Educause Security Discussion mailing list archives

Re: Exception to Session Logoff Policy


From: Michael Van Norman <mvn () UCLA EDU>
Date: Fri, 22 Jan 2016 17:35:46 +0000

This is a no-brainer — change the session timer (at least for the labs in question).  Regardless of things suggested by 
standards, why would you let a document meant to cover a wide range of use cases trump an actual, concrete, local 
business requirement?  One of the key pillars of information security is availability.  If the policy is making the 
resource unavailable when it needs to be available, the policy is the security breach.

/Mike

On 1/22/16, 9:25 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Carroll, Tim" <SECURITY () LISTSERV 
EDUCAUSE EDU on behalf of Carrolltd () ROANESTATE EDU> wrote:

Good Morning,

I have a request from an Academic Organization to change the session logoff time from our standard 15 minutes of 
inactivity to 60 minutes to accommodate teaching in dedicated labs.  After researching for a standard I can find no 
clear consensus, although 15 minutes seems to be the most commonly adopted.  OMB M-06-16, U.S. Presidential 
Memorandum "Protection of Sensitive Agency Information", recommends time-out after 30 minutes; NIST SP800-46 suggests 15 
minutes; standards among Higher Education institutions vary widely from 1 to 30 minutes depending on where the computer 
is located and what data is being accessed.

My question is, what automatic logoff standard are you using and do you allow for exceptions?  What sources do you cite 
to support your decision if any?

Regards,

Tim
Tim Carroll
Assistant Vice President and Chief Information Officer
Information Technology
Roane State Community College
carrolltd () roanestate edu
865-882-4560


