---
title: "Aboutgoods Company IT policy"
tags: aboutgoods, internal, policy
description: 'IT Charte in English'
---

Aboutgoods company information technologies policy
===

## 1. 📝 Preface

The company implements an information and communication system necessary for its activity, including a computer and telephone network, as well as mobile tools.

Employees, in the performance of their duties, use the computer and telephone tools made available to them and access the company's communication services.

The use of the information and communication system **must be exclusively for professional purposes, unless this policy provides an exception**.

With the objective of providing users with transparency, fair promotion, and a responsible and secure use of information and communication systems, this policy sets the rules of engagement for ethical use of our resources.

It also defines the measures set up to control and monitor this use, not only for the proper performance of the employment contract of employees, but also in the context of the criminal and civil liability of the employer.

*It contains legally binding rules of engagement, which are attached to the internal rules of the company. In no case does it replace the laws in force, which everyone is supposed to already know.*

**Users must respect and enforce the laws and rules of engagement, specifically those related to publications which could be offensive, racist, pornographic, defamatory, sexually harassing or immoral.**

## 2. 🧐 Scope

### 2.1 Users concerned

Unless otherwise stated, this policy applies to **all users of the company's information and communication system, regardless of their status**, including corporate officers, employees, temporary employees, trainees, employees of external service companies, and visitors. It will be attached to the Services Agreement.

> ⭐️ Employees ensure that the rules set out in this policy are accepted by anyone to whom they give access to the internal information and communication system.

### 2.2 Information and communication system

The company's information and communication system consists of the following elements:

- Computers (desktops or laptops)
- Peripheral devices including USB keys
- Personal Assistants
- Computer network (servers, routers and connectors)
- Photocopier
- Telephones
- Smartphones
- Tablets and 3G Keys
- Software
- Data files and databases
- Messaging systems
- Internet connections
- Subscriptions to interactive services

For network security purposes, the following is also considered part of the information and communication system: **employees' personal equipment connected to the company's network, or containing information of a professional nature concerning the company.**

### 2.3 Other agreements on the use of the information system

This policy is without prejudice to specific agreements that may relate to the use of the information and communication system by representative institutions, the organization of elections by electronic means or the implementation of teleworking by employees.

## 3 🔒 Confidentiality

### 3.1 🔑 Access settings

Access to certain elements of the information system, such as:

- 📞 E-mail or telephone
- 🖥 Workstation sessions
- 📡 The network
- ⚒ Certain applications
- 🔑 Interactive services

is protected by login settings (username, password).

These settings are personal **to the user and must be kept confidential.** They make it possible to control user activity.

### ❗️ They should not be communicated to anyone, neither the direct superior nor IT.

- **These parameters must be memorized by the user and not be retained in any form.** In any case, they must not be transmitted to third parties or be easily accessible.
- They must be entered by the user at each access and not stored in the information system.
- When chosen by the user, the parameters must respect a certain degree of complexity and be modified regularly.
- Safety instructions are defined by management or the IT department to recommend best practices in this area.
- No user shall access the company's information system from an account other than the one assigned to him or her.
- Nor must users delegate to a third party the rights of use assigned to them.

### 3.2 💾 Data

Every user **is accountable for the organizational secrecy** and the confidentiality of the information that he or she is led to hold, consult or use.

- The rules of confidentiality, or of prior authorization for external distribution or publication, are defined by management and apply regardless of the means of communication used.
- **The user must be particularly vigilant about the risk of disclosure of this information** when using IT tools, personal or company-owned, in places other than those of the company (hotels, public places…).

## 4 🚓 Security

### 4.1 Company role

- The company implements the appropriate human and technical resources to ensure the hardware and software security of the information and communication system. As such, **it is the company's responsibility to limit access to sensitive resources** and to acquire intellectual property rights or obtain the necessary authorizations to use the resources made available to users.
- The IT department is responsible for implementing and monitoring the proper functioning of the information and communication system. It must provide a plan for security and continuity of service, especially in the event of a material irregularity. It ensures the application of the rules of this policy. It is subject to an obligation of confidentiality regarding the information it comes to know.

### 4.2 User Responsibility

- The user **is responsible for the resources entrusted to him or her** whilst carrying out his or her functions.
- He or she must contribute to the protection of these resources by exercising caution and vigilance. In particular, **he or she must report to the IT department any violation or attempted violation of the integrity of these resources**, and, in general, any malfunction, incident or anomaly.
- Unless expressly authorized by the management, access to the information system with non-business equipment (personal assistants, removable media, etc.) is prohibited.
- In the event this has been authorized, it is the user's responsibility to ensure the security of the equipment used and its safety. Similarly, taking equipment belonging to the company off the premises must be justified by professional obligations and requires the express agreement of the management.
- **In case of absence, even temporary**, it is imperative that the user lock access to the material entrusted to him or her, or to his or her own material, as long as it contains information of a professional nature.

### ⚠️ ⚠️ **The user must make regular backups of files he or she has on the equipment made available to him or her, according to the procedures defined by the IT department.** ⚠️ ⚠️

- He or she must regularly **delete the data which has become useless on the common spaces of the network**.
- Old data that the user wishes to keep must be archived with the help of the IT department.

> The user undertakes under all circumstances to comply with the legislation, which specifically protects intellectual property rights, the secrecy of correspondence, personal data, automated data processing systems, people's image rights, and minors from exposure to harmful content. Under no circumstances may he or she use the information and communication system to engage in any activity that competes with the company's business or that may cause it harm.

## 5 🌍 Internet

### 5.1 Access to sites

As part of their business, users can access the Internet.
For security or ethical reasons, access to certain sites may be limited or prohibited by the IT department, which is authorized to impose browser configurations and install filtering mechanisms that limit access to certain sites.

It is **forbidden to connect to websites whose content is contrary to public order, morality or corporate image, as well as those that may involve a risk for the security of the company's information system** or that may bind it financially.

### 5.2 🔀 Other uses

**Users are reminded that they must by no means engage in illegal activities on the Internet which may affect** the interests of the company.

**Users are informed that the IT department records their activity on the Internet and that these traces may be leveraged** for statistical, control and verification purposes within the limits provided by law, in particular **in the event of significant loss of bandwidth on the corporate network.**

## 6 ✉️ Email

Each employee has, for the exercise of his or her professional activity, a standardized e-mail address assigned by the IT department.

E-mail messages received on the business e-mail address are subject to antivirus and spam filtering. **Employees are invited to inform the IT department of any malfunctions noticed in the filtering device.**

### 6.1 General Advice

- Users' attention is drawn to the fact that an e-mail message has the same scope as postal mail: it therefore abides by the same rules, especially with regard to the hierarchy of the organization. In case of doubt about the sender's competence to send the message, it should be referred to his or her superior.
- An electronic message can be communicated very quickly to third parties, and care should be taken to respect a certain number of principles in order to avoid malfunctions in the information system, to limit the sending of unsolicited messages, and not to incur any civil or criminal liability for the company and the user.
- Before sending an e-mail, it is imperative to check the identity of the recipients of the message and their suitability to receive the information delivered. In the presence of confidential information, these checks must be reinforced; if necessary, encryption of messages may also be requested by the IT department.
- When sending to several recipients, the user must comply with the provisions relating to the fight against the mass sending of unsolicited mail. He or she must also consider the opportunity to hide some recipients, by putting them in hidden copy, so as not to communicate their e-mail address to all recipients.
- When sending electronic messages to a mailing list, it is important to check the terms and conditions of the subscription, check the list of subscribers and provide accessibility to the archives.

The risk of delays, non-delivery and automatic deletion of e-mail messages must be taken into consideration when sending important correspondence.

- Important messages must be sent with receipt acknowledgement and signed electronically.
- They must, if necessary, also be sent simultaneously by regular postal service.
- Electronic correspondence **must not contain unlawful elements, such as defamatory, abusive, counterfeit or potentially unfair or parasitic acts.**

The format of business messages must respect the rules defined by management, as regards formatting and especially the signature of the messages.

> 🌟 In case of absence exceeding 3 days, the employee must set up an autoresponder or make a request to the IT department to do so on his or her behalf.

### 6.2 Technical limits

For technical reasons, the direct delivery of electronic messages is possible only to a limited number of recipients, set by the management of electronic messages. Likewise, the email management provider can limit the size, number, and type of attachments to avoid clogging the mail system.
### 6.3 Personal use of messaging

**Personal messages are tolerated**, provided that they comply with the legislation in force, do not disturb, and respect the principles set out in this policy.

> The messages sent must be marked **"Private" or "Personal" in their subject** and be classified as soon as they are sent in a folder that is named in the same way. Received messages must also be classified, upon receipt, in a folder called "Private" or "Personal". **In case of breach of these rules, the messages will be presumed to be of a professional nature.**

However, users are encouraged, whenever possible, to use their personal e-mail via an online client for sending personal messages rather than corporate e-mail.

### 6.4 Use of messaging by staff delegation

In order to avoid the interception of any message intended for a staff representative institution, messages of such a nature must be marked and classified in the same way as personal messages, but using the word **"Delegate" in their subject and as the name of the folder where they are filed.**

### 6.5 🖐 Departure

In case of departure from the company, the e-mail remains available to the employee for **30 days after the termination of the contract.**

> The user has this period to retrieve and delete his or her personal correspondence, and to notify his or her correspondents of the change of e-mail address.

*It is the responsibility of the IT department to set up an autoresponder upon the user's departure and to redirect messages from that day onwards and for a period of six months from the date of the employee's departure.*

## 7 📞 Telephone

For their professional activity, users can have a fixed station and a mobile terminal, smartphone, tablet or laptop.

With respect to the use of connected mobile devices for access to Internet sites or electronic mail, the rules enacted above apply in the same way.
### 7.1 Personal usage of telephones

The personal use of the telephone, fixed or mobile, is tolerated, provided that it remains within reasonable limits in terms of both time spent and number of calls.

The additional costs for the company generated by the use of telephony for personal purposes must be reimbursed by the users concerned.

> This refers especially to premium call rate numbers and overseas calls, in the sense of telephone billing.

## 8 🧒 Personal data

Law No. 78-17 of January 6th 1978 relating to computers, files and freedoms defines the conditions under which personal data processing can be operated. It establishes, for the benefit of the persons concerned by the processing, rights that this policy invites everyone to respect, with regard to users as well as third parties.

Automated and manual data processing is performed as part of the control systems provided within this policy. These processing operations are, as necessary, declared in accordance with the law of January 6, 1978.

Any user may have access to data concerning him or her, and this data will be kept for a maximum period of 1 year.

Users are reminded that processing of personal data must be declared to the National Commission for Informatics and Liberties, pursuant to Law 78-17 of January 6th 1978. Users wishing to carry out processing covered by the stated law are invited to contact the IT department before proceeding.

## 9 ⚡️ Control of activities

### 9.1 Automatic controls

The information and communication system relies on log files, created mostly automatically by the computer and telecommunications equipment. These files are stored on computers and on the network. They help to ensure the proper functioning of the system by protecting the security of corporate information, detecting hardware or software errors and controlling the access and activity of users and third parties accessing the information system.
Users are informed that multiple processing operations are performed to monitor the activity of the information and communication system. In particular, the following data are monitored and stored:

- The use of application software, to control access, changes and deletions of files;
- Incoming and outgoing connections to the internal network, e-mail, and the Internet, to detect mail usage anomalies and to monitor intrusion attempts and activities, such as visiting sites or downloading files;
- Telephone calls made or received from fixed or mobile telephones, to monitor the volume of activities and detect malfunctions.

**The user's attention is drawn to the fact that it is possible to control their activity and their exchanges.** Automatic and generalized controls are likely to be carried out to limit malfunctions, in compliance with the rules in force.

**It is specified that each user will have access to the information recorded during these routine controls, following a prior request to management.**

In addition, the log files listed above are automatically destroyed within a maximum period of 8 months after their registration.

### 9.2 Manual control procedure

*In the event of a malfunction identified by the IT department, a manual check and verification of any operation performed by one or more users can be carried out.*

- The control of a user may include files on the computer's hard drive, on backup media made available to him or her, on the corporate network, or in his or her mail.
- Therefore, except in the case of a particular risk or event, the management cannot open the files or messages identified by the user as personal, in accordance with the present policy, other than in the presence of the user, if he or she has been duly called, and/or when he or she is represented by a staff representative.

## 10 ☀️ Information and sanctions

*This policy is publicly posted as an appendix to the rules of engagement.
It is communicated individually to each employee electronically.*

- The IT department is fully available to employees, to provide them with any information concerning the use of the information system, in particular on backup and filtering procedures. It regularly informs them of the evolution of the technical limits of the information and communication system as well as the threats that may affect its security.
- Each user must comply with the procedures and rules of security issued by the IT department under this policy.
- If necessary, employees can be trained by the IT department to apply the rules planned for the use of the information and communication system.

### ⛔️ Sanctions

Failure to comply with the rules and security measures described in this policy is likely to incur warnings, limitations or suspensions of the use of all or part of the information and communication system, or even disciplinary sanctions, proportionate to the seriousness of the facts concerning the user.

In the latter case, the procedures provided for in the rules of procedure and in the Labor Code will be applied.

The use of certain paid services for personal reasons through the company's communication system will also be reimbursed by the user involved.

The Company Representative, or his legal representative, also reserves the right to initiate, or have initiated, criminal proceedings regardless of the disciplinary sanctions implemented, especially in the case of computer fraud, copyright infringement or violation of the secrecy of correspondence.

## 11 Coming into force

This policy is applicable from July 15, 2019.