Implementation of an IT Charter in a company makes it possible to set rules for the use of IT equipment by employees, but also provides for penalties in case of violation of these rules. Its implementation has also been recommended by the National Commission for Computing and Liberties (CNIL).
Usually integrated into the company’s internal rules (or added as an annex to these rules), the IT charter can also be integrated into the employment contract (although the first solution is preferred).
In this article, let’s find out why to create an IT charter, as well as 10 essential points when writing this document.
Submit your project on Codeur.com for free, get 15 quotes and choose the ideal service provider.
find a provider
Why Create an IT Charter?
Before giving you the essential points that should appear in your charter, take a look at the importance of the latter to your business!
The IT Charter serves as a reference document for your teams
The IT Charter is the first defense in protecting your data. Employees, contractors, partners and supervisors may refer to this document to limit threats, breaches and data loss.
It defines the framework for using the IT tools provided to employees and freelancers. You will find, in particular, the operating modes of CRM, ERP, messaging applications and other internal software.
The IT Charter also defines the measures to be taken for the management and processing of data.
For the employee, this is a useful resource! He does not need to constantly refer to the CIO (Director of IT and/or Information Systems) to solve certain problems. This can improve its productivity as well as the productivity of your IT managers.
IT Charter defines the barriers between personal and professional life
This document sets out the conditions for access to computer terminals, as well as limits on use for personal purposes. Similarly, this Charter describes the terms of use of social networks (and the Internet in general) in a professional context.
Its purpose is to prevent personal and business data from being confused, or that employees reveal sensitive information on social networks.
The IT charter should also include sanctions in case of non-compliance with established rules. For this purpose, it has legal significance.
IT Charter inspires better use of IT tools
Depending on your business, IT infrastructure can focus most of your business budget. With a clearly defined charter, you can optimize the use of your equipment.
Employees know how to use your software effectively to maximize value. Thus, you are saved from unexpected maintenance or repair expenses.
IT charter strengthens cyber security
Strengthening cyber security is a core asset of the IT Charter! Data leaks and hacking can be very costly for a business. And contrary to popular belief, it’s not just big corporations that attract hackers!
43% of cyber attacks affect SMEs and 60% of affected small businesses file for bankruptcy within 6 months. Human error is the cause of data leaks in 95% of cases.
It is therefore important to make your employees aware of good cyber security practices. It starts with the IT Charter. Clear and well-written policies can go a long way in mitigating these risks.
For example, you can set limits on the use of personal computing tools or define a password policy within your company. Don’t forget to remember the basic rules in terms of malware protection: avoid opening attachments from strangers, call your manager when in doubt, don’t write your credentials on a sticky note, use strong pass words, etc.
10 points to integrate into your IT charter
Now that you know the value of an IT charter, it’s time to start building it. Here are 10 elements to integrate:
1. Use of Personal Equipment
The use of personal devices (computer, telephone, etc.) by the employee within the framework of his work is a delicate point.
In fact, such practices are dangerous to the security of company data, but also to the dignity of employee personal information.
While it is better to ban the use of personal devices altogether, another solution is to set up an “airtight” space on the employee’s equipment, in which data and applications for business use will be stored.
This allows the company to take control of the worker’s activities without having access to all of their data.
2. Means of Monitoring
Monitoring of employees’ activities by the employer is subject to certain limitations that must be known.
First, if it is possible to access the employee’s connections, files, and personal email, this can only be done in his presence.
The use of an e-mail control device or even Internet activities is permitted provided:
- To consult with employees’ representatives;
- notifying employees in advance;
- To make an announcement to CNIL.
3. Use of Electronic Mail
The use of email within the company should also be regulated within the framework of the IT Charter.
In particular, this may include respecting privacy measures (for example, never mentioning certain sensitive information by email).
This may also be to limit the size of attachments that can be received or sent by email.
With regard to the use of professional e-mail for personal purposes, it is not prohibited.
However, the employee must clearly identify the personal emails (otherwise, they will be considered professional and the employer will have the right to consult them). To do this, for example, he can create a dedicated directory in his mailbox.
4. Internet access for personal use
In principle, access to the Internet for personal purposes in a professional context is tolerated within reasonable limits.
However, the IT Charter may provide a list of sites (or categories of sites) that employees are not entitled to visit.
It may also prohibit the downloading of certain files.
5. Possible Sanctions
The IT Charter may provide for applicable penalties for non-compliance with the prescribed rules. However, these should not be contrary to the law (particularly the Labor Code) and should not be excessive.
Dismissal is a potential sanction, disregard and non-compliance with the IT Charter may constitute serious misconduct.
6. Rules for creating and managing passwords
Very important point! The IT charter should integrate training and awareness on the importance of choosing a strong password. Consider including rules for creating and changing passwords.
This document should also include specific requirements for password complexity and length. It should educate employees about the risks of using a simple word or personal information.
7. Remote Access
In the context of popularization of telecommunications, the IT Charter should define a framework. It helps to reduce the risk of hacking or spying.
Therefore the IT Charter should include provisions relating to the sending or receiving of email and the use of intranet resources. The company may require the traveling employee to have VPN access, the installation of anti-malware software, and the use of a recent operating system.
For example, employees should not:
- engage in illegal activities on their remote access
- Let unauthorized users access your work equipment
- Connect personal tools to business tools
The IT charter should prohibit connecting to other networks when disconnecting and connecting to internal networks when leaving your device alone.
This document may also include Wi-Fi connection rules, especially for employees who travel regularly. The latter, who have to connect to public Wi-Fi, should be made aware of good practices to secure their connections.
8. A Crisis Management Policy
Crisis management policy should be part of the IT charter. It describes the company’s response to a cyber security incident.
It should detail the role of each team member, the means and resources used to identify and recover tampered data. The steps in incident response are as follows:
- preparation
- Recognizance
- prevention
- Destruction
- health benefit
- post event
Purpose of this policy? Encourage employee feedback by educating them on procedures to follow in the event of a data breach or security breach risk.
9. Maintenance of Computer Systems
Like all equipment, computer systems require regular maintenance. To reduce downtime and costs associated with hardware and software failure, include regular maintenance schedules and procedures in your charter.
- When and how will IT maintenance happen?
- How will employees be notified?
- What types of service interruptions can be avoided?
Thus, your employees will be able to estimate these periods.
10. Signatures of the employees of the company
An IT charter is not complete until employees decide to sign it. This shows that they have read the written information, that they agree to it and that they will abide by the rules. Their vigil has been increased.
This signature also gives legal importance to the document. Once approved, they will have no choice but to implement the rules set out in the charter.
Conclusion
Keep these things in mind while writing this important document. To help you out, you can also download this Model IT Charter offered by CNIL.
Need help managing your business IT systems? Find a Freelance IT Service Provider at Codeur.com.