ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

AC-7(2) UNSUCCESSFUL LOGON ATTEMPTS  |  PURGE / WIPE MOBILE DEVICE

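| Applicable (Y)es / (N)o | (C)onfidentiality L1 | (C)onfidentiality M2 | (C)onfidentiality H3 | (I)ntegrity L1 | (I)ntegrity M2 | (I)ntegrity H3 | (A)vailability L1 | (A)vailability M2 | (A)vailability H3 | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory +## |
|---|---|---|---|---|---|---|---|---|---|---|---|
|   |   |   |   |   |   |   |   |   |   |   |   |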

Assessment objective:

Determine if:

AC-7(2)[1] the organization defines mobile devices to be purged/wiped after organization-defined number of consecutive, unsuccessful device logon attempts;

AC-7(2)[2] the organization defines purging/wiping requirements/techniques to be used when organization-defined mobile devices are purged/wiped after organization-defined number of consecutive, unsuccessful device logon attempts;

AC-7(2)[3] the organization defines the number of consecutive, unsuccessful logon attempts allowed for accessing mobile devices before the information system purges/wipes information from such devices; and

AC-7(2)[4] the information system purges/wipes information from organization-defined mobile devices based on organization-defined purging/wiping requirements/techniques after organization-defined number of consecutive, unsuccessful logon attempts.

Potential assessment methods and objects:

Examine: [select from: Access control policy; procedures addressing unsuccessful login attempts on mobile devices; information system design documentation; information system configuration settings and associated documentation; list of mobile devices to be purged/wiped after organization-defined consecutive, unsuccessful device logon attempts; list of purging/wiping requirements or techniques for mobile devices; information system audit records; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities].

Test: [select from: Automated mechanisms implementing access control policy for unsuccessful device logon attempts].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056