Password and Access Control Policy Document Summary

CommendableRuby
9 Questions

Is the document a draft of a Password and Access Control Policy for a company?

True

Does the policy apply to all systems and assets owned, managed, or operated by the company?

True

Are passwords required to be at least 6 characters long?

False

Is two-factor authentication required for remote access to the cardholder network?

True

Should passwords include a combination of upper case letters, lower case letters, numbers, and special characters?

True

Is password lockout set to 6 attempts, with a lockout duration of 30 minutes?

True

Is deviation from the policy permitted without a valid business case reviewed and approved by the Security Management Team and/or Legal Counsel?

False

Should vendor remote access accounts be monitored and changed regularly?

True

Is the document referencing the Payment Card Industry Data Security Standard?

True

Study Notes

Password and Access Control Policy Document Summary

  • The document is a draft (version 0.1) of a Password and Access Control Policy for a company; the date of issuance is not specified.
  • The policy applies to all systems and assets owned, managed, or operated by the company.
  • The roles and responsibilities outlined include those of HR Role/Line Manager, Information Security Manager, and Systems Administrators.
  • The policy emphasizes user authentication, operating system access authentication, web authentication, voice authentication, email authentication, fax authentication, white mail authentication, remote access authentication, and network device authentication.
  • Passwords must not be shared, and all users should have unique IDs before gaining access to systems.
  • Passwords must be at least 8 characters long and include a combination of upper case letters, lower case letters, numbers, and special characters. Password history is maintained for at least 4 passwords.
  • Password lockout is set to 6 attempts, with a lockout duration of 30 minutes.
  • Two-factor authentication is required for remote access to the cardholder network.
  • Vendor remote access accounts should be monitored and changed regularly.
  • Access to databases containing cardholder data should have a separate authentication layer, and queries must be restricted to database administrators.
  • Deviation from the policy is only permitted with a valid business case reviewed and approved by the Security Management Team and/or Legal Counsel.
  • The document references the Payment Card Industry Data Security Standard.

This quiz is a summary of a draft Password and Access Control Policy document for a company, covering user authentication, password requirements, two-factor authentication, and access control measures. It outlines roles and responsibilities, password policies, lockout settings, remote access requirements, and guidelines for handling cardholder data.
