Control: The information system automatically terminates a remote session after [Assignment: organization-defined time period] of inactivity.

Supplemental Guidance: A remote session is initiated whenever an organizational information system is accessed by a user (or an information system) communicating through an external, non- organization-controlled network (e.g., the Internet).

Control Enhancements: (1) Automatic session termination applies to local and remote sessions.

Baseline: LOW Not Selected MOD AC-12 HIGH AC-12 (1)

Family: Access Control

Class: Technical

ISO 17799 mapping: 11.3.2, 11.5.5

COBIT 4.1 mapping: None.