Re: Exception to Session Logoff Policy

[Eric Lukens <eric.lukens () UNI EDU>]

Just the same, if a user leaves the lab and forgot to log off, do you
want their session available for 60 minutes? Of course, there are
other ways for the users to solve the problem themselves that you'd
likely never know about...

http://www.cru-inc.com/products/wiebetech/mouse_jiggler/



On Fri, Jan 22, 2016 at 2:34 PM, Hugh Burley <Hburley () tru ca> wrote:
> We have instituted a 15 minute screen lock on idle time. All exceptions, of
> which there have been few, are made by the CIO and clearly documented with a
> business case.
>
>
>
> Hugh Burley
>
> Manager Information Security
>
> Thompson Rivers University
>
> BCCOL 223
>
> Phone: 250-852-6351
>
>
>
>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carroll, Tim
> Sent: Friday, January 22, 2016 9:25 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Exception to Session Logoff Policy
>
>
>
> Good Morning,
>
>
>
> I have a request from an Academic Organization to change the session logoff
> time from our standard 15 minutes of inactivity to 60 minutes to accommodate
> teaching in dedicated labs.  After researching for a standard I can find no
> clear consensus; although 15 minutes seems to be the most commonly adopted.
> OMB M-06-16 (PDF) U.S. Presidential Memorandum Protection of Sensitive
> Agency Information recommends time-out after 30 minutes; NIST SP800-46
> suggests 15 minutes; Standards among Higher Education institutions vary
> widely from 1 to 30 minutes depending on where the computer is located and
> what data is being accessed.
>
>
>
> My question is, what automatic logoff standard are you using and do you
> allow for exceptions?  What sources do you cite to support your decision if
> any?
>
>
>
> Regards,
>
>
>
> Tim
>
> Tim Carroll
>
> Assistant Vice President and Chief Information Officer
>
> Information Technology
>
> Roane State Community College
>
> carrolltd () roanestate edu
>
> 865-882-4560
>
>
>
>
>
> ________________________________
>
>
> This email is intended for the addressee and may contain privileged
> information. If you are not the addressee, you are not permitted to use or
> copy this email or its attachments nor may you disclose the same to any
> third party. If this has been sent to you in error, please delete the email
> and notify us by replying to this email immediately.



-- 
Eric C. Lukens
IT Security Compliance & Policy Analyst
ITS-Information Security
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/

"Security is a process, not a product."  Bruce Schneier