3.1.8 has a weight of -1 points

(Access Control Family) 8/22

Limit unsuccessful logon attempts.



Example of System Security Plan (SSP):

1. The organization established logon attempt thresholds, determining the maximum number of unsuccessful logon attempts allowed before initiating lockout measures.
2. Appropriate thresholds were defined based on the sensitivity of the system and the organization’s risk tolerance.
3. Automatic lockout mechanisms were implemented by configuring systems to temporarily lock out user accounts after exceeding the specified logon attempt threshold.
4. Operating system settings were configured to reflect the defined logon attempt thresholds and automatic lockout mechanisms.
5. Mechanisms within applications were implemented to handle unsuccessful logon attempts and initiate appropriate lockout actions.
6. Monitoring and logging capabilities were implemented to capture and analyze logon attempts, particularly unsuccessful ones.
7. Policies and procedures regarding logon attempt threshold limits, lockout mechanisms, delay algorithms, and associated policies were documented.
8. These policies and procedures were effectively communicated to system administrators and users to ensure understanding and compliance.

Example of Plan of Action and Milestones (POA&M):

Milestone 1: Logon Attempt Thresholds and Lockout Measures

Task 1: Establish logon attempt thresholds, determining the maximum number of unsuccessful logon attempts allowed before initiating lockout measures.

Task 2: Define appropriate thresholds based on the sensitivity of the system and the organization’s risk tolerance.

Task 3: Implement automatic lockout mechanisms by configuring systems to temporarily lock out user accounts after exceeding the specified logon attempt threshold.

Task 4: Configure operating system settings to reflect the defined logon attempt thresholds and automatic lockout mechanisms.

Completion date: November 30, 2023.


Milestone 2: Lockout Mechanisms within Applications

Task 1: Implement mechanisms within applications to handle unsuccessful logon attempts and initiate appropriate lockout actions.

Task 2: Configure applications to track and respond to logon attempts, applying the defined logon attempt thresholds and lockout measures.

Task 3: Test and verify the functionality of the lockout mechanisms within applications.

Completion date: December 15, 2023.


Milestone 3: Monitoring and Logging of Logon Attempts

Task 1: Implement monitoring and logging capabilities to capture and analyze logon attempts, particularly unsuccessful ones.

Task 2: Configure systems and applications to generate log entries for logon attempts and store them in a centralized log management system.

Task 3: Establish log review procedures to regularly analyze logon attempt logs for security monitoring and identification of potential attacks.

Completion date: January 31, 2024.


Milestone 4: Documentation of Policies and Procedures

Task 1: Document policies and procedures regarding logon attempt threshold limits, lockout mechanisms, delay algorithms, and associated policies.

Task 2: Include details such as lockout duration, lockout release procedures, and account recovery processes.

Task 3: Ensure the policies and procedures align with industry best practices and regulatory requirements.

Completion date: February 28, 2024.


Milestone 5: Communication and Training

Task 1: Effectively communicate the logon attempt threshold policies and lockout mechanisms to system administrators and users.

Task 2: Provide training and awareness programs to ensure understanding and compliance with the logon attempt policies and associated procedures.

Task 3: Regularly reinforce the importance of adhering to logon attempt thresholds and lockout measures.

Completion date: March 31, 2024.
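Milestone 3 calls for a log review procedure that compares unsuccessful logon attempts against the defined threshold. The following is an added example (not part of this page or any organization's SSP) of such a review: it parses a handful of constructed auth-log lines modelled on OpenSSH sshd messages, counts consecutive failures per account inside a time window, and also reports any source address that failed against several different accounts, which goes slightly beyond the page's text. The threshold, window and log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on OpenSSH sshd auth.log messages (not real data).
SAMPLE_LOG = """\
Jan 10 09:00:01 host1 sshd[2001]: Failed password for alice from 203.0.113.5 port 50001 ssh2
Jan 10 09:00:05 host1 sshd[2002]: Failed password for alice from 203.0.113.5 port 50002 ssh2
Jan 10 09:00:09 host1 sshd[2003]: Failed password for alice from 203.0.113.5 port 50003 ssh2
Jan 10 09:00:20 host1 sshd[2004]: Accepted password for alice from 198.51.100.7 port 50010 ssh2
Jan 10 09:01:00 host1 sshd[2005]: Failed password for invalid user admin from 203.0.113.9 port 50020 ssh2
Jan 10 09:01:02 host1 sshd[2006]: Failed password for bob from 203.0.113.9 port 50021 ssh2
Jan 10 09:01:04 host1 sshd[2007]: Failed password for carol from 203.0.113.9 port 50022 ssh2
Jan 10 09:30:00 host1 sshd[2008]: Failed password for bob from 192.0.2.4 port 50030 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(log: str):
    """Yield (timestamp, failed?, user, source) for each recognised line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog omits the year; assume one so timestamps can be compared.
            ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["result"] == "Failed", m["user"], m["src"]

def review(log: str, threshold: int = 3, window_s: int = 300):
    """Return (accounts whose failures in a window reached the threshold,
    sources that failed against three or more distinct accounts)."""
    recent = defaultdict(list)   # user -> failure timestamps since last success
    over_threshold = {}          # user -> highest failure count seen in a window
    users_by_src = defaultdict(set)
    for ts, failed, user, src in parse(log):
        if not failed:
            recent[user].clear()  # a successful logon ends the failure streak
            continue
        users_by_src[src].add(user)
        window = [t for t in recent[user] if (ts - t).total_seconds() <= window_s] + [ts]
        recent[user] = window
        if len(window) >= threshold:
            over_threshold[user] = max(over_threshold.get(user, 0), len(window))
    multi_account_sources = {s: sorted(u) for s, u in users_by_src.items() if len(u) >= 3}
    return over_threshold, multi_account_sources
```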

RELEVANT INFORMATION:

This requirement applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., a delay algorithm). If a delay algorithm is selected, organizations may employ different algorithms for different system components based on the capabilities of the respective components. Responses to unsuccessful logon attempts may be implemented at the operating system and application levels.
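The lockout behaviour described in Milestones 1 and 2 and in the paragraph above (a threshold, a temporary lockout that auto-releases, and a delay algorithm, applied to local and network logons alike) is shown here as an added Python example; it is not code from this page or from any vendor's product. `LogonGuard`, its policy values and the doubling delay are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int = 5        # unsuccessful attempts allowed before lockout
    base_delay: float = 60.0  # seconds the first lockout lasts
    max_delay: float = 900.0  # cap keeps lockouts temporary (limits the denial-of-service risk)

@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since the last success or lockout
    lockouts: int = 0        # consecutive lockouts; drives the delay algorithm
    locked_until: float = 0.0

class LogonGuard:
    """Hypothetical application-level enforcement of 3.1.8 (not from the page)."""
    def __init__(self, policy: LockoutPolicy, clock=time.time):
        self.policy, self.clock = policy, clock   # clock injected so tests are deterministic
        self.accounts: dict[str, AccountState] = {}
        self.audit: list[str] = []                # log lines for the monitoring milestone

    def seconds_until_release(self, user: str) -> float:
        s = self.accounts.setdefault(user, AccountState())
        return max(0.0, s.locked_until - self.clock())

    def attempt(self, user: str, credential_ok: bool, source: str) -> str:
        """Return 'locked', 'denied' or 'allowed'. The source (local/network) is
        only recorded: the same threshold applies to both kinds of logon."""
        s = self.accounts.setdefault(user, AccountState())
        now = self.clock()
        if now < s.locked_until:                  # lockout not yet auto-released
            self.audit.append(f"{now:.0f} LOCKED user={user} src={source}")
            return "locked"
        if credential_ok:
            s.failures = s.lockouts = 0           # a good logon clears the history
            self.audit.append(f"{now:.0f} SUCCESS user={user} src={source}")
            return "allowed"
        s.failures += 1
        self.audit.append(f"{now:.0f} FAILURE user={user} src={source} n={s.failures}")
        if s.failures < self.policy.threshold:
            return "denied"
        # Delay algorithm: each consecutive lockout doubles the release delay, up to max_delay.
        delay = min(self.policy.base_delay * 2 ** s.lockouts, self.policy.max_delay)
        s.locked_until, s.lockouts, s.failures = now + delay, s.lockouts + 1, 0
        self.audit.append(f"{now:.0f} LOCKOUT user={user} src={source} release_in={delay:.0f}s")
        return "locked"
```

Note that a correct credential presented during the lockout is still refused, and that the lockout state is per account, so one account's lockout never affects another.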

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.