AC-10: CONCURRENT SESSION CONTROL
TAILORED FOR INDUSTRIAL CONTROL SYSTEM
ICS Control Baseline:
- High
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
SUPPLEMENTAL GUIDANCE
Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts.
ICS SUPPLEMENTAL GUIDANCE
The number, account type, and privileges of concurrent sessions take into account the roles and responsibilities of the affected individuals. Example compensating controls include providing increased auditing measures.
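The sketch below is an added example, not part of the control text or of NIST SP 800-82. It shows one way to enforce a per-account session limit defined globally, by account type, and by account, with an audit-only mode standing in for the compensating control. The class name, the account and type names, the numeric limits, and the "most specific limit wins" precedence are all assumptions.

```python
import threading
from dataclasses import dataclass, field

@dataclass
class SessionLimiter:
    global_limit: int                                    # organization-defined default
    type_limits: dict = field(default_factory=dict)      # account type -> max sessions
    account_limits: dict = field(default_factory=dict)   # account name -> max sessions
    audit_only_types: set = field(default_factory=set)   # types audited instead of denied
    audit_log: list = field(default_factory=list)
    _active: dict = field(default_factory=dict)          # account -> open session ids
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def limit_for(self, account, account_type):
        # Assumed precedence: per-account, then per-type, then global.
        if account in self.account_limits:
            return self.account_limits[account]
        return self.type_limits.get(account_type, self.global_limit)

    def open_session(self, account, account_type, session_id):
        # Sessions are counted per system account, as AC-10 scopes it,
        # not per person across several accounts.
        with self._lock:
            sessions = self._active.setdefault(account, set())
            limit = self.limit_for(account, account_type)
            if len(sessions) >= limit:
                if account_type not in self.audit_only_types:
                    self.audit_log.append(("DENIED", account, session_id, limit))
                    return False
                # Compensating control: allow the session but record it.
                self.audit_log.append(("OVER_LIMIT_ALLOWED", account, session_id, limit))
            sessions.add(session_id)
            return True

    def close_session(self, account, session_id):
        with self._lock:
            self._active.get(account, set()).discard(session_id)

    def active_count(self, account):
        with self._lock:
            return len(self._active.get(account, ()))

def demo():
    # Constructed policy and accounts, for illustration only.
    lim = SessionLimiter(global_limit=3, type_limits={"privileged": 1, "operator": 2},
                         account_limits={"svc-historian": 5}, audit_only_types={"operator"})
    results = [lim.open_session("admin1", "privileged", "s1"),
               lim.open_session("admin1", "privileged", "s2"),
               lim.open_session("op1", "operator", "s3"),
               lim.open_session("op1", "operator", "s4"),
               lim.open_session("op1", "operator", "s5")]
    return results, lim
```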
RELATED CONTROLS:
CONTROL ENHANCEMENTS
NO CONTROL ENHANCEMENTS
REFERENCES:
- NIST Special Publication 800-82 | GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY