Password and Access Control Policy Summary
9 Questions

Questions and Answers

What is the document titled 'Password and Access Control Policy' primarily aiming to satisfy?

  • HIPAA compliance standards
  • NIST SP 800-53 guidelines
  • PCI DSS requirements 7.1 & 7.2, and 8.5 (correct)
  • ISO 27001 requirements

Which of the following is NOT among the access control configurations detailed in the policy document?

  • Biometric authentication
  • Single-factor authentication (correct)
  • Two-factor authentication
  • Password history maintenance

Who is assigned ownership of the initial draft template of the 'Password and Access Control Policy' document?

  • Human Resources Manager
  • Chief Financial Officer
  • Chief Operating Officer
  • Information Security Manager or equivalent (correct)

Which principle guides user authentication for access privileges according to the policy document?

  Answer: Access privileges based on business needs

What is mandated regarding default passwords before system operation as per the policy document?

  Answer: Changing default passwords before system operation

What disciplinary actions are mentioned for policy violations in the document?

  Answer: Disciplinary actions for policy violations

Which of the following is NOT detailed in the 'Password and Access Control Policy' document?

  Answer: Software development guidelines

What is the specific requirement for storing passwords as per the policy document?

  Answer: Storing passwords securely

Who is responsible for reviewing and approving deviations from the policy document?

  Answer: Security Management Team and/or Legal Counsel

Study Notes

Password and Access Control Policy Document Summary

  • The document titled "Password and Access Control Policy" is in draft status, version 0.1, and covers roles and responsibilities, authentication, access control configurations, and enforcement.
  • It sets out specific responsibilities, conditions, and practices to minimize risk and maximize the protection of physical assets and sensitive information, aiming to satisfy PCI DSS requirements 7.1 & 7.2, and 8.5.
  • The policy applies to all systems and assets owned, managed, or operated by the organization.
  • Roles and responsibilities are defined for the HR Role/Line Manager, the Information Security Manager, and Systems Administrators, with specific duties for each.
  • User authentication principles include granting access privileges based on business need, observing least privilege, and assigning each user a unique user ID with a personal secret password.
  • Authentication mechanisms and role-based access control are detailed for user, operating system, web, voice, email, fax, white mail, remote access, and network device authentication.
  • Access control configurations include unique user IDs, password requirements, password history maintenance, lockout settings, two-factor authentication, and account deactivation policies.
  • The policy mandates changing default passwords before a system goes into operation, storing passwords securely, and enforcing regular password changes and account deactivation.
  • Enforcement measures include disciplinary action for policy violations; deviations are permitted only with a valid business case reviewed and approved by the Security Management Team and/or Legal Counsel.
  • The document references the Payment Card Industry Data Security Standard (PCI DSS) as the key framework for its requirements and guidelines.
  • The initial draft template assigns ownership to the Information Security Manager or equivalent, with instructions to edit job titles/descriptions accordingly.
  • The document also includes a table of contents, a document revision history, a document distribution/stakeholders list, and a section on definitions and references.

Description

Summary of a draft document titled 'Password and Access Control Policy' covering roles and responsibilities, authentication principles, access control configurations, and enforcement measures to protect physical assets and sensitive information in compliance with PCI DSS requirements.