


Good points, Patrick, and a well reasoned note. And the topic of users leaving
a session without logging off is indeed a good one. But leaving for even a
couple of seconds would cause the same "hole" as 10 minutes, 20 minutes,
etc. as far as proving someone didn't do something. Anything short of logging off
EVERY time you step away (or securing the session some other way) will allow
the lawyers to have a field day :-)

JMHO,

Chuck

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Patrick Botz
Sent: Monday, August 15, 2005 6:29 PM
To: Midrange Systems Technical Discussion
Subject: Re: To what does everyone set QINACTIVE to autolog off
inactiveusers?

I would respond to this question differently (which will probably not be
nearly as satisfying as other responses)...

My take on this question:
You're asking the wrong question of the wrong people.

Why? Because your policy, whatever it should be, is not driven by what other
organizations happen to do.  How concerned your organization is with the
amount of time before an inactive session is logged off is entirely a
business decision for which, ultimately (especially because of SOX), your
corporate officers are responsible.  Decisions other organizations make are
likely to not be valid for yours.

These sorts of questions SHOULD be addressed in your organization's
security policy.  If your policy is to rely on a Windows screen saver and
not automatically end the session, then that is a perfectly valid decision.
In fact, if they make an informed decision to not worry about this
potential exposure at all, that is also a rational decision. Many people
might not agree, but it is a rational business decision -- assuming the
officers really do understand the risks/rewards.  If not covered in a
security policy (or in the absence of one), the decision must still be made
by your organization.

So, in the same situation, I would pose the following question to my
management:
"If we choose not to automatically end inactive OS/400 sessions, we accept
the risk that an untrustworthy employee can use someone else's session and
thus use the rights and privileges of another employee.  We will probably
never be able to prove that the person that started the session did or did
not actually perform some action.  This can result in potentially large
negative financial consequences for our organization.  On the other hand,
if we set the QINACTIVE value to a very small period of time, we could
impact the productivity of some employees.  The lower we set it, the more
potential productivity impact; the higher we set it, the greater the amount of
risk we assume.  What is our organization's policy?  My opinion is that we
should set this value to X minutes [provide rationale here].  However,
ultimately this is a management decision.  I will implement whatever
management determines the policy should be."

Then I would make sure that the decision, if not already covered in a
written policy, was provided to me in writing (or save the e-mail).

I hope this helps just a little...

Patrick


