The information resource owner, or designee, is responsible for ensuring that the measures described in this Control are implemented. The intended audience for this Control includes, but is not limited to, all information resource owners and custodians.

The information resource owner, or designee shall:

• 1.1

  Prevent access to an information resource by initiating a session lock after no more than 15 minutes of inactivity or upon receiving a request from a user; and

• 1.2

  Retain the session lock until the user reestablishes access using established identification and authentication procedures.