Password and Access Control Policy Overview
9 Questions

Created by
@CommendableRuby

Questions and Answers

Which role is responsible for informing IT of new employees, changes to access rights, and leavers?

  • HR role/line manager (correct)
  • Systems Administrator
  • IT Manager
  • Information Security Manager

Who reviews and approves requests for system access and audits user and access lists quarterly?

  • HR role/line manager
  • Systems Administrator
  • IT Manager
  • Information Security Manager (correct)

What must Systems Administrators adhere to when making changes to access privileges and ensuring system configurations are enforced?

  • Information Security Policy
  • IT Policy
  • Password Policy
  • Access Control Policy (correct)

What is user authentication based on?

  • Job classification and function

What type of user IDs are prohibited?

  • Non-authenticated and shared/group user IDs

What should be used for user authentication for operating system access, web applications, voice inquiries, email, fax, and remote access?

  • Secure mechanisms

What type of authentication must network devices use, except for local console access?

  • Encrypted protocols

What are included in access control configurations?

  • All of the above

What type of authentication should be utilized for remote access to the cardholder network?

  • Two-factor authentication

Study Notes

Password and Access Control Policy

  • The Access Control Policy is designed to minimize risks and protect physical assets and sensitive information.
  • The policy applies to all systems and assets owned, managed, or operated by the company.
  • The HR role/line manager is responsible for informing IT of new employees, changes to access rights, and leavers.
  • The Information Security Manager reviews and approves requests for system access and audits user and access lists quarterly.
  • Systems Administrators must adhere to the policy when making changes to access privileges and ensure system configurations are enforced.
  • User authentication is based on job classification and function, with access granted only on a need-to-know basis.
  • Non-authenticated and shared/group user IDs are prohibited, and unique user IDs and passwords must be used.
  • Authentication mechanisms must be appropriate for the delivery channel and implemented with the necessary strength.
  • Secure mechanisms for user authentication are required for operating system access, web applications, voice inquiries, email, fax, and remote access.
  • Network device authentication must use encrypted protocols, except for local console access.
  • Access control configurations include unique IDs, unique passwords, password changes, password complexity, password history, and lockout settings.
  • Remote access to the cardholder network should utilize two-factor authentication, and vendor remote access accounts should be monitored and changed regularly.

Description

This quiz provides an overview of the Access Control Policy designed to safeguard physical assets and sensitive information. It covers roles and responsibilities, user authentication, authentication mechanisms, secure mechanisms, network device authentication, and access control configurations.
