topic Re: Account lockout, NIST/ISO/HIPAA etc. in Industry News

Account lockout, NIST/ISO/HIPAA etc.

Deyan — Mon, 27 Aug 2018 13:49:24 GMT

Hello Security folks,

Wanted to get your opinion about the account lockout control. Especially I am interested in some exact threshold numbers if available in any of the security related frameworks out there. I checked a few but neither NIST, nor PCI, nor HIPAA or the ISO have e recommendation of for example 3/5/10. I know it's up to the company and a lot of things to be considered however - do you know if there's framework where that is given a value?

Re: Account lockout, NIST/ISO/HIPAA etc.

Cousy14 — Mon, 27 Aug 2018 18:21:57 GMT

Deyan,

The control should be based on organizational policy (and risk). There are some best practice documents that include recommended values, however; these are just recommendations. If your organization does not have a policy (or regulatory requirement) that defines a value, perform a risk assessment over the control and let management make the decision.

Two best practices you can review are the Center For Internet Security Benchmarks and the DISA Security Technical Implementation Guides. For example, CIS recommends a lockout threshold of 10 or less for Windows Server 2012 R2 (this is just an example, you should review the applicable benchmark).

Here are the links:

https://www.cisecurity.org/

https://iase.disa.mil/stigs/Pages/index.aspx

I hope this helps point you in the right direction for some research.

Re: Account lockout, NIST/ISO/HIPAA etc.

Lucio — Tue, 28 Aug 2018 07:52:34 GMT

Hi Deyan,
the PCI DSS standard has two requirements about account lockout policy:
Req 8.1.6 - "Limit repeated access attempts by locking out the user ID after not more than six attempts."
Req 8.1.7 - "Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID."
I hope this is helpful for you.

Best regards,
Luciano

Re: Account lockout, NIST/ISO/HIPAA etc.

CISOScott — Tue, 28 Aug 2018 10:56:42 GMT

You really should look at what works best for your agency. A framework is just that a frame that you make work for your needs. The higher your need for security the stricter your controls are going to be. If you have a user base that is constantly forgetting passwords and you set it too strict (i.e 3 fails before lockout instead of 5), your helpdesk is going to be overwhelmed OR they will just write them down, which defeats your security measures.

Re: Account lockout, NIST/ISO/HIPAA etc.

Deyan — Tue, 28 Aug 2018 11:36:17 GMT

Agree with all of you - just needed to know if there are any exact values in the public papers somewhere. THank you all for your comments.

Re: Account lockout, NIST/ISO/HIPAA etc.

Flyslinger2 — Tue, 28 Aug 2018 11:40:02 GMT

I'm on my 3RD Federal agency in 6 years assisting with IAM. They all very.

I think the wind is more predictable then most of the CISO's in the government.