Repeated account lockouts are investigated before reauthorising access.
Topic
Account lockouts
Applicable to
all
History
Priority
should
Mar 2022
Removed
The existing recommendation to monitoring account logons and logoffs (ISM-0584) was merged with recommendations regarding operating system event logging (ISM-0582). Furthermore, a new recommendation to monitor account lockouts (i.e. event ID 4740) was introduced. Finally, the existing recommendation to investigate account lockouts (ISM-0431) was rescinded as it is now more accurately covered by ISM-1747 relating to monitoring and responding to unusual operating system event logs – in this case instances of suspicious account lockouts.
2015
Agencies should ensure that repeated account lockouts are investigated before reauthorisingaccess.
2010
Agencies should ensure that repeated account lockouts are investigated before reauthorising access.