Deyan
Contributor I

Account lockout, NIST/ISO/HIPAA etc.

Hello Security folks,

Wanted to get your opinion about the account lockout control. I am especially interested in some exact threshold numbers, if available in any of the security-related frameworks out there. I checked a few, but neither NIST, nor PCI, nor HIPAA, nor ISO have a recommendation of, for example, 3/5/10. I know it's up to the company and a lot of things need to be considered; however, do you know if there's a framework where that is given a value?

5 Replies
Cousy14
Newcomer II

Deyan,

The control should be based on organizational policy (and risk). There are some best practice documents that include recommended values; however, these are just recommendations. If your organization does not have a policy (or regulatory requirement) that defines a value, perform a risk assessment over the control and let management make the decision.

Two best practices you can review are the Center for Internet Security Benchmarks and the DISA Security Technical Implementation Guides. For example, CIS recommends a lockout threshold of 10 or less for Windows Server 2012 R2 (this is just an example; you should review the applicable benchmark).

Here are the links:

https://www.cisecurity.org/

https://iase.disa.mil/stigs/Pages/index.aspx

I hope this helps point you in the right direction for some research.

Lucio
Viewer II

Hi Deyan,

The PCI DSS standard has two requirements about account lockout policy:

Req 8.1.6 - "Limit repeated access attempts by locking out the user ID after not more than six attempts."

Req 8.1.7 - "Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID."

I hope this is helpful for you.

Best regards,
Luciano
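As an added example that is not part of this thread or of any of the cited frameworks, the following Python code shows what the values quoted above (PCI DSS 8.1.6: lock after not more than six attempts; 8.1.7: locked for at least 30 minutes or until an administrator unlocks; and the CIS Windows Server 2012 R2 example of 10 or less mentioned in the earlier reply) mean in practice. It has two parts: a `check_policy` function that reports where a configured lockout policy misses those values, and a small `LockoutTracker` state machine that applies such a policy to a stream of login failures. The `reset_window` field (the counter-reset period that Windows also exposes), the class and function names, and the sample users and timestamps are all constructed for this example.

```python
"""Account lockout: compliance check against the thread's quoted values, plus a
lockout state machine that applies a policy to login failures. Example code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Values quoted in the thread (PCI DSS Req 8.1.6 / 8.1.7, CIS WS2012R2 example).
PCI_MAX_THRESHOLD = 6
PCI_MIN_DURATION = timedelta(minutes=30)
CIS_EXAMPLE_MAX_THRESHOLD = 10


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int                 # failures that trigger a lock; 0 = never lock
    duration: Optional[timedelta]  # None = locked until an administrator unlocks
    reset_window: timedelta        # failure counter resets after this much quiet time (assumed field)


def check_policy(p: LockoutPolicy) -> List[str]:
    """Return a list of findings; an empty list means the policy meets every quoted value."""
    findings: List[str] = []
    if p.threshold <= 0:
        findings.append("lockout disabled (threshold 0): fails PCI DSS 8.1.6 and the CIS example")
        return findings
    if p.threshold > PCI_MAX_THRESHOLD:
        findings.append(f"threshold {p.threshold} > {PCI_MAX_THRESHOLD}: fails PCI DSS 8.1.6")
    if p.threshold > CIS_EXAMPLE_MAX_THRESHOLD:
        findings.append(f"threshold {p.threshold} > {CIS_EXAMPLE_MAX_THRESHOLD}: fails CIS example")
    # A duration of None means "until an administrator enables the user ID", which 8.1.7 allows.
    if p.duration is not None and p.duration < PCI_MIN_DURATION:
        findings.append(f"duration {p.duration} < {PCI_MIN_DURATION}: fails PCI DSS 8.1.7")
    return findings


class LockoutTracker:
    """Per-user failure counting that enforces a LockoutPolicy. Time is passed in explicitly
    so the behaviour is deterministic and testable."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._failures: Dict[str, List[datetime]] = {}
        self._locked_until: Dict[str, Optional[datetime]] = {}  # None = until admin unlock

    def is_locked(self, user: str, now: datetime) -> bool:
        if user not in self._locked_until:
            return False
        until = self._locked_until[user]
        if until is None or now < until:
            return True
        # The lock has expired: clear it together with the failure counter.
        del self._locked_until[user]
        self._failures.pop(user, None)
        return False

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a failed attempt; return True if the user is locked afterwards."""
        if self.is_locked(user, now):
            return True
        # Keep only failures inside the reset window, then add this one.
        recent = [t for t in self._failures.get(user, []) if now - t < self.policy.reset_window]
        recent.append(now)
        self._failures[user] = recent
        if self.policy.threshold > 0 and len(recent) >= self.policy.threshold:
            self._locked_until[user] = (
                None if self.policy.duration is None else now + self.policy.duration
            )
            return True
        return False

    def record_success(self, user: str, now: datetime) -> bool:
        """A correct password: accepted only if the user is not locked; resets the counter."""
        if self.is_locked(user, now):
            return False
        self._failures.pop(user, None)
        return True

    def admin_unlock(self, user: str) -> None:
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


if __name__ == "__main__":
    policy = LockoutPolicy(6, timedelta(minutes=30), timedelta(minutes=30))
    print("findings:", check_policy(policy) or "none")
    t0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp
    tracker = LockoutTracker(policy)
    for i in range(6):
        print(f"failure {i + 1}: locked={tracker.record_failure('alice', t0 + timedelta(seconds=i))}")
    print("unlocked after 31 min:", not tracker.is_locked("alice", t0 + timedelta(minutes=31)))
```

The one design point worth noting is that `check_policy` treats `duration=None` as compliant with 8.1.7, because the requirement explicitly allows "until an administrator enables the user ID"; the tracker mirrors that by never expiring such a lock on its own. The helpdesk trade-off raised later in the thread shows up in the `threshold` and `reset_window` values: a lower threshold or a longer window locks users out sooner.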
CISOScott
Community Champion

You really should look at what works best for your agency. A framework is just that: a frame that you make work for your needs. The higher your need for security, the stricter your controls are going to be. If you have a user base that is constantly forgetting passwords and you set it too strict (i.e. 3 fails before lockout instead of 5), your helpdesk is going to be overwhelmed OR they will just write them down, which defeats your security measures.

Deyan
Contributor I

Agree with all of you; I just needed to know if there are any exact values in the public papers somewhere. Thank you all for your comments.

Flyslinger2
Community Champion

I'm on my 3rd Federal agency in 6 years assisting with IAM. They all vary.

I think the wind is more predictable than most of the CISOs in the government.