Password and Access Control Policy: Responsibilities and Practices

Password and Access Control Policy Document Control

• The Password and Access Control Policy sets out responsibilities and practices to protect physical assets and sensitive information.
• The policy is designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
• The policy applies to all systems and assets owned, managed, or operated by the company.
• HR Role/Line Manager is responsible for informing IT of new employees, changes to access rights, and leavers.
• The Information Security Manager reviews and approves access requests and audits user and access lists on a quarterly basis.
• Systems Administrators must adhere to the policy when making changes to access privileges and ensure that systems enforce the configurations.
• User authentication is based on job classification and function, with the principle of least privilege and need-to-know basis.
• Non-authenticated and shared/group user IDs are prohibited, and every user must have a unique user ID and password.
• Different authentication mechanisms are used for different delivery channels (e.g., automated access control system or manual control procedures).
• Secure authentication mechanisms are required for operating system access, web applications, voice enquiries, email, fax, and remote access.
• Network device access must be via an encrypted protocol, except for local console access.
• Access control configurations include unique IDs, unique first-time passwords, password complexity, password history, lockout settings, and two-factor authentication for remote access.