Public documents
Charter for the use of new Information and Communication Technologies
Preamble
This charter concerns the IT resources, internet, messaging and telephone services of the WAARP company, as well as any other means of remote connection allowing access, via the computer network, to internal or external electronic communication or processing services. These mainly include the following tools:
Laptops and desktop computers,
Touchscreen tablets,
Mobile and landline phones,
Printers,
Software.
This charter applies to all company staff as well as interns and employees of external companies carrying out work within the company. The regulatory framework for information security is complex. Each member of staff must respect the applicable legal rules, in particular with regard to:
Respect for ethical and professional rules,
Compliance with work procedures,
Respect for the organization and the rules of delegation,
Communication of information,
Use of the IT resources made available to him within the framework of his function.
The use of computers is governed by very strict legislation aimed at protecting against, on the one hand, infringements of personal rights resulting from the use of files or computer processing, and on the other hand, attacks on automated data processing systems. Furthermore, the Intellectual Property Code protects the property rights attached to software and data (texts, images and sounds). Concerning the internet, all existing legal rules are intended to apply during its use. The application of these legal provisions results in internal rules that everyone is asked to respect…
Confidentiality of information and obligation of discretion
Staff are subject to professional and/or medical confidentiality. The user must ensure the confidentiality of the data he holds. The creation and use of files containing personal information must be the subject of a prior request to the Commission Nationale Informatique et Liberté (CNIL). Exemplary behavior is required in all oral or written, telephone or electronic communication, whether during professional exchanges or during discussions in the private sphere. Access by users to information and documents stored on the information systems should be limited to those that are their own, as well as those that are public or shared. It is therefore prohibited to read information held by other users, even if they have not explicitly protected it. This rule applies in particular to data covered by professional secrecy, as well as to private conversations such as electronic mail of which the user is neither the direct recipient nor a copy recipient. The user must ensure the confidentiality of the data he holds. In particular, he must not disseminate to third parties, by means of unsecured messaging, nominative and/or confidential information covered by professional secrecy.
Information Protection
The office documents produced must be stored on file servers. These spaces are for professional use only. A unique identification (login + password) is given to each user. The latter is personally responsible for the use that may be made of it, and must under no circumstances communicate it. Each password must be changed at the following frequency:
Three months.
To be effective, a password must contain 8 alphanumeric characters including at least two special characters. In particular, it must not be identical to the login, even with the characters reversed; include the name and/or first name of the user or members of their family, the telephone number, the make of the car or any reference to anything belonging to the user; be a word or a list of words from the dictionary, a proper name or a place name; be written on a document; or be communicated to a third party. Storing private data on network drives is prohibited. Removable storage media (USB keys, CDs, hard drives, etc.) present very serious security risks: significant risks of contamination by malicious programs or risk of data loss. They must therefore be used with great vigilance. The company reserves the right to limit or even prevent the use of these media by blocking the connection ports of IT tools. Sending documents by email or secure platform is preferred.
Use of IT resources
Only people authorized by Management have the right to install new software, connect new PCs to the company network and more generally install new computer equipment. Computer hardware and software are reserved for exclusively professional use and must not be used for personal purposes without prior authorization from Management. In accordance with legal and regulatory provisions, any employee is also prohibited from copying computer software, from using “pirate” software, and more generally, from introducing software into the company that has not been the subject of a license agreement. The company reserves the right to destroy software used in violation of these provisions. With the exception of laptop computers made available to employees, no computer hardware or software belonging to the company may be taken out of the company without prior authorization from Management. When leaving the company for good, everyone is required to return the hardware, software and computer documentation entrusted to them for the performance of their work, in good condition. Each user undertakes to:
Not modify the configuration of the resources (equipment, networks, etc.) made available to them, without having received prior agreement and assistance from authorized people in the company,
Not make copies of commercial software acquired by the company,
Not install, download or use on the hardware any software or software packages for which the license fees have not been paid, or which do not come from reputable sites, or without authorization from authorized persons in the company,
Not intentionally disrupt the proper functioning of computer resources and networks, whether through abnormal manipulation of hardware or the introduction of parasitic software (viruses, Trojan horses, etc.),
Not directly connect equipment other than that entrusted or authorized to local networks,
Immediately inform Management of any loss, anomaly or attempted violation of their personal access codes,
Make rational and fair use of the services and in particular the network, messaging, computer resources, in order to avoid saturation or abuse of their use for personal purposes,
Recover sensitive documents sent, received, printed or photocopied from printing equipment (printers, fax machines),
Not leave their workstation with a current session accessible, and not connect to several workstations at the same time.
Respect for the computer network
Use of the intranet must be done with respect for other users. Everyone is asked not to carry out operations which could result in:
Interrupting or disrupting the operation of the network or a system connected to the network,
Accessing private information of other network users,
Modifying or destroying information on any of the systems connected to the network.
Access to the intranet network is subject to prior identification of the user, who then has a “personal access account” to multimedia resources and services. The latter consists of a strictly personal and confidential username and password. They cannot under any circumstances be disclosed, transmitted or granted to another person. The user is responsible for his account and password, and the use he makes of them. He must not hide his identity on the local network or usurp the identity of others by appropriating another's password. A backup of the data storage space must be carried out every week.
Uses of communication tools
The company tolerates exceptional use, for purposes other than professional purposes, of computers and information and communications technologies, in particular the Internet and e-mails, provided that it does not jeopardize working time, does not affect proper functioning and is not detrimental to the collective interest of the company. This use, for personal purposes, from the workplace, is tolerated during break times or for urgent needs of the private life of the employee. It must be occasional and reasonable (both in frequency and duration), comply with current legislation and not undermine the security and integrity of the information system or the brand image of the company.
With the exception of mobile phones and tablets made available to employees, no communication equipment belonging to the company may be taken out of the company without prior authorization from Management. Upon final departure from the company, everyone is required to return, in good condition, the telephones, tablets and other communication tools which have been entrusted to them for the execution of their work.
The company reserves the right:
To control the content of any web page hosted on its servers in order to ensure compliance with the conditions of use of the services set out in this Charter,
To suspend the use of the web page hosting service by a user in the event of non-compliance with the Charter and in particular in the event that the user has published manifestly illicit content on its web pages.
The user undertakes to respect the following rules:
Prohibition to consult or download content from pornographic, pedophile websites or any other illicit or immoral site,
Prohibition on downloading music or video files,
To participate in forums, the user must have internal authorizations to express themselves on behalf of the company,
Downloads of illicit content are prohibited (brand counterfeiting, copying of commercial software, etc.).
Consulting websites privately is tolerated on an exceptional basis and provided that navigation does not hinder professional access and that it takes place outside of the user's working time. Management reserves the right to carry out checks on connection times and sites visited.
Using Email
Electronic messaging facilitates exchanges between employees internally. It is reserved for professional use. A message sent over the Internet can potentially be intercepted, even illegally, and read by anyone.
Consequently, no strategic information should circulate in this way, unless it is encrypted. It is prohibited to use electronic messaging for correspondence without a direct link to the employee's professional activity in the company. The receipt of extra-professional correspondence will not be considered as wrongful, to the extent that the employee concerned, once he becomes aware of it, immediately destroys it. However, voluntary registration for a mailing list unrelated to professional activity is prohibited. In order not to overload the messaging servers, each user is expected to manage messages (deletion, archiving, periodic deletion) and the size of attachments sent. Any observation of theft of equipment or data, identity theft, misappropriation of resources, receipt of prohibited messages, abnormal operation or more generally any suspicion of a security breach or substantial breach of this charter must be reported to their line manager. When an employee leaves, the person responsible for administering the system must be informed what will be done with the user's files and emails.
Email messages are kept on the email server for a period of 5 days and there are backup copies for a period of 20 days. These backup copies preserve all messages as they pass through the mail server, even if they are later deleted by the recipient.
Right to disconnect
The right to disconnect is understood as the right of each employee not to respond to emails and other messages outside working hours, in order to guarantee balance between professional and private life, protect rest and recovery times, regulate mental load and reduce the risk of burn-out. The right to disconnect in the company is the subject of a charter subject to employee consultation. The implementation of the right to disconnect in the company involves in particular:
Putting computer servers on standby outside of working hours,
Programming awareness pop-ups when sending a message during rest times,
An email signature or an absence message mentioning this right,
A managerial framework of employees not respecting it,
Raising awareness and training in reasonable use of digital tools.
Use of digital tools to promote the right of expression
The right of direct and collective expression of employees aims to define the actions to be implemented to improve the organization and working conditions, as well as the quality of the work carried out within the team, the site or the business. The digital tools available in the company can be used to promote this right of expression. These include in particular:
Tools such as company social networks or forums,
For live exchanges: videoconferencing or instant messaging tools with video,
Other methods of collecting expression such as social barometers.
Computing and Freedom
An increasing reliance on the use of information technologies requires that everyone respect the principles of the right to the protection of personal data in its two aspects: individual rights and obligations. Any creation or modification of a file containing nominative or indirectly nominative data must, prior to its implementation, be declared to the manager, who then studies the relevance of the data collected, the purpose of the file, the planned retention periods, the recipients of the data, the means of informing the people recorded and the security measures to be deployed to protect data. The CIL (IT and freedoms correspondent) then carries out declaration and regulatory information operations. The CIL guarantees the company's compliance with the Data Protection Act. This control of legal risks is all the more important as most breaches of the law of January 6, 1978 are punishable under criminal law. In the event of non-compliance with the obligations relating to the Data Protection Act, the CIL will be informed and may take all necessary measures to put an end to the illegal processing as well as inform the hierarchical manager of the user at the origin of the illegal processing.
IT system monitoring
Control
For maintenance and management purposes, the use of hardware or software resources, exchanges via the network, as well as telecommunications reports can be analyzed and controlled in compliance with applicable legislation, and in particular the Data Protection Act. The user is informed that, to carry out corrective, curative or scalable maintenance, IT department personnel have the possibility of carrying out interventions (if necessary remotely) on the resources made available to them, and that remote maintenance is preceded by notice to the user.
Intranet network
The company can subsequently verify the identity of the user who accessed or attempted to access an application using the account used for this access or attempted access.
Internet
The company has the following technical means to carry out checks on the use of its services:
Proxy server access limits,
Firewall,
The company guarantees the user that only these means of control are implemented.
These technical checks can be carried out:
Either for the protection of minors (depending on the company's activity),
Or for the sake of the security of the network and/or IT resources.
For maintenance and technical management purposes, the use of services and in particular hardware and software resources, as well as exchanges via the network, can be analyzed and controlled in compliance with applicable legislation, and in particular in compliance with the rules relating to the protection of privacy and respect for private communications.
In this context, the company reserves the right to collect and retain the information necessary for the proper functioning of the system. It reserves the right to carry out checks on the sites visited in order to prevent users from accessing illicit sites or sites requiring the age of majority.
Traceability
The company ensures traceability of all access to the applications and IT resources that it makes available, for reasons of regulatory requirements for traceability, prevention of attacks and control of the proper use of applications and resources. Therefore, enterprise applications, as well as networks, messaging and Internet access, incorporate traceability devices allowing the following to be checked if necessary:
The identifier of the user who triggered the operation,
Connection time,
The software or program used.
The manager of the company respects the confidentiality of the data and traces which he is required to access in the exercise of his functions, but may be required to use them to highlight certain offenses committed by the users.
Alerts
Any report of theft of equipment or data, identity theft, misappropriation of resources, receipt of prohibited messages, abnormal operation or more generally any suspicion of a security breach or substantial breach of this charter must be reported to their line manager.
Responsibilities
The attention of staff is drawn to the fact that in the event of a breach of one of these principles protected by law, the criminal and civil liability of the person, as well as that of the company, may be sought. The user who does not respect the applicable legal rules, in particular those recalled above, will see his personal legal liability incurred not only by any person who has suffered damage due to non-compliance with these rules, but also by the company in its capacity as employer. The company cannot be held responsible for damage to information or offenses committed by a user who has not complied with the rules of access and use of computer resources and internet services described in the Charter.
Coming into force
This charter has been in force since January 15, 2019. The rules defined in this Charter have been set by the company's management in compliance with applicable legislative and regulatory provisions. This charter is brought, by any means, to the attention of people having access to the workplaces and premises where hiring takes place. It is also sent in two copies to the labor inspectorate and to the secretariat of the industrial tribunal of Nanterre.