Password and Access Control Policy Draft (v0.1)

Password and Access Control Policy Document

• The document is a draft version of the Password and Access Control Policy, with a version number of 0.1 and has been issued as a draft by an unspecified organization.
• The policy aims to address critical access needs while minimizing risks and protecting physical assets and sensitive information, specifically to satisfy PCI DSS requirements 7.1, 7.2, and 8.5.
• It applies to all systems and assets owned, managed, or operated by the organization.
• The roles and responsibilities outlined in the policy include those of HR Role / Line Manager, Information Security Manager, and Systems Administrators.
• The policy specifies user authentication requirements, such as assigning access privileges based on business needs, implementing a default "deny-all" setting, and prohibiting the use of shared or group user IDs.
• It also outlines authentication requirements for various systems, including operating systems, web applications, email, fax, voice, and remote access, emphasizing the use of secure mechanisms and role-based access control.
• Access control configurations include requirements for unique passwords, password length, complexity, history maintenance, lockout settings, two-factor authentication for remote access, and management of vendor access accounts.
• The policy enforces disciplinary action for employees violating the policy and permits deviations only with a valid business case reviewed and approved by the Security Management Team and/or Legal Counsel.
• The document does not include specific definitions, but it references the Payment Card Industry Data Security Standard.
• The Information Security Manager or equivalent is initially assigned ownership of the document, but job titles/descriptions should be appropriately edited.
• The policy includes a table of contents and document revision history, and it specifies stakeholders for document distribution and their corresponding roles (P=Producer, C=Contributor, R=Reviewer, A=Authoriser, I=for information only).
• The policy is subject to an annual review, and it provides a template for company use, which should be tailored to the specific organization's requirements.