AC-7 Unsuccessful Login Attempts
Control: Enforce a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period] time period.
Illustrative Controls and TIBCO LogLogic Solution
Cost-effective technical and procedural measures are deployed and kept current to establish user identification, implement authentication and enforce access rights. All logins to network devices, operating systems or platforms, databases and applications must be reviewed to ensure that only authorized and appropriate personnel have access. Monitor and verify all user access to programs and data. Review access to ensure that duties are segregated and that all access privileges are properly assigned and approved.
To satisfy this control objective, administrators must assess the authentication mechanisms used to validate user credentials (new and existing) for healthcare reporting systems to support the validity of transactions. Server and application activity must be monitored for locked-out and enabled accounts, since these events can indicate malicious activity.
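The AC-7 threshold (N consecutive invalid attempts within time period T) can be checked directly against authentication logs. The following is an added example, not TIBCO LogLogic code or part of the original page: it assumes sshd-style syslog lines with ISO timestamps, uses a limit of 5 attempts in 15 minutes as stand-ins for the two Assignment values, and runs over a constructed sample log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd-style syslog lines; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log (not from the page): alice bursts 5 failures in 32 s,
# bob fails once, succeeds, then fails once; carol fails twice 25 minutes apart.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 sshd[1201]: Failed password for alice from 10.0.0.5 port 51122 ssh2
2024-03-01T09:00:09 host1 sshd[1201]: Failed password for alice from 10.0.0.5 port 51123 ssh2
2024-03-01T09:00:17 host1 sshd[1201]: Failed password for alice from 10.0.0.5 port 51124 ssh2
2024-03-01T09:00:25 host1 sshd[1201]: Failed password for alice from 10.0.0.5 port 51125 ssh2
2024-03-01T09:00:33 host1 sshd[1201]: Failed password for alice from 10.0.0.5 port 51126 ssh2
2024-03-01T09:01:00 host1 sshd[1300]: Failed password for bob from 10.0.0.9 port 40001 ssh2
2024-03-01T09:01:30 host1 sshd[1300]: Accepted password for bob from 10.0.0.9 port 40002 ssh2
2024-03-01T09:02:00 host1 sshd[1300]: Failed password for bob from 10.0.0.9 port 40003 ssh2
2024-03-01T09:40:00 host1 sshd[1400]: Failed password for carol from 10.0.0.7 port 40010 ssh2
2024-03-01T10:05:00 host1 sshd[1400]: Failed password for carol from 10.0.0.7 port 40011 ssh2
"""

def find_lockout_candidates(log_text, limit=5, window_minutes=15):
    """Map each account that reaches `limit` consecutive failed logins within
    `window_minutes` to the ISO timestamp of the attempt that crossed the line.
    `limit` and `window_minutes` stand in for the two AC-7 Assignment values.
    A successful login resets the streak; failures older than the window
    (relative to the current attempt) are dropped, so slow, spread-out
    failures never accumulate into a false lockout."""
    window = timedelta(minutes=window_minutes)
    streaks = defaultdict(list)   # user -> timestamps of the current failure streak
    triggered = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # unrelated line; a real pipeline would count these
        ts = datetime.fromisoformat(m.group("ts"))
        user = m.group("user")
        if m.group("result") == "Accepted":
            streaks[user].clear()
            continue
        streaks[user] = [t for t in streaks[user] if ts - t <= window] + [ts]
        if len(streaks[user]) >= limit and user not in triggered:
            triggered[user] = ts.isoformat()
    return triggered

if __name__ == "__main__":
    for user, when in find_lockout_candidates(SAMPLE_LOG).items():
        print(f"{user}: limit reached at {when}; review the account and the lockout record")
```

Accounts the function reports are the ones whose lockout (or lack of one) should be confirmed against the server's own lockout events during the review the text describes.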