
Security Management System


From: Systems Control & Documentation Unit (Inspection Department)

To: All Users


Subject: User’s Responsibilities

1. Each User is responsible for any data entry emanating from his User Id.
2. Access Bank’s security policy requires only authorized users to make use of the
Bank’s Hardware, Software, and other accessories.
3. No user may use any other User’s account with or without that User’s permission.
4. Any process done on the system carries the user-id of the person that logged into
the system with it. Hence any problem will be traced to the particular user.
5. Do not leave your workstation unattended. The user must always logout of the
system before leaving the workstation.
6. Each User should change his/her password every thirty days or earlier if you
consider it compromised and notify the Inspection department. Passwords are
expected to be changed every 30 days. If passwords are not changed, access may
be denied and the User will be required to contact the Inspection department to
obtain a new password.
7. If you forget your password, you must forward an authorization letter endorsed
by your department head to the Inspection department to reset the password.
8. After three (3) unsuccessful login attempts, the system will automatically disable the
user ID concerned and the workstation on which it is attempted. A log of all login
failures is being generated for security review.
9. Each time you login to the system, always review the last login date & time (and if
any, invalid login). Report promptly to the Inspection department if it does not
correspond with the last time you logged on.
10. When going on leave, notify the department so that your user ID is deactivated.
11. On return from leave, notify the department through your group Head to activate
your user ID.
12. You cannot use ten previous passwords.
13. After twenty cumulative unsuccessful attempts your User Id would be disabled.
14. After one hundred and twenty seconds of inactivity, the system will log you out.

www.accessbankplc.com
15. A password should have a minimum of six characters and a maximum of eleven
characters.
16. You cannot use the following types of passwords (i.e. restrictive passwords):
Bank level: Applicable to all the users of the system, e.g. name of bank, city, country,
etc.
User role level: Applicable to all the users doing a similar kind of role, for example
names or terms that are commonly used in the department.
User level: A list of prohibited passwords shall be maintained for each user. These
passwords are generally names or words that can easily be associated with the user,
for example the name of the user’s spouse, car number, telephone number, date
of birth, etc.

1.0 Appropriate Use of Resources


Access Bank’s software, data, network, and computing resources are intended for
business purposes only. Use of the bank’s resources for non-business activity or in
excess of required need is strictly prohibited. Activities, components, or applications
that are not directly specified as part of the bank’s software and resource standards are
also prohibited.

Login IDs and Passwords
A User will not receive a login ID or password for any Access Bank IT assets or
resources until an Individual Security Policy Disclosure (Attachment A) has been
signed. During the first login to the network or other asset or resource, the User must
change the provided temporary password. If the User does not change the password,
access may be denied and the User will be required to contact the Systems Control &
Documentation Unit to obtain a new password. A User will request access using the
Request for Access (Attachment B) form.

1.1 Appropriate Use of Resources (Cont’d)

Software
• Users shall use only legal versions of copyrighted software in compliance with
vendor license requirements.
• Users shall not copy any of the bank’s application for use on another computing
resource without written consent of the Systems Control & Documentation Unit.
• Users shall not copy any of the bank’s application or data for use on a non-
computing resource without the written consent of the Systems Control &
Documentation Unit.
• Users shall not copy any non-owned application or software to any of the bank’s
computing resource without written consent of the Systems Control &
Documentation Unit.

Network and Computing Resources


• Users shall not add any type of communication device (modem etc.) to computing
resource that connects to, or has the ability to connect to, the bank’s network.
• Users shall not connect to the network through any means other than those defined
and administered by the bank.
• Users shall not connect any new device or computing resource to any network
without written consent of the Systems Control & Documentation Unit.
• Users shall not probe or monitor files within the network without written consent of
the Systems Control & Documentation Unit.
• Users shall not attempt to obtain rights or access other than those specifically
defined by the Systems Control & Documentation Unit.
• Users shall not view or attempt to view customer records or files without the
necessary authorisation.
• Users shall not possess, attempt to develop, or execute programs that could harass
other Users or infiltrate the network.
• Users shall not possess, attempt to develop, or execute programs that may damage
or alter the software or hardware components of the network or computing
resources. All programs introduced to the network or computing resource must
have undergone a series of testing and certification by authorised personnel.
• Users shall not bring or cause to bring any material (e.g. food, explosives,
combustible materials) that can cause physical damage near any of the bank’s
network or computing resource.
• Users shall be responsible for appropriate disposal of unwanted output materials
from any computing resource. Management shall ensure that facilities are made
available to appropriately dispose of unwanted materials produced from a
computing resource, e.g. a shredder.

E-mail
• Access Bank’s E-mail system shall not be used to send fraudulent, subversive,
harassing, obscene, threatening, or other unlawful messages.
• Users shall not create, send, or forward multilevel marketing or prank letters (chain
letters, pyramid selling schemes, etc.).
• E-mail shall be used for the bank’s official business related communications only.

1.2 Appropriate Use of Resources


Internet Connectivity
• This involves linking Access Bank’s computing resources to other public / private
networks that may provide the bank with access to relevant and useful global
information.
• Users shall not use Access Bank’s name, symbol, logo, or confusingly similar
graphic on any Internet presence (E-mail, Web Page, etc.) without prior written
consent of Access Bank’s management.
• Users shall not search or view sites that do not directly support the bank’s business
objective.
• Users shall not search or view sites that are not directly associated with defined
work objectives.
• Users shall not download any software, applications, or scripts without the written
consent of the IT department.
• Users shall not transmit or make available to the Internet any customer information
without prior written consent of Access Bank’s management.
• Users shall not misrepresent or conceal their identity or affiliation for any reason.
• Examples of prohibited activities include:
   1. Downloading or viewing pornography or sexually explicit material of any sort.
   2. Downloading any games or non-business applications.
   3. Participating in any Internet non-business activities, newsgroups, or games.
3. Participating in any Internet non-business activities, newsgroups, or games.

1.3 Compliance
Management will communicate all specific standards, procedures, and guidelines
supporting this policy to all employees. Management will also use them as a basis for
compliance monitoring, reporting and review. Failure to comply with security policies,
procedures, guidelines, and standards constitutes improper conduct and will be
handled in accordance with personnel policies concerning disciplinary action at the
sole discretion of Access Bank’s management.

1.4 Monitoring
Access Bank’s Management, Information Technology and Inspection department have
the right to monitor all activities associated with the use of the bank’s IT assets and
resources. Anyone using the bank’s IT assets and resources consents to such
monitoring and is advised that if such monitoring reveals possible evidence of criminal
activity, Inspection personnel may provide the evidence of such monitoring to law
enforcement officials. Management, as a basis for disciplinary actions, may also use
the evidence of such monitoring.
Access Bank reserves the right to monitor and inspect all applications and data located
on the bank’s computing resources. This includes, but is not limited to e-mails, text
documents, graphics, and applications. All applications and data located on the bank’s
computing resources shall be considered the property of Access Bank or that of a
contracted Third Party Vendor. As such, management and Information Technology and
Inspection department may monitor, inspect, copy, and delete any application or data
located on such computing resources. Contracted Third Party Vendor applications will
be handled in compliance with established vendor licensing requirements.

1.5 Disciplinary Action


Any violation of policies outlined within this document may lead to disciplinary action at
the sole discretion of Access Bank’s management. Disciplinary action will be based on
the severity and context of the incident and will follow the disciplinary procedures of the
bank. The Inspection department may deny or revoke computing privileges at any time.
Security privileges may be restored only after consultation between the Inspection and
Access Bank’s senior management personnel.

1.6 State and National Laws


Conduct in violation of the principles set forth above, with respect to the use of the
bank’s IT assets and resources may be subject to criminal or civil legal action in
addition to Access Bank’s disciplinary action.

1.7 Security Policy Updates


Due to changing technology and security threats, Access Bank reserves the right to
modify this policy as required and release updated versions. All changes to this policy
will be made available via a defined communication channel. The primary
representative of each Third Party Vendor will also be provided with updates when
there is an ongoing relationship with the vendor. It is the responsibility of each user to
be familiar with, and abide by, the most current version of Access Bank’s Information
System Security Policy. Use of the bank’s IT assets and resources implies consent to
the updated policy. Any questions regarding changes to the security policy should be
directed to the Systems Control and Documentation Unit (Inspection department).

Individual Security Policy Disclosure

ATTACHMENT A

I hereby verify that I have read, understood, and will follow all security policies outlined
in the - Information System Security Policy document. I understand that any
violation of such policies may result in legal and/or disciplinary action.

____________________________ ______________________
Requester Name Requester Signature & Date

__________________________________________
Company Name (If not direct employee)

PASSWORD SECRECY UNDERTAKING

Having been assigned an ID to operate the bank’s computer system, I undertake that:

A I will keep my password to myself and would not share it with another employee of
the bank and/or an outsider.

B In case I become aware of someone else’s password by mistake, I undertake not to
use it under any circumstances. I further undertake to advise the individual
concerned to change his or her password to ensure its secrecy.

C In case where I have been/will be provided with more than one ID, I would not use
one to check/approve my own work. I fully understand that this is in violation of the
bank’s basic policy that “no one rank, title or function will process a specified
transaction from initiation to final authorisation”.

D I fully understand that because of any failure on my part to fulfil the above, any
disciplinary action can be taken against me including the termination of my services
from the bank notwithstanding the terms and condition laid down in my employment
contract.

NAME: ----------------------------------------------------

SIGNATURE: -------------------------------------------

DATE: ----------------------------------------------------
