
SB.9.012 Session Timeout

Identity & Access Management
Low
Low
Low
System Owner
v2.0 (Q1 2024)

Description

After a period of inactivity in an application, the user session should be locked and require re-authentication.

Activity in another application from the same identity provider may be considered continued activity.

Specification

Depending on the security levels of the IT system, the maximum duration of the session is as follows:

  1. Low: 30 days
  2. Medium: 1 day
  3. High: 8 hours
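
One way an application's session check could enforce these limits, as an added example that is not part of the baseline itself. It assumes the limit is measured from the last recorded activity and that the identity provider reports a last-activity timestamp; the `Session` record, its field names and the function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Limits from the specification above, keyed by the IT system's security level.
MAX_SESSION = {
    "low": timedelta(days=30),
    "medium": timedelta(days=1),
    "high": timedelta(hours=8),
}

@dataclass
class Session:  # hypothetical session record
    user: str
    last_app_activity: datetime                   # last request seen by this application
    last_idp_activity: Optional[datetime] = None  # last activity reported by the shared IdP

def effective_last_activity(s: Session) -> datetime:
    """Activity in another application behind the same IdP counts as continued activity."""
    if s.last_idp_activity is None:
        return s.last_app_activity
    return max(s.last_app_activity, s.last_idp_activity)

def requires_reauth(s: Session, level: str, now: datetime) -> bool:
    """True when the session must be locked and the user re-authenticated."""
    # Design choice of this example: an unknown level fails closed to the strictest limit.
    limit = MAX_SESSION.get(level.lower(), min(MAX_SESSION.values()))
    last = effective_last_activity(s)
    if last > now:
        # A timestamp in the future (clock skew or tampering) is not trusted.
        return True
    return now - last >= limit

# Constructed sample data: the same user, idle for 9 hours in this application.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
IDLE_9H = Session("alice", NOW - timedelta(hours=9))
IDLE_9H_ACTIVE_ELSEWHERE = Session(
    "alice", NOW - timedelta(hours=9), NOW - timedelta(minutes=5)
)

if __name__ == "__main__":
    for lvl in ("low", "medium", "high"):
        print(lvl, requires_reauth(IDLE_9H, lvl, NOW),
              requires_reauth(IDLE_9H_ACTIVE_ELSEWHERE, lvl, NOW))
```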