Change Vendor Default Password Policy
- Introduction
The Payment Card Industry Data Security Standard (PCI DSS) requires a formal policy and supporting procedures for changing vendor-supplied default settings on all system components.
- Policy
- Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. Note: This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.
- All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, and SNMP community strings) are to be changed before a system is installed in the cardholder environment.
- Unnecessary default accounts are removed or disabled before a system is installed on the network.
- Appropriately configure, examine, and confirm system settings and all necessary configurations to ensure that encryption keys are changed from default at installation.
- Responsibility for Policy Maintenance
PCI Committee – the College PCI Committee, whose members include the Network and Security Services Manager, the Compliance and Information Governance Manager and the Head of Treasury Management (pcidsscom@imperial.ac.uk), is responsible for maintaining the Policy.
Changelog:

| Date | Author | Change |
|---|---|---|
| 22 Sep 2017 | Anh Duong | First draft of new policy |
| 27 Sep 2017 | Saadia Sajid | Review and amendments to draft |