Password and Access Control Policy

9 Questions

Which standard does the Password and Access Control Policy aim to meet?

PCI DSS

Who is responsible for informing IT of new employees and changes to access rights?

Human Resources

What principle does user authentication follow?

Principle of least privilege

What is prohibited in terms of user IDs?

Shared user IDs

What is required for operating system access authentication?

Role-based access control and password authentication

What is required for web authentication for applications?

Secure mechanism and role-based access control with password authentication

What is required for voice authentication?

Verification of caller identity

What is required for email authentication?

Scanning attachments for viruses

What is required for network device authentication?

Encrypted protocols for access

Study Notes

Password and Access Control Policy

  • The Password and Access Control Policy is a document that outlines specific responsibilities, conditions, and practices to minimize risks and protect physical assets and sensitive information.
  • The policy is designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
  • The policy applies to all systems and assets owned, managed, or operated by the organization.
  • The roles and responsibilities include HR informing IT of new employees and changes to access rights, the Information Security Manager approving access requests, and Systems Administrators adhering to the policy when making changes to access privileges.
  • User authentication is based on business needs and follows the principle of least privilege.
  • Non-authenticated or shared user IDs are prohibited, and every user must have a unique user ID and personal secret password.
  • Authentication mechanisms must be suited to the delivery channel and implemented with a strength appropriate to the information security risk being managed.
  • Operating system access authentication requires a secure mechanism for remote or console access, with role-based access control and password authentication.
  • Web authentication for applications must implement a secure mechanism and role-based access control with password authentication.
  • Voice authentication requires verification of caller identity to prevent "social engineering" attacks.
  • Email authentication involves scanning attachments for viruses, confirming sender identity, and handling requests with care.
  • Network device authentication requires encrypted protocols for access, with exceptions for local console access.
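Two of the clauses above translate directly into checks an auditor can run against authentication logs: the ban on shared user IDs, and the requirement that network devices be reached over encrypted protocols except from the local console. The script below is an added example written for this page, not part of the policy or of any quizzed material; the log format (`timestamp user source protocol device`) and the sample lines are constructed for illustration, and the ten-minute window used to detect one user ID in use from several hosts is an assumed heuristic.

```python
"""Added example: audit constructed auth-log lines against two policy clauses.

Clause 1 - shared user IDs are prohibited: a single user ID active from more
           than one source host within a short window is a likely shared account.
Clause 2 - network device access must use encrypted protocols, with local
           console access exempt: flag non-console logins over telnet/http.
Log format (hypothetical, not from the policy): "<ISO timestamp> <user> <src> <proto> <device>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical hosts, users and devices).
SAMPLE_LOG = """\
2024-03-01T09:00:05 alice 10.0.1.15 ssh core-sw-01
2024-03-01T09:00:40 alice 10.0.1.15 ssh core-sw-01
2024-03-01T09:03:10 netops 10.0.2.7 ssh edge-rtr-01
2024-03-01T09:04:55 netops 10.0.3.22 ssh edge-rtr-02
2024-03-01T09:10:00 bob 10.0.1.90 telnet core-sw-02
2024-03-01T09:12:30 carol console ssh core-sw-01
2024-03-01T09:13:00 dave console telnet edge-rtr-01
2024-03-01T11:00:00 netops 10.0.2.7 ssh edge-rtr-01
"""

# Protocols accepted as "encrypted" for network device access (assumed list).
ENCRYPTED_PROTOCOLS = {"ssh", "https"}
CONSOLE_SOURCE = "console"


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, proto, device = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src": src,
            "proto": proto,
            "device": device,
        })
    return events


def find_shared_ids(events, window=timedelta(minutes=10)):
    """Return {user: sorted source hosts} for IDs used from >1 host inside `window`.

    Two logins by the same ID from different hosts close together in time are a
    strong indicator that the ID is shared between people, which the policy bans.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    shared = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # events are sorted; later ones are further apart
                if a["src"] != b["src"]:
                    shared.setdefault(user, set()).update({a["src"], b["src"]})
    return {u: sorted(hosts) for u, hosts in shared.items()}


def find_cleartext_access(events):
    """Return (user, proto, device) for non-console logins over unencrypted protocols.

    Local console sessions are exempt, mirroring the policy's exception; any
    other source must use an encrypted protocol.
    """
    return [
        (e["user"], e["proto"], e["device"])
        for e in events
        if e["src"] != CONSOLE_SOURCE and e["proto"] not in ENCRYPTED_PROTOCOLS
    ]


def run_checks(text):
    """Run both checks over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "shared_ids": find_shared_ids(events),
        "cleartext_access": find_cleartext_access(events),
    }


if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

Run against the sample lines, the shared-ID check flags `netops` (used from two hosts within two minutes) and the encrypted-protocol check flags `bob`'s telnet session, while `dave`'s telnet login from the console is left alone under the policy's exception.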

This quiz covers the Password and Access Control Policy, which outlines responsibilities, conditions, and practices to minimize risks and protect physical assets and sensitive information. It includes user authentication, access control mechanisms for various systems, and roles and responsibilities of different stakeholders. The policy is designed to meet PCI DSS requirements.
