Body
While there is some flexibility, Washington’s community and technical colleges are required to adhere to federal and industry data security standards to determine the timeout (lockout) period. Currently, each pillar — Campus Solutions (CS), Finance (FIN), Human Capital Management (HCM) — is set to time out after 20 minutes of inactivity.
SBCTC-ITD Memorandum
Dear colleagues:
We have received systemwide feedback about ctcLink sessions timing out, so wanted to take this opportunity to explain the rationale behind session timeouts.
As cyber threats have evolved, authentication processes used in the past have become less reliable. Stronger authentication means malicious actors must expend greater resources to undermine the authentication process. Current processes are intended to protect sensitive data access for the following reasons:
- Security: Session timeouts are a security measure designed to protect sensitive information and prevent unauthorized access. When a user leaves a system without properly logging out or closing their session, it creates an opportunity for someone else to access the system and potentially compromise data or perform malicious activities.
- User Privacy: Session timeouts help protect user privacy by preventing others from accessing their accounts or sensitive information if they accidentally leave their sessions unattended.
- Risk Mitigation: Users may unintentionally leave their sessions unattended on shared or public devices, increasing the chances of unauthorized access. Session timeouts help minimize this risk by automatically ending idle sessions.
Timeout requirements
While there is some flexibility, Washington’s community and technical colleges are required to adhere to federal and industry data security standards to determine the timeout (lockout) period.
Currently, each pillar — Campus Solutions (CS), Finance (FIN), Human Capital Management (HCM) — is set to time out after 20 minutes of inactivity. By comparison, your bank session may time out at two to ten minutes.
If you have multiple ctcLink pillar pages open, for example CS and HCM, but are only working in HCM pages, your CS session may be timed out when you return to the CS screen.
NOTE: If your session is timing out while you are actively working in a pillar screen, please submit a service ticket and describe the situation. Please include the time it happened, note the pillar (CS, FIN, HCM), and how many browsers/Peoplesoft tabs were open.
Why 20 Minutes?
The timeout values are based on common industry practices for accessing information.
Industry standard for common idle timeouts ranges are two to five minutes for high-value applications and 15 to 30 minutes for low-risk applications, so the college system landed on 20 minutes for consistency across all ctcLink pillars.
In the future—once all colleges have established the extra protection of multifactor authentication (MFA) for employee and student access to ctcLink—we may be able to revisit our policy as a system to extend the timeout to 30 minutes.
Compliance Standards
Below are highlights of the federal and industry standards we follow to secure ctcLink data.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a widely accepted set of policies and procedures intended to optimize security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information. PCI auditors recommend no more than 15 minutes for any idle session before a user is asked to re-authenticate their session.
Committee on National Security Systems
CNSSI-1253 Security Categorization and Control Selection for National Security Systems Control, Section AC-11: Session lock not to exceed 30 minutes.
National Institute of Standards and Technology (NIST)
Digital Identity Guidelines: Authentication and Lifecycle Management (NIST Special Publication 800-63B) 4.2.3 Reauthentication: Reauthentication of the subscriber SHALL be repeated following any period of inactivity lasting 30 minutes or longer. The session SHALL be terminated (i.e., logged out) when either of these time limits is reached.
Thank you for your understanding. Please reach out if you have any questions. Again, if your session is timing out while you are actively working in a pillar screen, please submit a service ticket and describe the situation.
Thank you,
-Grant
Grant Rodeheaver
Deputy Executive Director / CIO, IT Division
Washington State Board for Community and Technical Colleges
grodeheaver@sbctc.edu • o: 360-704-3939 • c: 360-280-4733
sbctc.edu • Twitter: @SBCTCWashington • Facebook: @WASBCTC