Respecting the organisation’s security policy is an essential condition for the continuity of activities. Each person must be aware of it, implement it, and understand that if they do not comply with it they will risk sanctions (potentially legal).
Each member of the ‘organisation’ must read and sign the ‘security compliance agreement for members of the organisation’ provided in the annexe. Newcomers will read it and sign it upon taking up the employment, while ‘existing employees’ sign it when the policy comes into effect, under the responsibility of the staff manager.
Everyone should be aware of both the risks and the security measures and procedures to be implemented. In this respect, all managers must ensure that the persons under their responsibility are aware of the security policy.
Additionally, any person with technological responsibilities must ensure that they are proficient in the security aspects and, if necessary, have provided training and information to their colleagues.
The security policy aims to ensure that all agents are aware of their responsibilities and they are chosen because of their suitability for the responsibilities allocated to them. This principle avoids the risk of error or incorrect use of the organisation’s property.
To this effect, the organisation must ensure that it mentions security-related responsibilities in job descriptions. The candidates, especially for sensitive posts, are chosen to consider this element. The chosen candidates are asked to sign an agreement on their security-related roles and responsibilities.
The aim of the security policy is to ensure each agent is aware of:
The security policy encourages each agent to receive the appropriate training and qualifications. In particular, users must:
The provisions of the disciplinary procedure on the general employee status are applicable in the event of a violation of the security policy rules.
It is also the purpose of the security policy to ensure that the actors who are leaving the organisation or changing post follow a formal procedure. In particular, the actors must return all of the organisation’s equipment, their access must be withdrawn and they must be made aware of their responsibilities that remain applicable after their employment contract has ended, e.g. the obligation to respect confidentiality.
Each member of the “organisation” must report the following observations to their direct manager, to the IT manager, or the management board:
Reported incidents and vulnerabilities are dealt with and resolved by the manager responsible for the element concerned. Their initiator and other members of the company are informed of the solutions implemented so that everyone remains vigilant.