Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Deyan
Contributor I
‎08-27-2018 09:49 AM
‎08-27-2018 09:49 AM

Account lockout, NIST/ISO/HIPAA etc.

Hello Security folks,

 

Wanted to get your opinion about the account lockout control. Especially I am interested in some exact threshold numbers if available in any of the security related frameworks out there. I checked a few but neither NIST, nor PCI, nor HIPAA or the ISO have e recommendation of for example 3/5/10. I know it's up to the company and a lot of things to be considered however - do you know if there's framework where that is given a value?

Reply
0 Kudos
5 Replies
Cousy14
Newcomer II
‎08-27-2018 02:21 PM
‎08-27-2018 02:21 PM

Deyan,

 

The control should be based on organizational policy (and risk). There are some best practice documents that include recommended values, however; these are just recommendations. If your organization does not have a policy (or regulatory requirement) that defines a value, perform a risk assessment over the control and let management make the decision.

 

Two best practices you can review are the Center For Internet Security Benchmarks and the DISA Security Technical Implementation Guides. For example, CIS recommends a lockout threshold of 10 or less for Windows Server 2012 R2 (this is just an example, you should review the applicable benchmark).

 

Here are the links:

https://www.cisecurity.org/

 

https://iase.disa.mil/stigs/Pages/index.aspx

 

I hope this helps point you in the right direction for some research.

Reply
Lucio
Viewer II
‎08-28-2018 03:52 AM
‎08-28-2018 03:52 AM

Hi Deyan,
the PCI DSS standard has two requirements about account lockout policy:
Req 8.1.6 - "Limit repeated access attempts by locking out the user ID after not more than six attempts."
Req 8.1.7 - "Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID."
I hope this is helpful for you.

Best regards,
Luciano
Reply
0 Kudos
CISOScott
Community Champion
‎08-28-2018 06:56 AM
‎08-28-2018 06:56 AM

You really should look at what works best for your agency. A framework is just that a frame that you make work for your needs. The higher your need for security the stricter your controls are going to be. If you have a user base that is constantly forgetting passwords and you set it too strict (i.e 3 fails before lockout instead of 5), your helpdesk is going to be overwhelmed OR they will just write them down, which defeats your security measures.

Reply
0 Kudos
Deyan
Contributor I
‎08-28-2018 07:36 AM
‎08-28-2018 07:36 AM

Agree with all of you - just needed to know if there are any exact values in the public papers somewhere. THank you all for your comments.

Reply
0 Kudos
Flyslinger2
Community Champion
‎08-28-2018 07:40 AM
‎08-28-2018 07:40 AM

I'm on my 3RD Federal agency in 6 years assisting with IAM.  They all very. 

 

I think the wind is more predictable then most of the CISO's in the government.

Reply
0 Kudos