
How to create a company IT charter?

Implementing an IT policy in a company sets the rules for employees' use of IT tools and also provides for sanctions in case of rule violations. Its implementation is also recommended by the National Commission on Information Technology and Civil Liberties (CNIL).

Usually included in the company's internal rules (or added as an appendix to those rules), the IT policy can also be incorporated into the employment contract (though the first option is preferred).

In this article, let's look at why you should create an IT charter and the 10 essential points to include when drafting this document.


Why create an IT charter?

Before listing the essential points that should appear in your charter, a reminder of why it matters for your company!


The IT charter serves as a reference document for your teams

The IT policy is the first line of defense in protecting your data. Employees, contractors, partners and managers can refer to this document to limit threats, vulnerabilities and data loss.

It defines the framework for using the IT tools provided to employees and freelancers. In particular, this is where you will find the operating procedures for CRMs, intranets, ERPs, messaging applications and other internal software.

The IT policy also defines the measures to be taken for the management and processing of data.

For the employee, it is a useful resource! They do not need to constantly consult the IT Director (the head of information systems) to resolve certain issues. This can improve their productivity as well as that of your IT managers.


The IT charter defines the boundaries between private and professional life

This document also determines the conditions of access to IT devices, as well as the limits on personal use. Likewise, the policy describes the rules for using social networks (and the internet in general) in a professional context.

The goal is to prevent personal and professional data from being mixed up, or employees from revealing sensitive information on social networks.

The IT policy must also include sanctions for non-compliance with the established rules. In that respect, it has legal value.


The IT charter promotes better use of IT tools

Depending on your activity, IT infrastructure can account for the majority of your company's budget. With a clearly defined policy, you can optimize the use of your tools.

Employees know how to use your software effectively to maximize its value. This spares you unexpected maintenance or repair expenses.


The IT charter strengthens cybersecurity

Strengthening cybersecurity is the main benefit of an IT charter! Data breaches and hacking can be very costly for a company. And contrary to some common beliefs, it's not only large corporations that attract hackers!

43% of cyberattacks affect SMEs, and 60% of affected small businesses go bankrupt within 6 months. In 95% of cases, human error is the cause of the data breach.

It is therefore important to raise your staff's awareness of cybersecurity best practices. It starts with the IT policy. Clear, well-written policies can greatly help minimize these risks.

You can, for example, set limits on the use of personal IT tools or define a password policy within your company. Don't forget to restate the basic rules for protecting against malware: avoid opening attachments from unknown senders, call your manager if in doubt, don't write your credentials on a post-it, use strong passwords, etc.


10 points to include in your IT charter

Now that you understand the importance of an IT policy, it's time to create one. Here are the 10 elements to include:


1. Use of personal equipment

An employee's use of personal devices (computer, phone, etc.) for work is a sensitive issue.

Indeed, such a practice is both risky for the company's data security and threatens the protection of the employee's personal information.

While it may be preferable to simply ban the use of personal equipment, another option is to create a "sealed" workspace on the employee's device where business data and applications are stored.

This allows the company to exercise control over the worker's activities without accessing all of their personal data.


2. Monitoring methods

Monitoring employees' activities by the employer is subject to certain limits that must be understood.

First, while it is possible to access an employee's connections, files and personal emails, this can only be done in their presence.

The use of a system to monitor email or internet activity is permitted provided that the employer has:

  • Consulted staff representatives;
  • Informed employees beforehand;
  • Filed a declaration with the CNIL.


3. Use of email

The use of email within the company must also be regulated within the IT policy.

This may include confidentiality measures to be observed (for example, never mentioning certain sensitive information by email).

It may also involve limiting the size of attachments that can be received or sent by email.

Using professional email for private purposes is not prohibited.

However, the employee must clearly identify personal emails (otherwise they would be considered professional and the employer would then have the right to consult them). To do this, for example, they can create a dedicated folder in their mailbox.


4. Internet access for personal purposes

In principle, access to the internet for personal purposes during work is tolerated within reasonable limits.

The IT policy may, however, set out a list of sites (or categories of sites) that employees are not allowed to visit.

It may also prohibit downloading certain files.


5. Possible sanctions

The IT policy can specify the sanctions applicable in case of non-compliance with the stated rules. However, these must not conflict with the law (in particular the Labor Code) nor be excessive.

Dismissal is a possible sanction; ignorance of or failure to comply with the IT policy can constitute serious misconduct.


6. Rules for creating and managing passwords

Very important point! The IT charter must include training and awareness about the importance of choosing a strong password. Remember to include rules for creating and changing passwords.

This document should also include specific requirements regarding password complexity and length. It should raise employee awareness about the risk of using an easy password or including personal information in it.
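As an added illustration (not part of the original article), here is how the requirements above can be turned into an enforceable check: a minimum length, character-class complexity, a blocklist of common passwords, and a scan for the employee's own personal information. The thresholds and the sample personal data are assumptions, not values from the article.

```python
"""Password policy check of the kind section 6 calls for.
Thresholds and sample data are assumptions for illustration."""
import re
from dataclasses import dataclass, field

# Regexes for the four character classes counted towards complexity.
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


@dataclass
class PasswordPolicy:
    min_length: int = 12      # assumed minimum length
    min_classes: int = 3      # assumed number of character classes required
    # Assumed blocklist of common passwords; a real policy would use a larger list.
    banned: set = field(default_factory=lambda: {"password", "123456", "qwerty", "azerty"})

    def violations(self, password: str, personal_info=()) -> list:
        """Return a list of policy violations; an empty list means the password passes."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")

        classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
        if classes < self.min_classes:
            problems.append(f"uses {classes} character classes, needs {self.min_classes}")

        lowered = password.lower()
        for word in sorted(self.banned):
            if word in lowered:
                problems.append(f"contains common word '{word}'")

        # Personal information (name, birth year, company name...) must not appear,
        # regardless of case; very short fragments are ignored to avoid noise.
        for item in personal_info:
            fragment = item.lower().strip()
            if len(fragment) >= 3 and fragment in lowered:
                problems.append(f"contains personal information '{item}'")
        return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample: an employee's surname and birth year.
    for candidate in ("Dupont1985", "Password123!", "Correct-Horse-Battery-7"):
        print(candidate, "->", policy.violations(candidate, ["Dupont", "1985"]) or "OK")
```

Note that "Password123!" meets the length and complexity rules yet still fails, which is why a blocklist and a personal-information check belong in the policy alongside length and complexity.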


7. Remote access

With remote work growing in popularity, the IT charter must define a framework for it. This helps minimize the risks of hacking or espionage.

The IT charter should therefore include provisions concerning the sending or receiving of emails and the use of intranet resources. The company may require a traveling employee to use VPN access, install anti-malware software and run an up-to-date operating system.

For example, employees must not:

  • Engage in illegal activities using their remote access
  • Allow unauthorized users to use their work device
  • Connect personal devices to professional tools

The IT policy must also require logging off when employees leave their device unattended, and forbid connecting to other networks while connected to the internal network.

This document can also include rules for Wi‑Fi connections, especially for staff who travel regularly. Those who connect to public Wi‑Fi should be made aware of best practices to secure their connections.


8. A crisis management policy

The crisis management policy should be part of the IT charter. It describes the company’s response to a cybersecurity incident.

It must detail the role of each team member and the means and resources to use to identify and recover compromised data. The incident response phases are as follows:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Post-incident

The purpose of this policy? To encourage employee responsiveness by informing them of the procedure to follow in the event of a data breach or exposure to a security flaw.


9. IT systems maintenance

Like all tools, IT systems need regular maintenance. To minimize interruptions and the costs related to hardware and software failures, you should include schedules and processes for regular maintenance in your charter.

  • When and how will IT maintenance take place?
  • How will staff be informed?
  • What types of service interruptions can be avoided?

This way, your colleagues can anticipate those periods.


10. Employee signatures

An IT charter is only complete when employees decide to sign it. This shows they have read the information, agree with it, and will comply with the rules. Their vigilance is strengthened.

This signature also gives the document legal value. Once approved, they will have no choice but to apply the rules set out by the charter.


Conclusion

Be careful not to omit these elements when drafting this important document. To help you, you can also download this IT charter template provided by the CNIL.

Need help managing your company’s IT systems? Find a freelance IT provider on Codeur.com.