The following compliance controls are associated with the Policy definition 'Terminate user session automatically' (4502e506-5f35-0df4-684f-b326e3cc7093). Each row maps one control from a standard (CIS, FedRAMP, HIPAA, ISO 27001, NIST, PCI DSS) to this policy; the Policy# column is the count of policy definitions mapped to that control.
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| CIS_Azure_1.1.0 | 3.4 | CIS_Azure_1.1.0_3.4 | CIS Microsoft Azure Foundations Benchmark recommendation 3.4 | 3 Storage Accounts | Ensure that shared access signature tokens expire within an hour | Shared | The customer is responsible for implementing this recommendation. | Expire shared access signature tokens within an hour. | link | 3 |
| CIS_Azure_1.3.0 | 3.4 | CIS_Azure_1.3.0_3.4 | CIS Microsoft Azure Foundations Benchmark recommendation 3.4 | 3 Storage Accounts | Ensure that shared access signature tokens expire within an hour | Shared | The customer is responsible for implementing this recommendation. | Expire shared access signature tokens within an hour. | link | 3 |
| CIS_Azure_1.4.0 | 3.4 | CIS_Azure_1.4.0_3.4 | CIS Microsoft Azure Foundations Benchmark recommendation 3.4 | 3 Storage Accounts | Ensure that Shared Access Signature Tokens Expire Within an Hour | Shared | The customer is responsible for implementing this recommendation. | Expire shared access signature tokens within an hour. | link | 3 |
| CIS_Azure_2.0.0 | 3.6 | CIS_Azure_2.0.0_3.6 | CIS Microsoft Azure Foundations Benchmark recommendation 3.6 | 3 | Ensure that Shared Access Signature Tokens Expire Within an Hour | Shared | n/a | Expire shared access signature tokens within an hour. A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour. | link | 3 |
| FedRAMP_High_R4 | AC-12 | FedRAMP_High_R4_AC-12 | FedRAMP High AC-12 | Access Control | Session Termination | Shared | n/a | The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. Supplemental Guidance: This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Related controls: SC-10, SC-23. References: None. | link | 1 |
| FedRAMP_Moderate_R4 | AC-12 | FedRAMP_Moderate_R4_AC-12 | FedRAMP Moderate AC-12 | Access Control | Session Termination | Shared | n/a | The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. Supplemental Guidance: This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Related controls: SC-10, SC-23. References: None. | link | 1 |
| hipaa | 1114.01h1Organizational.123-01.h | hipaa-1114.01h1Organizational.123-01.h | 1114.01h1Organizational.123-01.h | 11 Access Control | 1114.01h1Organizational.123-01.h 01.03 User Responsibilities | Shared | n/a | Covered or critical business information is not left unattended or available for unauthorized individuals to access, including on desks, printers, copiers, fax machines, and computer monitors. | | 2 |
| ISO27001-2013 | A.11.2.8 | ISO27001-2013_A.11.2.8 | ISO 27001:2013 A.11.2.8 | Physical And Environmental Security | Unattended user equipment | Shared | n/a | Users shall ensure that unattended equipment has appropriate protection. | link | 2 |
| ISO27001-2013 | A.9.4.2 | ISO27001-2013_A.9.4.2 | ISO 27001:2013 A.9.4.2 | Access Control | Secure log-on procedures | Shared | n/a | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. | link | 17 |
| NIST_SP_800-171_R2 | 3.1.11 | NIST_SP_800-171_R2_3.1.11 | NIST SP 800-171 R2 3.1.11 | Access Control | Terminate (automatically) a user session after a defined condition. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on system use. | link | 1 |
| NIST_SP_800-53_R4 | AC-12 | NIST_SP_800-53_R4_AC-12 | NIST SP 800-53 Rev. 4 AC-12 | Access Control | Session Termination | Shared | n/a | The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. Supplemental Guidance: This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Related controls: SC-10, SC-23. References: None. | link | 1 |
| NIST_SP_800-53_R5 | AC-12 | NIST_SP_800-53_R5_AC-12 | NIST SP 800-53 Rev. 5 AC-12 | Access Control | Session Termination | Shared | n/a | Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. | link | 1 |
| | op.acc.2 Access requirements | op.acc.2 Access requirements | | | | | n/a | n/a | | 64 |
| | op.acc.5 Authentication mechanism (external users) | op.acc.5 Authentication mechanism (external users) | | | | | n/a | n/a | | 72 |
| | op.acc.6 Authentication mechanism (organization users) | op.acc.6 Authentication mechanism (organization users) | | | | | n/a | n/a | | 78 |
| PCI_DSS_v4.0 | 8.2.8 | PCI_DSS_v4.0_8.2.8 | PCI DSS v4.0 8.2.8 | Requirement 08: Identify Users and Authenticate Access to System Components | User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle | Shared | n/a | If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session. | link | 2 |
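The CIS rows above (3.4 / 3.6) say SAS tokens should expire within an hour but give no way to check a token. The following audit script is an added example, not part of the Azure Policy page or the CIS benchmark: it parses the documented SAS query parameters (`st`, `se`, `sp`, `sig`, and `ske` on a user delegation SAS) from a URI and measures the validity window against the one-hour limit. The storage account, container and signature values in the sample URIs are constructed for illustration; the script only reads the token, it does not validate the signature.

```python
"""Audit how long Azure Storage shared access signature (SAS) URIs stay valid.

Reads the SAS query parameters (st = signed start, se = signed expiry,
sp = signed permissions, sig = signature; ske = signed key expiry on a user
delegation SAS) and measures the validity window against the CIS one-hour
threshold.  The sample URIs at the bottom are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Union
from urllib.parse import parse_qs, urlsplit

MAX_SAS_LIFETIME = timedelta(hours=1)  # CIS Azure Foundations 3.4 / 3.6


def _parse_sas_time(value: str) -> datetime:
    """SAS timestamps are UTC in one of the ISO 8601 forms the service accepts."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def sas_window(uri: str, now: Union[datetime, str, None] = None) -> dict:
    """Return the effective start, expiry and lifetime of a SAS URI.

    If 'st' is absent the service treats the start as the moment it receives
    the request, so the lifetime is measured from 'now' (a datetime or a
    SAS-format timestamp string).  For a user delegation SAS the token cannot
    outlive the delegation key, so 'ske' caps the expiry.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    if "sig" not in params or "se" not in params:
        raise ValueError("not a SAS URI: missing 'sig' or 'se'")

    expiry = _parse_sas_time(params["se"])
    if "ske" in params:
        expiry = min(expiry, _parse_sas_time(params["ske"]))

    if "st" in params:
        start, basis = _parse_sas_time(params["st"]), "st"
    else:
        if isinstance(now, str):
            now = _parse_sas_time(now)
        start, basis = now or datetime.now(timezone.utc), "now"

    return {
        "start": start,
        "expiry": expiry,
        "lifetime": expiry - start,
        "basis": basis,                       # which value the start came from
        "permissions": params.get("sp", ""),  # e.g. "r", "rwd", "l"
    }


def sas_is_compliant(uri: str, now: Union[datetime, str, None] = None,
                     limit: timedelta = MAX_SAS_LIFETIME) -> bool:
    """True when the token's validity window is no longer than 'limit'."""
    return sas_window(uri, now)["lifetime"] <= limit


# Constructed sample URIs (account, container and signatures are made up).
SAS_SHORT = ("https://examplestore.blob.core.windows.net/logs/app.log"
             "?sv=2022-11-02&st=2024-05-01T10%3A00%3A00Z&se=2024-05-01T10%3A45%3A00Z"
             "&sr=b&sp=r&sig=abc123%2Bxyz%3D")
SAS_WEEK = ("https://examplestore.blob.core.windows.net/logs/app.log"
            "?sv=2022-11-02&st=2024-05-01T10%3A00%3A00Z&se=2024-05-08T10%3A00%3A00Z"
            "&sr=b&sp=rwd&sig=abc123%2Bxyz%3D")
SAS_NO_START = ("https://examplestore.blob.core.windows.net/logs/app.log"
                "?sv=2022-11-02&se=2024-05-01T12%3A00%3A00Z&sr=b&sp=r&sig=abc123%3D")
SAS_DELEGATED = ("https://examplestore.blob.core.windows.net/logs/"
                 "?sv=2022-11-02&st=2024-05-01T10%3A00%3A00Z&se=2024-05-02T10%3A00%3A00Z"
                 "&skt=2024-05-01T10%3A00%3A00Z&ske=2024-05-01T10%3A30%3A00Z"
                 "&sr=c&sp=l&sig=abc123%3D")


if __name__ == "__main__":
    at = "2024-05-01T11:30:00Z"
    for name, uri in [("short", SAS_SHORT), ("week", SAS_WEEK),
                      ("no-start", SAS_NO_START), ("delegated", SAS_DELEGATED)]:
        w = sas_window(uri, now=at)
        print(f"{name:10} lifetime={w['lifetime']} basis={w['basis']} "
              f"sp={w['permissions']} compliant={sas_is_compliant(uri, now=at)}")
```

Run it over SAS URIs harvested from application config, logs or client code. A token with no `st` can only be judged relative to the time it was observed, which is why `basis` is reported; a week-long token with `sp=rwd` is the case the benchmark is written against.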
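The AC-12 / 800-171 3.1.11 rows list the trigger events an organisation may define (inactivity, incident response, time-of-day restrictions), and PCI DSS 8.2.8 fixes one of them at 15 minutes idle. The session store below is an added example of evaluating those triggers server-side; it is not code from the Azure Policy page or any of the cited standards. The 15-minute idle limit is PCI's; the 8-hour absolute lifetime and the 06:00 to 22:00 UTC window are assumed organisation-defined values, and the `Session`, `SessionStore` and helper names are hypothetical.

```python
"""Evaluate organisation-defined session termination triggers (NIST AC-12,
NIST SP 800-171 3.1.11, PCI DSS 8.2.8) for a server-side session store.

Only the PCI 15-minute idle limit comes from a standard; the other
thresholds are assumed values chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Dict, List, Optional, Tuple

IDLE_LIMIT = timedelta(minutes=15)          # PCI DSS v4.0 8.2.8: idle for more than 15 minutes
ABSOLUTE_LIMIT = timedelta(hours=8)         # assumed maximum session lifetime
ALLOWED_HOURS = (time(6, 0), time(22, 0))   # assumed time-of-day window (UTC)


@dataclass
class Session:
    user: str
    created: datetime
    last_activity: datetime
    revoked: bool = False   # set by an incident response trigger


def _within_hours(t: time, window: Tuple[time, time]) -> bool:
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end   # window wraps past midnight


def termination_reason(s: Session, now: datetime,
                       idle_limit: timedelta = IDLE_LIMIT,
                       absolute_limit: timedelta = ABSOLUTE_LIMIT,
                       allowed_hours: Tuple[time, time] = ALLOWED_HOURS) -> Optional[str]:
    """Return the trigger that ends the session, or None if it may continue."""
    if s.revoked:
        return "revoked"
    if now - s.last_activity > idle_limit:   # strictly greater: "more than 15 minutes"
        return "idle"
    if now - s.created > absolute_limit:
        return "absolute-lifetime"
    if not _within_hours(now.time(), allowed_hours):
        return "time-of-day"
    return None


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.audit_log: List[Tuple[str, str, str, str]] = []

    def create(self, sid: str, user: str, now: datetime) -> None:
        self._sessions[sid] = Session(user, now, now)

    def touch(self, sid: str, now: datetime) -> bool:
        """Validate a session on each authenticated request.

        The trigger check runs before last_activity is refreshed; doing it the
        other way round restarts the idle timer on every request, so it never fires.
        """
        s = self._sessions.get(sid)
        if s is None:
            return False
        reason = termination_reason(s, now)
        if reason:
            del self._sessions[sid]           # user must re-authenticate
            self.audit_log.append((now.isoformat(), sid, s.user, reason))
            return False
        s.last_activity = now
        return True

    def revoke_user(self, user: str) -> int:
        """Incident response trigger: end every session of one user on its next request."""
        hits = [s for s in self._sessions.values() if s.user == user and not s.revoked]
        for s in hits:
            s.revoked = True
        return len(hits)


def reason_after(idle_minutes: float, age_minutes: float, clock_hour: int = 12,
                 revoked: bool = False) -> Optional[str]:
    """Triggers for a session that is age_minutes old and idle_minutes idle, checked at clock_hour:00 UTC."""
    now = datetime(2024, 5, 1, clock_hour, 0, tzinfo=timezone.utc)
    s = Session("u", now - timedelta(minutes=age_minutes),
                now - timedelta(minutes=idle_minutes), revoked)
    return termination_reason(s, now)


def demo() -> List[Tuple[str, str, str, str]]:
    """Constructed request timeline; returns the audit entries it produces."""
    store = SessionStore()
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    store.create("s1", "alice", t0)
    store.create("s2", "bob", t0)
    store.touch("s1", t0 + timedelta(minutes=14))   # 14 min idle: still active
    store.touch("s1", t0 + timedelta(minutes=30))   # 16 min idle: terminated
    store.revoke_user("bob")                        # incident response action
    store.touch("s2", t0 + timedelta(minutes=1))    # revoked: terminated
    return store.audit_log
```

The audit log entries are what an assessor asks for under AC-12: which session ended, when, and which organisation-defined trigger ended it. Keep the comparison strict (`>`), since PCI requires re-authentication after more than 15 minutes, and check triggers before refreshing `last_activity`.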