Password and Access Control Policy Draft Quiz

CommendableRuby
9 Questions

What version of the Password and Access Control Policy is the document?

Version 0.1

Which requirement(s) does the policy aim to meet?

PCI DSS requirements 7.1 & 7.2 and 8.5

Which authentication principle is User Authentication based on?

Principle of least privilege and need-to-know basis

Which authentication mechanisms are required for secure authentication?

Operating System, Web, Voice, Email, Fax, White Mail, Remote Access, and Network Device

What action may result from the violation of the policy?

Disciplinary action, including termination of employment

Who needs to approve the deviation from the policy?

Security Management Team and/or Legal Counsel

What type of accounts should be monitored and changed periodically?

Vendors' remote access accounts

What is the basis for assigning unique IDs to all users?

Passwords must not be shared

What is required for remote access to the cardholder network?

Two-factor authentication

Study Notes

Password and Access Control Policy

  • The document is a draft version 0.1 of the Password and Access Control Policy.
  • The policy is created to meet PCI DSS requirements 7.1 & 7.2 and 8.5.
  • It applies to all systems and assets owned, managed, or operated by the organization.
  • The roles and responsibilities outlined include HR Role/Line Manager, Information Security Manager, and Systems Administrators.
  • User Authentication is based on the principle of least privilege and need-to-know basis.
  • Secure mechanisms for authentication are required for Operating System, Web, Voice, Email, Fax, White Mail, Remote Access, and Network Device.
  • Passwords must not be shared, and unique IDs are assigned to all users.
  • Access Control Configurations specify password requirements, including length, character types, reuse, history, lockout, and duration.
  • Two-factor authentication is required for remote access to the cardholder network.
  • Vendors' remote access accounts should be monitored and changed periodically.
  • Violation of the policy may lead to disciplinary action, including termination of employment.
  • Deviation from the policy requires a valid business case and approval by the Security Management Team and/or Legal Counsel.

Test your knowledge on the draft version 0.1 of the Password and Access Control Policy, which is created to meet PCI DSS requirements and specifies rules for user authentication, secure mechanisms, password configurations, and consequences for policy violations.