computers timing out

Posted By: Tessie

computers timing out - 08/18/11 06:29 PM

Our home office has our computers timing out every 15 minutes which is a real pain. Is there any reg or rule regarding having them time out or does the Home Office make up their rules?

Posted By: Reads Regs

Re: computers timing out - 08/18/11 06:52 PM

This is probably part of your bank's information security program. You are required to safeguard customer information. If a CSR walks away from a desk and leaves customer information on his/her computer screen, another customer could see it. To prevent this, some banks have set up automatic timeouts.

The following document on the FFIEC references automatic timeouts but does not state after how long it should kick in. http://ithandbook.ffiec.gov/it-booklets/...vironments.aspx

Refer to the interagency guidelines on information security. OCC Appendix B to Part 170

Posted By: Doug Hendrickson

Re: computers timing out - 08/18/11 07:14 PM

The time out periods are going to be a function of your bank. They sometimes depend on the location of your computer and the sensitivity of the information you usually access (e.g., a new accounts or loan processor may time-out prior to a back-office operations person).

Our corporate standard is 5 minutes and you're expected to enable the screen saver (which is password protected) if you leave your desk. It's an inconvenience, but as a former IT security officer it's pretty much standard practice.

Posted By: rlcarey

Re: computers timing out - 08/20/11 01:56 PM

I was just in a bank where the time-out was 2 minutes.

Posted By: Russ Horn

Re: computers timing out - 08/23/11 07:54 PM

I agree with Reads Regs, this is probably part of your Information Security Program - and, while the FFIEC guidance does not specify the time interval before the lockout, most institutions put the time at 15 min. or less (depending on exposure and risk) - also, it is good to note the Visa PCI/DSS standards require a lockout after no more than 15 minutes (PCI 8.5.15 - see quote below) - while not all banks or bank systems may fall under these requirements, they are a good standard to follow...

"PCI 8.5.15 - If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session."

I hope this helps some.

Thanks,
Russ