Password and Access Control Policy Overview

Password and Access Control Policy

• The Access Control Policy is designed to minimize risks and protect physical assets and sensitive information.
• The policy applies to all systems and assets owned, managed, or operated by the company.
• The HR role/line manager is responsible for informing IT of new employees, changes to access rights, and leavers.
• The Information Security Manager reviews and approves requests for system access and audits user and access lists quarterly.
• Systems Administrators must adhere to the policy when making changes to access privileges and ensure system configurations are enforced.
• User authentication is based on job classification and function, with access granted only on a need-to-know basis.
• Non-authenticated and shared/group user IDs are prohibited, and unique user IDs and passwords must be used.
• Authentication mechanisms must be appropriate for the delivery channel and implemented with the necessary strength.
• Secure mechanisms for user authentication are required for operating system access, web applications, voice inquiries, email, fax, and remote access.
• Network device authentication must use encrypted protocols, except for local console access.
• Access control configurations include unique IDs, unique passwords, password changes, password complexity, password history, and lockout settings.
• Remote access to the cardholder network should utilize two-factor authentication, and vendor remote access accounts should be monitored and changed regularly.