
IAM-18 Account Lockout: Cardholder Data Environments

>Control Description

Users are locked out of information systems after 6 invalid attempts for a minimum of 30 minutes, or until an administrator enables the user ID.

Theme: Technology

Type: Preventive

Policy/Standard: Access Management Procedure

>Implementation Guidance

1. Ensure that user lockout parameters are defined and implemented so that users are locked out after 6 invalid attempts for a minimum of 30 minutes.

>Testing Procedure

1. Inspect the Organization's Authentication Standard to determine whether it contains requirements for account lockout after failed login attempts.

2. Inspect the logical access system settings to determine that the account lockout policy is configured in line with the Organization's password requirements, locking a user's account after 6 failed attempts for a minimum of 30 minutes or until it is reset by a System Administrator.
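The following is an added example, not part of the control text, showing how step 2 can be automated on a Linux system that enforces lockout with pam_faillock: it parses the body of `/etc/security/faillock.conf` and evaluates the `deny` and `unlock_time` settings against the 6-attempt / 30-minute thresholds, treating `unlock_time=0` or `never` as the "until reset by an administrator" branch. The sample configurations are constructed for illustration.

```python
# Added example: check a pam_faillock configuration against control IAM-18.
# Assumes lockout is enforced by pam_faillock; sample configs are constructed.
MAX_ATTEMPTS = 6                 # locked out after 6 invalid attempts
MIN_LOCKOUT_SECONDS = 30 * 60    # for a minimum of 30 minutes

# Defaults documented in pam_faillock(8), applied when a key is absent
DEFAULT_DENY = "3"
DEFAULT_UNLOCK_TIME = "600"      # 10 minutes, shorter than the control requires


def parse_faillock_conf(text):
    """Parse 'key = value' lines into a dict.

    '#' comments and blank lines are skipped; flag-style keys such as
    'audit' or 'silent' map to an empty string."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        settings[key.strip()] = value.strip() if sep else ""
    return settings


def evaluate_lockout(settings):
    """Return (compliant, findings) for IAM-18.

    unlock_time=0 or 'never' keeps the account locked until an administrator
    runs 'faillock --reset', which satisfies the control's second branch."""
    findings = []
    deny = settings.get("deny", DEFAULT_DENY)
    if not deny.isdigit() or int(deny) > MAX_ATTEMPTS:
        findings.append(f"deny={deny!r}: must lock within {MAX_ATTEMPTS} invalid attempts")
    unlock = settings.get("unlock_time", DEFAULT_UNLOCK_TIME)
    if unlock not in ("0", "never"):
        if not unlock.isdigit() or int(unlock) < MIN_LOCKOUT_SECONDS:
            findings.append(f"unlock_time={unlock!r}: lockout shorter than 30 minutes")
    return (not findings, findings)


def check_faillock_conf(text):
    """Parse and evaluate a faillock.conf body in one step."""
    return evaluate_lockout(parse_faillock_conf(text))


# Constructed sample configurations (not from any real host)
COMPLIANT = "deny = 6\nunlock_time = 1800\nfail_interval = 900\n"
ADMIN_RESET = "deny=5\nunlock_time=never\n"
WEAK = "# too lenient\ndeny = 10\nunlock_time = 600\n"
DEFAULTS_ONLY = "audit\nsilent\n"   # falls back to deny=3, unlock_time=600
```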

>Audit Artifacts

E-IAM-16
E-IAM-26

>Framework Mappings

Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.
