AC-12-727 Session Termination

Access Control
Account Management
January 20, 2018

Privileged access user accounts shall terminate their session after 4 hours of inactivity, or 12 hours of total session time, if the information resource supports such a behavior. Standard user accounts do not require session termination.

Inadequate session limit mechanisms may expose sensitive information or operating systems to unauthorized access.
The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
User accounts are logged out after a defined period.
No statewide control
Obtain documents relating to security safeguards and ascertain if the information system automatically terminates a user session when trigger events or conditions are met (such as organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use).