Educause Security Discussion mailing list archives
Re: Exception to Session Logoff Policy
From: "Carroll, Tim" <Carrolltd () ROANESTATE EDU>
Date: Thu, 28 Jan 2016 13:08:41 +0000
Thanks Antonio and everyone else who responded. Your comments and suggestions were very helpful. Regards, Tim Carroll 865-882-4560 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Antonio Crespo Sent: Wednesday, January 27, 2016 4:57 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Exception to Session Logoff Policy Hello All, We implemented a lockout after 15 minutes of inactivity as a standard for systems across the college at the operating system level. We couldn't enforce it at the application level due to business cases, so some applications have longer timeouts. Exception requests come to Information Security for review and we've approved a few exceptions based on business case/risk. Our academic technical support team also leverages Presentation Mode in Windows 8 for temporary extensions, like board meetings or events on campus. I hope this helps. -- Best Regards, Antonio Crespo Senior Director, IT Security Barnard College "Passwords are like toothbrushes: don’t share them, and change them periodically!" ***This message is intended for the use of the addressee and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of the information contained in this message is strictly unauthorized and prohibited. If you have received this message in error, please notify the sender by reply e-mail and delete the message from your system. Opinions, conclusions or other statements in this message are neither given nor endorsed by Barnard College. This email is for informational purposes only and not meant to bind the sender or Barnard College.*** On Fri, Jan 22, 2016 at 4:36 PM, Eric Lukens <eric.lukens () uni edu<mailto:eric.lukens () uni edu>> wrote: Just the same, if a user leaves the lab and forgot to log off, do you want their session available for 60 minutes? Of course, there are other ways for the users to solve the problem themselves that you'd likely never know about... http://www.cru-inc.com/products/wiebetech/mouse_jiggler/ On Fri, Jan 22, 2016 at 2:34 PM, Hugh Burley <Hburley () tru ca<mailto:Hburley () tru ca>> wrote:
We have instituted a 15 minute screen lock on idle time. All exceptions, of which there have been few, are made by the CIO and clearly documented with a business case. Hugh Burley Manager Information Security Thompson Rivers University BCCOL 223 Phone: 250-852-6351<tel:250-852-6351> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>] On Behalf Of Carroll, Tim Sent: Friday, January 22, 2016 9:25 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Exception to Session Logoff Policy Good Morning, I have a request from an Academic Organization to change the session logoff time from our standard 15 minutes of inactivity to 60 minutes to accommodate teaching in dedicated labs. After researching for a standard I can find no clear consensus; although 15 minutes seems to be the most commonly adopted. OMB M-06-16 (PDF) U.S. Presidential Memorandum Protection of Sensitive Agency Information recommends time-out after 30 minutes; NIST SP800-46 suggests 15 minutes; Standards among Higher Education institutions vary widely from 1 to 30 minutes depending on where the computer is located and what data is being accessed. My question is, what automatic logoff standard are you using and do you allow for exceptions? What sources do you cite to support your decision if any? Regards, Tim Tim Carroll Assistant Vice President and Chief Information Officer Information Technology Roane State Community College carrolltd () roanestate edu<mailto:carrolltd () roanestate edu> 865-882-4560<tel:865-882-4560> ________________________________ This email is intended for the addressee and may contain privileged information. If you are not the addressee, you are not permitted to use or copy this email or its attachments nor may you disclose the same to any third party. If this has been sent to you in error, please delete the email and notify us by replying to this email immediately.
-- Eric C. Lukens IT Security Compliance & Policy Analyst ITS-Information Security Curris Business Building 15 University of Northern Iowa Cedar Falls, IA 50614-0121 (319) 273-7434<tel:%28319%29%20273-7434> http://www.uni.edu/elukens/ "Security is a process, not a product." Bruce Schneier ________________________________ This email is intended for the addressee and may contain privileged information. If you are not the addressee, you are not permitted to use or copy this email or its attachments nor may you disclose the same to any third party. If this has been sent to you in error, please delete the email and notify us by replying to this email immediately.
Current thread:
- Exception to Session Logoff Policy Carroll, Tim (Jan 22)
- Re: Exception to Session Logoff Policy Hugh Burley (Jan 22)
- Re: Exception to Session Logoff Policy Eric Lukens (Jan 22)
- Re: Exception to Session Logoff Policy Antonio Crespo (Jan 27)
- Re: Exception to Session Logoff Policy Carroll, Tim (Jan 28)
- Re: Exception to Session Logoff Policy Eric Lukens (Jan 22)
- Re: Exception to Session Logoff Policy Hugh Burley (Jan 22)
- <Possible follow-ups>
- Re: Exception to Session Logoff Policy Michael Van Norman (Jan 22)
- Re: Exception to Session Logoff Policy Bellina, Brendan (Jan 22)
- Re: Exception to Session Logoff Policy Frank Barton (Jan 22)
- Re: Exception to Session Logoff Policy Bellina, Brendan (Jan 22)
- Re: Exception to Session Logoff Policy Stefan Wahe (Jan 22)