires re-authentication after no more than 15 minutes of inactivity (30 minutes for CICS). Users shall not circumvent this control by deploying automated software mechanisms, or any other strategies, to prevent session time-outs. (ADDITIONAL REQUIREMENTS ¶ 12, Policy 622: Remote Access, 622-00)
  • A passcode or PIN will be required to unlock the device after two minutes of inactivity. (REQUIREMENTS 2.2., Standard 638S1: Mobile Device Management, 638S1-01)
  • A passcode or PIN will be required to unlock the device after two minutes of inactivity. (REQUIREMENTS 2.2., Standard 638S2: Mobile Device Use, 638S2-01)