Implementing an IT charter in a company makes it possible to set the rules for employees' use of IT tools, and also to provide for sanctions if those rules are violated. Its implementation is also recommended by the National Commission for Data Protection (CNIL).
Generally integrated into the company's internal regulations (or appended to them), the IT charter can also be integrated into the employment contract (the first solution is, however, preferred).
In this article, we look at why you should create an IT charter, as well as 10 essential points to cover when writing this document.
Why write a computer charter?
Before going through the essential points that must appear in your charter, let's go back over why it matters for your business!
The IT charter serves as a reference document for your teams
The IT charter is the first bulwark in the protection of your data. Employees, providers, partners and managers can refer to this document to limit threats, faults and data loss.
It defines the framework for using the IT tools made available to employees and freelancers. In particular, it sets out how the CRM, ERP, messaging applications and other internal software are to be used.
The IT charter also defines the measures to be taken for data management and processing.
For the employee, it is a useful resource! They do not need to constantly refer to the CIO (Director of IT and/or Information Systems) to solve certain problems. This can improve their productivity, as well as that of your IT managers.
The IT charter defines the barriers between private and professional life
This document also determines the conditions of access to computer terminals, as well as the limits on their use for personal purposes. Likewise, the charter describes the terms of use of social networks (and the internet in general) in a professional context.
The objective is to prevent personal and professional data from being mixed, and to prevent employees from revealing sensitive information on social networks.
The IT charter must also include sanctions in the event of non-compliance with the established rules. For that purpose, it has legal value.
The IT charter induces better use of IT tools
Depending on your activity, the IT infrastructure can account for most of your business budget. With a clearly defined charter, you can optimize the use of your tools.
Employees know how to use your software effectively to get the most value from it. You are thus spared unexpected maintenance or repair expenses.
The IT charter strengthens cybersecurity
Strengthening cybersecurity is the main benefit of an IT charter! Data leaks and hacking can be very expensive for a business. And contrary to popular belief, it is not just the big groups that attract hackers!
43% of cyberattacks affect SMEs, and 60% of small companies that are hit file for bankruptcy within 6 months. In 95% of cases, human error is the cause of the data leak.
It is therefore important to raise your staff's awareness of good cybersecurity practices. That starts with the IT charter. Clear and well-written policies can greatly contribute to minimizing these risks.
You can, for example, set limits on the use of personal IT tools or define a password policy for your business. Do not forget to recall the basic rules of protection against malware: avoid opening attachments from unknown senders, contact your manager in case of doubt, do not write your credentials on a post-it, use strong passwords, etc.
10 points to integrate into your computer charter
Now that you know why an IT charter is useful, it is time to create one. Here are the 10 elements to include.
1. The use of personal equipment
The use by employees of personal tools (computer, telephone, etc.) for their work is a delicate point. Such a practice is both dangerous for the company's data security and a threat to the employee's privacy.
While it is preferable to simply prohibit the use of personal equipment, another solution is to set up a sealed-off ("hermetic") space on the employee's device, in which data and applications for professional use are stored.
This allows the company to exercise control over the worker's professional activity without accessing all of their data.
2. Surveillance means
Monitoring of employee activity by the employer is subject to certain limitations that must be known.
First, while it is possible to access an employee's connections, files and personal emails, this can only be done in their presence.
The use of a system to monitor electronic mail or even internet activity is permitted provided that:
- staff representatives have been consulted;
- employees have been informed beforehand;
- a declaration has been made to the CNIL.
3. Using electronic messaging
The use of email within the company must also be regulated within the framework of the IT charter. It can in particular cover the confidentiality to be respected (for example, never mentioning certain sensitive information by email).
It can also limit the size of attachments that can be received or sent by email.
Using professional email for private purposes is not prohibited. However, the employee must clearly identify personal emails (otherwise they are considered professional, and the employer then has the right to consult them). To do this, they can for example create a dedicated folder in their mailbox.
4. Internet access for personal purposes
In principle, internet access for personal purposes in a professional context is tolerated within reasonable limits.
The IT charter can, however, provide a list of sites (or categories of sites) that employees are not allowed to visit. It can also prohibit the downloading of certain files.
5. Possible sanctions
The IT charter may provide for the sanctions applicable in the event of non-compliance with the rules it sets out. However, these must not be contrary to the law (in particular the Labor Code) or be excessive.
Dismissal is a possible sanction, since disregard for and non-compliance with the IT charter can constitute serious misconduct.
6. Rules of creation and management of passwords
A very important point! The IT charter must include training and awareness-raising on the importance of choosing a strong password. Remember to include rules for creating and changing passwords.
This document must also include specific requirements on password complexity and length. It must educate employees about the risk of using an easily guessed word or including personal information.
7. Remote access
As teleworking becomes widespread, the IT charter must define a framework for it. This makes it possible to minimize the risk of hacking or espionage.
The IT charter must therefore include provisions concerning the sending and receiving of emails and the use of intranet resources. The company may require employees on the move to use VPN access, install anti-malware software and use an up-to-date operating system.
For example, employees should not:
- Engage in illegal activities on their remote access;
- Allow unauthorized users to use their work device;
- Connect personal devices to professional tools.
The IT charter must also require employees to disconnect when leaving their device unattended, and prohibit connecting to other networks while connected to the internal network.
This document may also include rules for connecting to Wi-Fi, in particular for employees who travel regularly. Since they are led to connect to public Wi-Fi, they must be made aware of good practices for securing their connections.
8. A crisis management policy
The crisis management policy must be part of the IT charter. It describes the company's response to a cybersecurity incident.
It must detail the role of each member of the team, and the means and resources to be used to identify and recover compromised data. The phases of incident response are as follows:
- Preparation;
- Identification;
- Containment;
- Eradication;
- Recovery;
- Post-incident.
The objective of this policy? To encourage employees to react quickly by informing them of the procedure to follow in the event of a data breach or exposure to a security flaw.
9. IT systems maintenance
Like all tools, IT systems need regular maintenance. To minimize the interruptions and costs related to hardware and software failures, your charter should include maintenance calendars and regular maintenance processes.
- When and how will IT maintenance take place?
- How will staff be informed?
- What types of service interruption can be avoided?
Thus, your employees will be able to anticipate these periods.
10. Signature by the company's employees
An IT charter is only complete once employees sign it. This shows that they have read the information it contains, that they agree with it and that they will respect the rules. Their vigilance is reinforced.
This signature also gives legal value to the document. Once approved, they have no choice but to apply the rules laid down by the charter.
CNIL IT charter template
The CNIL offers an IT charter template on its website. Do not hesitate to adapt it to the type and specific needs of your business.
It is also recommended to have network administrators sign a specific charter, as they are at the heart of the company's IT system and therefore particularly exposed to risk.
Our advice to write a computer charter
The IT charter has legal scope. It is important to draft it properly, without forgetting to mention the possible sanctions in the event of non-compliance with the charter.
You can have your IT charter written by a copywriter or by a lawyer. Do not hesitate to find a web or legal writer among our freelancers to help you with this process.
To go further in the management of your business computer systems and to secure your data, find a Freelance cybersecurity provider on Coder.com.