Password and Access Control Policy

Questions and Answers

Who is responsible for informing IT of new employees, changes to access rights, and leavers?

• Security Management Team
• HR role/line manager (correct)
• Information Security Manager
• Systems Administrators

Who approves access requests and audits user and access lists on a quarterly basis?

• Security Management Team
• HR role/line manager
• Systems Administrators
• Information Security Manager (correct)

Which systems and assets does the Password and Access Control Policy apply to?

• Systems and assets owned by the HR department
• All systems and assets in the IT department
• Systems and assets owned, managed, or operated by the company (correct)
• Systems and assets owned by the Information Security Manager

What is the principle of user authentication based on?

Job classification and function (C)

What is prohibited in terms of user IDs in the Password and Access Control Policy?

Non-authenticated and shared/group user IDs (D)

What are the requirements for passwords in the Password and Access Control Policy?

At least 8 characters with a mix of upper and lower case letters, numbers, and special characters (C)

What should be utilized for remote access in the Password and Access Control Policy?

Two-factor authentication (B)

What should be done with vendor remote access accounts?

Monitored, passwords changed regularly, and unused accounts deactivated (C)

What is required for deviations from the Password and Access Control Policy?

A valid business case reviewed and approved by the Security Management Team and/or Legal Counsel (C)

Flashcards are hidden until you start studying

Study Notes

Password and Access Control Policy Document Control Summary

• The Password and Access Control Policy sets out specific responsibilities, conditions, and practices to minimize risks and protect physical assets and sensitive information.
• The policy applies to all systems and assets owned, managed, or operated by the company.
• The HR role/line manager is responsible for informing IT of new employees, changes to access rights, and leavers.
• The Information Security Manager approves access requests and audits user and access lists on a quarterly basis.
• Systems Administrators must adhere to the policy when making changes to access privileges and ensure systems enforce the configurations in the policy.
• User authentication is based on job classification and function, with the principle of least privilege and need-to-know basis.
• Non-authenticated and shared/group user IDs are prohibited, and every user must have a unique user ID and personal secret password.
• Different authentication mechanisms are required for user, operating system, web, voice, email, fax, white mail, remote access, and network device authentication.
• Passwords must not be shared, must be at least 8 characters with a mix of upper and lower case letters, numbers, and special characters.
• Password history is maintained, password lockout and duration are set, and remote access should utilize two-factor authentication.
• Vendor remote access accounts should be monitored, passwords changed regularly, and unused accounts deactivated.
• Violations of the policy may result in disciplinary action, and deviations require a valid business case reviewed and approved by the Security Management Team and/or Legal Counsel.

Description

Learn about the responsibilities, conditions, and practices outlined in the Password and Access Control Policy to minimize risks and safeguard physical assets and sensitive information within a company. Understand the importance of user authentication, unique user IDs, password requirements, access request approvals, and enforcement of configurations.