Access Control Procedures en
Contents
E-Channels Terms and Conditions (E-Terms) General E-Terms
Access Control Procedures
E-CHANNELS TERMS AND CONDITIONS (E-TERMS) GENERAL E-TERMS

on E-Channels to be in accordance with its own mandates and internal controls. Neither the Profile Bank nor any other member of the Group is under any obligation to review whether an Instruction conflicts with any other instruction or mandate of the Profile Owner or Account Holder. The Profile Bank may decline or delay to act on an Instruction where it doubts its legality, origination or authorisation.
3.3 The Parties agree to comply with the Security Measures. The Profile Owner shall establish, maintain and review its own appropriate internal security measures for its use of and access to the E-Channels, including the installation and ongoing update of anti-virus software. The Profile Owner is responsible for ensuring the appropriate application of the Security Measures when submitting Instructions.
3.4 The Profile Owner shall promptly acquire, maintain, update and install (where relevant) any equipment, software, telecommunications facilities, networks, connections, patches, releases and/or updates which the Profile Bank requires it to obtain and use, or that the Profile Bank provides to the Profile Owner in connection with its access to the E-Channels. The Profile Owner is responsible for obtaining and maintaining the computer software and equipment necessary to access and use the E-Channels.
3.5 The Profile Owner shall not alter, reverse engineer, copy (other than to the extent necessary for the permitted use), publish or impart to any third party any products or services provided by the Profile Bank, including the E-Channels or any software or materials provided as part of its products or services.

4. Warranties, Representations and Undertakings
4.1 The Profile Owner undertakes to:
(a) provide to the Profile Bank all documents and other information reasonably requested by it from time to time in relation to the E-Channels; and
(b) notify the Profile Bank as soon as possible if it becomes aware of any theft, fraud, illegal activity, loss, damage or other misuse in relation to the E-Channels.
4.2 If the Profile Owner uses or accesses an E-Channels in relation to an account of a third party, it represents and warrants that it has appropriate authorisation from that third party to do so.
4.3 Neither the Profile Bank nor any other member of the Group shall be liable for any Loss suffered as a result of the acts or omissions of an Infrastructure Provider, but will cooperate with the Profile Owner in the recovery of any such Loss.
4.4 The Profile Bank may suspend the E-Channels for maintenance or for any other reason where it reasonably considers it necessary to do so. The Profile Bank will provide the Profile Owner with reasonable prior notice of the suspension where it is practical to do so.

5. Fees and charges
The Profile Owner shall pay to the Profile Bank such fees, costs, charges, interest and expenses in connection with the E-Channels as stipulated by or agreed with the Profile Bank in accordance with the terms and conditions applicable to the Services.

6. Amendments
The Profile Bank may make amendments to the E-Terms which will become effective on the expiry of 45 days’ notice to the Profile Owner. Any such notice may be given to the Profile Owner in writing or by publishing such amendments on www.hsbcnet.com. However, the Profile Bank may, in exceptional circumstances, make amendments to the E-Terms at any time in order to comply with any law or regulation, which will become effective immediately on notice to the Profile Owner.
at all times and not facilitate any unauthorised use of these credentials. In particular, the Profile Owner shall not share any security credentials or access of an E-Channels with any third party other than to a regulated third party service provider that the Profile Owner has authorised.
3. The Profile Owner is responsible for the careful selection of its Users, noting such Users are provided with access to a wide range of capabilities including assigning entitlements to accounts or other services and sending instructions in relation to those accounts or services.
4. The Profile Owner shall notify the Profile Bank promptly if any Security Devices are lost or stolen.
5. The Profile Owner shall:
(a) promptly take appropriate action to protect any User’s profile if it has any suspicion that such User’s credentials have been in full or part compromised in any way;
(b) review recent activity on its accounts and User profiles if it suspects any User’s credentials have been compromised and inform the Profile Bank promptly of any discrepancies; and
(c) regularly review its account and Users’ profile activity and entitlements to ensure that there are no irregularities and report any discrepancies promptly to the Profile Bank.
6. The Profile Owner shall promptly remove a User from its E-Channels profile in the event that any such User leaves the Profile Owner’s organisation. The Profile Owner shall promptly suspend the use of the E-Channels by any User where there is any concern about the conduct of that User or their entitlements. The Profile Owner shall ensure that security credentials or devices are only used by the specific individual User that they are assigned to other than to a regulated third party service provider that the Profile Owner has authorised.
7. The Profile Owner shall ensure that its users provide correct, full and unabbreviated details whenever they are required by the HSBC Group. The Profile Owner shall further ensure that their Users regularly review such information and update their details whenever there is a change to their details and do not maintain more than one username or set of security credentials at any time.
8. The Profile Owner shall inform the Profile Bank within seven days of dispatch of a Security Device by the Profile Bank that it has not received the package sent, provided that the Profile Owner is made aware of the dispatch.
9. The Profile Owner shall return any Security Devices to the Profile Bank promptly if requested by the Profile Bank.
10. The Profile Owner shall adopt and review its internal security measures on a regular basis to ensure protection remains up to date and in line with regulatory and industry best practice guidance. These should include, but not be limited to, malware protection, network restrictions, physical access restrictions, remote access restrictions, computer security settings, monitoring of improper usage, guidance on acceptable web browsers and email usage including how to avoid acquiring malware.
11. The Profile Owner shall have processes in place to prevent Users being socially engineered or acting on fraudulent communications. This is to prevent business email compromise and similar schemes where a fraudster sends an email impersonating someone known to the authorised User for an E-Channels and seeking to change an address or bank account number where payments are to be sent. Such processes should include, for example, where communications are received by Users seemingly from known senders (including, but not limited to, senior management, suppliers and vendors) to ensure the authenticity of those communications are independently verified (through a means other than email).
12. If any E-Channels is accessed by a User via a mobile device, the Profile Owner shall require that the User:
(d) does not leave the mobile device unattended after logging on to any E-Channels;
(e) clicks the ‘Logout’ button when the User is finished accessing any E-Channels;
(f) enables the mobile device’s automatic pass code lock feature;
(g) does not share mobile devices being used to access E-Channels with others;
(h) is the only person registered for biometrics (for example, face, fingerprint, voice, retina etc.) on the device;
(i) takes steps to de-register devices that should no longer be used as an authentication method as envisaged in clause 15; and
(j) does not access the E-Channels via a mobile device that has been jailbroken, rooted or otherwise compromised.
13. The Profile Owner acknowledges and agrees that in the event that its E-Channels is suspended for any reason, any subsequent reactivation of that E-Channels will automatically reinstate all original entitlements, limits, User access and access to the same accounts and services as prior to such suspension.
14. The Profile Owner should be aware that Users accessing an E-Channels via a mobile device can carry out a wide range of activities using the device. This includes utilising the mobile device (for instance, in place of a Security Device) to authenticate activities carried out on a separate E-Channels session conducted via a desktop computer.
15. Where Users access E-Channels
ACCESS CONTROL PROCEDURES

1. The System
HSBCnet is the Bank’s internet portal through which you access your selected Services. To access HSBCnet, you will require browser software and an internet connection – either through a dial-up connection or through your local area network (LAN).
a variety of forms of delivery. You must inform the Bank promptly if, within a reasonable period of time (normally seven days) of dispatch, you have not received the packages sent
• Where packages containing security materials cannot be delivered directly to the appropriate individuals in your company, (for example where your mail room takes delivery), you are responsible for ensuring that the third party passes the appropriate package directly to the individual
• When using a physical security token to access HSBCnet services once the User has been authenticated using the device, a secure session is opened that remains open until the User logs off. It is, therefore, vital that you log off from HSBCnet when leaving your terminal unattended even if the service that was accessed using the physical Security Device is itself closed
• You should never leave physical security tokens unguarded or where they could be misappropriated regardless of the fact that they are PIN-protected. This includes ensuring that devices are stored in a secure place when not in use
• You should never give or lend your physical Security Device to another person
operating procedures established for the management of any physical security tokens
• Physical security tokens must be stored under safe conditions to ensure they remain in an operational condition. Avoid:
– Extreme temperatures
– Incorrect voltages
– High humidity
– Corrosive or chemical substances
– Direct sunlight
– Water, detergent, bleach, alcohol
• You should always follow the usage and security guidance published on the site or in customer guides provided by the Bank
Please note that the Bank reserves the right, if it believes any physical security token is being misused, to demand its return.

Digital certificate management
Digital certificates stored on the smart card device must not be sent to any other party or used for any other purpose than to access HSBCnet.

System compatibility
You must ensure that you have compatible hardware and software in order to access the System. Minimum

Security standards
You must review your internal security procedures as necessary to ensure protection remains up to date. In particular, you must ensure that:
• The encryption technology used or required to be used by the Bank in relation to the System is compliant with the local law where the System is being accessed
• You establish and maintain system security standards for the components used to access HSBCnet, in line with recognised industry standards and vendor instructions and adopt all relevant patches, updates and all other measures relating to operation or security issued or recommended by the Bank or suppliers of hardware and software components. This includes the implementation and appropriate maintenance of up-to-date firewall and virus protection, denial of service prevention measures and other security measures such as the use of intrusion detection software commensurate with the size and complexity of your information technology operations
• The Bank will presume that you operate information technology and system controls in line with relevant regulatory standards, for example Sarbanes Oxley, as applicable

System access
To prevent unauthorised access to the system, you must ensure that:
• Users log off from the System after use and do not leave access terminals while logged on
• Users log off from the System properly using the Logout button at the top-right corner of the screen instead of closing the browser window
• You notify the Bank immediately of any unauthorised or suspected access or use of the System (including Identifiers) or any unauthorised, unknown or suspected transaction or instruction
• You remove access rights and notify the Bank immediately of any actual or suspected impropriety on the part of any User in connection with the Services or where a User is no longer authorised to use the System due to leaving employment or otherwise
• You comply with all reasonable requests for assistance from the Bank, the police or other regulatory authorities in identifying actual or potential breaches of security
File Upload
In order to deliver the file containing Customer Instructions to the Bank, you must complete the information required in the File Upload tool covering the file type, format, authorisation level required and country (where appropriate) before selecting the file from the specified location. Once you have selected Go and the Bank has received the file, the Bank will issue a simple on-screen acknowledgement confirming that the file has been received. The Bank will then perform some initial validation before issuing a file acknowledgement report, which should be accessed through the Report and File Download function.
You are responsible for advising the Bank of the receipt of a file acknowledgement report for which no file was sent, any inaccuracy in the file acknowledgement report, or failure to receive a file acknowledgement report within a reasonable period of time. The HSBCnet file upload tool will take the file of Customer Instructions from the specified location at your site and send it to the Bank. It is therefore important that measures are taken to minimise the chance that the file is tampered with.
These include:
• The file should be kept in a secure location with minimal access to it permitted
• It should only be possible to create the file by an authorised process and read by the HSBCnet System
• All access to the file is logged in a secure manner to enable investigations to be carried out should these be necessary
In all situations but particularly where pre-authorised files of Customer Instructions are sent to the Bank, it is extremely important that the above measures are adopted. Nothing in this ACP prejudices the terms of Clause 3 of the HSBCnet Customer Agreement and, in particular, your obligation to ensure that Customer Instructions are correctly transmitted to the Bank.

7. Troubleshooting

Availability of Services
The Services will normally be available at all times, but we may suspend all or part of the System or Services at any time at our discretion.
Please note that a transaction being carried out is not always simultaneous with a Customer Instruction being given. Some matters may take time to process and certain Customer Instructions may only be processed during normal banking hours even though the Services may be available outside such hours.

Technical support
Technical support in relation to the System or the Services is available to all Users from the Bank as follows:
• Online helptext
Helptext is available on the System that can assist Users to identify and resolve common technical issues.
• System Administrator support
Most problems Users may experience with HSBCnet can be resolved by their System Administrators. System Administrators have the ability to perform various tasks including amending User’s entitlements and resetting their passwords.
• Helpdesk support
Where issues cannot be resolved by System Administrators, telephone support is also available during normal banking hours. At the discretion of the Bank, staff Users may be required to verify their identity.
• Banking support
In the event that the Customer is unable to use the System, they should contact their helpdesk in order to make contingency arrangements. The Bank may in its discretion require the User to verify their identity.
• User suspension
The System permits System Administrators to suspend other Users. This feature is intended for use in situations where a User is required to be temporarily disabled from using the System, for example during a holiday absence. It is not intended for use in a situation where material security concerns exist about a User’s behaviour. In such a case, the System Administrator should immediately delete the User from the System and revoke the User’s smart card (if held). If suspension is the only option available (for instance, because the User needs to be disabled urgently and no other System Administrator is available to approve the deletion), it should be undertaken in conjunction with other protective measures, such as the retrieval of the User’s smart card. If in doubt, please call the Bank for assistance. Users need to be in ‘Active’ or ‘Approved’ status before they can be suspended. Once a User has been suspended, it is important that no further maintenance is undertaken on that User’s profile or access rights prior to their eventual reactivation/deletion.
www.business.hsbc.am
+374 60 655 000