Password and Access Control Policy Draft 0.1

CommendableRuby

9 Questions

True or false: The purpose of the policy is to establish specific responsibilities and practices to minimize risks and protect physical assets and sensitive information.

True

True or false: The policy applies only to systems owned by the organization.

False

True or false: HR role/line managers are responsible for informing IT of new employees, changes to access rights, and leavers.

True

True or false: User authentication is solely based on job classification.

False

True or false: Non-authenticated or shared user IDs are allowed.

False

True or false: Operating system access authentication requires a secure mechanism for remote or console access.

True

True or false: Web authentication does not require role-based access control.

False

True or false: Voice authentication does not involve verifying the identity of callers.

False

True or false: Email authentication does not involve scanning attachments for viruses.

False

Study Notes

Password and Access Control Policy Document

  • The document is draft version 0.1 of the Password and Access Control Policy.
  • The purpose of the policy is to establish specific responsibilities and practices to minimize risks and protect physical assets and sensitive information.
  • The policy applies to all systems and assets owned, managed, or operated by the organization.
  • The roles and responsibilities include HR role/line managers informing IT of new employees, changes to access rights, and leavers, and the Information Security Manager approving access requests and auditing user and access lists.
  • User authentication is based on job classification and function, with access privileges granted on a need-to-know basis.
  • Non-authenticated or shared user IDs are prohibited, and every user must use a unique user ID and password.
  • Authentication mechanisms must be suited for the delivery channel, such as automated access control systems or alternative control procedures.
  • Operating system access authentication requires a secure mechanism for remote or console access, with role-based access control and password authentication.
  • Web authentication requires a secure mechanism and role-based access control with password authentication.
  • Voice authentication requires verifying the identity of callers and being aware of social engineering attacks.
  • Email authentication involves treating incoming emails with caution, scanning attachments for viruses, and confirming sender identity.
  • Access control configurations include not sharing passwords, assigning unique IDs, changing default passwords, and using strong passwords with a history and lockout policy.

This quiz covers the key points outlined in draft version 0.1 of the Password and Access Control Policy. It includes responsibilities, access control practices, authentication mechanisms, and access control configurations for protecting physical assets and sensitive information.
