>Can anyone point me to the actual government documents (CMS and DOD)
>pertaining to the security requirement for unattended (15 minutes) connections.

US Government seemingly imposed rules are confusing. What I know is that it comes from the NIST 800-53 document under the category of AC-12; www.nist.gov and search on "sp 800-53". Depending on the level you choose, all they say is you must have some session timeout. Once you conform to this, then each agency puts forth their own security policy to show they conform to NIST 800-53. For example, here is one I know about:

"All 'Agency X' workstations must use password-protected screensavers. Your workstation screensaver activates if you don't use your keyboard or mouse for 15 minutes, and you must reenter your password to be able to use your workstation. This prevents unauthorized access to your workstation and the network while your workstation is unattended. If you are going to leave your mainframe terminal session unattended for any period of time, you should log off of the system. If you don't use your keyboard for more than 30 minutes, the system will automatically log you off."

So is the 15 minutes a given - no. But within the policy made, some applications may want to apply 10 minutes to some and 30 to others. I leave that to the application owner to mandate. So whatever passes the auditors comes out OK. Saying one does not time out anybody (just locking the keyboard) did not fly and some definite timeout period needed to be implemented.

Jim

