TheTone
Security - Recommended Browser Session Timeout
Based on PCI, HIPAA, and other industry security standards, what should the browser session timeout value be when dealing with sensitive customer data? Please state your source as well as your recommendation.
ASKER
I researched this all day, reading all the actual security specifications for PCI, HIPAA, and ISO/IEC 27002:2005, which I was hoping someone else had already done.
You need to form your own opinion according to the threat agent you expect and the risk it may pose to your business and/or business data.
Then you need to strike a good balance between security and usability.
A good idle timeout (time during which no action is done in this session) is 15-30 minutes, IMHO.
But keep in mind that you need to implement this in the server-side application *and not* rely on just a browser-side implementation.
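The server-side enforcement the reply recommends, as an added example that is not part of the original thread: a minimal Python session store that keeps the idle clock on the server, expires a session after 15 minutes without a request (the absolute lifetime cap and the injectable clock are my additions so the expiry can be exercised without waiting), and rejects the cookie afterwards no matter what the browser still holds.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # 15 minutes with no request ends the session
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed cap on total lifetime, regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table: the browser only holds an opaque id."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.idle, self.absolute = idle, absolute
        self.clock = clock  # injectable so expiry can be simulated in tests

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable id, the only thing sent to the client
        now = self.clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid):
        """Return the user for a live session and refresh its idle timer, else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle or now - s.created > self.absolute:
            del self._sessions[sid]  # expired: destroyed server-side, cookie is now worthless
            return None
        s.last_seen = now
        return s.user


class FakeClock:
    """Constructed clock standing in for time.time() in the demo."""
    def __init__(self, t=0.0): self.t = t
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


def demo():
    clock = FakeClock(1_000_000.0)
    store = SessionStore(clock=clock)
    sid = store.create("alice")
    clock.advance(10 * 60); a = store.validate(sid)  # 10 min idle: valid, timer refreshed
    clock.advance(14 * 60); b = store.validate(sid)  # 14 min since last request: valid
    clock.advance(16 * 60); c = store.validate(sid)  # 16 min idle: expired despite cookie
    d = store.validate(sid)                           # stays dead once expired
    return a, b, c, d
```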