Automatic Termination of Inactive User Sessions
User sessions are terminated after a period of inactivity, and workstations are restarted daily outside business hours, so that an unattended login cannot be reused.
Plain language
This control is about automatically ending user sessions after a set period of inactivity and restarting workstations once a day, outside business hours. It matters because if someone leaves a workstation logged in and walks away, anyone who reaches the keyboard can act as that user and read, copy or alter sensitive information, potentially leading to a data breach or misuse.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Topic
Session termination
Official control statement
On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and workstations are restarted.
Why it matters
If inactive sessions are not terminated and workstations are not restarted after hours, an unattended logged-in session can be used by anyone with physical access to read or exfiltrate data with that user's privileges, and a long-lived session keeps cached credentials and tokens in memory longer than necessary.
Operational notes
Confirm idle timeouts trigger session termination and that a daily, after-hours restart is scheduled and logged; review failures/overrides and remediate promptly.
Implementation tips
- IT team should configure systems: Set workstations to log off (not merely lock) the user after a preset period of inactivity, say 10 or 15 minutes, and to restart once a day at a time outside business hours. Apply the settings centrally through Group Policy, MDM or your configuration management tool rather than per machine, so they cannot be changed by the user.
- HR should inform staff: Tell employees that idle sessions will be logged off and that workstations restart overnight, and remind them to save their work. Do this by email or at a staff meeting before enforcement begins, so nobody loses work.
- Managers should review settings: Regularly check that the idle logoff and the scheduled restart are actually running. Look at the system or endpoint-management logs for logoff and restart events, and follow up on reports from staff of sessions that did not end as expected.
- IT team should schedule the restart sensibly: Run the daily reboot outside working hours, for example at 3 AM, through your system management tool, and pair it with a short warning so anyone still logged on can save their work.
- Managers should monitor compliance: Verify that every workstation is covered by the configuration. Pick a few at random and confirm they log off after the idle period and that a restart was recorded in the last 24 hours.
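The steps above, carried out on a single Windows workstation, as an added example that is not part of this page or of the ISM. It assumes Windows workstations with the built-in Task Scheduler; the 15-minute idle period, the 3 AM restart time, the task names and the 24-hour evidence window are assumptions to adjust to your policy. The logoff task runs as the interactive user's group so it ends that user's session; the restart task runs as SYSTEM. Event ID 1074 from the User32 provider in the System log records who or what initiated a restart and is used as the evidence check.

```powershell
# Added example (not from the ISM or this page). Run elevated on a test workstation first.
# Assumptions: 15-minute idle period, 3 AM daily restart, task names below.
$IdleMinutes = 15
$RestartTime = '3:00AM'

# 1. Idle logoff. The idle trigger has no dedicated cmdlet, so build it from its CIM class.
#    RunOnlyIfIdle + IdleDuration define how long the machine must be idle before firing.
$idleTrigger = Get-CimClass -ClassName MSFT_TaskIdleTrigger `
    -Namespace Root/Microsoft/Windows/TaskScheduler | New-CimInstance -ClientOnly
$idleSettings = New-ScheduledTaskSettingsSet -RunOnlyIfIdle `
    -IdleDuration (New-TimeSpan -Minutes $IdleMinutes) `
    -IdleWaitTimeout (New-TimeSpan -Hours 8) `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
# logoff.exe with no arguments ends the session it runs in; running the task as the
# BUILTIN\Users group makes it run in the logged-on user's session, so the user is logged off,
# not just locked (the control asks for termination, not a screen lock).
$logoffAction  = New-ScheduledTaskAction -Execute 'logoff.exe'
$userPrincipal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited
Register-ScheduledTask -TaskName 'ISM-0853 Idle logoff' -Trigger $idleTrigger `
    -Settings $idleSettings -Action $logoffAction -Principal $userPrincipal -Force | Out-Null

# 2. Daily after-hours restart as SYSTEM, with a 60-second warning for anyone still logged on.
#    WakeToRun lets a sleeping machine wake for the task; StartWhenAvailable catches a missed run.
$restartTrigger  = New-ScheduledTaskTrigger -Daily -At $RestartTime
$restartAction   = New-ScheduledTaskAction -Execute 'shutdown.exe' `
    -Argument '/r /t 60 /c "Scheduled after-hours restart (ISM-0853)"'
$sysPrincipal    = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
$restartSettings = New-ScheduledTaskSettingsSet -WakeToRun -StartWhenAvailable
Register-ScheduledTask -TaskName 'ISM-0853 Nightly restart' -Trigger $restartTrigger `
    -Action $restartAction -Principal $sysPrincipal -Settings $restartSettings -Force | Out-Null

# 3. Evidence check: the most recent restart recorded in the System log (User32, Event ID 1074).
#    No such event in the last 24 hours means the restart did not happen and is a finding.
$since = (Get-Date).AddDays(-1)
$last  = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32';
                                         Id = 1074; StartTime = $since } `
         -ErrorAction SilentlyContinue | Select-Object -First 1
if ($null -eq $last) {
    Write-Warning "$env:COMPUTERNAME: no restart recorded since $since"
} else {
    "{0}: restart at {1}: {2}" -f $env:COMPUTERNAME, $last.TimeCreated, ($last.Message -split "`n")[0]
}
```

On a fleet, deploy the same two tasks through Group Policy Preferences or your MDM rather than running the script per machine, and collect the step 3 result centrally: a workstation that returns the warning, or whose 1074 event was initiated by a user rather than the scheduled task, is the override or failure the operational notes ask you to review.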
Audit / evidence tips
- Ask: system configuration documents. Request the IT policy that details session termination and workstation restart settings. Good: the document shows precise idle time limits and reboot schedules.
- Ask: IT logs. Request automated logs from the IT system showing session terminations and restarts.
- Ask: employee communication records. Request copies of the emails or meeting notes informing staff about the session termination policy. Good: communication was sent in good time before policy enforcement.
- Ask: system update schedules. Request schedules or records of after-hours reboots from IT. Good: the schedules clearly set out routine, off-hours times and which systems are affected.
- Ask: employees about downtime awareness. Request feedback surveys or meeting notes on staff awareness of idle log-offs.
Cross-framework mappings
How ISM-0853 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 7.7 (Clear desk and clear screen) | ISM-0853 requires user sessions to be terminated after inactivity and systems to be restarted daily outside business hours |
| Supports | Annex A 5.15 (Access control) | ISM-0853 requires inactive user sessions to be terminated after an appropriate period of inactivity and for workstations to be restarted ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.