Security - Recommended Browser Session Timeout

Based on PCI, HIPPA, etc, and other industry Security Standards what should the browser session timeout value be when dealing with sensitive customer data?  Please state your source as well as your recommendation.
TheToneAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ahoffmannCommented:
there is no such definition
you need to make your own opinion according the thread agent you expect and the risk it may have in your business and/or business data
then you need to make a goog balance betwwen security and usability
good idle timeout (time where no action is done in this session) is 15-30 minutes, IMHO

but keep in mind, that you need to implement this in the server-side application *and not* rely on just a browser-side implementation
0
TheToneAuthor Commented:
Found the actual factual definitions that I was looking for:

PCI-DSS 8.5.1.15 - 15 minutes
If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.

PCI-DSS 12.3.8 - Modems - 15 minutes
Automatic disconnect of modem sessions after a specific period of inactivity

PCI-DSS 12.3.9 - Vendors using Modems - 15 minutes
Activation of modems for vendors only when needed by vendors, with immediate deactivation after use

HIPPA 164.312 - "Pretermined Time" Doesn't Specify exact timeout
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

ISO/IEC 27002-2005 9.1.5, 11.3.1, 11.3.2,11.3.3 - Control Specification IS-17 - Create Policy
Policies and procedures shall be established for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout for a period of inactivity.

ISO/IEC 27002-2005 11.2.3, 11.5.5 - Control Specification SA-02 - 15 minutes
Re-enter password to reactivate terminal after session idle time for more than 15 minutes.

DoD Department of Defense 8420.01 - Information Assurance for Classifed WLAN's - 30 minutes
Use a session timeout capability, not to exceed 30 minutes.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
TheToneAuthor Commented:
I researched this all day reading all the actual security specifications for PCI, HIPPA, ISO/EC 27002-2005 which I was hoping someone else already did.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.