3.13.9 has a weight of -1 points

(System and Communications Protection Family, 9/16)

Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

Example of System Security Plan (SSP):

  1. Termination of Network Connections
  2. Policy Statement: The organization shall terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity to enhance security and prevent unauthorized access.
  3. Purpose: This policy ensures the timely disconnection of network connections to reduce the risk of unauthorized access or data breaches resulting from idle or lingering connections.
  4. Scope: The policy applies to all internal and external networks used by the organization, including communication sessions within and between systems.
  5. Implementation: The organization shall configure systems to automatically terminate network connections when a communication session ends or after a defined period of user inactivity.
  6. Connection Termination Methods: Network connections shall be terminated by de-allocating the associated TCP/IP addresses or port pairs at the operating system level, or by de-allocating networking assignments at the application level when multiple application sessions share a single operating system-level connection.
  7. Inactivity Period: The organization may establish time periods for user inactivity based on the type of network access or specific network requirements.
  8. Compliance: Compliance with this policy is essential to prevent unauthorized access and potential security breaches resulting from prolonged or unattended network connections.
  9. Continuous Monitoring: Regularly monitor network connections to ensure timely termination of sessions after inactivity or session completion.
  10. User Awareness: Educate users about the importance of logging out or ending communication sessions to ensure proper network connection termination.
  11. Documentation: Maintain records of connection termination configurations and inactivity periods for audit and compliance purposes.
  12. Review and Updates: The policy shall be reviewed periodically and updated as necessary to align with changing security needs and technology advancements.
  13. Enforcement: Failure to comply with this policy may result in disciplinary actions as per the organization’s established procedures.
  14. Communication: Communicate the policy and its requirements to all relevant personnel to promote understanding and adherence.

Example of Plan of Action and Milestones (POA&M):

Milestone 1: Policy Development and Communication

Develop a comprehensive “Network Connection Termination Policy” that clearly outlines the purpose, scope, implementation, and inactivity period for connection termination. Communicate the policy to all relevant personnel within the organization. [Target Date]

Milestone 2: Identification of Network Connections

Identify all internal and external networks used by the organization, including communication sessions within and between systems. Ensure that all these network connections are included in the scope of the policy. [Target Date]

Milestone 3: Implementation of Automatic Termination

Configure systems to automatically terminate network connections when a communication session ends or after a defined period of user inactivity. Implement appropriate methods for connection termination at the operating system and application levels. [Target Date]

Milestone 4: Inactivity Period Establishment

Establish appropriate time periods for user inactivity based on the type of network access or specific network requirements. Determine the most suitable inactivity period for each network connection. [Target Date]

Milestone 5: Compliance and Monitoring

Monitor network connections regularly to ensure that sessions are promptly terminated after inactivity or session completion. Assess compliance with the policy requirements and take corrective actions if needed. [Target Date]

Milestone 6: User Awareness and Training

Conduct training and awareness programs for all users to educate them about the importance of logging out or ending communication sessions to ensure proper network connection termination. Foster a culture of responsible network usage. [Target Date]

Milestone 7: Documentation and Reporting

Maintain records of connection termination configurations and inactivity periods for audit and compliance purposes. Ensure that documentation is up-to-date and readily available when needed. [Target Date]

Milestone 8: Policy Review and Updates

Periodically review the “Network Connection Termination Policy” to ensure its effectiveness in preventing unauthorized access and security breaches resulting from lingering connections. Update the policy as needed to address emerging security needs and advancements. [Target Date]

Milestone 9: Enforcement and Disciplinary Actions

Enforce compliance with the policy and establish procedures for disciplinary actions in case of policy violations. Ensure that non-compliance is appropriately addressed and corrected. [Target Date]

Milestone 10: Stakeholder Communication

Regularly communicate the policy and its requirements to all relevant personnel within the organization. Foster understanding and adherence to the policy across all departments and teams. [Target Date]

RELEVANT INFORMATION:

This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes de-allocating the associated TCP/IP addresses or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of user inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.
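
The two termination levels described here and in the SSP's "Implementation" and "Connection Termination Methods" items (OS-level de-allocation of the address/port pair, and application-level de-allocation when several application sessions share one connection), combined with inactivity periods set per type of network access, as an added illustrative example in Python. This is not code from the page or from NIST; the access types and their limits are assumed values, and Connection is a hypothetical stand-in for a real socket.

```python
"""Idle-session termination at the application and OS level.

Added example, not from the page: application sessions may share one OS-level
connection; sessions end after a per-access-type inactivity period, and the
connection is closed (address:port pair released) only when its last session ends.
"""
import time
from dataclasses import dataclass

# Inactivity limits by type of network access (assumed values; set per policy).
IDLE_LIMITS_SECONDS = {
    "vpn": 30 * 60,
    "remote-admin": 10 * 60,
    "web": 15 * 60,
}


class Connection:
    """Hypothetical stand-in for an OS-level TCP connection (wraps no real socket)."""

    def __init__(self, peer):
        self.peer = peer
        self.closed = False

    def close(self):
        # With a real socket this would be sock.shutdown(socket.SHUT_RDWR); sock.close(),
        # which releases the local/remote address:port pair back to the OS.
        self.closed = True


@dataclass
class Session:
    session_id: str
    access_type: str
    conn: Connection
    last_activity: float
    ended: bool = False


class SessionRegistry:
    """Tracks live sessions and how many of them share each OS-level connection."""

    def __init__(self, idle_limits=None):
        self.idle_limits = dict(IDLE_LIMITS_SECONDS if idle_limits is None else idle_limits)
        self.sessions = {}    # session_id -> Session
        self.conn_refs = {}   # Connection -> number of live sessions using it

    def open_session(self, session_id, access_type, conn, now=None):
        if access_type not in self.idle_limits:
            # Refuse rather than default silently: every access type needs a defined limit.
            raise ValueError(f"no inactivity limit defined for {access_type!r}")
        now = time.monotonic() if now is None else now
        session = Session(session_id, access_type, conn, now)
        self.sessions[session_id] = session
        self.conn_refs[conn] = self.conn_refs.get(conn, 0) + 1
        return session

    def touch(self, session_id, now=None):
        """Record activity; call on every authenticated request for the session."""
        self.sessions[session_id].last_activity = time.monotonic() if now is None else now

    def end_session(self, session_id):
        """Application-level de-allocation; closes the connection when no other session uses it."""
        session = self.sessions.pop(session_id)
        session.ended = True
        remaining = self.conn_refs[session.conn] - 1
        if remaining == 0:
            del self.conn_refs[session.conn]
            session.conn.close()            # OS-level de-allocation
        else:
            self.conn_refs[session.conn] = remaining
        return session

    def reap_idle(self, now=None):
        """End every session idle for at least its access type's limit; returns the ended sessions."""
        now = time.monotonic() if now is None else now
        expired = [sid for sid, s in self.sessions.items()
                   if now - s.last_activity >= self.idle_limits[s.access_type]]
        return [self.end_session(sid) for sid in expired]


if __name__ == "__main__":
    # Constructed timeline: two web sessions share one connection, one admin session on another.
    reg = SessionRegistry()
    shared, admin = Connection("10.0.0.5:51000"), Connection("10.0.0.6:51001")
    reg.open_session("web-1", "web", shared, now=0)
    reg.open_session("web-2", "web", shared, now=0)
    reg.open_session("adm-1", "remote-admin", admin, now=0)
    reg.touch("web-2", now=500)
    for t in (700, 900, 1400):
        ended = [s.session_id for s in reg.reap_idle(now=t)]
        print(f"t={t}s ended={ended} shared_closed={shared.closed} admin_closed={admin.closed}")
```

Run reap_idle from a periodic task (or on each request) and feed touch from the request path only after authentication, so unauthenticated traffic cannot keep a session alive. The same split applies to real services: an SSH daemon drops the OS-level connection via its own idle handling (for OpenSSH, ClientAliveInterval and ClientAliveCountMax in sshd_config), while a web application expires its session records independently of any one TCP connection.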

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.