
Securing your organization with IT charters: Why it's more than just a formality

Cyber news
September 16, 2024

In the digital age, the security of information systems has become a priority for businesses, public institutions and even non-profit associations. Cybercrime is on the rise, and attacks such as ransomware hit organizations of all sizes. Faced with this ever-present threat, companies can no longer settle for technical measures alone. They need to structure their approach to cybersecurity, and that means putting IT charters in place. Far from being administrative formalities, these documents sit at the heart of an organization's protection measures. Through a summary of the white paper "IT charters in business", produced in partnership with the law firm Racine and Eric Barbry, a lawyer specializing in Internet law, we look at why these charters have become indispensable, how they fit into a demanding legal framework, and how they can be adapted to new technological challenges, in particular those raised by artificial intelligence (AI).

The IT charter: a legal and practical obligation

The legal framework of the IT charter

Some companies are still reluctant to adopt an IT charter, but they face an inescapable legal reality. French law requires every company with 50 or more employees to have internal regulations (règlement intérieur), which must set out rules on health, safety and employee discipline. Those rules cover the use of the digital tools the company provides: computers, software, mobile phones and so on. An IT charter, although not always mandatory in itself, formalizes these rules and gives the organization a documented basis for the security of its information systems.

Case law confirms the importance of these documents. In a 2006 ruling, the French Supreme Court (Cour de cassation) held that an employee who had attempted to log on using a colleague's credentials had committed serious misconduct justifying dismissal, because he had breached the applicable IT charter. In other words, the courts recognize charters as legal instruments for regulating how employees use IT tools, and an employer without one is in a weaker position in the event of litigation.

Adapting charters to company realities

An IT charter is not a one-size-fits-all tool that can be applied uniformly to every company. It has to be adapted to the specific needs of each organization. A start-up in a sensitive sector such as cybersecurity may need a very strict and detailed charter, while a small retail business may adopt a lighter one. What matters is that the content of the charter addresses the specific risks the company actually faces.

A good charter must also be flexible enough to keep pace with technology. Traditional IT charters, for example, often spell out password rules: minimum length, complexity, frequency of change, and so on. That approach has already been overtaken by the spread of multi-factor authentication (MFA) and biometric methods, and current guidance (NIST SP 800-63B, and ANSSI's 2021 password recommendations) no longer advises forcing users to change passwords at fixed intervals. A charter that is too prescriptive therefore becomes obsolete quickly, and may even lock in practices that are now considered counterproductive. The charter writer should focus on security principles (one set of credentials per person, no sharing of accounts, strong authentication for sensitive access) rather than on precise technical settings that will change.

Managing cyber attacks: awareness, training and regulation

Raising awareness: the first line of defense

It is well documented that most cyberattacks exploit human error. Phishing, for example, remains one of the main vectors of ransomware infection. Employees, often the weakest link in the security chain, are the first target of cybercriminals. That is why awareness-raising matters. IT charters must set clear rules on the use of digital tools, and also on the behavior expected of employees so that they do not compromise the organization's security.

Awareness can be raised in a number of ways: communication campaigns, e-learning courses, MOOCs, or face-to-face workshops. The aim is to build a genuine culture of cybersecurity in which every employee understands his or her role and the risks attached to his or her actions. Depending on the company's size and sector, the charter must be adapted to different levels of risk. In a B2B environment, for example, exposure may be lower than in a B2C environment, where personal data regulations such as the GDPR (RGPD in French) impose very strict security requirements.

Training: adapting skills to risks

Beyond raising awareness, training is essential. It is not simply a matter of informing users of best practices, but of giving them skills matched to their responsibilities. Network administrators, for example, need more advanced training than end users. IT charters should therefore provide for training specific to each of the company's job families: HR teams, for example, should be trained in personal data protection, while technical teams should focus on securing systems and using advanced protection tools.

It is essential to take a job-by-job approach to training. A well-trained organization is one that minimizes the risk of human error.

Regulation: control and sanctions

One of the essential roles of an IT charter is to set clear rules on how digital tools may be used and what controls the employer may exercise. In France, the "Nikon" ruling of 2001 set strict limits on employee monitoring, in particular regarding private use of professional tools: reasonable private use is permitted, but it must remain limited and proportionate, and the employer cannot freely open files or messages the employee has identified as personal. The IT charter is where the conditions under which an employer may nonetheless access such files or emails, for example for security reasons, are defined in advance.

Regulation must also include mechanisms for sanctions in the event of non-compliance with the rules. An employee who misuses the company's IT resources, or jeopardizes the security of its systems, must be aware that he or she may be subject to sanctions up to and including dismissal.

Cyber attacks: Victim or perpetrator?

Here is an essential question for companies: in the event of a cyberattack, are you the victim or the culprit? The answer depends largely on how well the organization has prepared and protected its information systems. If a company has not put the necessary security measures in place, it can be held liable for the damage an attack causes, particularly where personal or confidential data is compromised. IT charters play a crucial role here, because they document the security measures the company has adopted and the responsibilities of each individual.

Failure to comply with these charters can result in severe penalties, not only for employees but also for the company itself, particularly in terms of legal liability. A company that has been the victim of a cyberattack could be accused of a lack of diligence if it has not taken appropriate measures to secure its systems.

Specific charters: administrators, teleworking and AI

Administrators' Charter

The white paper highlights the need for specific charters for certain types of user, such as system or network administrators. These users have more extensive access rights than other employees and, if abused, can cause considerable damage. This is why it is essential to define strict rules concerning their rights and obligations. Administrators must adhere to strict confidentiality and security standards, and may not use their access privileges for personal or illegal purposes.

These charters must also provide for appropriate sanctions, since administrators represent both a risk and an asset for the organization. In the event of serious misconduct, they may face disciplinary or legal action.

Telework Charter

Teleworking, widely adopted since the COVID-19 pandemic, also raises new security challenges. Teleworking charters must govern the use of IT tools at home, in particular access to the company's information systems from personal networks that are often less well protected. Specific rules are needed to guarantee the protection of data and systems even at a distance.

AI Charter: mastering artificial intelligence

The introduction of artificial intelligence (AI) into companies has transformed many sectors, but it also raises complex questions of security and confidentiality. The white paper recommends adopting specific charters to frame the use of AI tools such as ChatGPT or Mistral AI, which employees are using more and more.

These charters must clarify the rules governing the use of AI, in particular the processing of personal data. Employees must be told what the risks are: in practice, anything pasted into a public AI tool leaves the organization's control and may be retained or reused by the provider, so confidential or personal data should not be entered into such tools unless the charter expressly allows it.

To find out more, please consult the detailed white paper.

White paper
Full document: Corporate IT charters - in partnership with Racine