Solved

Security - Recommended Browser Session Timeout

Posted on 2012-04-04
Last Modified: 2012-04-10
Based on PCI, HIPAA, etc., and other industry security standards, what should the browser session timeout value be when dealing with sensitive customer data? Please state your source as well as your recommendation.
Question by: TheTone
3 Comments
Expert Comment by: ahoffmann
ID: 37809567
There is no such definition.
You need to form your own opinion according to the threat agent you expect and the risk it may pose to your business and/or business data.
Then you need to make a good balance between security and usability.
A good idle timeout (time where no action is done in this session) is 15-30 minutes, IMHO.

But keep in mind that you need to implement this in the server-side application *and not* rely on just a browser-side implementation.

Accepted Solution by: TheTone (earned 0 total points)
ID: 37810609
Found the actual factual definitions that I was looking for:

PCI-DSS 8.5.1.15 - 15 minutes
If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.

PCI-DSS 12.3.8 - Modems - 15 minutes
Automatic disconnect of modem sessions after a specific period of inactivity

PCI-DSS 12.3.9 - Vendors using Modems - 15 minutes
Activation of modems for vendors only when needed by vendors, with immediate deactivation after use

HIPAA 164.312 - "Predetermined Time" - does not specify an exact timeout
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

ISO/IEC 27002-2005 9.1.5, 11.3.1, 11.3.2, 11.3.3 - Control Specification IS-17 - Create Policy
Policies and procedures shall be established for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout for a period of inactivity.

ISO/IEC 27002-2005 11.2.3, 11.5.5 - Control Specification SA-02 - 15 minutes
Re-enter password to reactivate terminal after session idle time for more than 15 minutes.

DoD Department of Defense 8420.01 - Information Assurance for Classified WLANs - 30 minutes
Use a session timeout capability, not to exceed 30 minutes.
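As an added example (not code from this thread or from any of the standards it cites), a minimal server-side session store in Python that enforces the 15-minute idle limit quoted above and, following ahoffmann's point, makes the server rather than the browser the authority on whether a session is still live. The class and function names are my own; the clock is injectable so the behaviour can be exercised without waiting 15 minutes.

```python
# Server-side idle session timeout (added example, not from the thread).
# Enforces the 15-minute idle limit the accepted answer quotes from PCI DSS
# and ISO/IEC 27002, checked by the server on every request; a browser-side
# timer may warn the user but is never the authority on session validity.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # "re-enter password after 15 minutes idle"


@dataclass
class Session:
    user: str
    last_activity: float  # server clock reading at the last validated request


class SessionStore:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._sessions: Dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self._clock = clock  # injectable so tests need not wait 15 minutes

    def create(self, user: str) -> str:
        """Start a session after successful authentication; return its token."""
        token = secrets.token_urlsafe(32)  # unguessable; state kept server-side
        self._sessions[token] = Session(user, self._clock())
        return token

    def validate(self, token: str) -> Optional[Session]:
        """Return the live session, or None if unknown or idle too long.
        Activity inside the window slides the idle clock forward; an expired
        session is deleted so the token can never be reactivated later and
        the user must authenticate again to obtain a new one."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_activity > self.idle_timeout:
            del self._sessions[token]
            return None
        session.last_activity = now
        return session
```

Every request handler that touches sensitive data should call `validate` and treat `None` as "authenticate again"; nothing the browser sends can extend a session that the server has already expired.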

Author Closing Comment by: TheTone
ID: 37826739
I researched this all day, reading all the actual security specifications for PCI, HIPAA, and ISO/IEC 27002-2005, which I was hoping someone else had already done.