
Some users may fail in their first couple of attempts to sign on to the system because they have forgotten their password. This is understandable. A large number of invalid sign-on attempts, however, may indicate that someone is trying to "crack" a password or to access an account they are not authorized to use. Regular auditing should monitor the number of invalid sign-on attempts per profile.
The Invalid Sign-On Attempts report shows the number of invalid sign-ons since the last successful sign-on. If security auditing is turned on through the QAUDLVL system value, all invalid attempts to access data, including every failed sign-on attempt, are also recorded in the security audit journal.
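The two metrics above differ: the report's count resets at the next successful sign-on, while the audit journal keeps every failure. The following added example (not part of this page or of the PowerTech product) computes both per profile over a constructed, simplified rendering of audit-journal entries; the record layout, the "OK" success marker and the threshold are assumptions, not the real journal format.

```python
from collections import defaultdict

# Constructed sample, not real QAUDJRN output: timestamp, entry type
# (PW = failed sign-on as in the audit journal; OK = success, a marker
# invented for this example), user profile, device the attempt came from.
SAMPLE_LOG = """\
2024-03-01T08:00:05 PW JSMITH DSP01
2024-03-01T08:00:20 OK JSMITH DSP01
2024-03-01T08:10:00 PW QSECOFR QPADEV0001
2024-03-01T08:10:02 PW QSECOFR QPADEV0001
2024-03-01T08:10:04 PW QSECOFR QPADEV0001
2024-03-01T08:10:06 PW QSECOFR QPADEV0001
2024-03-01T08:10:10 OK QSECOFR QPADEV0001
2024-03-01T09:00:00 PW MJONES DSP02
2024-03-01T09:00:30 PW MJONES DSP02
2024-03-01T09:01:00 PW MJONES DSP02
"""

def parse(text):
    """Split the whitespace-separated records into dicts, skipping blanks."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            ts, etype, profile, device = line.split()
            recs.append({"ts": ts, "type": etype, "profile": profile, "device": device})
    return recs

def summarize(records):
    """Per profile: total failures (journal view), failures since the last
    success (the report's metric) and failures that preceded the last success."""
    stats = defaultdict(lambda: {"total_failed": 0, "since_last_success": 0,
                                 "before_last_success": 0, "last_success": None})
    for r in records:
        s = stats[r["profile"]]
        if r["type"] == "PW":
            s["total_failed"] += 1
            s["since_last_success"] += 1
        elif r["type"] == "OK":
            s["before_last_success"] = s["since_last_success"]
            s["since_last_success"] = 0
            s["last_success"] = r["ts"]
    return dict(stats)

def flag(stats, threshold=3):
    """Profiles to review: a run of failures still open, or a success that
    followed a run of failures (visible only in the journal, not the report)."""
    flagged = {}
    for profile, s in stats.items():
        reasons = []
        if s["since_last_success"] >= threshold:
            reasons.append("failures since last success")
        if s["before_last_success"] >= threshold:
            reasons.append("success after repeated failures")
        if reasons:
            flagged[profile] = reasons
    return flagged

if __name__ == "__main__":
    for profile, reasons in flag(summarize(parse(SAMPLE_LOG))).items():
        print(profile, "; ".join(reasons))
```

On a real system the records would come from the audit journal via an outfile (DSPJRN or CPYAUDJRNE) rather than the constructed text above.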
PowerTech Recommendations: Use the Compliance Monitor 'Invalid Sign-on Attempts' report to monitor all invalid sign-on attempts.
Invalid Sign-On Attempts Report

Relevant Standards:
COBIT DS5.3 - Identity Management: All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements.
COBIT DS5.4 - User Account Management
COBIT DS5.5 - Security Testing, Surveillance and Monitoring: Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained. A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed.
ISO 27002 (17799) 11.2.4 - Review of User Access Rights: Management should review users' access rights at regular intervals using a formal process.