Title: The application must ensure the screen display is obfuscated when an application session lock event occurs.
Vulnerability ID: V-32158
IA Controls: None
Description: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity can be determined. This is typically at the operating system-level, but may be at the application-level.
When the application design specifies the application rather than the operating system will determine when to lock the session, the application session lock event must include an obfuscation of the display screen to prevent other users from reading what was previously displayed.
An example of obfuscation is a screensaver creating a viewable pattern that overwrites the entire screen rendering the screen contents unreadable.
Databases do not typically perform session locking activities. This requirement is NA for databases.
Check Text: This check is NA for databases.
Fix Text: This fix is NA for databases.[divider]