Password and Access Control Policy Quiz

Questions and Answers

True or false: The Password and Access Control Policy is only applicable to physical assets.

False

True or false: The policy is designed to comply with the PCI DSS requirements.

True

True or false: The policy applies to all systems and assets owned, managed, or operated by the company.

True

True or false: HR Role/Line Manager is responsible for informing IT about new employees, access rights changes, and leavers.

True

True or false: The Information Security Manager reviews and approves access requests on a monthly basis.

False

True or false: Systems Administrators are not required to adhere to the policy when making changes to access privileges.

False

True or false: User authentication is based solely on job classification.

False

True or false: Non-authenticated and shared/group user IDs are allowed.

False

True or false: Different authentication mechanisms are required for different delivery channels.

True

Study Notes

Password and Access Control Policy Document Control

• The Password and Access Control Policy sets out responsibilities and practices to protect physical assets and sensitive information.
• The policy is designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
• The policy applies to all systems and assets owned, managed, or operated by the company.
• HR Role/Line Manager is responsible for informing IT of new employees, changes to access rights, and leavers.
• The Information Security Manager reviews and approves access requests and audits user and access lists on a quarterly basis.
• Systems Administrators must adhere to the policy when making changes to access privileges and ensure that systems enforce the configurations.
• User authentication is based on job classification and function, with the principle of least privilege and need-to-know basis.
• Non-authenticated and shared/group user IDs are prohibited, and every user must have a unique user ID and password.
• Different authentication mechanisms are used for different delivery channels (e.g., automated access control system or manual control procedures).
• Secure authentication mechanisms are required for operating system access, web applications, voice enquiries, email, fax, and remote access.
• Network device access must be via an encrypted protocol, except for local console access.
• Access control configurations include unique IDs, unique first-time passwords, password complexity, password history, lockout settings, and two-factor authentication for remote access.