
Predetermined Time of Inactivity

Definition

Predetermined time of inactivity is the defined period a system, application, workstation, or user session may remain idle before a protective action occurs, such as locking the screen, requiring re-authentication, ending the session, or logging the user out. It is an access control safeguard designed to reduce the chance that an unattended device or open application can be used by someone who is not authorized. The time period is usually documented in a security policy and implemented through application settings, operating system configuration, identity provider controls, endpoint management tools, or administrative scripts. The appropriate duration depends on the sensitivity of the system, user role, working environment, and operational risk. For example, a public kiosk, administrator console, or finance system may require a shorter inactivity period than a low-risk internal knowledge base. In compliance programs, this control helps show that access is not only granted appropriately, but also limited when users are no longer actively using a system.

Real-World Examples

SaaS session timeout

A cloud application automatically signs users out after a defined period without keyboard, mouse, or browser activity.

Workstation auto-lock

An employee laptop locks after several minutes of inactivity and requires the user to re-authenticate before work can continue.

Privileged admin console

An administrative dashboard uses a shorter idle timeout because the account can make sensitive configuration changes.

Shared operations terminal

A manufacturing floor terminal ends inactive sessions so the next worker cannot access the previous user's account.

A predetermined time of inactivity is the maximum idle period allowed before a system takes protective action, such as locking a screen, ending a session, or requiring re-authentication. It helps prevent unattended sessions from becoming unauthorized access points.

Idle timeout is based on a lack of user activity, such as no clicks, typing, or requests. Session timeout may refer to any limit on a session, including inactivity-based limits, fixed maximum session duration, or both.

Compliance programs commonly expect organizations to limit access when users are no longer actively using a system. Automatic logoff or session lock reduces the risk that someone else can use an unattended device, browser session, or privileged account.

The right inactivity period depends on system sensitivity, user role, device type, work environment, and business needs. Higher-risk systems, shared devices, and privileged accounts usually justify shorter timeouts than low-risk internal tools.

An inactivity timeout policy defines how long systems may remain idle, which systems are in scope, what action occurs after the limit is reached, and who approves exceptions. It should be practical, measurable, and consistently enforced.

Automatic logout can be configured through application settings, identity and access management controls, endpoint management policies, operating system settings, or custom session handling. The implementation should match the documented policy and be tested regularly.
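As an added illustration (not part of the original glossary entry), the following Python sketch of custom session handling separates an idle timeout from a fixed maximum session duration, as distinguished above, and applies a shorter idle window to privileged roles. The timeout values, role names and session fields are assumed for the example, not taken from any standard or product.

```python
"""Idle vs. absolute session timeout in a minimal in-memory session record.

An idle timeout fires after a period with no activity; an absolute lifetime
caps the session regardless of activity. Activity refreshes the idle clock
only, never the absolute one, so a busy session still expires on schedule.
"""
from dataclasses import dataclass

# Assumed policy values (example only): privileged sessions get a shorter
# idle window than ordinary users, matching the "shorter timeout for admin
# consoles" practice described in the entry.
IDLE_TIMEOUT_SECONDS = {"user": 15 * 60, "admin": 5 * 60}
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60  # fixed maximum session duration


@dataclass
class Session:
    user: str
    role: str
    created_at: float      # time of authentication; never refreshed
    last_activity: float   # time of the most recent request


def check_session(session: Session, now: float) -> str:
    """Return 'active', 'idle_expired' or 'lifetime_expired' for time `now`."""
    if now - session.created_at >= ABSOLUTE_LIFETIME_SECONDS:
        return "lifetime_expired"
    if now - session.last_activity >= IDLE_TIMEOUT_SECONDS[session.role]:
        return "idle_expired"
    return "active"


def record_activity(session: Session, now: float) -> bool:
    """Handle a request: refuse an expired session (caller must force
    re-authentication); otherwise refresh only the idle clock."""
    if check_session(session, now) != "active":
        return False
    session.last_activity = now  # created_at is deliberately left untouched
    return True


def continuously_active_session(role: str, every_seconds: float) -> str:
    """Status of a session that stays busy, checked exactly at the absolute
    lifetime: shows that activity cannot extend the hard cap."""
    s = Session("demo", role, created_at=0.0, last_activity=0.0)
    t = every_seconds
    while t < ABSOLUTE_LIFETIME_SECONDS:
        record_activity(s, t)
        t += every_seconds
    return check_session(s, float(ABSOLUTE_LIFETIME_SECONDS))
```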

Best practices include setting shorter timeouts for sensitive systems, applying consistent rules across similar applications, requiring re-authentication after timeout, documenting exceptions, and reviewing settings after major system or risk changes.

An inactivity timeout reduces the window of opportunity for someone to use an unattended active session. This is especially important for shared workspaces, remote work, privileged accounts, customer data systems, and devices used in public or semi-public environments.

Useful evidence may include documented policy requirements, configuration screenshots, endpoint management settings, application session settings, identity provider policies, test results, system logs, and records showing periodic review of timeout values.

Information Security & GRC requirements generally expect organizations to define, implement, monitor, and review inactivity timeout controls for systems where unattended access could create risk. The requirement should be supported by policy, technical configuration, and evidence of operation.

Version | Date       | Author            | Description
1.0.0   | 2026-05-07 | WatchDog GRC Team | Initial publication