Password and Access Control Policy Summary

Password and Access Control Policy Summary

• The Password and Access Control Policy sets out responsibilities, conditions, and practices to protect physical assets and sensitive information.
• The policy applies to all systems and assets owned, managed, or operated by the company.
• The HR role/line manager is responsible for informing IT of new employees, changes to access rights, and leavers.
• The Information Security Manager approves access requests and audits user and access lists.
• Systems administrators must adhere to the policy when making changes to access privileges.
• User authentication is based on business needs and access is granted on a need-to-know basis.
• Access control systems must have a default "deny-all" setting and non-authenticated user IDs are prohibited.
• Every user must have a unique user ID and password for system access.
• Different authentication mechanisms are required for operating systems, web applications, voice calls, email, fax, and remote access.
• Two-factor authentication is required for remote access to the Cardholder Data Environment.
• Passwords must be unique, at least 8 characters long, and include a combination of upper and lower case letters, numbers, and special characters.
• Violation of the policy may result in disciplinary action, and deviations are only allowed with a valid business case approved by the Security Management Team or Legal Counsel.