• Computer security access control policy

    1. Access to data is controlled on several levels by the Corporate Cash Manager system:

    1.1.  The first level of access control is an Investec ID and PIN (user ID). Every user of the system will be assigned his/her own user ID

    1.2. The second level relates to the assignment of different access levels to users:
    this restricts what data users can see and transact upon

    1.3. The third level of access control has been designed for telephone banking and relates to the authentication of a user before a transaction will be effected

    2. Users are obliged to maintain strict password and access level control at all times.

    3.  All transactions on the system require authorisation by two authenticated users

    4. The user of the Corporate Cash Manager system is central to the controls and is obliged to keep the user ID secure. The user ID cannot be obtained from any part of the system or from documentation produced by the system, so the responsibility for not disclosing this information rests with the user.

    5. A full audit trail is available for all activity performed by a user of Corporate Cash Manager while logged on with his/her user ID. Users will therefore be held strictly responsible for all computer activity recorded in the audit trail under their logon.

    6. If a user is forced to disclose their user ID under duress from another employee or third party, the user must report the incident immediately to the appropriate authority within his/her company. If
    the authority is not available then they must contact Investec.

    7. There is an automatic time-out on the system.

    8. Users cannot rely on this security method and must log off if they leave their workstation. Under no circumstances can a user ID be transferred to another person should responsibilities change or the user resign. Investec must be informed of any changes so that the user ID can be de-activated. Users will be held strictly responsible for all computer activity under their logon until formally de-activated