Re: Exception to Session Logoff Policy

[Frank Barton <bartonf () HUSSON EDU>]

One thing that we are working with right now, is that different groups on
campus may have different requirements for auto-lock/auto-logoff. Where it
gets very fun is when people are dual-roled.

I would ask if the time-out needs to be set for certain users, or certain
computers.

Either way, Document Everything.

Good Luck
Frank

On Fri, Jan 22, 2016 at 1:25 PM, Bellina, Brendan <bbellina () ucla edu> wrote:

> I don’t have additional standards to point you to, but I do think it
> reasonable that you respond to the statement of business need with vetted
> standards as you are doing. It may be that the business need is a
> preference rather than a requirement and that may not warrant it being an
> exception to your standard policy.  Even if it is an exception then that
> should be documented so that it can be reviewed in the future since
> business requirements change. Good luck.
>
> Regards,
>
> Brendan Bellina
> Identity Mgmt. Architect, IT Services, UCLA
> ✉ bbellina () ucla edu   ☏ +1 310 206 3131
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Michael Van Norman <
> mvn () UCLA EDU>
> Reply-To: The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU>
> Date: Friday, January 22, 2016 at 9:35 AM
> To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Exception to Session Logoff Policy
>
> This is a no brainer — change the session timer (at least for the labs in
> question).  Regardless of things suggested by standards, why would you let
> a document meant to cover a wide range of use cases trump an actual,
> concrete, local business requirement?  One of the key pillars of
> information security is availability.  If the policy is making the resource
> unavailable when it needs to be available, the policy is the security
> breach.
>
> /Mike
>
> On 1/22/16, 9:25 AM, "The EDUCAUSE Security Constituent Group Listserv on
> behalf of Carroll, Tim" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of
> Carrolltd () ROANESTATE EDU> wrote:
>
> Good Morning,
>
>
>
> I have a request from an Academic Organization to change the session
> logoff time from our standard 15 minutes of inactivity to 60 minutes to
> accommodate teaching in dedicated labs.  After researching for a standard I
> can find no clear consensus; although 15 minutes seems to be the most
> commonly adopted.  OMB M-06-16 (PDF) U.S. Presidential Memorandum
> Protection of Sensitive Agency Information recommends time-out after 30
> minutes; NIST SP800-46 suggests 15 minutes; Standards among Higher
> Education institutions vary widely from 1 to 30 minutes depending on where
> the computer is located and what data is being accessed.
>
>
>
> My question is, what automatic logoff standard are you using and do you
> allow for exceptions?  What sources do you cite to support your decision if
> any?
>
>
>
> Regards,
>
>
>
> Tim
>
> Tim Carroll
>
> Assistant Vice President and Chief Information Officer
>
> Information Technology
>
> Roane State Community College
>
> carrolltd () roanestate edu
>
> 865-882-4560
>
>
>
> ------------------------------
>
> This email is intended for the addressee and may contain privileged
> information. If you are not the addressee, you are not permitted to use or
> copy this email or its attachments nor may you disclose the same to any
> third party. If this has been sent to you in error, please delete the email
> and notify us by replying to this email immediately.


-- 
Frank Barton
ACMT
IT Systems Administrator
Husson University