Now that you know the value of an IT charter, it’s time to start building it. Here are 10 elements to integrate:
1. Use of Personal Equipment
The use of personal devices (computer, telephone, etc.) by employees for work is a delicate point.
Such practices endanger the security of company data, but also the confidentiality of employees' personal information.
While it is better to ban the use of personal devices altogether, another solution is to set up a sealed-off space on the employee's device, in which the data and applications for business use are stored.
This allows the company to manage the professional part of the device without having access to all of the employee's data.
2. Means of Monitoring
Monitoring of employees' activities by the employer is subject to certain limitations that must be known.
First, even where it is technically possible to access an employee's connections, files and personal email, this may only be done in the employee's presence.
The use of a system to control e-mail or Internet activity is permitted provided that:
- the employees' representatives are consulted
- the employees are notified in advance
- a declaration is made to the CNIL (the French data protection authority)
3. Use of Electronic Mail
The use of email within the company should also be regulated within the framework of the IT Charter. In particular, this may include privacy measures (for example, never mentioning certain sensitive information by email). It may also limit the size of attachments that can be received or sent. The use of professional e-mail for personal purposes is not prohibited. However, the employee must clearly identify personal emails (otherwise they will be considered professional and the employer will have the right to consult them). To do this, for example, the employee can create a dedicated directory in the mailbox.
4. Internet access for personal use
In principle, access to the Internet for personal purposes in a professional context is tolerated within reasonable limits. However, the IT Charter may provide a list of sites (or categories of sites) that employees are not entitled to visit. It may also prohibit the downloading of certain files.
5. Possible Sanctions
The IT Charter may provide for applicable penalties for non-compliance with the prescribed rules. However, these must not be contrary to the law (particularly the Labor Code) and must not be excessive. Dismissal is a potential sanction, since disregard of and non-compliance with the IT Charter may constitute serious misconduct.
6. Rules for creating and managing passwords
Very important point! The IT charter should integrate training and awareness on the importance of choosing a strong password. Consider including rules for creating and changing passwords. The document should also state specific requirements for password complexity and length, and it should educate employees about the risks of using a simple dictionary word or personal information.
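As an added illustration (not code from the original article), the following Python check applies the kind of rules described above: a minimum length, several character classes, and rejection of common dictionary words or personal information even when disguised with simple substitutions. The blocklist and the employee details are constructed sample values; a real charter would reference an organisation-maintained list.

```python
import string

# Constructed sample blocklist of common words; a real deployment would use
# a larger, organisation-maintained list (assumption).
COMMON_WORDS = ("password", "welcome", "company", "summer", "letmein", "qwerty")

# Simple substitutions people use to dress up a dictionary word (p@ssw0rd).
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def normalise(text: str) -> str:
    """Lower-case the text and undo common leetspeak substitutions."""
    return text.lower().translate(_LEET)


def check_password(pw: str, personal_info: list[str], min_len: int = 12) -> list[str]:
    """Return the list of charter violations; an empty list means the password is accepted.

    personal_info holds strings the employee must not reuse (name, birth year, ...).
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")

    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if sum(classes) < 3:
        problems.append("fewer than 3 of: lower, upper, digit, symbol")

    raw, norm = pw.lower(), normalise(pw)
    # A password built around a single common word is rejected even if padded.
    for word in COMMON_WORDS:
        if word in raw or word in norm:
            problems.append(f"contains common word '{word}'")
    # Personal information is rejected in raw or disguised form.
    for item in personal_info:
        token = normalise(item)
        if len(token) >= 3 and (token in raw or token in norm):
            problems.append(f"contains personal information '{item}'")
    return problems


def is_acceptable(pw: str, personal_info: list[str]) -> bool:
    """Convenience wrapper: True when the password meets every rule."""
    return not check_password(pw, personal_info)
```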
7. Remote Access
With the spread of teleworking, the IT Charter should define a framework for remote access. This helps to reduce the risk of hacking or spying. The IT Charter should therefore include provisions on sending and receiving email and on the use of intranet resources. The company may require the traveling employee to use VPN access, to install anti-malware software, and to run a recent operating system. For example, employees should not:
- engage in illegal activities over their remote access
- let unauthorized users access their work equipment
- connect personal devices to business tools
The IT charter should prohibit being connected to other networks at the same time as the internal network, and leaving a device connected to the internal network unattended. This document may also include Wi-Fi connection rules, especially for employees who travel regularly. Those who have to connect to public Wi-Fi should be made aware of good practices for securing their connections.
8. A Crisis Management Policy
A crisis management policy should be part of the IT charter. It describes the company's response to a cyber security incident. It should detail the role of each team member and the means and resources used to identify and recover tampered data. The steps in incident response are as follows:
- Preparation
- Identification
- Containment (preventing further spread)
- Eradication
- Recovery
- Post-incident review
The purpose of this policy is to encourage employees to report problems by educating them on the procedures to follow in the event of a data breach or a risk of security breach.
9. Maintenance of Computer Systems
Like all equipment, computer systems require regular maintenance. To reduce downtime and costs associated with hardware and software failure, include regular maintenance schedules and procedures in your charter.
- When and how will IT maintenance happen?
- How will employees be notified?
- What types of service interruptions can be avoided?
Thus, your employees will be able to anticipate these periods.
10. Signatures of the employees of the company
An IT charter is not complete until employees sign it. This shows that they have read the written information, that they agree to it and that they will abide by the rules. Their vigilance is heightened. The signature also gives the document legal weight: once approved, employees are bound to follow the rules set out in the charter.