210 – Delete information from mobile devices

Summary

The system must delete the information from mobile devices after 10 failed authentication attempts.

Description

The purpose of this requirement is to mitigate the risk of data exposure in the event that an unauthorized user gains physical access to the mobile device and then try to brute force authentication by making several attempts systematically.

Supported In

Advanced: True

References

• CWE-307. Improper restriction of excessive authentication attempts
• CWE-459. Incomplete cleanup
• EPRIVACY-4_1a. Security of processing
• SOC2-C1_2. Additional criteria for confidentiality
• CCPA-1798_105. Consumer's right to delete personal information
• MITRE-M1036. Account use policies
• CMMC-AC_L2-3_1_8. Unsuccessful logon attempts
• CMMC-AC_L2-3_1_21. Portable storage use
• CMMC-MP_L2-3_8_7. Removable media
• FEDRAMP-AC-7_2. Unsuccessful logon - Purge, wipe mobile device
• FEDRAMP-MP-6. Media sanitization
• ISO27002-8_1. User endpoint devices
• IEC62443-UC-2_3. Use control for portable and mobile devices
• NIST800171-1_18. Control connection of mobile devices
• SIGLITE-SL_142. Is there a mobile device management solution in place?
• SIG-M_1_25. End user device security
• ISO27001-8_1. User endpoint devices

Last updated

2024/01/18