Podcast
Questions and Answers
Who is responsible for informing IT of new employees, changes to access rights, and leavers?
Who is responsible for informing IT of new employees, changes to access rights, and leavers?
Who reviews and approves access requests and audits user and access lists on a quarterly basis?
Who reviews and approves access requests and audits user and access lists on a quarterly basis?
Who must adhere to the policy when making changes to access privileges and ensure that systems enforce the configurations?
Who must adhere to the policy when making changes to access privileges and ensure that systems enforce the configurations?
What is the basis for user authentication?
What is the basis for user authentication?
Signup and view all the answers
What is prohibited for user authentication?
What is prohibited for user authentication?
Signup and view all the answers
What type of access requires secure authentication mechanisms?
What type of access requires secure authentication mechanisms?
Signup and view all the answers
What type of access must be via an encrypted protocol, except for local console access?
What type of access must be via an encrypted protocol, except for local console access?
Signup and view all the answers
What are included in access control configurations?
What are included in access control configurations?
Signup and view all the answers
What does the Password and Access Control Policy set out responsibilities and practices to protect?
What does the Password and Access Control Policy set out responsibilities and practices to protect?
Signup and view all the answers
Study Notes
Password and Access Control Policy Document Control
- The Password and Access Control Policy sets out responsibilities and practices to protect physical assets and sensitive information.
- The policy is designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
- The policy applies to all systems and assets owned, managed, or operated by the company.
- HR Role/Line Manager is responsible for informing IT of new employees, changes to access rights, and leavers.
- The Information Security Manager reviews and approves access requests and audits user and access lists on a quarterly basis.
- Systems Administrators must adhere to the policy when making changes to access privileges and ensure that systems enforce the configurations.
- User authentication is based on job classification and function, with the principle of least privilege and need-to-know basis.
- Non-authenticated and shared/group user IDs are prohibited, and every user must have a unique user ID and password.
- Different authentication mechanisms are used for different delivery channels (e.g., automated access control system or manual control procedures).
- Secure authentication mechanisms are required for operating system access, web applications, voice enquiries, email, fax, and remote access.
- Network device access must be via an encrypted protocol, except for local console access.
- Access control configurations include unique IDs, unique first-time passwords, password complexity, password history, lockout settings, and two-factor authentication for remote access.
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Description
Learn about the Password and Access Control Policy that outlines responsibilities and practices for protecting physical assets and sensitive information, meeting PCI DSS requirements, and ensuring secure access control configurations.
