3.1.10 has a weight of -1 points

(Access Control Family) 10/22

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Example of System Security Plan (SSP):

Session Locking and User Session Termination


Purpose:
To ensure that user sessions are securely managed, preventing unauthorized access during temporary absences or after certain conditions that warrant session termination.

Assessment Points:

Session Lock Properties:
Check the properties of session locks, including their triggering conditions, such as periods of inactivity or user-induced locks. Confirm that the displayed patterns or images during the locked phase don’t display sensitive information.

Difference Between Session Lock and Logout:
Ensure that users understand the distinction between a session lock and a full logout. Emphasize the importance of logging out at the end of the workday or during extended absences.

User Session Termination Properties:
Inspect the conditions leading to automatic session termination. These can include user inactivity, certain incident responses, or system usage time restrictions.

Implementation Details:

  • Sessions are programmed to lock automatically after 15 minutes of user inactivity. A password input is needed for users to regain access.
  • For display during session lock, a variety of non-sensitive images or patterns are used.
  • Employees receive guidance to lock their screens manually when departing from their workspace temporarily.
  • An additional security measure requires users to reauthenticate after an hour of inactivity, enforced by a dedicated conditional access policy.
  • All local computer user sessions are set to lock after 15 minutes of inactivity.
  • Session limits within the Office 365 environment are based on this article.
  • After a session termination, users must sign back in to initiate a new session within the network.
  • A Conditional Access Policy is also employed to regulate sign-in frequencies.
  • Users are educated on the distinction between session locks and logouts, with continuous monitoring of session activities for any discrepancies or unauthorized access attempts.
  • Proper documentation detailing session management policies, user guidelines, and any related updates is regularly maintained and reviewed.
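As an added verification step (not part of the SSP above), the following PowerShell audit reads the Windows policy values that implement the 15-minute inactivity lock and a pattern-hiding (blank) screen saver, and reports whether they meet the limits stated in the plan. It assumes Windows endpoints configured through Group Policy and inspects the policy hive of the user running it.

```powershell
# Added audit helper: compares the enforced inactivity-lock settings with the
# 15-minute limit from the SSP. Assumes Windows endpoints managed by Group Policy.
$RequiredTimeoutSeconds = 900   # 15 minutes, as stated in the SSP

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # a missing value means the policy is not configured
}

function Test-SessionLockPolicy {
    # Machine-wide limit: "Interactive logon: Machine inactivity limit" (seconds, REG_DWORD)
    $machineLimit = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    # Per-user screen saver policy (User Configuration > Control Panel > Personalization)
    $desktop   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ssActive  = Get-PolicyValue $desktop 'ScreenSaveActive'      # "1" = enabled
    $ssSecure  = Get-PolicyValue $desktop 'ScreenSaverIsSecure'   # "1" = password on resume
    $ssTimeout = Get-PolicyValue $desktop 'ScreenSaveTimeOut'     # seconds, as a string
    $ssExe     = Get-PolicyValue $desktop 'SCRNSAVE.EXE'          # screen saver executable

    $findings  = @()
    $machineOk = ($null -ne $machineLimit) -and ([int]$machineLimit -gt 0) -and ([int]$machineLimit -le $RequiredTimeoutSeconds)
    $ssOk      = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and ($null -ne $ssTimeout) -and ([int]$ssTimeout -le $RequiredTimeoutSeconds)

    # Either mechanism satisfies the lock requirement; neither means no enforced lock.
    if (-not ($machineOk -or $ssOk)) {
        $findings += "No enforced inactivity lock within $RequiredTimeoutSeconds s " +
                     "(InactivityTimeoutSecs='$machineLimit', ScreenSaveTimeOut='$ssTimeout', ScreenSaverIsSecure='$ssSecure')"
    }
    # Pattern-hiding display: the built-in blank saver (scrnsave.scr) never renders desktop contents.
    if ($ssActive -eq '1' -and $ssExe -and $ssExe -notmatch 'scrnsave\.scr$') {
        $findings += "Screen saver '$ssExe' is not the blank screen saver; confirm it displays no sensitive data"
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-SessionLockPolicy | Format-List
```

Run it in the context of a standard user account to see the policy that account actually receives; a machine-only check misses user-scoped screen saver settings.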

Example of Plan of Action and Milestones (POA&M):


Title:
Session Locking and User Session Termination Enhancement Plan


Purpose:
To further strengthen the management of user sessions, minimizing the risk of unauthorized access during user inactivity, and refining session termination protocols.


Milestones:

1. Assessment and Documentation Review:

  • Description: Review current session management policies, user guidelines, and any related documentation to identify gaps or areas of improvement.

2. User Education and Training:

  • Description: Conduct workshops to educate users on the importance of session locks, the difference between session locks and logouts, and the risks of extended inactivity. Reinforce the necessity of logging out during long absences.

3. Technical Review of Session Lock Properties:

  • Description: Examine the current session lock properties, images, or patterns used during the lock phase, and assess for potential improvements.

4. Conditional Access Policy Re-evaluation:

  • Description: Re-assess the existing conditional access policy in light of recent cyber threats and determine if changes are needed, especially concerning reauthentication intervals.

5. Upgrade and Implementation:

  • Description: Implement the identified improvements in session lock properties and any changes to the conditional access policy. Ensure that all systems comply with the updated standards.

6. Monitoring and Feedback:

  • Description: Establish continuous monitoring of session activities. Gather feedback from users about their experiences and any challenges faced. Use this feedback to further refine and improve session management practices.

7. Documentation Update:

  • Description: Update all session management policies, user guidelines, and any related documentation to reflect the recent changes and improvements.

Example Conditional Access Policy:


Conditional Access Policy: Sign-in Frequency Regulation


Purpose:
To ensure that users periodically re-authenticate, reducing the risk of unauthorized access during extended sessions, and refining session security protocols.


Scope:
This policy applies to all users accessing the organization’s systems, applications, and data, regardless of their location or device used.


Policy Details:

  1. Sign-in Frequency Limitation:

    • Users must re-authenticate every X hours, irrespective of their activity status.
    • After the stipulated time, users are automatically prompted to sign in again to continue their session.
  2. Exceptions:

    • Critical roles, as defined by the organization (e.g., System Administrators or Emergency Response Teams), may have different sign-in frequency requirements. Exceptions are documented and regularly reviewed.
  3. Device Compliance:

    • Devices must meet the organization’s security standards to qualify for extended sign-in frequencies. Non-compliant devices are subjected to more frequent sign-in prompts.
  4. Location-based Frequency Alteration:

    • Sign-in frequencies might be adjusted based on the user’s geographical location. Access from unfamiliar or high-risk locations may trigger more frequent re-authentication prompts.
  5. Notification of Sign-out:

    • Users will receive a notification 10 minutes before an automatic sign-out due to inactivity or reaching the maximum allowed session duration.
  6. Emergency Overrides:

    • In case of emergencies or critical tasks, users can request a temporary override of the sign-in frequency limitation. Such overrides are granted on a case-by-case basis and documented.

Responsibilities:

  • IT Department:

    • Implement, monitor, and enforce the Conditional Access Policy across the organization’s systems.
    • Review and update the list of compliant devices and their related sign-in frequencies.
  • HR and Training Departments:

    • Ensure that all users are aware of and understand the Conditional Access Policy, especially the sign-in frequency regulation.
    • Conduct training sessions if necessary.
  • Users:

    • Comply with the policy, ensuring they re-authenticate when prompted.
    • Report any issues or potential vulnerabilities associated with the sign-in process.

Review and Update:
The policy will be reviewed semi-annually or whenever significant changes are made to the organization’s infrastructure, whichever comes first.

RELEVANT INFORMATION:

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be at the application level). Session locks are not an acceptable substitute for logging out of the system, for example, if organizations require users to log out at the end of the workday. Pattern-hiding displays can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.