Solved

Security - Recommended Browser Session Timeout

Posted on 2012-04-04
3
2,110 Views
Last Modified: 2012-04-10
Based on PCI, HIPPA, etc, and other industry Security Standards what should the browser session timeout value be when dealing with sensitive customer data?  Please state your source as well as your recommendation.
0
Comment
Question by:TheTone
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37809567
there is no such definition
you need to make your own opinion according the thread agent you expect and the risk it may have in your business and/or business data
then you need to make a goog balance betwwen security and usability
good idle timeout (time where no action is done in this session) is 15-30 minutes, IMHO

but keep in mind, that you need to implement this in the server-side application *and not* rely on just a browser-side implementation
0
 

Accepted Solution

by:
TheTone earned 0 total points
ID: 37810609
Found the actual factual definitions that I was looking for:

PCI-DSS 8.5.1.15 - 15 minutes
If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.

PCI-DSS 12.3.8 - Modems - 15 minutes
Automatic disconnect of modem sessions after a specific period of inactivity

PCI-DSS 12.3.9 - Vendors using Modems - 15 minutes
Activation of modems for vendors only when needed by vendors, with immediate deactivation after use

HIPPA 164.312 - "Pretermined Time" Doesn't Specify exact timeout
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

ISO/IEC 27002-2005 9.1.5, 11.3.1, 11.3.2,11.3.3 - Control Specification IS-17 - Create Policy
Policies and procedures shall be established for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout for a period of inactivity.

ISO/IEC 27002-2005 11.2.3, 11.5.5 - Control Specification SA-02 - 15 minutes
Re-enter password to reactivate terminal after session idle time for more than 15 minutes.

DoD Department of Defense 8420.01 - Information Assurance for Classifed WLAN's - 30 minutes
Use a session timeout capability, not to exceed 30 minutes.
0
 

Author Closing Comment

by:TheTone
ID: 37826739
I researched this all day reading all the actual security specifications for PCI, HIPPA, ISO/EC 27002-2005 which I was hoping someone else already did.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Cloud-based technologies and services will continue to grow in popularity in 2017 thanks to the simple, scalable and cost-effective solutions they deliver. Here are three areas where cloud adoption is poised to really take off.
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question