3.1.10—Access Control - Derived
>Control Description
>Discussion
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be at the application level). Session locks are not an acceptable substitute for logging out of the system, for example, if organizations require users to log out at the end of the workday.
Pattern-hiding displays can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern session lock activation?
- •What is the maximum idle time before session lock?
- •How are session lock requirements communicated to users?
- •Who approves session timeout configurations?
- •What exceptions exist to session lock requirements?
Technical Implementation:
- •How do you enforce automatic session lock after inactivity?
- •What technical mechanisms lock sessions (screensavers, OS controls)?
- •How are session lock timeout settings configured and enforced?
- •What controls prevent users from disabling session locks?
- •How do remote access sessions implement automatic lock?
Evidence & Documentation:
- •Can you demonstrate session lock configuration settings?
- •What evidence shows session locks activate after defined idle time?
- •Can you provide GPO or MDM policies enforcing session timeouts?
- •What audit logs track session lock events?
- •What compliance scans verify session lock enforcement?
Ask AI
Configure your API key to use AI features.