Questions and Answers
What version of the Password and Access Control Policy is the document?
- Version 1.0
- Version 0.2
- Version 0.1 (correct)
- Version 0.5
Which requirement(s) does the policy aim to meet?
- PCI DSS requirements 7.1 & 7.2 and 8.5 (correct)
- HIPAA compliance standards
- ISO 27001 requirement 5.2
- NIST SP 800-53 controls
Which authentication principle is User Authentication based on?
- Principle of least privilege and need-to-know basis (correct)
- Principle of unrestricted access
- Principle of excessive privilege
- Principle of shared credentials
Which authentication mechanisms are required for secure authentication?
What action may result from the violation of the policy?
Who needs to approve the deviation from the policy?
What type of accounts should be monitored and changed periodically?
What is the basis for assigning unique IDs to all users?
What is required for remote access to the cardholder network?
Study Notes
Password and Access Control Policy
- The document is a draft version 0.1 of the Password and Access Control Policy.
- The policy is created to meet PCI DSS requirements 7.1 & 7.2 and 8.5.
- It applies to all systems and assets owned, managed, or operated by the organization.
- The roles and responsibilities outlined include HR Role/Line Manager, Information Security Manager, and Systems Administrators.
- User Authentication is based on the principle of least privilege and need-to-know basis.
- Secure mechanisms for authentication are required for Operating System, Web, Voice, Email, Fax, White Mail, Remote Access, and Network Device.
- Passwords must not be shared, and unique IDs are assigned to all users.
- Access Control Configurations specify password requirements, including length, character types, reuse, history, lockout, and duration.
- Two-factor authentication is required for remote access to the cardholder network.
- Vendors' remote access accounts should be monitored and changed periodically.
- Violation of the policy may lead to disciplinary action, including termination of employment.
- Deviation from the policy requires a valid business case and approval by the Security Management Team and/or Legal Counsel.
Description
Test your knowledge on the draft version 0.1 of the Password and Access Control Policy, which is created to meet PCI DSS requirements and specifies rules for user authentication, secure mechanisms, password configurations, and consequences for policy violations.