Sample Access Control Policy

The Access Control Policy establishes requirements for restricting access to cardholder data based on the principle of least privilege to ensure compliance with PCI-DSS. It applies to all personnel with access to the organization's information systems and outlines specific policy statements regarding access rights, password policies, and multi-factor authentication. Procedures for implementation and roles and responsibilities are also defined to maintain security and monitor access effectively.

Uploaded by

PRASAD PATHAK

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

13 views2 pages

Sample Access Control Policy

Uploaded by

PRASAD PATHAK

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

Access Control Policy

1. Purpose
The purpose of this Access Control Policy is to establish requirements for restricting access to
cardholder data and information systems based on the principle of least privilege. This ensures
compliance with PCI-DSS requirements 7 and 8.

2. Scope
This policy applies to all employees, contractors, consultants, and third-party vendors who have
access to the organization’s information systems and cardholder data.

3. Policy Statements
• Access rights shall be role-based and reviewed quarterly.
• Unique IDs must be assigned to each user before system access is granted (PCI-DSS Req. 8.1).
• Strong password policy must be enforced: at least 12 characters, mix of uppercase, lowercase,
numbers, and symbols, changed every 90 days.
• Inactive accounts shall be disabled within 90 days.
• User accounts must be disabled within 24 hours of termination or role change.
• Multi-factor authentication (MFA) must be enforced for all remote access (PCI-DSS Req. 8.3).
• Privileged access must be logged and monitored continuously (PCI-DSS Req. 10).

4. Procedures / Implementation Guidelines

• IT Security team to maintain an access control matrix mapping roles to system privileges.
• Quarterly user access reviews will be conducted by managers and validated by the IT Security
team.
• Accounts for terminated employees will be disabled within 24 hours by HR notifying IT Security.
• Password policy will be enforced via centralized authentication systems (e.g., Active Directory).
• MFA will be implemented using approved corporate authentication solutions (e.g., Duo, RSA).

5. Roles & Responsibilities

6. References
• PCI-DSS v4.0 Requirements 7, 8, and 10
• ISO/IEC 27001:2022 Annex A.9 - Access Control

Sample - Access Control Policy v1.0
No ratings yet
Sample - Access Control Policy v1.0
8 pages
Access Control Policy 1.0
No ratings yet
Access Control Policy 1.0
9 pages
Access Control Policy
No ratings yet
Access Control Policy
8 pages
Access Control Policy
No ratings yet
Access Control Policy
2 pages
TemplatePCI DSSProcedure
No ratings yet
TemplatePCI DSSProcedure
3 pages
ISO 27001 Control Mapping
No ratings yet
ISO 27001 Control Mapping
1 page
Data Security Policy Template
100% (1)
Data Security Policy Template
12 pages
Access Control Policy Template
100% (3)
Access Control Policy Template
6 pages
Sample Security Policies
No ratings yet
Sample Security Policies
6 pages
Access Management Policy April2025
No ratings yet
Access Management Policy April2025
3 pages
User Access Management
No ratings yet
User Access Management
10 pages
Defradar Access Control Policy en
No ratings yet
Defradar Access Control Policy en
8 pages
Access Control Polic1
No ratings yet
Access Control Polic1
7 pages
Access Control Policy Guide
100% (1)
Access Control Policy Guide
8 pages
Pci Policy Template
No ratings yet
Pci Policy Template
18 pages
Access Control Policy
No ratings yet
Access Control Policy
3 pages
Access Control
No ratings yet
Access Control
11 pages
PCI DSS Compliance Guide
No ratings yet
PCI DSS Compliance Guide
9 pages
Data Protection Policy Template
No ratings yet
Data Protection Policy Template
12 pages
Access Control Policy v3
No ratings yet
Access Control Policy v3
5 pages
(PIS) Individual Assignment
No ratings yet
(PIS) Individual Assignment
5 pages
PCI Intro
No ratings yet
PCI Intro
5 pages
Information Security Policy Guide
No ratings yet
Information Security Policy Guide
7 pages
Identity & Access Management Policy
100% (3)
Identity & Access Management Policy
4 pages
Information Security Policy v3
No ratings yet
Information Security Policy v3
15 pages
North Carolina Access Control Policy
No ratings yet
North Carolina Access Control Policy
21 pages
Access Control and Physical Security Policy Template v1.0
No ratings yet
Access Control and Physical Security Policy Template v1.0
10 pages
ISO 27002 Security Controls Guide
No ratings yet
ISO 27002 Security Controls Guide
267 pages
IT Access Control Guidelines
No ratings yet
IT Access Control Guidelines
6 pages
ABC Inc. Access Control Policy
No ratings yet
ABC Inc. Access Control Policy
6 pages
Security Awareness and Training
No ratings yet
Security Awareness and Training
11 pages
2.IT Policies - Access Privilege Policy
No ratings yet
2.IT Policies - Access Privilege Policy
10 pages
PCI DSS Security Guidelines
No ratings yet
PCI DSS Security Guidelines
8 pages
Pci Dss Information Security Policy v3.2
No ratings yet
Pci Dss Information Security Policy v3.2
111 pages
Purpose
No ratings yet
Purpose
9 pages
Information Security Policy
No ratings yet
Information Security Policy
15 pages
PCI DSS Security Guide
No ratings yet
PCI DSS Security Guide
24 pages
Shelly Bray Week2PowerPoint
No ratings yet
Shelly Bray Week2PowerPoint
8 pages
Access Control Policy
No ratings yet
Access Control Policy
1 page
PCI DSS Compliance Checklist
No ratings yet
PCI DSS Compliance Checklist
4 pages
New Project
No ratings yet
New Project
86 pages
PCI DSS V4.0 Control Objectives and Requirements
No ratings yet
PCI DSS V4.0 Control Objectives and Requirements
1 page
IT Access Control Guidelines
No ratings yet
IT Access Control Guidelines
3 pages
PCI Compliance Policy Overview
No ratings yet
PCI Compliance Policy Overview
18 pages
Employee Data Security Guide
No ratings yet
Employee Data Security Guide
5 pages
Information Security Policy Guide
100% (2)
Information Security Policy Guide
17 pages
Policy On Network Security and Access V1.00
100% (2)
Policy On Network Security and Access V1.00
15 pages
IT Acceptable Usage Policy 2024
No ratings yet
IT Acceptable Usage Policy 2024
12 pages
ISO27001 Technology Risk Assessment Guide
100% (1)
ISO27001 Technology Risk Assessment Guide
12 pages
Identification and Authentication Policy
No ratings yet
Identification and Authentication Policy
5 pages
HIPAA Compliance Checklist 2022
No ratings yet
HIPAA Compliance Checklist 2022
5 pages
Pci DSS Compliance Checklist
No ratings yet
Pci DSS Compliance Checklist
9 pages
ISO 27K2 Heade Domainwise Sheets
No ratings yet
ISO 27K2 Heade Domainwise Sheets
96 pages
Access Control Policy Template
No ratings yet
Access Control Policy Template
9 pages
Access Control Policies
No ratings yet
Access Control Policies
5 pages
IT-Infra - Policies Updated ISMS - Roshan
No ratings yet
IT-Infra - Policies Updated ISMS - Roshan
57 pages
CIS Controls Version 8.1.2
No ratings yet
CIS Controls Version 8.1.2
24 pages
PCI DSS V4.0 Compliance Requirements Guide
No ratings yet
PCI DSS V4.0 Compliance Requirements Guide
1 page

Sample Access Control Policy

Uploaded by

Sample Access Control Policy

Uploaded by

Access Control Policy

4. Procedures / Implementation Guidelines

5. Roles & Responsibilities

You might also like