Draft Password and Access Control Policy Document

Password and Access Control Policy Document

• The document is a draft version 0.1 of the Password and Access Control Policy.
• It outlines roles and responsibilities for HR, Information Security Manager, and Systems Administrators.
• The policy applies to all systems and assets owned, managed, or operated by the company.
• User authentication is based on business needs and the principle of least privilege.
• Different authentication mechanisms are specified for various access points like operating systems, web applications, email, and voice.
• Passwords must be at least 8 characters long and include upper and lower case letters, numbers, and special characters.
• Password history is maintained for at least 4 passwords, and password lockout is set to 6 attempts with a duration of 30 minutes.
• Remote access to the cardholder network should utilize two-factor authentication.
• Vendors' remote access accounts should be monitored and changed regularly.
• Violations of the policy may result in disciplinary action, including termination of employment.
• Deviation from the policy is allowed only with a valid business case reviewed and approved by the Security Management Team and/or Legal Counsel.
• The document references the Payment Card Industry Data Security Standard (PCI DSS).