Session Inactivity Timeout

As part of CivicPlus’s ongoing efforts to implement security and privacy controls in line with the National Institute of Standards and Technology (NIST) 800-53 requirements, Agenda and Meeting Management Select, formerly CivicClerk, includes a session inactivity timeout feature. This feature will allow system administrators to configure a session inactivity timeout in Agenda and Meeting Management Select in accordance with local access control policies. The minimum allowed configuration is 3 minutes, and the maximum allowed timeout is 120 minutes. By default, this feature is configured at 120 minutes.

What does this mean for users?

• System administrators may either leave the timeout at the default configuration of 120 minutes or they can follow the configuration instructions to set a custom session timeout. Users who are completely inactive in Agenda and Meeting Management Select for the designated period of time will receive a warning message alerting them that they have been inactive and notifying them that they will be automatically logged out in two minutes.
• If the user acknowledges by clicking the “Ok” button, it will reset the user’s activity clock and allow them to remain logged in to Agenda and Meeting Management Select. If the user does not acknowledge and the two-minute period elapses, the user will be logged out and any unsaved changes will be lost. The user’s browser will display a message telling the user that they have been logged out of Agenda and Meeting Management Select due to inactivity and giving a link to log back in.
• Upon login, they will land on the same page they were on prior to logout.

If a user is automatically logged out due to inactivity, will their changes be saved?

• Agenda and Meeting Management Select does not autosave work in Agendas, Events, Items, or Analytics, so work in any of these modules will NOT be saved before session inactivity timeout. Autosave is enabled in the Live Meeting Manager.
• To remind users to periodically save their work, we have implemented an “Unsaved Changes” alert that will remind users working on Items that they have unsaved changes. This alert will appear if a user has made a change to an agenda item and has not yet saved the changes.

Can we opt out or disable this feature?

• This feature will be rolled out to all Agenda and Meeting Management Select customers. There is no ability to opt out. However, if you choose not to configure the default, the timeout for your site will be set at 120 minutes.

Resources

In regard to any security controls, we advise that you look to the National Institute of Standards and Technology (NIST) 800-53 Revision 4 for more information. As it relates to this feature in Agenda and Meeting Management Select, the control in question would be Access Control 12 (AC-12). While NIST defines this control, it’s up to individual system administrators to set internal organizational policy. This feature is intended to allow administrators the ability to configure Agenda and Meeting Management Select to adhere to their policy for up to 120 minutes, which is the maximum allowed duration.

• Configure Session Inactivity Timeout
• National Institute of Standards and Technology Cybersecurity and Privacy Reference Tool