[Sigia-l] time-out session lengths, security, and user tasks
Christy Mylks
christy at cognetics.com
Mon Nov 11 17:52:04 EST 2002
Hello All:
I hope this isn't considered off-topic for this list, but I have a question
that comes up sometimes when designing for websites with security issues.
Are there any actual standards (official or conventional) for how long you
can let your users remain "inactive" on a secure site before it times out
on them?
In this case, I have a targeted site for external users who work in a
highly interruptive environment (stop and take phone calls, call and verify
something they're processing, etc.). Their tasks and work processes mean
that they'll need to have the site up for a while. However, the IT
department says that a 20-minute timeout for secure sites is required by
"industry standards" in security. These two needs conflict pretty heavily,
so I'd like some verification of the magic 20-minute number. (Also, this
isn't national security, credit cards or other financial security, just
"sensitive" information like pricing and competitive analyses--sort of a
tier 2 or 3 in security.)
Does anyone have any insight or resources for the time-out intervals?
Naturally, I can improve the current situation by at least throwing up a
"your session is about to expire, click OK to extend it" type of box, but
I'd like to do better if possible. Talking to the end users has shown this
is driving them crazy.
Thanks,
Christy
Christy Mylks, Usability Analysis and Design
Cognetics Corporation
http://www.cognetics.com
christy at cognetics.com
301-587-7549
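An added example, not code from the original post or from Cognetics: the "your session is about to expire, click OK to extend it" behaviour Christy mentions, written as a small idle-timeout model plus the browser wiring. It keeps two limits apart, an idle limit measured from the last user action and an absolute limit measured from login, so that "extend" can rescue an interrupted session but cannot keep one alive indefinitely. The 20-minute idle value is the figure the IT department quoted; the 2-minute warning window, the 8-hour absolute cap, the `/login?reason=timeout` path and the hook names are assumptions made for illustration.

```javascript
// Added example, not code from the original post: an idle-session timer with a
// "session about to expire" warning and a bounded "extend" action.
// Assumed constants: 20-minute idle limit (the figure IT quoted in the post),
// 2-minute warning window, and an 8-hour absolute cap chosen for illustration.
const MINUTE = 60 * 1000;

class SessionTimer {
  // Times are passed in as milliseconds so the logic runs the same in a test
  // as in a browser (where the caller passes Date.now()).
  constructor({ idleTimeoutMs = 20 * MINUTE, warnBeforeMs = 2 * MINUTE,
                absoluteTimeoutMs = 8 * 60 * MINUTE, now = 0 } = {}) {
    this.idleTimeoutMs = idleTimeoutMs;
    this.warnBeforeMs = warnBeforeMs;
    this.absoluteTimeoutMs = absoluteTimeoutMs;
    this.startedAt = now;     // when the session was established
    this.lastActivity = now;  // last genuine user action
  }

  // Milliseconds left before the session ends, whichever limit comes first:
  // the idle limit (from the last activity) or the absolute limit (from
  // session start). Never negative.
  remainingMs(now) {
    const idleLeft = this.lastActivity + this.idleTimeoutMs - now;
    const absoluteLeft = this.startedAt + this.absoluteTimeoutMs - now;
    return Math.max(0, Math.min(idleLeft, absoluteLeft));
  }

  // 'active' | 'warning' (show the "about to expire" box) | 'expired'
  state(now) {
    const left = this.remainingMs(now);
    if (left === 0) return 'expired';
    if (left <= this.warnBeforeMs) return 'warning';
    return 'active';
  }

  // Record real user activity (click, keystroke, form submit). Refuses once
  // the session has already expired, so a late click cannot revive it.
  touch(now) {
    if (this.state(now) === 'expired') return false;
    this.lastActivity = now;
    return true;
  }

  // The "click OK to extend" action. It resets the idle clock exactly as
  // activity does and stays bounded by the absolute limit: the user can keep
  // extending an interrupted session, but not forever.
  extend(now) {
    return this.touch(now);
  }
}

// How long the UI should sleep before the next state change needs handling:
// until the warning threshold while active, until expiry while warning.
function nextCheckDelayMs(timer, now) {
  const state = timer.state(now);
  if (state === 'expired') return 0;
  if (state === 'warning') return timer.remainingMs(now);
  return timer.remainingMs(now) - timer.warnBeforeMs;
}

// Browser wiring (only installed when a document exists). onWarn/onExpire are
// hooks the page supplies (assumed names). The server must enforce the same
// limits on its side; extend() should coincide with a request that refreshes
// the server-side session, or the client timer alone proves nothing.
function installIdleWarning(timer, { onWarn, onExpire, clock = Date.now }) {
  const schedule = () => setTimeout(tick, nextCheckDelayMs(timer, clock()));
  const tick = () => {
    const state = timer.state(clock());
    if (state === 'expired') { onExpire(); return; }
    if (state === 'warning') onWarn(() => timer.extend(clock()));
    schedule(); // re-check at the next threshold (expiry, or warning if extended)
  };
  for (const evt of ['click', 'keydown']) {
    document.addEventListener(evt, () => timer.touch(clock()));
  }
  schedule();
}

if (typeof document !== 'undefined') {
  installIdleWarning(new SessionTimer({ now: Date.now() }), {
    onWarn: (extend) => {
      if (window.confirm('Your session is about to expire. Extend it?')) extend();
    },
    onExpire: () => { window.location.assign('/login?reason=timeout'); }, // assumed path
  });
}
```

The warning box answers the usability complaint on the client, but the idle and absolute limits are only meaningful if the server applies the same arithmetic to its own session record; the client timer exists to warn the user, not to decide whether the session is still valid.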