PCI DSS FAQ - Payment Card Industry (PCI) Data Security Standard Discussion Forum  


[PCI-DSS] Requirement 8: Assign a unique ID to each person with computer access

Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

#1 admin (Administrator), 03-18-2007, 03:15 AM

8.5.8 Do not use group, shared, or generic accounts and passwords

8.5.8.a For a sample of system components, critical servers, and wireless access points, examine user ID lists to verify the following:
* Generic User IDs and accounts are disabled or removed
* Shared User IDs for system administration activities and other critical functions do not exist
* Shared and generic User IDs are not used to administer wireless LANs and devices
8.5.8.b Examine password policies/procedures to verify that group and shared passwords are explicitly prohibited
8.5.8.c Interview system administrators to verify that group and shared passwords are not distributed, even if requested

#2 dwfox64 (Junior Member), 02-12-2008, 10:50 AM

Has anyone had issues with this policy in the mid-range server space? Our company has had some resistance to needing some shared ids in the Oracle admin or software install areas. In these cases, the users sign on with their personal id and sudo over to the admin id. Is this allowed under this policy? Are the sudo logs sufficient compensating control?
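
An added example, not part of either post and not from the forum: a Python check of how far sudo's own log ties activity under a shared ID back to a named person in the setup described above. It relies on the fact that sudo records only the command it launches, so a shell started through sudo leaves the later commands out of this log. The shared ID name `oracle`, the status labels and the log lines are assumptions constructed for the example.

```python
import re

SHARED_IDS = {"oracle"}   # assumption: the shared admin ID(s) at this site
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "su"}
LINE_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<who>\S+) : (?P<rest>.*)$")

# Constructed sample in sudo's default syslog format (not taken from the thread).
SAMPLE_LOG = """\
Feb 12 10:41:07 db01 sudo:   jsmith : TTY=pts/3 ; PWD=/home/jsmith ; USER=oracle ; COMMAND=/u01/app/oracle/bin/lsnrctl status
Feb 12 10:44:52 db01 sudo:  mgarcia : TTY=pts/5 ; PWD=/home/mgarcia ; USER=oracle ; COMMAND=/bin/bash
Feb 12 10:47:30 db01 sudo:   jsmith : TTY=pts/3 ; PWD=/tmp ; USER=oracle ; COMMAND=/usr/bin/su -
Feb 12 10:50:11 db01 sudo:   oracle : TTY=pts/5 ; PWD=/u01 ; USER=root ; COMMAND=/usr/bin/systemctl restart oracle-db
Feb 12 10:55:02 db01 sudo:     tlee : command not allowed ; TTY=pts/7 ; PWD=/home/tlee ; USER=oracle ; COMMAND=/bin/bash
"""

def parse(line):
    # Returns who ran what as whom, or None if this is not a sudo command record.
    m = LINE_RE.search(line)
    if not m:
        return None
    head, sep, command = m["rest"].partition("COMMAND=")
    if not sep or not command.strip():
        return None
    parts = [f.strip() for f in head.split(" ; ") if f.strip()]
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    denied = any("=" not in p for p in parts)  # e.g. "command not allowed"
    return {"who": m["who"], "target": fields.get("USER"),
            "command": command.strip(), "denied": denied}

def audit(log_text, shared_ids=SHARED_IDS):
    findings = []
    for line in log_text.splitlines():
        e = parse(line)
        if e is None or not ({e["who"], e["target"]} & shared_ids):
            continue  # record does not involve a shared ID
        prog = e["command"].split()[0].rsplit("/", 1)[-1]
        if e["denied"]:
            status = "DENIED"        # attempt refused by sudo, nothing ran
        elif e["who"] in shared_ids:
            status = "UNATTRIBUTED"  # invoker is the shared ID, no person named
        elif prog in SHELLS:
            status = "SHELL"         # person known, later commands not in this log
        else:
            status = "ATTRIBUTED"    # person and exact command both recorded
        findings.append((status, e["who"], e["target"], e["command"]))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(*f, sep=" | ")
```
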