3.1.8—Access Control - Derived
Derived Requirement
>Control Description
Limit unsuccessful logon attempts.
>Discussion
This requirement applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., a delay algorithm). If a delay algorithm is selected, organizations may employ different algorithms for different system components based on the capabilities of the respective components.
Responses to unsuccessful logon attempts may be implemented at the operating system and application levels.
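The discussion above describes a temporary, automatically releasing lockout governed by a delay algorithm, and the evidence questions below ask what logs demonstrate those lockouts. The following Python is an added illustration written for this page, not NIST text or any vendor's implementation: it tracks unsuccessful logon attempts per account within a counting window, applies a temporary lockout whose duration grows with each successive lockout up to a ceiling (one possible delay algorithm), releases it automatically, and emits audit records that a summary function can count. All policy values (five attempts, a 15-minute window, a 60-second base lockout, a one-hour ceiling) and the account name, source address and audit line format are constructed assumptions.

```python
"""Temporary lockout with a growing delay, plus audit evidence (added example)."""
from dataclasses import dataclass, field

# Policy values are hypothetical; an organization defines its own in policy.
MAX_ATTEMPTS = 5          # unsuccessful attempts tolerated inside the window
WINDOW_SECONDS = 900      # window in which unsuccessful attempts are counted
BASE_LOCK_SECONDS = 60    # duration of the first temporary lockout
MAX_LOCK_SECONDS = 3600   # ceiling so that lockouts always release


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                     # lockout release time (epoch seconds)
    lockouts: int = 0                             # consecutive lockouts, drives the delay


class LogonLimiter:
    """Limits unsuccessful logon attempts per account and records audit events."""

    def __init__(self):
        self.state = {}
        self.audit = []  # audit records an assessor would ask to see

    def _acct(self, user):
        return self.state.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return self._acct(user).locked_until > now

    def seconds_until_release(self, user, now):
        return max(0.0, self._acct(user).locked_until - now)

    def record_failure(self, user, now, source):
        """Count one unsuccessful attempt; lock the account when the limit is reached."""
        acct = self._acct(user)
        if self.is_locked(user, now):
            self.audit.append(f"{now:.0f} REJECTED user={user} src={source} reason=locked")
            return False
        acct.failures = [t for t in acct.failures if now - t < WINDOW_SECONDS]
        acct.failures.append(now)
        self.audit.append(f"{now:.0f} LOGON_FAILED user={user} src={source} count={len(acct.failures)}")
        if len(acct.failures) >= MAX_ATTEMPTS:
            # Delay algorithm: double the temporary lockout on each repeat, capped at the ceiling.
            duration = min(BASE_LOCK_SECONDS * 2 ** acct.lockouts, MAX_LOCK_SECONDS)
            acct.locked_until = now + duration
            acct.lockouts += 1
            acct.failures.clear()
            self.audit.append(f"{now:.0f} LOCKOUT user={user} src={source} seconds={duration}")
        return False

    def record_success(self, user, now, source):
        """A valid credential is still refused while the lockout is in force."""
        if self.is_locked(user, now):
            self.audit.append(f"{now:.0f} REJECTED user={user} src={source} reason=locked")
            return False
        acct = self._acct(user)
        acct.failures.clear()
        acct.lockouts = 0  # successful logon resets the delay schedule
        self.audit.append(f"{now:.0f} LOGON_OK user={user} src={source}")
        return True


def lockout_summary(audit_lines):
    """Count LOCKOUT events per user from the audit records (evidence for an assessor)."""
    counts = {}
    for line in audit_lines:
        parts = line.split()
        if len(parts) > 2 and parts[1] == "LOCKOUT":
            fields = dict(p.split("=", 1) for p in parts[2:])
            counts[fields["user"]] = counts.get(fields["user"], 0) + 1
    return counts


def demo():
    """Walk one constructed account through two lockouts and a reset; returns observations."""
    lim = LogonLimiter()
    src = "10.0.0.5"  # constructed source address
    for i in range(MAX_ATTEMPTS):
        lim.record_failure("alice", 1000.0 + i, src)   # 5th failure at t=1004 locks for 60 s
    result = {
        "locked_after_limit": lim.is_locked("alice", 1005.0),
        "release_seconds": lim.seconds_until_release("alice", 1005.0),
        "valid_password_while_locked": lim.record_success("alice", 1010.0, src),
        "released_later": lim.is_locked("alice", 1065.0),
    }
    for i in range(MAX_ATTEMPTS):
        lim.record_failure("alice", 1100.0 + i, src)   # second lockout lasts 120 s
    result["second_release_seconds"] = lim.seconds_until_release("alice", 1104.0)
    result["login_after_release"] = lim.record_success("alice", 1230.0, src)
    result["lockouts_per_user"] = lockout_summary(lim.audit)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The growth factor and ceiling are the "delay algorithm" knobs the discussion refers to; components with different capabilities could be given different values or a fixed lockout period by adjusting those constants per component.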
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your password policy and how is it enforced?
- What unsuccessful logon attempt limits are defined in policy?
- Who approves password complexity and age requirements?
- How often is the password policy reviewed and updated?
- What process exists for password reset requests?
Technical Implementation:
- How do you enforce password complexity, length, and age requirements?
- What technical controls limit unsuccessful authentication attempts?
- How are accounts locked after failed login attempts?
- What systems enforce password history and prevent reuse?
- How do you implement multi-factor authentication?
Evidence & Documentation:
- Can you show password policy settings in Active Directory or IAM?
- What logs demonstrate account lockouts after failed attempts?
- Can you provide evidence of password complexity enforcement?
- What reports show password age and expiration compliance?
- What audit findings verify password policy adherence?