CCASS/3 - Frequently Asked Questions 
21/01/2016 
 


IV. Security Management: Delegated Management System (DMS)

 
Smartcard and Smartcard Reader
Q19 What is the security measure for Participants to log on to CCASS/3?


Access to CCASS/3 will be authenticated by a smartcard as the security token using a digital certificate.

Q20 How many smartcards will be issued to each Participant?


It depends on the number of users of each Participant.  In general, one smartcard will be issued to one user.

Q21 Can a Participant use the same smartcard to access different C3T?


Yes.  Participants can use the same smartcard to access different C3T installed in their offices.

Q22 Can Participants install the smartcard reader in a slim PC or is the smartcard reader an external device?


The smartcard reader is an external device.

Q23 Is smartcard reader required for all C3Ts?


Yes.  Each C3T should have a smartcard reader attached as the security device for Participants to access CCASS/3 using a smartcard.

Segregation of Duty
Q24 Can a Participant assign a single user as a Delegated Administrator (DA) handling both the maker and checker functions?


This is strongly discouraged for control purposes.  Under very special circumstances (e.g. in the case of sole proprietorship), a Participant can apply for such a setup.

Q25 Can Participants assign operational staff as DA?


For better control, it is recommended not to assign staff who are involved in CCASS operations as DA.

Q26 Can a Participant assign more than one checker or maker to handle the DA functions?


Yes.  Participants can assign more than one checker or maker as DA according to their internal control requirements.

Q27 Will separate sets of smartcards be issued to DA makers and checkers?


Yes, separate sets of smartcards will be issued to DA makers and checkers.  DAs cannot perform security management functions with the smartcards issued to other operational staff.

Q28 Can a DA checker use relevant maker's smartcard to access CCASS/3 and vice versa?


A smartcard should be issued to a specific user with an associated user profile, which cannot be shared by others.

Q29 What is the main difference between the functions of a DA maker & a DA checker?


When maintaining (changing/deleting) user profile, a maker inputs the details of the user profile while a checker authorizes the details.  Both input and authorization are required when updating a user profile.

Q30 In what situation should a DA checker use the smartcard to log on to CCASS/3?


Depending on the administration rights assigned to him, a DA checker will use the smartcard to log on to CCASS/3 and enquire on user profiles, view listings and maintenance reports, get the authorization code and reset smartcard passwords.

Q31 Is there a transaction limit assigned to each DA?


Transaction limit is not applicable to the DA functions.

Authorization Code
Q32 If a DA checker wrongly inputs the checker ID three times, will the DA authorization code be revoked?


No.  The DA authorization code is generated by CCASS/3 and will not be revoked by a DA checker.  However, if a DA checker inputs an incorrect authorization code and attempts to confirm the transaction three times, the relevant DA maker’s account will be disabled.  In such a situation, the Participant should apply to HKEX to re-activate the DA maker’s account.

Q33 Are DA checkers required to memorize the authorization code?


DA checkers can either memorize the authorization code for convenience or obtain the code via the on-line enquiry function whenever needed.

Q34 How often will the authorization code be changed?


The authorization code will be changed by CCASS/3 on the first day of each month.

DA’s Operations
Q35 Are DAs required to initialize their smartcards?


Yes, all DA smartcards should be initialized before use.

Q36 Can a DA maker's smartcard remain in the smartcard reader while the relevant DA checker authorizes a transaction?


A DA maker's smartcard can remain in the smartcard reader while the checker authorizes a transaction.

Q37 If an operation user resigns from the company and his job is taken up by another user, can the DA assign a new user name and user profile to the resigned user's smartcard?


Yes, a DA can do so if the new user will be on board soon.  In this case, the DA should disable the old user account and then make changes for the new user later on.  But if no new user is expected in the near future, the Participant is recommended to delete the old user profile and apply for a new user ID when such need arises.

Q38 Are Participants required to change the passwords of the smartcards for DA makers and checkers?


It is not mandatory for Participants to change the passwords of the smartcards for DA makers and checkers.  However, Participants are recommended to do so on a regular basis for better security.

Q39 If the DA resets the password for a user, is the user concerned required to change the password at the first log-on?


Yes, the user should change the password during the first log-on for maximum protection.

Q40 Is there any charge on the DA smartcard?


Similar to the smartcards for operational users, a fee of HKD250.00 will be levied for each new smartcard issued for a DA.

Q41 When a DA sets up a user profile, is it compulsory for the DA to input the “enabled date” and “disabled date”?


No, “enable date” and “disabled date” are not compulsory input fields.  Input to such data fields is only necessary when a Participant wants to specify an effective date that a user account will be activated or deactivated.
