Solved

Security - Recommended Browser Session Timeout

Posted on 2012-04-04
1,856 Views
Last Modified: 2012-04-10
Based on PCI, HIPAA, etc., and other industry security standards, what should the browser session timeout value be when dealing with sensitive customer data? Please state your source as well as your recommendation.
Question by:TheTone
3 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37809567
There is no such definition.
You need to form your own opinion according to the threat agent you expect and the risk it may pose to your business and/or business data.
Then you need to strike a good balance between security and usability.
A good idle timeout (time during which no action is done in this session) is 15-30 minutes, IMHO.

But keep in mind that you need to implement this in the server-side application *and not* rely on just a browser-side implementation.
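The server-side enforcement ahoffmann describes above, as an added example that is not part of the original thread or of any product mentioned on this page: a session table in which the server's own clock decides whether a session is still live, so a browser-side timer that the user disables or a client-supplied "I am still active" signal cannot keep a session alive. The 15-minute idle limit is the PCI DSS value cited in the accepted answer; the 8-hour absolute lifetime cap, and the `SessionStore` and `FakeClock` names, are assumptions of this example and come from no standard quoted on the page.

```python
import secrets
import time
from dataclasses import dataclass

# Idle limit cited in this thread (PCI DSS: re-authenticate after 15 minutes idle).
IDLE_TIMEOUT_SECONDS = 15 * 60
# Absolute lifetime cap is an assumption of this example, not a value from any
# standard quoted in the thread.
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: float   # server clock when the session was issued
    last_seen: float    # server clock of the last authenticated request


class SessionStore:
    """Server-side session table (hypothetical helper). The only clock that
    matters is the server's; nothing the browser sends can extend a session."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS,
                 absolute_timeout=ABSOLUTE_TIMEOUT_SECONDS, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def create(self, user):
        """Issue a fresh, unguessable session token for an authenticated user."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token):
        """Return the user for a live session, or None. Call this on every request.
        Expired sessions are deleted here, so a stale token can never be revived."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        idle_for = now - sess.last_seen
        age = now - sess.created_at
        if idle_for > self.idle_timeout or age > self.absolute_timeout:
            del self._sessions[token]
            return None
        sess.last_seen = now  # real activity extends the idle window, never the absolute one
        return sess.user

    def logout(self, token):
        """Explicit logout must destroy the server-side record, not just the cookie."""
        self._sessions.pop(token, None)

    def live_count(self):
        return len(self._sessions)


class FakeClock:
    """Constructed clock for demonstrations and tests (hypothetical helper)."""

    def __init__(self, start=1_000_000.0):
        self.now = float(start)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk one session through the idle limit; returns the validation results in order."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    token = store.create("alice")
    results = []
    clock.advance(10 * 60)            # 10 min idle: still inside the 15 min window
    results.append(store.validate(token))
    clock.advance(14 * 60)            # 14 min since that request: still live
    results.append(store.validate(token))
    clock.advance(15 * 60 + 1)        # one second over the idle limit: rejected and purged
    results.append(store.validate(token))
    results.append(store.validate(token))  # stays rejected; the record is gone
    return results


if __name__ == "__main__":
    print(demo())  # ['alice', 'alice', None, None]
```

The browser-side timer is still worth having for usability (warn the user before the cut-off, clear the screen), but it is a convenience layer: the `validate` call on every request is the control an auditor will look for, and the absolute cap stops a script that pings the server every few minutes from keeping a session alive indefinitely.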
 

Accepted Solution

by:
TheTone earned 0 total points
ID: 37810609
Found the actual factual definitions that I was looking for:

PCI-DSS 8.5.1.15 - 15 minutes
If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.

PCI-DSS 12.3.8 - Modems - 15 minutes
Automatic disconnect of modem sessions after a specific period of inactivity

PCI-DSS 12.3.9 - Vendors using Modems - 15 minutes
Activation of modems for vendors only when needed by vendors, with immediate deactivation after use

HIPAA 164.312 - "Predetermined Time" - Doesn't specify an exact timeout
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

ISO/IEC 27002:2005 9.1.5, 11.3.1, 11.3.2, 11.3.3 - Control Specification IS-17 - Create Policy
Policies and procedures shall be established for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout for a period of inactivity.

ISO/IEC 27002:2005 11.2.3, 11.5.5 - Control Specification SA-02 - 15 minutes
Re-enter password to reactivate terminal after session idle time for more than 15 minutes.

DoD Department of Defense 8420.01 - Information Assurance for Classified WLANs - 30 minutes
Use a session timeout capability, not to exceed 30 minutes.
 

Author Closing Comment

by:TheTone
ID: 37826739
I researched this all day, reading all the actual security specifications for PCI, HIPAA and ISO/IEC 27002:2005, which I was hoping someone else had already done.
