Password and Access Control Policy Overview

Questions and Answers

PDF Questions PDF Answers

Which industry standard does the Password and Access Control Policy aim to meet?

ISO 27001

GDPR

PCI DSS (correct)

HIPAA

Who is responsible for informing IT about new employees, changes to access rights, and leavers?

Systems administrators

Network devices

Information Security Manager

HR role/line manager (correct)

What is the role of the Information Security Manager in relation to access requests?

Enforce access configurations

Review and approve access requests (correct)

Maintain password history

Implement lockout settings

When must systems administrators adhere to the Password and Access Control Policy?

When making changes to access privileges

How are user authentication and access privileges determined?

Based on business needs

What is prohibited in terms of user IDs?

Shared user IDs

What type of authentication is required for remote access to the cardholder network?

Two-factor authentication

What is required for passwords in terms of length and character combination?

At least 8 characters long, combination of upper and lower case letters, numbers, and special characters

What must network devices use for access?

Encrypted protocols

Study Notes

Password and Access Control Policy

• The Password and Access Control Policy is a document that outlines specific responsibilities, conditions, and practices for access control in order to protect physical assets and sensitive information.
• The policy is designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
• The policy applies to all systems and assets owned, managed, or operated by the company.
• The HR role/line manager is responsible for informing IT of new employees, changes to access rights, and leavers.
• The Information Security Manager reviews and approves access requests and audits user and access lists on a quarterly basis.
• Systems administrators must adhere to the policy when making changes to access privileges and ensure that all systems enforce the configurations in the policy.
• User authentication is based on job classification and function, and access privileges are assigned according to business needs.
• Non-authenticated or shared user IDs are prohibited, and every user must use a unique user ID and password.
• Secure mechanisms for authentication are required for operating system access, web applications, voice inquiries, email, fax, and remote access.
• Network devices must use encrypted protocols for access.
• Passwords must not be shared, must be at least 8 characters long, and include a combination of upper and lower case letters, numbers, and special characters.
• Password history is maintained, lockout settings are implemented, and two-factor authentication is required for remote access to the cardholder network.

Description

Explore the responsibilities, conditions, and practices outlined in the Password and Access Control Policy to protect physical assets and sensitive information. Learn about the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and the roles involved in enforcing the policy.