
AUTH-13 Automatic account lockout


What is this control about?

To further prevent unauthorized access to critical systems, system administrators should consider enabling the following features:

  • Automatic logoff of online sessions after a predetermined idle time helps prevent an intruder from gaining access to an unattended session
  • Automatic account lockout sets a limit on failed sign-in attempts, which helps prevent unauthorized access by password guessing

These two are mandatory requirements for customers preparing for HIPAA compliance. For all other customers, they are a best practice rather than a requirement.

Available tools in the marketplace

Tools: No tool recommendations for this section.

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • Best practices from OWASP (Open Web Application Security Project)

Control implementation

Document a procedure for terminating an electronic session. Ensure it includes the following components:

  • requirements for a password-protected screensaver
  • the timeout and logout requirements (HIPAA requirement is 5 minutes)
  • the event that triggers an account lockout (lockout configuration settings for the maximum number of failed attempts)

Enforce the procedures documented on all critical systems.
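The two mechanisms this control asks you to document and enforce, idle-session termination and lockout after a maximum number of failed sign-in attempts, are small enough to show in working code. The block below is an added example written for this page, not TrustCloud's code or any identity provider's implementation. The thresholds (5 attempts, a 15-minute observation window, a 30-minute lockout, a 10-minute idle timeout), the `LockoutTracker` class and the sample sign-in log are all constructed assumptions chosen to illustrate the behaviour, including the two edge cases that matter in an audit: a correct password presented during the lockout window is still rejected, and stale failures outside the window do not count toward the lockout.

```python
"""Reference implementation of the two AUTH-13 mechanisms: automatic account
lockout after a maximum number of failed sign-in attempts, and automatic
logoff of an idle session.  Added example; not TrustCloud's code.  All
thresholds and the sample log below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_failed_attempts: int = 5                           # assumption: lock after 5 failures
    observation_window: timedelta = timedelta(minutes=15)  # failures older than this are forgotten
    lockout_duration: timedelta = timedelta(minutes=30)    # how long the account stays locked


@dataclass
class SessionPolicy:
    idle_timeout: timedelta = timedelta(minutes=10)  # matches the 10-minute ePHI example on the page


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # timestamps of recent failed attempts
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Tracks failed sign-ins per account and applies the lockout policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record(self, user: str, success: bool, now: datetime) -> str:
        """Apply one sign-in attempt; returns 'ok', 'failed' or 'locked'."""
        st = self._state(user)
        if self.is_locked(user, now):
            # While locked, every attempt is rejected, even with the right password,
            # and the counter is not touched (the lock itself is the response).
            return "locked"
        if success:
            st.failures.clear()
            st.locked_until = None
            return "ok"
        # Forget failures outside the observation window, then count this one.
        cutoff = now - self.policy.observation_window
        st.failures = [t for t in st.failures if t >= cutoff]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failed_attempts:
            st.locked_until = now + self.policy.lockout_duration
            st.failures.clear()
            return "locked"
        return "failed"


def session_expired(last_activity_iso: str, now_iso: str, policy: SessionPolicy) -> bool:
    """Automatic logoff check: True once the session has been idle for the full timeout."""
    last_activity = datetime.fromisoformat(last_activity_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_activity >= policy.idle_timeout


# Constructed sample sign-in log: "<ISO timestamp> <user> <FAIL|OK>" per line.
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice FAIL
2024-03-01T09:00:10 alice FAIL
2024-03-01T09:00:20 alice FAIL
2024-03-01T09:00:30 alice OK
2024-03-01T09:01:00 bob FAIL
2024-03-01T09:20:00 bob FAIL
2024-03-01T09:31:00 alice OK
"""


def replay(log_text: str, policy: LockoutPolicy) -> List[Tuple[str, str]]:
    """Replay a sign-in log through the tracker; returns (user, status) per line."""
    tracker = LockoutTracker(policy)
    results = []
    for line in log_text.splitlines():
        ts, user, outcome = line.split()
        results.append((user, tracker.record(user, outcome == "OK", datetime.fromisoformat(ts))))
    return results


if __name__ == "__main__":
    # A 3-attempt policy makes the sample log lock alice on her third failure.
    for user, status in replay(SAMPLE_LOG, LockoutPolicy(max_failed_attempts=3)):
        print(f"{user:6} {status}")
```

With a three-attempt policy, alice is locked on her third failure, her correct password at 09:00:30 is still rejected because the 30-minute lockout has not expired, bob's second failure nineteen minutes after his first counts as a fresh first failure because the earlier one fell outside the 15-minute window, and alice signs in normally at 09:31:00 once the lockout has lapsed. The per-account state (`failures`, `locked_until`) is exactly what a screenshot of the lockout configuration and the resulting lock events would evidence for an auditor.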

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the following suggested actions:

  • Provide a session timeout policy
  • Provide a screenshot of the screensaver configurations that shows timeout
  • Provide a screenshot of the password configurations that shows the maximum failed attempts allowed

Evidence example

For each suggested action above, an example is provided below.

1. Provide a session timeout policy.

This sentence is included in your workforce or asset management policy to define the maximum idle time and session duration.

HIPAA requirements dictate that 30 minutes of inactivity may be appropriate for individuals whose roles do not involve ePHI access, creation, or maintenance, while a shorter period of inactivity (e.g., 10 minutes) may be appropriate for data stewards, data custodians, and others who regularly come into contact with ePHI.

[Screenshot: AUTH 1213 screenshot1]

2. Provide a screenshot of the screensaver configuration that shows the timeout.

The example shows the configured session duration.

[Screenshot: AUTH 1213 screenshot2 (Google search)]

3. Provide a screenshot of the password configuration that shows the maximum number of failed attempts allowed.

On AWS, this can be set up through your Identity Provider.

[Screenshot: AUTH 1213 screenshot3]
