3.1.11 has a weight of -1 points

(Access Control Family) 11/22

Terminate (automatically) a user session after a defined condition

Example of System Security Plan (SSP):

System Security Plan (SSP) for NIST 800-171 Control 3.1.11

Control Title:
Session Termination

Control Number:
3.1.11

Purpose:
This document outlines the measures currently implemented to automatically terminate user-initiated logical sessions once defined conditions are met. These measures protect the organization's data and limit the window in which an unattended or abandoned session could be used for unauthorized access.

Control Requirement (NIST 800-171):
Terminate (automatically) user sessions after defined conditions.

Current Implementation:

  1. Local Computer Inactivity Lock:
    User sessions on local systems have been configured to auto-lock after 15 minutes of inactivity.

  2. Office 365 Session Configuration:
    The Office 365 environment uses the session timeout values recommended in Microsoft's documentation (Session Timeouts in Microsoft 365).

  3. Session Termination Mechanism:
    When a user logs off or the system shuts down, the user session is terminated. Subsequent access requires the user to re-authenticate and establish a new session.

  4. Conditional Access Policy:
    An enabled Conditional Access policy enforces a sign-in frequency, so cloud sessions are periodically forced to re-authenticate rather than persisting indefinitely.

  5. VPN Session Timeout:
    The current VPN policy is set to terminate user sessions after 180 minutes of idle time.

  6. Idle Time Termination:
    The primary condition that triggers session termination is user idle time. Local systems lock the session after 15 minutes of inactivity. Because a lock only suspends the session (the condition addressed by 3.1.10), termination of the logical session itself is enforced by the log-off, shutdown, VPN and Conditional Access limits described in items 3 to 5.
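The SSP items above name concrete settings (a 15-minute inactivity lock, RDS and VPN idle limits, a Conditional Access sign-in frequency), and an assessor will ask how those values are verified rather than just asserted. The following PowerShell audit script is an added example and is not part of the sample SSP, nor Microsoft code. It reads the Windows policy values behind items 1, 4 and 6 and reports whether each one merely locks the session or actually terminates it. It assumes it runs elevated on a domain-joined Windows host; the Conditional Access part additionally assumes the Microsoft.Graph.Identity.SignIns module is installed and that Policy.Read.All has been consented to, and the property names used there are those exposed by the Microsoft Graph PowerShell SDK. The 15-minute threshold is the SSP's own value; Get-PolicyValue and the variable names are this script's, not Microsoft's.

```powershell
# Added audit script (not from the sample SSP above, nor Microsoft code).
# Reports whether the Windows and Conditional Access settings that back SSP
# items 1, 4 and 6 are present, match the stated threshold, and terminate
# (rather than only lock) the user session. Assumes an elevated session on a
# domain-joined host; Graph access is optional and checked at runtime.
# Registry paths are the standard Group Policy locations. Get-PolicyValue is a
# helper defined here, not a built-in cmdlet.

$SspIdleMinutes = 15   # value stated in the SSP above

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = New-Object System.Collections.Generic.List[string]

# Items 1 and 6: "Interactive logon: Machine inactivity limit" (seconds).
# This only LOCKS the workstation; the logical session and its processes keep
# running, so on its own it satisfies 3.1.10, not 3.1.11.
$lockSecs = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
if (-not $lockSecs) {
    $findings.Add('No machine inactivity limit is set by policy')
} elseif ($lockSecs -gt $SspIdleMinutes * 60) {
    $findings.Add("Inactivity lock is $([int]($lockSecs / 60)) min; SSP states $SspIdleMinutes")
}

# Remote Desktop Services time limits (milliseconds; 0 or absent means never).
# MaxIdleTime together with fResetBroken=1 ENDS the session, which is what
# 3.1.11 requires; without fResetBroken the session is only disconnected and
# its processes stay alive on the server.
$rds = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$idleMs     = Get-PolicyValue $rds 'MaxIdleTime'
$discMs     = Get-PolicyValue $rds 'MaxDisconnectionTime'
$endOnLimit = Get-PolicyValue $rds 'fResetBroken'
if (-not $idleMs) {
    $findings.Add('No RDS idle time limit: idle remote sessions are never terminated')
} elseif (($idleMs / 60000) -gt $SspIdleMinutes) {
    $findings.Add("RDS idle limit is $([int]($idleMs / 60000)) min; SSP states $SspIdleMinutes")
}
if (-not $discMs) {
    $findings.Add('No RDS disconnected-session limit: disconnected sessions persist indefinitely')
}
if ($endOnLimit -ne 1) {
    $findings.Add('fResetBroken is not 1: reaching a limit disconnects rather than ends the session')
}

# Item 4: Conditional Access sign-in frequency, read from Microsoft Graph.
if (Get-Command Get-MgIdentityConditionalAccessPolicy -ErrorAction SilentlyContinue) {
    Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
    $withFrequency = Get-MgIdentityConditionalAccessPolicy |
        Where-Object { $_.State -eq 'enabled' -and $_.SessionControls.SignInFrequency.IsEnabled }
    if (-not $withFrequency) {
        $findings.Add('No enabled Conditional Access policy sets a sign-in frequency')
    } else {
        foreach ($p in $withFrequency) {
            $sif = $p.SessionControls.SignInFrequency
            Write-Host ("CA policy '{0}': sign-in frequency {1} {2}" -f $p.DisplayName, $sif.Value, $sif.Type)
        }
    }
} else {
    $findings.Add('Microsoft.Graph module not present; Conditional Access not checked')
}

if ($findings.Count -eq 0) {
    Write-Host 'Session termination settings match the SSP.'
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}
```

Run it on a representative workstation and on each RDS host, and keep the output with the SSP as the evidence for the "Continuous Monitoring" item. The VPN idle limit in item 5 is vendor-specific and is not covered here; record the equivalent export from the VPN concentrator alongside this output.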

Compliance and Monitoring:

  1. User Awareness:
    All users have been trained and are fully aware of the session termination policy.

  2. Continuous Monitoring:
    Active monitoring mechanisms are in place to ensure that session timeout configurations remain consistent and intact across all platforms.

  3. Regular Policy Review:
    The session timeout configurations and associated policies undergo regular reviews to ensure they align with the organization’s evolving security goals and the current cybersecurity environment.

Responsible Parties:
The IT department and the Network Security team oversee and ensure the strict implementation of this control.

Example of Plan of Action and Milestones (POA&M):

Tasks/Actions:

  1. Periodic Auditing:

    • Description: Conduct a quarterly audit to ensure that session termination controls are adhered to across all platforms.
    • Status: Not started.
  2. User Training and Awareness:

    • Description: Organize twice-yearly training sessions for all employees on the importance of session termination and on how to keep their sessions secure.
    • Status: Not started.
  3. Update Conditional Access Policy:

    • Description: Review and potentially revise the Conditional Access Policy to address new technological and cybersecurity challenges.
    • Status: Not started.
  4. Optimize VPN Session Timeout:

    • Description: Evaluate the effectiveness of the 180-minute VPN session timeout and consider potential adjustments to enhance security.
    • Status: Not started.
  5. Improve Monitoring Mechanisms:

    • Description: Implement more sophisticated session monitoring tools to identify and rectify any unauthorized or prolonged sessions swiftly.
    • Status: Not started.
  6. Check Configurations in Office 365:

    • Description: Review and ensure that Office 365 configurations align with organizational security standards and best practices.
    • Status: Not started.
  7. Review Azure Active Directory Settings:

    • Description: Audit Azure Active Directory configurations to ensure that user sessions and access controls are set up securely.
    • Status: Not started.

Responsible Parties: IT department, Network Security team, and Cloud Administration team.


Remarks: The organization must allocate necessary resources and budget for the successful completion of the tasks in this POA&M. Periodic reviews should also be conducted to assess the effectiveness of the actions taken.

RELEVANT INFORMATION:

This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on system use.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.