Originally Posted by tafische
Too short and you run the risk of making users angry.
one thing i think its very important for an administrator to learn is that you need to enforce security policies as you see fit - not what will make your users comfortable. granted, i do think 5 mins would be an overkill, but anything in the 30-60 minute range would be more than sufficient.
set expectations early on and don't let your guard down. if someone wants to question the security of confidential information, then they best never think about working for a large public corporation that complies within federal regulations.