Hello Security folks,
Wanted to get your opinion about the account lockout control. Especially I am interested in some exact threshold numbers if available in any of the security related frameworks out there. I checked a few but neither NIST, nor PCI, nor HIPAA or the ISO have a recommendation of, for example, 3/5/10. I know it's up to the company and a lot of things to be considered however - do you know if there's a framework where that is given a value?
The control should be based on organizational policy (and risk). There are some best practice documents that include recommended values, however; these are just recommendations. If your organization does not have a policy (or regulatory requirement) that defines a value, perform a risk assessment over the control and let management make the decision.
Two best practices you can review are the Center For Internet Security Benchmarks and the DISA Security Technical Implementation Guides. For example, CIS recommends a lockout threshold of 10 or less for Windows Server 2012 R2 (this is just an example, you should review the applicable benchmark).
Here are the links:
I hope this helps point you in the right direction for some research.
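An added audit script for the kind of threshold the CIS benchmark above describes (example code, not from this thread or from CIS; it assumes the ActiveDirectory RSAT module is installed and takes the organization's chosen maximum as a parameter):

```powershell
# Added audit example, not from the thread. Assumes the ActiveDirectory RSAT
# module and read access to the domain. $MaxThreshold is whatever your own
# policy settles on; 10 is the default here only because CIS cites it for 2012 R2.
Import-Module ActiveDirectory

function Test-LockoutPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [string]$Name,
        [int]$MaxThreshold
    )
    # A threshold of 0 means lockout is disabled entirely, which is a
    # different finding from a threshold that is merely too permissive.
    $status = if ($Policy.LockoutThreshold -eq 0) { 'FAIL (lockout disabled)' }
              elseif ($Policy.LockoutThreshold -gt $MaxThreshold) { 'FAIL (too permissive)' }
              else { 'PASS' }
    [pscustomobject]@{
        Policy            = $Name
        Threshold         = $Policy.LockoutThreshold
        Duration          = $Policy.LockoutDuration
        ObservationWindow = $Policy.LockoutObservationWindow
        Status            = $status
    }
}

function Get-LockoutAudit {
    param([int]$MaxThreshold = 10)
    # The default domain policy covers everyone not matched by a fine-grained policy...
    $default = Get-ADDefaultDomainPasswordPolicy
    Test-LockoutPolicy -Policy $default -Name 'Default Domain Policy' -MaxThreshold $MaxThreshold
    # ...but fine-grained password policies override it for their members, so an
    # audit of the default alone can pass while a group is left with a weaker setting.
    foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
        Test-LockoutPolicy -Policy $fgpp -Name "FGPP: $($fgpp.Name)" -MaxThreshold $MaxThreshold
    }
}

Get-LockoutAudit | Format-Table -AutoSize
```

The duration and observation window columns are included because they, together with the threshold, determine the helpdesk load the thread discusses.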
You really should look at what works best for your agency. A framework is just that, a frame that you make work for your needs. The higher your need for security, the stricter your controls are going to be. If you have a user base that is constantly forgetting passwords and you set it too strict (i.e. 3 fails before lockout instead of 5), your helpdesk is going to be overwhelmed OR they will just write them down, which defeats your security measures.
I'm on my 3rd Federal agency in 6 years assisting with IAM. They all vary.
I think the wind is more predictable than most of the CISOs in the government.