The risk for unauthorized access or inappropriate viewing of information increases for organizations if session timeouts are not in place for systems to secure logon.

Additionally, logon “time of day” limitations may be appropriate to reduce the risk of unauthorized access for sensitive or high-risk systems. Session timeouts and time-of-day limitations are the focus of pitfall #35 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.

System time-outs should conceal information that is visible on the display (e.g., monitor) with a publicly viewable image (e.g., a screen saver) after a maximum of ten to fifteen minutes of inactivity. Session time-outs should close network sessions after thirty to sixty minutes of inactivity. Systems should require users to re-establish access using appropriate identification and authentication processes after a screen saver lock is active or a session is terminated.

For your most sensitive systems, your organization may choose to implement time of day logon restrictions. This is helpful if there are specific systems that only require standard user access during standard times and days (e.g., 7:00 AM to 6:00 PM, Monday through Friday).

Implementing time-of-day logon restrictions will enable your organization to easily determine if any authorized accounts have aberrant access attempts. Abnormal access attempts outside of normal business hours may be early indicators of a potential security incident or data breach to which your organization will need to immediately respond.

While these time-of-day controls are generally easy to implement, they may present a change in culture within your organization. Focus on the balance between security and operations. Your Security Program should not preclude operational tasks from being performed, but rather support them being performed securely. Logging and alerting on abnormal logon attempts should not preclude the access being granted but deliver alerts to the appropriate monitoring personnel for further investigation to secure logon.