AM-05 Access Management

Session Management / Timeout

Unattended sessions are automatically secured.

Domain: Access Management
Control type: Preventive
Automated / manual: Automated
Frequency: Continuous
Framework reference: MAS Cyber Hygiene

What good looks like

Sessions auto-lock/terminate after defined inactivity and require re-authentication.

Risk if it fails

Hijack of unattended sessions.

How Tess tests it

3 tests — each concludes only on cited evidence.

Inactivity-timeout policy defined

Design

Procedure: Inspect the policy.
Expected: Timeout threshold stated.
Sample: 1 (design inspection)
Evidence: Timeout configuration/screenshots.

Timeout enforced on workstations/OS

Operating

Procedure: Inspect configuration.
Expected: Auto-lock at threshold.
Sample: 25 (or full config inspection)
Evidence: Timeout configuration/screenshots.

Timeout enforced on apps and VPN

Operating

Procedure: Inspect configuration.
Expected: Re-authentication required.
Sample: 25 (or full config inspection)
Evidence: Timeout configuration/screenshots.

Evidence Tess looks for

Timeout configuration/screenshots.

More in Access Management

AM-01 IT Organisation & Segregation AM-02 Password / Authentication Policy AM-03 Multi-Factor Authentication (MFA) AM-04 Centralised Identity / SSO

Want Tess to test AM-05 against your evidence?