AUTH-13 Automatic Account Lockout


What is AUTH-13 Automatic Account Lockout Control?

The automatic account lockout control addresses how to further prevent unauthorized access to critical systems. System administrators must consider enabling the following features:

  • Automatic logoff of online sessions after a predetermined idle time helps prevent an intruder from taking over an unattended session.
  • Automatic account lockout sets a limit on failed sign-in attempts, which helps prevent unauthorized access by password guessing.

Both are mandatory requirements for customers preparing for HIPAA compliance. For all other customers, they are a best practice rather than a requirement.

Available tools in the marketplace

Tools
No tool recommendation is made for this section.

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started.

Control implementation

To implement this control:

  1. Document the procedures for terminating an electronic session. Ensure they include the following components:

    1. Requirements for a password-protected screensaver
    2. The timeout and logout requirements (the HIPAA requirement is 5 minutes)
    3. The event to trigger an account lockout (lockout configuration settings for maximum failed attempts)
  2. Enforce the procedures documented on all critical systems.

What evidence do auditors look for?

At a minimum, most auditors look for the following evidence:

  1. Provide a session timeout policy.
  2. Provide a screenshot of the screensaver configuration that shows a timeout.
  3. Provide a screenshot of the password configuration that shows the maximum number of failed attempts allowed.

Evidence example

For each suggested action above, an example is provided below.

  1. Provide a session timeout policy.
    This section of your workforce or asset management policy defines the maximum idle time and session duration.
    HIPAA requirements dictate that 30 minutes of inactivity may be appropriate for individuals whose roles do not involve ePHI access, creation, or maintenance; a lesser period of inactivity (e.g., 10 minutes) may be appropriate for data stewards, data custodians, and others who regularly come into contact with ePHI.
    [Screenshot: AUTH 13 Automatic Account Lockout 01]
  2. Provide a screenshot of the screensaver configuration that shows a timeout.
    The following screenshot shows the session duration.
    [Screenshot: Google search, AUTH 13 Automatic Account Lockout 02]
  3. Provide a screenshot of the password configuration that shows the maximum number of failed attempts allowed.
    The following screenshot shows that on AWS, this can be set up through your “Identity Provider”.
    [Screenshot: AUTH 13 Automatic Account Lockout 03]
