Industry standards for Timeout Session.
Does anyone happen to know what best practices or what the default timeout session is for Archer? I'm trying to confirm if 15 minutes is the best practice standard adopted by most Archer System Administrators and if that is what is suggested by industry standards. Thanks
Good question! I am not sure what the industry standard or the best practice is; therefore, I configure this based on each company's needs. I have seen that the lower this number is, the more likely a user is to lose the information they are working on when adding or editing a record. You want to avoid a user losing their work while at the same time keeping security a concern. How many fields are in an app or questionnaire that the end user has to fill out, and how often they save, also contribute to this number. I typically have multiple security parameters, where the default parameter has the shortest time. Here is what I start with and adjust as needed:
- General User. Set as default. 10 minute session with a 2 minute session timeout warning.
- Alternate parameter. 60 minute session with 5 minute session timeout warning.
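The trade-off described in this answer (a short idle timeout protects an unattended session but costs the user unsaved edits) can be made concrete with a small idle-session model. The following is an added example, not Archer's own code or the poster's configuration: `SecurityParameter`, `Session`, `session_state` and `simulate` are hypothetical names, the two parameters are constructed from the values listed above, and the timelines are constructed inputs. It shows when the warning window opens, when the session expires, and whether unsaved work is lost at that moment.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SecurityParameter:
    """Hypothetical model of one named timeout policy (an Archer 'security parameter')."""
    name: str
    session_timeout: timedelta   # idle time after which the session is terminated
    warning_lead: timedelta      # how long before termination the user is warned


# Constructed from the two starting points listed in the post above.
GENERAL_USER = SecurityParameter("General User", timedelta(minutes=10), timedelta(minutes=2))
ALTERNATE = SecurityParameter("Alternate", timedelta(minutes=60), timedelta(minutes=5))


@dataclass
class Session:
    parameter: SecurityParameter
    last_activity: datetime
    unsaved_changes: bool = False   # edits that would be lost if the session expires


def session_state(session: Session, now: datetime) -> str:
    """Classify a session purely from its idle time: 'active', 'warning' or 'expired'."""
    idle = now - session.last_activity
    p = session.parameter
    if idle >= p.session_timeout:
        return "expired"
    if idle >= p.session_timeout - p.warning_lead:
        return "warning"
    return "active"


def simulate(parameter: SecurityParameter, events: list[tuple[int, str]]) -> dict:
    """Replay a constructed timeline of (minute offset, action) pairs against a parameter.

    action is 'edit' (user changes a field), 'save' (user saves the record) or
    'check' (no user activity; just observe the session). Edits and saves reset the
    idle clock. Once the idle clock reaches the session timeout the session is
    expired, replay stops (the user would have to log in again), and any edits not
    yet saved at that moment count as lost work.
    """
    start = datetime(2024, 1, 1, 9, 0)   # constructed reference time
    session = Session(parameter, last_activity=start)
    timeline: list[tuple[int, str, str]] = []
    work_lost = False
    for offset, action in sorted(events):
        now = start + timedelta(minutes=offset)
        state = session_state(session, now)
        timeline.append((offset, action, state))
        if state == "expired":
            work_lost = session.unsaved_changes
            break
        if action == "edit":
            session.unsaved_changes = True
            session.last_activity = now
        elif action == "save":
            session.unsaved_changes = False
            session.last_activity = now
    return {"parameter": parameter.name, "timeline": timeline, "work_lost": work_lost}


if __name__ == "__main__":
    # A user edits twice, wanders off, and comes back 11 minutes after the last edit.
    timeline = [(0, "edit"), (5, "edit"), (13, "check"), (16, "edit")]
    for param in (GENERAL_USER, ALTERNATE):
        result = simulate(param, timeline)
        print(result["parameter"], result["timeline"], "work lost:", result["work_lost"])
```

Running the script shows the same timeline producing lost work under the 10-minute default parameter (the check at minute 13 already lands in the 2-minute warning window, and the edit at minute 16 finds the session expired) while the 60-minute alternate parameter never leaves the active state. Replacing the second edit with a save makes the expiry harmless, which is the behaviour the answer's "how often they save" remark is pointing at.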
Great, thank you Nolan! Someone was trying to tell me yesterday that RSA published a formal time in the user guide/manual, but I didn't see such a thing.
From a risk perspective I would base the session timeout on guidance from your security control framework. As an example, NIST provides specific guidance within SP 800-63 that might be of some assistance: NIST SP 800-63 Digital Identity Guidelines.
Another item to consider for application session timeouts on standard user accounts would be any session lock configurations from idle time within the operating system, e.g. a screensaver is applied after 30 minutes of idle time that locks the workstation. You might also have local security policies or standards that define session lockout values that should be reviewed.