nerdexam
(ISC)2

CISSP · Question #240

An application developer is deciding on the amount of idle session time that the application allows before a timeout. The BEST reason for determining the session timeout requirement is

The correct answer is A. organization policy.. The session timeout requirement is the maximum amount of time that a user can be inactive on an application before the session is terminated and the user is required to re-authenticate. The best reason for determining the session timeout requirement is the organization policy, as

Submitted by manish99· Mar 5, 2026Software Development Security

Question

An application developer is deciding on the amount of idle session time that the application allows before a timeout. The BEST reason for determining the session timeout requirement is

Options

  • Aorganization policy.
  • Bindustry best practices.
  • Cindustry laws and regulations.
  • Dmanagement feedback.

How the community answered

(51 responses)
  • A
    75% (38)
  • B
    4% (2)
  • C
    6% (3)
  • D
    16% (8)

Explanation

The session timeout requirement is the maximum amount of time that a user can be inactive on an application before the session is terminated and the user is required to re-authenticate. The best reason for determining the session timeout requirement is the organization policy, as it reflects the organization's risk appetite, security objectives, and compliance obligations. The organization policy should specify the appropriate session timeout value for different types of applications and data, based on their sensitivity and criticality.

Topics

#application security#session management#security policy#organizational standards

Community Discussion

No community discussion yet for this question.

Full CISSP Practice