Podcast
Questions and Answers
Who is responsible for informing IT of new employees, changes to access rights, and leavers?
Who is responsible for informing IT of new employees, changes to access rights, and leavers?
- Systems Administrators
- Payment Card Industry Data Security Standard
- HR Role/Line Manager (correct)
- Information Security Manager
Who reviews and approves access requests and audits user and access lists on a quarterly basis?
Who reviews and approves access requests and audits user and access lists on a quarterly basis?
- Information Security Manager (correct)
- Payment Card Industry Data Security Standard
- Systems Administrators
- HR Role/Line Manager
Who must adhere to the policy when making changes to access privileges and ensure that systems enforce the configurations?
Who must adhere to the policy when making changes to access privileges and ensure that systems enforce the configurations?
- Payment Card Industry Data Security Standard
- HR Role/Line Manager
- Systems Administrators (correct)
- Information Security Manager
What is the basis for user authentication?
What is the basis for user authentication?
What is prohibited for user authentication?
What is prohibited for user authentication?
What type of access requires secure authentication mechanisms?
What type of access requires secure authentication mechanisms?
What type of access must be via an encrypted protocol, except for local console access?
What type of access must be via an encrypted protocol, except for local console access?
What are included in access control configurations?
What are included in access control configurations?
What does the Password and Access Control Policy set out responsibilities and practices to protect?
What does the Password and Access Control Policy set out responsibilities and practices to protect?
Flashcards are hidden until you start studying
Study Notes
Password and Access Control Policy Document Control
- The Password and Access Control Policy sets out responsibilities and practices to protect physical assets and sensitive information.
- The policy is designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
- The policy applies to all systems and assets owned, managed, or operated by the company.
- HR Role/Line Manager is responsible for informing IT of new employees, changes to access rights, and leavers.
- The Information Security Manager reviews and approves access requests and audits user and access lists on a quarterly basis.
- Systems Administrators must adhere to the policy when making changes to access privileges and ensure that systems enforce the configurations.
- User authentication is based on job classification and function, with the principle of least privilege and need-to-know basis.
- Non-authenticated and shared/group user IDs are prohibited, and every user must have a unique user ID and password.
- Different authentication mechanisms are used for different delivery channels (e.g., automated access control system or manual control procedures).
- Secure authentication mechanisms are required for operating system access, web applications, voice enquiries, email, fax, and remote access.
- Network device access must be via an encrypted protocol, except for local console access.
- Access control configurations include unique IDs, unique first-time passwords, password complexity, password history, lockout settings, and two-factor authentication for remote access.
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Description
Learn about the Password and Access Control Policy that outlines responsibilities and practices for protecting physical assets and sensitive information, meeting PCI DSS requirements, and ensuring secure access control configurations.
