STATE of ARIZONA
TITLE: Session Controls Government Statewide Information STANDARD Technology
Effective Date: October 10, 2008 P800-S825 Rev 2.0 Agency
The Government Information Technology Agency (GITA) shall develop, implement and maintain a coordinated statewide plan for information technology (IT) (A.R.S. ? 41-3504(A (1))), including, the adoption of statewide technical, coordination, and security standards (A.R.S. ? 41-3504(A (1(a)))).
The purpose of this standard is to coordinate budget unit and State efforts to prevent unauthorized access to critical systems via workstations left unattended. Unattended workstations logged into networks, systems, and applications may allow unauthorized access to critical information and resources.
This applies to all budget units. Budget unit is defined as a department, commission, board, institution or other agency of the state organization receiving, expending or disbursing state funds or incurring obligations of the state including the Arizona Board of Regents but excluding the universities under the jurisdiction of the Arizona Board of Regents the community college districts and the legislative or judicial branches. A.R.S. ? 41-3501(2).
The Budget Unit Chief Executive Officer (CEO), working in conjunction with the Budget Unit Chief Information Officer (CIO), shall be responsible for ensuring the effective implementation of Statewide Information Technology Policies, Standards, and Procedures (PSPs) within each budget unit.
The following session controls provide minimum requirements for preventing unauthorized access to information, systems, applications, and networks via unattended workstations at budget units, regardless of location, throughout the State. Requirements shall be documented and maintained as part of, and in accordance with, Statewide Standard P800-S810, Account Management.
4.1 SESSION/SYSTEM TIMEOUT: Budget units shall develop, implement, and
communicate procedures for:
; Automatic session timeouts to be in place on multi-user information
systems and remote communication systems, with the maximum period of
inactivity set commensurate with the sensitivity of information housed on
the individual system.
; All system users to log off at the end of the business day, regardless of the
sensitivity of information on the system. If budget unit business
Standard P800-S825 Rev 2.0 Effective: October 10, 2008
Session Controls Page 2 of 3
requirements necessitate a deviation, rationale and procedures shall be
; Locking screensavers to be in use on all personal computers (including
laptops). Screensavers shall be automatically activated by the personal
computer’s operating system after a specific period of inactivity. The
period of inactivity shall be determined by the budget unit. 4.2 PASSWORD PROTECTION FOR LOCKING SCREENS: Requirements for
password strength used on locking screen savers shall be determined by the
capabilities of the applicable operating system. Passwords used to unlock
screens shall meet requirements of Statewide Standard P800-S820,
Authentication and Directory Services, unless otherwise prevented by the
capabilities of the applicable operating system.
4.3 LOCKOUT BASED ON UNSUCCESSFUL LOGON ATTEMPTS: Budget
units shall establish, document, implement, and communicate a requirement for
locking an account from further use following a maximum number of detected,
unsuccessful login attempts. Budget unit password resetting procedures shall
ensure that the correct account holder is requesting the reset. 4.4 STRONG AUTHENTICATION: In controlling the authenticity of local
and/or remote user identities, it is recommended that budget unit’s provide at
least two of the three authentication methods as identified in the Statewide
Standard P800-S820 Authentication and Directory Services, authentication by
knowledge, authentication by ownership, and/or authentication by
4.5 ACCESS (SECURITY EVENT) LOGS: Access logs, if available, shall be
turned on and protected from accidental or deliberate overwriting. Access logs
should be proactively analyzed, correlated with other logs, and evaluated.
Systems should be configured to log information locally, and the logs should
be sent to a remote system. Logs should contain details of:
; Access by types of user;
; Servicing activities;
; Failed sign-on attempts;
; Error / exception conditions; and
; Sufficient information to identify individual userIDs, resources, and
information accessed, access paths, and patterns of access.
Access logs shall be maintained for a period of time determined by the business
needs of the budget unit. Budget units shall establish and document access log
retention requirements. Storage and backup of access logs shall be in
accordance with Statewide Standard P800-S870, Backups.
5 DEFINITIONS AND ABBREVIATIONS
Refer to the PSP Glossary of Terms located on the GITA website at http://www.azgita.gov/policies_standards/ for definitions and abbreviations.
Standard P800-S825 Rev 2.0 Effective: October 10, 2008
Session Controls Page 3 of 3
6.1. A. R. S. ? 41-621 et seq., “Purchase of Insurance; coverage; limitations,
6.2. A. R. S. ? 41-1335 ((A (6 & 7))),“State Agency Information.”
6.3. A. R. S. ? 41-1339 (A),“Depository of State Archives.”
6.4. A. R. S. ? 41-1461, “Definitions.”
6.5. A. R. S. ? 41-1463, “Discrimination; unlawful practices; definition.”
6.6. A. R. S. ? 41-1492 et seq., “Prohibition of Discrimination by Public Entities.”
6.7. A. R. S. ? 41-2501 et seq., “Arizona Procurement Codes, Applicability.”
6.8. A. R. S. ? 41-3501, “Definitions.”
6.9. A. R. S. ? 41-3504, “Powers and Duties of the Agency.”
6.10. A. R. S. ? 41-3521, “Information Technology Authorization Committee;
members; terms; duties; compensation; definition.”
6.11. A. R. S. ? 44-7041, “Governmental Electronic Records.”
6.12. Arizona Administrative Code, Title 2, Chapter 7, “Department of Administration
Finance Division, Purchasing Office.”
6.13. Arizona Administrative Code, Title 2, Chapter 10, “Department of
Administration Risk Management Section.”
6.14. Arizona Administrative Code, Title 2, Chapter 18, “Government Information
6.15. Statewide Policy P100, Information Technology.
6.16. Statewide Policy P800, IT Security.
6.16.1. Statewide Standard P800-S810, Account Management.
6.16.2. Statewide Standard P800-S820, Authentication and Directory Services.
6.17. State of Arizona Target Security Architecture,