Sub-Requirement 7.1 and 7.2

  • 7.1 Limit access to computing resources and cardholder information only to those individuals whose job requires such access
  • 7.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed

Illustrative Controls and the TIBCO LogLogic Solution

User access rights to systems and data should be in line with defined and documented business needs and job requirements. Accurately managing user access rights addresses the issues of unintended or malicious modifications of sensitive data (including cardholder information). Administrators must determine that the following requirements are met:

  • Access rights for privileged User IDs are restricted to the least privileges necessary to perform the job.
  • Assignment of privileges to individuals is based on job classification and function.
  • Authorization forms signed by management and specifying required privileges are maintained for each access control modification.
  • An automated access control system is being used.
  • The system is configured to “deny all” by default (meaning that a default user would have no access).

To help validate these requirements, administrators must periodically review user access to files and programs to ensure the users have not accessed items outside of their role.
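The periodic review described above can be automated against access logs. The following is an added example (not TIBCO LogLogic code or part of the original document): it models the 7.2 "deny all" default as a role-to-resource allowlist and flags every logged access that the user's role does not explicitly permit, including accesses by users with no assigned role. The role names, users, file paths and log format are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Role -> set of resources the role is allowed to access. Anything not listed is denied
# (the "deny all" default of 7.2). Roles and paths are constructed for this example.
ROLE_ALLOWLIST: Dict[str, Set[str]] = {
    "billing_clerk": {"/pci/card_data/current.db", "/apps/billing"},
    "dba": {"/pci/card_data/current.db", "/pci/card_data/archive.db", "/apps/dbadmin"},
    "helpdesk": {"/apps/ticketing"},
}

# User -> role, assigned by job function (7.1). Constructed for this example.
USER_ROLES: Dict[str, str] = {
    "alice": "billing_clerk",
    "bob": "dba",
    "carol": "helpdesk",
}

# Constructed sample access-log lines in a simple "timestamp user action resource" form.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice READ /pci/card_data/current.db
2024-03-01T09:05:12Z carol READ /apps/ticketing
2024-03-01T09:07:44Z carol READ /pci/card_data/current.db
2024-03-01T09:10:03Z bob WRITE /pci/card_data/archive.db
2024-03-01T09:12:30Z dave READ /apps/billing
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<resource>\S+)$")

def is_allowed(user: str, resource: str) -> bool:
    """Deny-by-default check: allowed only if the user's role explicitly lists the resource."""
    role = USER_ROLES.get(user)
    if role is None:
        return False  # unknown user: no role assigned, so no access
    return resource in ROLE_ALLOWLIST.get(role, set())

def review_access_log(log: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, user, action, resource) for every access outside the user's role."""
    violations = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production review would count these separately
        if not is_allowed(m["user"], m["resource"]):
            violations.append((m["ts"], m["user"], m["action"], m["resource"]))
    return violations

if __name__ == "__main__":
    for ts, user, action, resource in review_access_log(SAMPLE_LOG):
        print(f"ALERT {ts} {user} {action} {resource} (outside assigned role)")
```

Run against the constructed log, it reports two findings: the helpdesk user reading the cardholder database and an access by a user with no assigned role.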

Reports and Alerts

Use the following link/reference to see the 7.1 and 7.2 reports and alerts: