Security - Recommended Browser Session Timeout

Based on PCI, HIPAA, and other industry security standards, what should the browser session timeout value be when dealing with sensitive customer data? Please state your source as well as your recommendation.

Asked by: TheTone
1 Solution
 
ahoffmann Commented:
There is no such definition.
You need to form your own opinion according to the threat agent you expect and the risk it may pose to your business and/or business data.
Then you need to strike a good balance between security and usability.
A good idle timeout (time during which no action is taken in the session) is 15-30 minutes, IMHO.

But keep in mind that you need to implement this in the server-side application *and not* rely on just a browser-side implementation.
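The server-side enforcement ahoffmann describes, as an added example that is not part of the original thread: the server records the time of the last request for each session token and refuses any token whose idle time exceeds the limit, so a browser-side JavaScript timer (which an attacker with a stolen cookie simply never runs) is irrelevant to the decision. The 15-minute value, the `SessionStore` class, the `ManualClock` helper and the sample user names are assumptions for illustration; the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Server-side idle-timeout enforcement for web sessions (illustrative example).

The server, not the browser, is the authority on whether a session is still
alive: every request re-validates the token against the stored last-activity
timestamp, and an idle session is destroyed on first use after the limit.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# 15 minutes: the idle limit the thread cites for PCI DSS and ISO/IEC 27002.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    created_at: float
    last_activity: float


class ManualClock:
    """Test clock (assumed helper): advance() moves time forward deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionStore:
    """In-memory session table with sliding idle expiry (assumed name/API)."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._idle_timeout = idle_timeout
        self._clock = clock  # monotonic so wall-clock changes cannot extend a session
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        """Issue an unguessable token (256 bits from the OS CSPRNG) for `user`."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user=user, created_at=now, last_activity=now)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Validate a presented token on every request.

        Returns the user name if the session is live, otherwise None. A session
        that has been idle longer than the limit is deleted here, so it cannot
        be revived by a later request no matter what the client claims.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_activity > self._idle_timeout:
            del self._sessions[token]
            return None
        session.last_activity = now  # sliding window: activity resets the idle clock
        return session.user

    def logout(self, token: str) -> None:
        """Explicit logout: remove the session regardless of remaining idle time."""
        self._sessions.pop(token, None)


def demo() -> List[Optional[str]]:
    """Walk a session through activity, idleness and expiry; returns each check."""
    clock = ManualClock()
    store = SessionStore(idle_timeout=IDLE_TIMEOUT_SECONDS, clock=clock)
    token = store.create("alice")  # constructed sample user
    results: List[Optional[str]] = []

    clock.advance(14 * 60)                      # 14 min idle: still inside the limit
    results.append(store.authenticate(token))   # "alice", and idle clock resets
    clock.advance(14 * 60)                      # another 14 min: sliding window holds
    results.append(store.authenticate(token))   # "alice"
    clock.advance(16 * 60)                      # 16 min idle: over the limit
    results.append(store.authenticate(token))   # None, session destroyed
    results.append(store.authenticate(token))   # None, cannot be revived
    return results


if __name__ == "__main__":
    print(demo())
```

The important property is that `authenticate` is the only path by which a request is accepted, and it consults the server's own `last_activity` timestamp; a client that keeps a tab open, tampers with a cookie expiry or replays an old token gains nothing once the server-side limit has passed.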
 
TheTone (Author) Commented:
Found the actual factual definitions that I was looking for:

PCI-DSS 8.5.1.15 - 15 minutes
If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.

PCI-DSS 12.3.8 - Modems - 15 minutes
Automatic disconnect of modem sessions after a specific period of inactivity

PCI-DSS 12.3.9 - Vendors using Modems - 15 minutes
Activation of modems for vendors only when needed by vendors, with immediate deactivation after use

HIPAA 164.312 - "Predetermined Time" - does not specify an exact timeout
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

ISO/IEC 27002:2005 9.1.5, 11.3.1, 11.3.2, 11.3.3 - Control Specification IS-17 - Create Policy
Policies and procedures shall be established for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout for a period of inactivity.

ISO/IEC 27002:2005 11.2.3, 11.5.5 - Control Specification SA-02 - 15 minutes
Re-enter password to reactivate terminal after session idle time for more than 15 minutes.

DoD (Department of Defense) 8420.01 - Information Assurance for Classified WLANs - 30 minutes
Use a session timeout capability, not to exceed 30 minutes.
 
TheTone (Author) Commented:
I researched this all day, reading all the actual security specifications for PCI, HIPAA and ISO/IEC 27002:2005, which I was hoping someone else had already done.
