9 Questions
Who is responsible for informing IT of new employees, changes to access rights, and leavers?
HR Role/Line Manager
Who reviews and approves access requests and audits user and access lists on a quarterly basis?
Information Security Manager
Who must adhere to the policy when making changes to access privileges and ensure that systems enforce the configurations?
Systems Administrators
What is the basis for user authentication?
Job classification and function
What is prohibited for user authentication?
Non-authenticated and shared/group user IDs
What type of access requires secure authentication mechanisms?
Operating system access
What type of access must be via an encrypted protocol, except for local console access?
Network device access
What are included in access control configurations?
Unique IDs, unique first-time passwords, password complexity, password history, lockout settings, and two-factor authentication for remote access
What does the Password and Access Control Policy set out responsibilities and practices to protect?
Physical assets and sensitive information
Study Notes
Password and Access Control Policy Document Control
- The Password and Access Control Policy sets out responsibilities and practices to protect physical assets and sensitive information.
- The policy is designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
- The policy applies to all systems and assets owned, managed, or operated by the company.
- HR Role/Line Manager is responsible for informing IT of new employees, changes to access rights, and leavers.
- The Information Security Manager reviews and approves access requests and audits user and access lists on a quarterly basis.
- Systems Administrators must adhere to the policy when making changes to access privileges and ensure that systems enforce the configurations.
- User authentication is based on job classification and function, with the principle of least privilege and need-to-know basis.
- Non-authenticated and shared/group user IDs are prohibited, and every user must have a unique user ID and password.
- Different authentication mechanisms are used for different delivery channels (e.g., automated access control system or manual control procedures).
- Secure authentication mechanisms are required for operating system access, web applications, voice enquiries, email, fax, and remote access.
- Network device access must be via an encrypted protocol, except for local console access.
- Access control configurations include unique IDs, unique first-time passwords, password complexity, password history, lockout settings, and two-factor authentication for remote access.
Learn about the Password and Access Control Policy that outlines responsibilities and practices for protecting physical assets and sensitive information, meeting PCI DSS requirements, and ensuring secure access control configurations.
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free