RE: To what does everyone set QINACTIVE to autologoff inactiveusers?

Exactly Patrick,

That they do and that does none of us any good. As you note, you cannot
possibly paint security with one brush stroke, it is a multi-pronged deal to
say the least and as you note, different for every business.

Chuck

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Patrick Botz
Sent: Tuesday, August 16, 2005 11:08 AM
To: Midrange Systems Technical Discussion
Subject: RE: To what does everyone set QINACTIVE to autologoff
inactiveusers?

Chuck,

Your absolutely right.  Leaving a system for any amount of time creates an
exposure. That's why I would suggest a policy that includes the requirement
for employees to lock their screen everytime they leave their workstation.
However, depending on the circumstances, I might also automatically end the
session after some period of time too.

When analyzing risks you must take into account the probability of the
adverse consequences related to that risk.  So, while an X minute value for
QINACTIVE doesn't eliminate the exposure, it can significantly reduce the
probability of adverse consequences by reducing the window of opportunity
(i.e. the time that the exposure can be exploited) for that exposure.

In most cases, if not all, it is not possible to eliminate risk.
Everything you do with respect to security is aimed at reducing risk -- not
eliminating it.  But, unfortunately, most of us -- including many security
industry experts/ISVs -- talk in terms of "secure" and "un-secure."

Patrick