Access control functionality encompasses all access to the system and its data from both the application side and the user side. It covers access by users, administrators, and special accounts used to transfer data between systems. All accounts, whether user accounts or administrator accounts, should be checked against the following characteristics.
Do accounts have minimum complexity rules which meet account and password policy specifications including:
Minimum length of account name.
Minimum length of password.
Minimum password complexity rules.
Account lockout rules.
Accounts may not be shared. Are any accounts shared?
Session timeout - An inactive session should time out after a maximum idle period (15 minutes). The timeout should close open files and connections and require the user to log in again.
Should multi-factor authentication be used, depending on the security needs? Multi-factor authentication uses more than one of: 1) something the user knows, 2) something the user has, and 3) something the user is.
How many invalid login attempts in a given period of time will force an account to be locked? (4 attempts maximum)
How long before the invalid login counter is reset? (30 minutes minimum)
How long before a locked account is unlocked? (30 minutes minimum)
Minimum password age (1 day)
Maximum password age*
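The lockout and session-timeout values in the checklist above (4 invalid attempts, 30-minute counter reset, 30-minute lockout, 15-minute idle timeout) as an added, self-contained example of the enforcement logic; it is not code from the original document. Timestamps are passed in as seconds so the rules can be tested deterministically, and the 4th consecutive invalid attempt is assumed to be the one that locks the account.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Policy values taken from the checklist; seconds throughout.
MAX_INVALID_ATTEMPTS = 4          # 4th invalid attempt locks the account (assumption)
COUNTER_RESET_SECONDS = 30 * 60   # invalid-attempt counter forgotten after 30 minutes
LOCKOUT_SECONDS = 30 * 60         # locked account unlocks after 30 minutes
SESSION_IDLE_SECONDS = 15 * 60    # inactive session times out after 15 minutes


@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: Optional[float] = None
    locked_until: Optional[float] = None
    last_activity_at: Optional[float] = None


class LockoutPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, name: str) -> AccountState:
        return self.accounts.setdefault(name, AccountState())

    def is_locked(self, name: str, now: float) -> bool:
        s = self._state(name)
        return s.locked_until is not None and now < s.locked_until

    def record_login(self, name: str, password_ok: bool, now: float) -> str:
        """Apply one login attempt; returns 'ok', 'failed' or 'locked'."""
        s = self._state(name)
        if self.is_locked(name, now):
            return "locked"            # even a correct password is rejected while locked
        if s.locked_until is not None:  # lock has expired: start with a clean counter
            s.locked_until, s.failures, s.first_failure_at = None, 0, None
        if password_ok:
            s.failures, s.first_failure_at = 0, None
            s.last_activity_at = now   # successful login starts the idle clock
            return "ok"
        # Attempts older than the reset window no longer count toward lockout.
        if s.first_failure_at is None or now - s.first_failure_at >= COUNTER_RESET_SECONDS:
            s.failures, s.first_failure_at = 0, now
        s.failures += 1
        if s.failures >= MAX_INVALID_ATTEMPTS:
            s.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"

    def touch(self, name: str, now: float) -> None:
        self._state(name).last_activity_at = now   # any user activity resets the idle clock

    def session_active(self, name: str, now: float) -> bool:
        s = self._state(name)
        return s.last_activity_at is not None and now - s.last_activity_at < SESSION_IDLE_SECONDS
```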