QS0029-03: Password Control Policy

Question 1

QS0029-02: Password Control Policy

Describe the meaning of “User-level account.”

Answer 1

Accounts created for use by individuals that will be accessing assets

Question 2

QS0029-02: Password Control Policy

How is the “Service Account” defined?

Answer 2

An account that provides a security context for services, esp automated services. e.g., an account that runs a windows task, service, or cronjob, or is used to auto-pull from git or docker.

Question 3

QS0029-02: Password Control Policy

How often should passwords for sensitive systems be changed?

Answer 3

Passwords must be changed at least every three months.

Question 4

QS0029-02: Password Control Policy

What is NOT a best practice for password policy (summarize)?

Answer 4

Revealing or provide hints about your password to anyone, at any time, ever.

Using the “Remember Password” feature of applications (e.g., Chrome, Bing, Outlook).

Storing passwords outside of the password vault - this includes paper.

Question 5

QS0029-02: Password Control Policy

What should passwords not contain?

Answer 5

Personal information, names of family, and birthdate.

Question 6

QS0029-02: Password Control Policy

What action you must consider if an account or password compromise is suspected?

Answer 6

Report the incident to DevOps and change all passwords.

Question 7

QS0029-02: Password Control Policy

Where should be passwords stored?

Answer 7

In the company password vault.