As far as I know there is no regulation behind the amount of time that a session needs to last. This will depend on the requirement that was set out in your design documents. There should be a corresponding test in your testing documentation to verify the session time is working correctly.
For the password failure limit, the norm seems to be 3 attempts for an application and usually 5 for network login; again, this depends on the policy your company sets out.
For password no-reuse I’m not sure exactly what this means; please clarify.
Password expiry is usually between 60 and 90 days; again, this depends on your policy.
It's usually set at 15 minutes where there is no activity.
Q2: What is the exact limit for password no-reuse?
I have it set as you cannot re-use the same password for 10 times, but you can set it at anything you want.
Q3: What is the exact limit for the password failure limit?
It's usually set as failed after 3 attempts.
Q4: What is the limit for password expiry?
60-90 days, longer depending on your access level. Say it was a simple piece of software and you only had the options to press start or stop then you could have a limit of 120 days or even longer.
Just a follow-up note from Graham’s and Ruth’s posts…
One of the things that’s continually hammered home regarding Part 11 is that decisions should be risk based. Ruth’s post alluded to it with the mention of security levels.
I believe (and please correct me if I’m wrong) that the numbers cited by both Graham and Ruth are generally considered de-facto standards and are not driven by either regulation or published standard. It is conceivable (to me, at least) that a risk analysis for a particular system could conclude that users would never have to change their password!
You are responsible for demonstrating that you have sufficient controls for your system and sufficiency is determined by your risk analysis. If you arbitrarily choose password controls without any backing from a risk analysis, an auditor would be able to pick your system apart if they were so inclined. Now, given the current state of Part 11 enforcement, that may not be so likely if you choose to use the de-facto standards cited above (they are sound policies) without any supporting rationale. Just be careful and don’t be caught unaware.
For password no-reuse I’m not sure exactly what this means; please clarify.
This means that the user should not use recently used passwords for up to however many days.
This will be in days only, after 5 or 10 or 15 days. If we give it 3 days, then the user cannot change the password to a re-used password within the 3 days. After 3 days it will allow the same password to be used.
I think you can understand now about password no-reuse.
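The thread settles on four controls (idle timeout, failed-attempt lockout, no-reuse, expiry) but describes no-reuse two different ways: Graham's count-based rule (the last 10 passwords are blocked) and the last poster's time-based rule (a password used within the last N days is blocked). The following is an added example, written for this thread and not code posted by any participant; it enforces all four controls in one small account model so the two no-reuse readings can be tested side by side. The policy values are assumptions taken from the thread (15 minutes, 3 attempts, 10 passwords, 90 days, 3 days), and the account, dates and passwords in `run_demo` are constructed.

```python
"""Policy checks for session idle timeout, lockout, password history and expiry."""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Policy:
    # Assumed values, taken from the thread; a real system would set these
    # from its own risk analysis rather than from these defaults.
    idle_timeout: timedelta = timedelta(minutes=15)    # session inactivity limit
    max_failed_attempts: int = 3                       # lockout threshold
    history_size: int = 10                             # count-based no-reuse
    expiry: timedelta = timedelta(days=90)             # forced change interval
    min_reuse_interval: timedelta = timedelta(days=3)  # time-based no-reuse


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class Account:
    policy: Policy = field(default_factory=Policy)
    history: list = field(default_factory=list)  # (salt, digest, set_at), newest last
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None

    def _matches(self, password: str, entry) -> bool:
        salt, digest, _ = entry
        return secrets.compare_digest(_hash(password, salt), digest)

    def set_password(self, new_password: str, now: datetime) -> str:
        """Apply both no-reuse rules; return 'ok' or the rejection reason."""
        n = self.policy.history_size
        for entry in (self.history[-n:] if n else []):          # count-based rule
            if self._matches(new_password, entry):
                return f"reuse of one of the last {n} passwords"
        for entry in self.history:                              # time-based rule
            if now - entry[2] < self.policy.min_reuse_interval and self._matches(new_password, entry):
                return f"reuse within {self.policy.min_reuse_interval.days} days"
        salt = secrets.token_bytes(16)
        self.history.append((salt, _hash(new_password, salt), now))
        return "ok"

    def password_expired(self, now: datetime) -> bool:
        if not self.history:
            return True  # no password set yet: force one
        return now - self.history[-1][2] >= self.policy.expiry

    def verify_login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'locked' or 'bad password'; lock on the Nth failure."""
        if self.locked:
            return "locked"
        if self.history and self._matches(password, self.history[-1]):
            self.failed_attempts = 0
            self.last_activity = now
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_failed_attempts:
            self.locked = True
            return "locked"
        return "bad password"

    def touch_session(self, now: datetime) -> bool:
        """Refresh the session, or end it (False) if idle past the timeout."""
        if self.last_activity is None or now - self.last_activity > self.policy.idle_timeout:
            self.last_activity = None
            return False
        self.last_activity = now
        return True


def run_demo() -> dict:
    """Constructed walk-through; history_size=1 lets the time rule show itself."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account(Policy(history_size=1, min_reuse_interval=timedelta(days=3)))
    out = {}
    out["first"] = acct.set_password("Winter-2024!", t0)
    out["second"] = acct.set_password("Spring-2024!", t0 + timedelta(days=1))
    out["count_rule"] = acct.set_password("Spring-2024!", t0 + timedelta(days=2))
    out["time_rule"] = acct.set_password("Winter-2024!", t0 + timedelta(days=2))
    out["after_interval"] = acct.set_password("Winter-2024!", t0 + timedelta(days=5))
    t1 = t0 + timedelta(days=5, hours=1)
    out["wrong1"] = acct.verify_login("nope", t1)
    out["wrong2"] = acct.verify_login("nope", t1)
    out["wrong3"] = acct.verify_login("nope", t1)
    out["right_while_locked"] = acct.verify_login("Winter-2024!", t1)
    acct.locked, acct.failed_attempts = False, 0  # administrator unlock (constructed)
    out["login_ok"] = acct.verify_login("Winter-2024!", t1)
    out["active_at_10min"] = acct.touch_session(t1 + timedelta(minutes=10))
    out["active_at_30min"] = acct.touch_session(t1 + timedelta(minutes=30))
    out["expired_at_10d"] = acct.password_expired(t1 + timedelta(days=10))
    out["expired_at_100d"] = acct.password_expired(t1 + timedelta(days=100))
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Both no-reuse checks verify the candidate against every stored salted hash rather than comparing plaintext, so the history never has to hold old passwords in the clear; the time-based rule only adds protection when it is longer than what the count-based window already covers, which is why the demo shrinks the history to one entry.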