Questions and Answers
True or false: The Password and Access Control Policy is only applicable to physical assets.
False (B)
True or false: The policy is designed to comply with the PCI DSS requirements.
True (A)
True or false: The policy applies to all systems and assets owned, managed, or operated by the company.
True (A)
True or false: HR Role/Line Manager is responsible for informing IT about new employees, access rights changes, and leavers.
True (A)
True or false: The Information Security Manager reviews and approves access requests on a monthly basis.
False (B)
True or false: Systems Administrators are not required to adhere to the policy when making changes to access privileges.
False (B)
True or false: User authentication is based solely on job classification.
False (B)
True or false: Non-authenticated and shared/group user IDs are allowed.
False (B)
True or false: Different authentication mechanisms are required for different delivery channels.
True (A)
Study Notes
Password and Access Control Policy Document Control
- The Password and Access Control Policy sets out responsibilities and practices to protect physical assets and sensitive information.
- The policy is designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
- The policy applies to all systems and assets owned, managed, or operated by the company.
- HR Role/Line Manager is responsible for informing IT of new employees, changes to access rights, and leavers.
- The Information Security Manager reviews and approves access requests and audits user and access lists on a quarterly basis.
- Systems Administrators must adhere to the policy when making changes to access privileges and ensure that systems enforce the configurations.
- User authentication is based on job classification and function, with the principle of least privilege and need-to-know basis.
- Non-authenticated and shared/group user IDs are prohibited, and every user must have a unique user ID and password.
- Different authentication mechanisms are used for different delivery channels (e.g., automated access control system or manual control procedures).
- Secure authentication mechanisms are required for operating system access, web applications, voice enquiries, email, fax, and remote access.
- Network device access must be via an encrypted protocol, except for local console access.
- Access control configurations include unique IDs, unique first-time passwords, password complexity, password history, lockout settings, and two-factor authentication for remote access.