Policy 7230A - Department of Administration
annual basis. This review should be structured such that one third of accounts per system are reviewed each year.

4.3. Session Management

The following are the Non-Mandatory Baselines that support the Session Management section of the Default Security Requirements:

4.3.1. Configure Systems for Secure Access

Agencies should ensure that systems are configured in such a way as to support and enhance user access and permission restrictions:

4.3.1.a System Use Notification

• System use notifications should, at a minimum, specify that:
  o Access is to a system owned by the organization.
  o Access to and actions within the system are monitored, recorded and may be audited.
  o Unauthorized access is not permitted and is a criminal offence.
  o System use implies consent to these strictures.

4.3.1.b System Lock-Out

• Session lock resulting from authentication failure should occur after five failed authentication attempts that occur within a fifteen-minute time period and should last for a minimum of 30 minutes.

4.3.1.c Session Lock and Termination

• Session lock should apply only to sessions that are initiated by end users and not to system-initiated sessions. Session lock should occur after twenty minutes of inactivity.
• Session termination should apply both to sessions that are initiated by end users and to system-initiated sessions. Session termination should occur after twenty minutes of inactivity.
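The lock-out and inactivity thresholds in 4.3.1.b and 4.3.1.c, encoded as a small policy engine so the rules can be exercised against login and session data. This is an added example, not text or code from Policy 7230A or the Department of Administration: the class and function names, the event format and the sample login events are constructed for the demonstration, and it reads the termination rule as covering both user- and system-initiated sessions.

```python
"""Worked example for sections 4.3.1.b and 4.3.1.c (added; not part of Policy 7230A).

Encodes the lock-out and inactivity thresholds from the policy text as a small,
testable policy engine. The event data at the bottom is constructed for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the policy text.
FAILURE_THRESHOLD = 5                     # 4.3.1.b: five failed attempts ...
FAILURE_WINDOW = timedelta(minutes=15)    # ... within a fifteen-minute period ...
LOCKOUT_DURATION = timedelta(minutes=30)  # ... lock for a minimum of 30 minutes
IDLE_THRESHOLD = timedelta(minutes=20)    # 4.3.1.c: twenty minutes of inactivity


class LockoutPolicy:
    """Sliding-window authentication lock-out (4.3.1.b). Names are constructed."""

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        """Register a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        window = self._failures[account]
        window.append(now)
        # Only failures inside the fifteen-minute window count toward the threshold.
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()
        if len(window) >= FAILURE_THRESHOLD:
            self._locked_until[account] = now + LOCKOUT_DURATION
            window.clear()
            return True
        return False

    def record_success(self, account, now):
        """Return True if the login may proceed; a success resets the failure window."""
        if self.is_locked(account, now):
            return False
        self._failures[account].clear()
        return True


def idle_session_action(initiated_by, last_activity, now):
    """Inactivity handling per 4.3.1.c.

    Lock applies only to end-user sessions. Termination is read here as applying
    to both user- and system-initiated sessions (an assumption about the policy
    wording); for an idle user session the lock is reported, as it fires at the
    same twenty-minute mark.
    """
    if now - last_activity < IDLE_THRESHOLD:
        return "active"
    return "lock" if initiated_by == "user" else "terminate"


def replay(events):
    """Run (timestamp, account, outcome) events through the lock-out policy.

    Returns one decision per event: 'failed', 'locked', 'rejected' or 'ok'.
    """
    policy = LockoutPolicy()
    decisions = []
    for ts, account, outcome in events:
        if outcome == "fail":
            decisions.append("locked" if policy.record_failure(account, ts) else "failed")
        else:
            decisions.append("ok" if policy.record_success(account, ts) else "rejected")
    return decisions


# Constructed sample events (not real log data).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    # alice: five failures in five minutes -> locked on the fifth, rejected until 09:34
    (T0 + timedelta(minutes=0), "alice", "fail"),
    (T0 + timedelta(minutes=1), "alice", "fail"),
    (T0 + timedelta(minutes=2), "alice", "fail"),
    (T0 + timedelta(minutes=3), "alice", "fail"),
    (T0 + timedelta(minutes=4), "alice", "fail"),
    (T0 + timedelta(minutes=10), "alice", "success"),
    (T0 + timedelta(minutes=35), "alice", "success"),
    # bob: five failures, but the first has aged out of the fifteen-minute window
    (T0 + timedelta(minutes=0), "bob", "fail"),
    (T0 + timedelta(minutes=5), "bob", "fail"),
    (T0 + timedelta(minutes=10), "bob", "fail"),
    (T0 + timedelta(minutes=14), "bob", "fail"),
    (T0 + timedelta(minutes=16), "bob", "fail"),
]

if __name__ == "__main__":
    for (ts, account, _), decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{ts:%H:%M} {account:6} {decision}")
```

The bob sequence is the case worth checking in any real implementation: a fixed-window counter would lock him on the fifth failure, while the policy's "within a fifteen minute time period" wording calls for the sliding window shown here. Whether the real control resets the counter on a successful login, as `record_success` does, is a choice the policy leaves open.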
4.3.2. Configure Systems for Secure Communication

Agencies should limit the potential of security threats bridging systems and of data leaking inadvertently by restricting inter-system communications:

4.3.2.a Intra- and Inter-System Authentication

• Systems that have very low or low risk impact should be identified by TCP/IP address.
• Systems that have moderate risk impact should be identified by MAC and TCP/IP address.
• Systems that have high risk impact should be identified by TCP/IP and MAC address as well as either 802.1X or RADIUS authentication.