Login activity alerts on each account
Demonstrate that all user accounts are configured to automatically notify account owners of login activity in real time or near-real time, enabling timely detection of unauthorized access.
Description
What this control does
This control requires that each user account be configured to generate and deliver real-time or near-real-time alerts upon login events, including successful and failed authentication attempts. Alerts may be delivered via email, SMS, mobile push notification, or in-app notification to the account owner. The control provides account holders with immediate visibility into access activity, enabling rapid detection of unauthorized login attempts or compromised credentials before attackers can exploit access.
Control objective
What auditing this proves
Demonstrate that all user accounts are configured to automatically notify account owners of login activity in real time or near-real time, enabling timely detection of unauthorized access.
Associated risks
Risks this control addresses
- Delayed detection of credential compromise allowing attackers prolonged unauthorized access to systems and data
- Account takeover via stolen credentials going unnoticed until secondary indicators such as fraudulent transactions emerge
- Credential stuffing attacks succeeding without triggering user awareness or incident response
- Insider threat actors using compromised credentials of legitimate users without detection
- Session hijacking or token theft enabling silent persistence within user accounts
- Compliance violations due to lack of timely notification of security events to affected individuals
- Lateral movement by attackers using compromised accounts that remain undetected by legitimate owners
Testing procedure
How an auditor verifies this control
- Obtain the complete inventory of user account types and authentication systems in scope for the control (web applications, SaaS platforms, VPNs, privileged access systems).
- Review system configuration documentation and notification settings for each authentication system to identify login alerting capabilities and current configurations.
- Select a representative sample of user accounts across different account types, roles, and authentication systems (a minimum of 10-15 accounts or 10% of the population, whichever is larger).
- For each sampled account, access the account notification settings directly or via the administrative console to verify that login alerting is enabled.
- Perform test logins for each sampled account from a controlled test device or location and verify that alerts are generated and delivered to the account owner within the defined timeframe.
- Review alert content to confirm it includes critical details such as timestamp, source IP address or location, device information, and authentication method used.
- Interview a sample of account owners to verify they receive, understand, and know how to respond to login alerts.
- Review incident response logs or helpdesk tickets to identify instances where users reported suspicious login alerts and confirm appropriate investigation occurred.
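The steps above can be turned into a repeatable check. The following Python script is an added illustration written for this page, not part of the control catalogue or any vendor's tooling: it builds the alert an authentication system should emit for a login event (successful or failed) and then audits a sample of accounts for the three things the procedure verifies, that alerting is enabled, that the alert arrived within the timeframe, and that it carries the required fields. The account names, events, alert records and the five-minute "near-real-time" threshold (MAX_DELAY) are all constructed assumptions; the control text itself sets no numeric limit.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fields the testing procedure expects every login alert to carry.
REQUIRED_FIELDS = ("timestamp", "source_ip", "device", "auth_method")
# Assumed delivery threshold for "near-real-time"; the control text defines no number.
MAX_DELAY = timedelta(minutes=5)


@dataclass
class LoginEvent:
    account: str
    timestamp: datetime
    source_ip: str
    device: str
    auth_method: str
    success: bool


@dataclass
class Alert:
    account: str
    delivered_at: datetime
    channel: str   # email, sms, push, in-app
    fields: dict   # content actually shown to the account owner


def build_alert(event: LoginEvent, channel: str, delivered_at: datetime) -> Alert:
    """Build the alert an authentication system should emit for one login event.
    Failed attempts are alerted as well; the outcome is part of the message."""
    return Alert(
        account=event.account,
        delivered_at=delivered_at,
        channel=channel,
        fields={
            "timestamp": event.timestamp.isoformat(),
            "source_ip": event.source_ip,
            "device": event.device,
            "auth_method": event.auth_method,
            "outcome": "success" if event.success else "failure",
        },
    )


def audit_account(account, alert_enabled, events, alerts, max_delay=MAX_DELAY):
    """Return a list of findings for one sampled account; an empty list means pass.
    Mirrors the auditor's steps: setting enabled, alert delivered in time, content complete."""
    findings = []
    if not alert_enabled:
        findings.append("login alerting is disabled in account settings")
    for ev in events:
        if ev.account != account:
            continue
        stamp = ev.timestamp.isoformat()
        # Correlate the login with its alert by account and event timestamp.
        match = next((a for a in alerts
                      if a.account == account and a.fields.get("timestamp") == stamp), None)
        if match is None:
            findings.append(f"no alert delivered for login at {stamp}")
            continue
        delay = match.delivered_at - ev.timestamp
        if delay > max_delay:
            findings.append(f"alert for login at {stamp} delivered {int(delay.total_seconds())}s "
                            f"after login (limit {int(max_delay.total_seconds())}s)")
        missing = [f for f in REQUIRED_FIELDS if not match.fields.get(f)]
        if missing:
            findings.append(f"alert for login at {stamp} missing fields: {', '.join(missing)}")
    return findings


def audit_sample(alert_settings, events, alerts, max_delay=MAX_DELAY):
    """Audit every sampled account; returns {account: [findings]}."""
    return {acct: audit_account(acct, enabled, events, alerts, max_delay)
            for acct, enabled in alert_settings.items()}


# Constructed sample data: three accounts, one passing and two with defects.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    LoginEvent("alice", T0, "203.0.113.10", "Windows laptop", "password+totp", True),
    LoginEvent("alice", T0 + timedelta(minutes=1), "198.51.100.7", "unknown", "password", False),
    LoginEvent("bob", T0 + timedelta(minutes=2), "203.0.113.22", "iPhone", "passkey", True),
    LoginEvent("carol", T0 + timedelta(minutes=3), "203.0.113.31", "macOS", "password", True),
]
SAMPLE_ALERTS = [
    build_alert(SAMPLE_EVENTS[0], "push", T0 + timedelta(seconds=20)),
    build_alert(SAMPLE_EVENTS[1], "push", T0 + timedelta(minutes=1, seconds=15)),
    build_alert(SAMPLE_EVENTS[2], "email", T0 + timedelta(minutes=25)),  # 23 minutes after login
]
# carol: alerting disabled, and the one alert her system did emit omits the auth method.
_carol_alert = build_alert(SAMPLE_EVENTS[3], "email", T0 + timedelta(minutes=3, seconds=30))
_carol_alert.fields["auth_method"] = ""
SAMPLE_ALERTS.append(_carol_alert)
SAMPLE_SETTINGS = {"alice": True, "bob": True, "carol": False}

if __name__ == "__main__":
    for acct, findings in audit_sample(SAMPLE_SETTINGS, SAMPLE_EVENTS, SAMPLE_ALERTS).items():
        print(acct, "PASS" if not findings else findings)
```

In practice the event list comes from the authentication system's login log and the alert list from the notification gateway's delivery log; correlating the two by account and login timestamp is what lets the auditor show delivery latency rather than only that a setting is switched on.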
Where this control is tested