AC-11-727 Session Lock

AC-11-727
Session Lock
Access Control
Protect
Account Management
MOD, HIGH
P3
No
August 17, 2016

All Agency-owned information resources shall adopt Center for Internet Security (CIS) Benchmarks Level I standards for session lock policies, or implement a session lock that takes effect after 15 minutes of inactivity for normal users and 5 minutes for privileged users, whichever is more stringent.

Unauthorized users gain access to operating systems by physically or logically taking over valid sessions that are inactive and/or unattended.
The information system: a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
User sessions are locked after a period of user inactivity (e.g., 15 minutes).
No statewide control
Obtain access control policy; procedures addressing session lock; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records and ascertain if (i) the organization defines in the security plan, explicitly or by reference, the time period of user inactivity after which the information system initiates a session lock; (ii) the information system initiates a session lock after the organization-defined time period of inactivity; (iii) the information system provides the capability for users to directly initiate session lock mechanisms; and (iv) the information system maintains the session lock until the user reestablishes access using appropriate identification and authentication procedures.
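As an added illustration (not part of the control catalog and not an agency-supplied tool), the following Python check shows how an assessor might evaluate collected configuration settings against the implementation statement above and step (ii) of the assessment procedure. It reads a shell profile fragment, extracts the TMOUT inactivity timeout that CIS Linux benchmarks use for the default shell timeout, and compares it with the binding limit: the more stringent of the control's 15-minute (normal) or 5-minute (privileged) value and the CIS Level I ceiling. The 900-second CIS ceiling and both profile fragments are assumptions constructed for this example; the graphical session lock and other platforms would need their own collectors.

```python
"""Evaluate shell inactivity-timeout settings against AC-11-727.

Added example, not part of the control catalog. Policy limits come from the
control text; the CIS Level I ceiling and sample profiles are assumptions.
"""
import re

# Policy thresholds from the control text, in seconds.
POLICY_TIMEOUT = {"normal": 15 * 60, "privileged": 5 * 60}
# Assumption: CIS Benchmark Level I ceiling for the default shell timeout.
CIS_LEVEL1_SHELL_TIMEOUT = 900

# Matches "TMOUT=900", "export TMOUT", "readonly TMOUT", "readonly TMOUT=300".
_TMOUT_RE = re.compile(r"^(?:(export|readonly)\s+)?TMOUT(?:=(\d+))?$")


def required_timeout(user_class):
    """Binding limit is whichever is more stringent: policy or CIS value."""
    return min(POLICY_TIMEOUT[user_class], CIS_LEVEL1_SHELL_TIMEOUT)


def parse_tmout(profile_text):
    """Extract the TMOUT value and whether it is exported and read-only.

    Comments are stripped, statements may be ';'-separated, and the last
    assignment wins, mirroring how the shell would process the fragment.
    """
    value, exported, readonly = None, False, False
    for line in profile_text.splitlines():
        for stmt in line.split("#", 1)[0].split(";"):
            m = _TMOUT_RE.match(stmt.strip())
            if not m:
                continue
            keyword, number = m.groups()
            if number is not None:
                value = int(number)
            if keyword == "export":
                exported = True
            elif keyword == "readonly":
                readonly = True
    return {"value": value, "exported": exported, "readonly": readonly}


def evaluate(profile_text, user_class):
    """Return a list of findings; an empty list means the fragment complies."""
    setting = parse_tmout(profile_text)
    limit = required_timeout(user_class)
    if setting["value"] is None:
        return ["TMOUT not set: no inactivity timeout is enforced"]
    findings = []
    if setting["value"] == 0:
        findings.append("TMOUT=0 disables the inactivity timeout")
    elif setting["value"] > limit:
        findings.append(
            f"TMOUT={setting['value']}s exceeds the {limit}s limit "
            f"for {user_class} users"
        )
    if not setting["exported"]:
        findings.append("TMOUT is not exported: child shells will not inherit it")
    if not setting["readonly"]:
        findings.append("TMOUT is not readonly: users can override the timeout")
    return findings


# Constructed sample fragments (e.g., as collected from /etc/profile.d/).
WEAK_PROFILE = """\
# timeout present but too long for the policy and overridable by the user
TMOUT=1800
export TMOUT
"""

HARDENED_PROFILE = """\
# 5-minute limit that satisfies both user classes, inherited and locked down
TMOUT=300; readonly TMOUT; export TMOUT
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        for user_class in POLICY_TIMEOUT:
            print(name, user_class, evaluate(text, user_class) or "compliant")
```

The read-only and export checks matter because a timeout that a user can unset, or that interactive subshells do not inherit, does not meet the requirement that the lock is retained until the user re-authenticates. Running the script prints the findings for each fragment and user class.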