| 2.2 Service Level 14. Service Expired Page | |
|---|---|
2.2.14 Service Expired Page: | This page uses the term "private web pages" where, strictly, it should say "containers": a container may show one or more web pages, and it is the container that is replaced by the expired page, not the web page content within it. The distinction is a minor technicality that most readers can ignore. |
How does it work: | Public expired page 1008 is configured to refresh every container after 3678 seconds (about 61 minutes, just past the 61-minute session life described below), so that the container shows the expired page once the session behind it has lapsed. The exception is a set of selected dashboards which, between 09:00 and 17:00, are refreshed with themselves after 2345 seconds (about 39 minutes) rather than being replaced. |
Business Requirement: | Regardless of training and education, a few people choose not to sign off and leave their desktop computer on overnight. A small number decide it is time to go home and simply walk away from their desk without closing any page and without signing off. This creates a security vulnerability: a criminal could take over the session, retrieve data they are not entitled to see and change data as if they were the person who walked away. | An unattended public web page exposes no private data and is outside the scope of this page; only private web pages are considered here. |
Threat Analysis: | The person's session remains valid for 61 minutes and then expires automatically. This leaves a small window in which the session could be taken over by another person during the hour after they leave their desk, which is no different from the risk of leaving a computer signed on during a lunch or tea break. | The 61 minutes is a balance: a person will not have to sign in again after a walk round the office or a phone call. People who process sensitive data have the 61 minutes reduced to 16 minutes. People who need continual access may have the 61 minutes renewed every 42 minutes until 17:00. |
Next Morning: | The person who walked away from their computer the evening before may expect to see the same pages still open, showing private and confidential data. In fact every private web page has a life cycle and is automatically replaced by the fixed "expired page" 61 minutes after it was opened. The person instead sees the "expired page" with a "Sign Off" button and no other navigation; they must sign off before they can proceed. |
Business Rules: | People must be educated to click the sign-off button before they leave at the end of the day. Those who choose not to sign off create a security vulnerability, and this is a disciplinary matter. Every page left open is automatically changed to the "expired page" 61 minutes after it was originally opened. |
Expired Page: | This page is an educational reminder of the security risk taken by not signing off. The only navigation available is the "Sign Off" button at the top right. From the "signed off page" the person can click the "sign in" button and sign in as normal. |
Technical: | A private web page may contain many links, but those links are valid only for as long as the session behind them, which is at most 61 minutes. Because every link depends on a session, and a session lives no longer than 61 minutes, a private link created one day can never be used the next day. The server-side session expiry is the control that blocks a walked-away session; the browser refresh to the expired page only removes stale content from view. |
Dashboard Refresh: | Certain identified dashboards may be assigned a "daily" life cycle from 09:00 to 17:00. Between these hours the dashboard page is automatically refreshed every 42 minutes, which keeps the session alive through the working day; after 17:00 the refresh stops and the dashboard expires like any other page. This service is extended only to people classified as full-time "daily" users of the application services. People using ad-hoc services are limited to viewing a web page for 61 minutes. |
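The "How does it work", "Threat Analysis", "Technical" and "Dashboard Refresh" rows above describe one policy from four angles. The following Python model puts them together so the two scenarios the page cares about can be traced: a page left open overnight, and a daily dashboard that renews itself until 17:00. It is an added example, not the application's own code. The expired-page path `/page/1008`, the profile names `STANDARD`, `SENSITIVE` and `DAILY`, the request paths, the constructed clock times and the use of an HTTP `Refresh` header (the equivalent of `<meta http-equiv="refresh">`) are assumptions; the 61 and 16 minute session lives, the 3678 and 2345 second refresh intervals and the 09:00 to 17:00 window are the figures quoted on the page.

```python
"""Session life cycle and expired-page refresh, modelled on the policy above.

Added example, not the application's own code.  Assumed: the expired page is
served at /page/1008, the user classes are named STANDARD / SENSITIVE / DAILY,
and the browser is steered with an HTTP Refresh header.  The figures (61 and
16 minute session life, 3678 and 2345 second refreshes, 09:00-17:00 window)
are the ones quoted on the page.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from enum import Enum


class Profile(Enum):
    STANDARD = "standard"    # ad-hoc users: 61-minute session, never renewed
    SENSITIVE = "sensitive"  # sensitive-data users: 16-minute session
    DAILY = "daily"          # full-time dashboard users: renewed until 17:00


SESSION_LIFE = {
    Profile.STANDARD: timedelta(minutes=61),
    Profile.SENSITIVE: timedelta(minutes=16),
    Profile.DAILY: timedelta(minutes=61),
}
EXPIRED_PAGE = "/page/1008"        # assumed path of public expired page 1008
EXPIRED_REFRESH_SECONDS = 3678     # fires just after the 61-minute session life
DASHBOARD_REFRESH_SECONDS = 2345   # dashboard re-requests itself before expiry
DAILY_START, DAILY_END = time(9, 0), time(17, 0)


@dataclass(frozen=True)
class Session:
    profile: Profile
    issued_at: datetime  # when the server last (re)issued this session

    def expires_at(self) -> datetime:
        return self.issued_at + SESSION_LIFE[self.profile]

    def is_valid(self, now: datetime) -> bool:
        # Server-side check: this, not the browser refresh, is the control that
        # stops a walked-away session being used by someone else.
        return now < self.expires_at()


def in_daily_window(now: datetime) -> bool:
    return DAILY_START <= now.time() < DAILY_END


def serve_private_page(session, now, path, dashboard=False) -> dict:
    """Handle one request for a private page.

    Returns a small response dict: HTTP status, a Location or Refresh header,
    and the session the server should store afterwards (None once expired).
    """
    if not session.is_valid(now):
        # Any private link, however old, lands on the expired page once the
        # session behind it has lapsed; only "Sign Off" is offered there.
        return {"status": 302, "location": EXPIRED_PAGE, "session": None}

    if dashboard and session.profile is Profile.DAILY and in_daily_window(now):
        # Daily dashboards renew the session and reload themselves; outside
        # 09:00-17:00 they fall through to the normal expiry behaviour.
        return {"status": 200,
                "refresh": f"{DASHBOARD_REFRESH_SECONDS}; url={path}",
                "session": Session(session.profile, now)}

    return {"status": 200,
            "refresh": f"{EXPIRED_REFRESH_SECONDS}; url={EXPIRED_PAGE}",
            "session": session}


def walk_away_scenario() -> dict:
    """Page opened at 16:30, desk left without signing off, checked at 17:00
    and again next morning at 08:30; plus a sensitive-data user at 16:47.
    All clock times are constructed for the example."""
    std = Session(Profile.STANDARD, datetime(2024, 1, 8, 16, 30))
    sens = Session(Profile.SENSITIVE, datetime(2024, 1, 8, 16, 30))
    return {
        "at_1700": serve_private_page(std, datetime(2024, 1, 8, 17, 0), "/private/report"),
        "next_morning": serve_private_page(std, datetime(2024, 1, 9, 8, 30), "/private/report"),
        "sensitive_at_1647": serve_private_page(sens, datetime(2024, 1, 8, 16, 47), "/private/payroll"),
    }


def daily_dashboard_scenario() -> list:
    """Browser follows the Refresh header from 09:00 until it is finally
    redirected to the expired page; returns one log entry per request."""
    s = Session(Profile.DAILY, datetime(2024, 1, 8, 9, 0))
    now, log = s.issued_at, []
    while True:
        r = serve_private_page(s, now, "/dashboard/7", dashboard=True)
        log.append({"time": now.strftime("%H:%M:%S"),
                    **{k: v for k, v in r.items() if k != "session"}})
        if r["session"] is None:
            return log
        s = r["session"]
        now += timedelta(seconds=int(r["refresh"].split(";")[0]))
```

Running `daily_dashboard_scenario()` shows the dashboard renewing itself thirteen times up to 16:49:00, then at 17:28:05 (outside the window) being served with a refresh to the expired page, and at 18:29:23 being redirected because the session issued at 16:49 has run out. `walk_away_scenario()` shows the standard page still served at 17:00 but redirected the next morning, and the sensitive-data session already gone at 16:47. Note that the page's 2345-second dashboard refresh is about 39 minutes, while its prose quotes 42 minutes; the model uses the configured 2345 seconds.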