Establishing a security charter is an essential step for any organisation wishing to enforce best security practices. It takes the form of a short document of just a few pages, which outlines the company’s strategy from the perspective of information security and the basic rules to be applied by any employee.
Below you will find examples of sections that can be included in a security charter.
The 3 general principles
Security is everybody’s business.
Everyone is responsible at their level for the information security of the entire organisation.
Everyone must alert the security officer when a security problem is detected.
The 3 security objectives
Confidentiality is the property of information that is only made available or disclosed to authorised individuals, organisations or processes. Access to information is reserved for those who require it on a clearly identified need-to-know basis.
Information integrity relates to the accuracy and completeness of information resources. It involves protecting the accuracy and consistency of the information, as well as the methods used to process it.
Availability is the property (for an information system) of being accessible to an authorised entity and of fulfilling the functions expected at the time of the request, under the expected conditions of time-scale and performance. This means protecting the capacity of an information system to perform a function under defined schedule, time-scale and performance conditions.
Proof is the assurance of being able to justify all information.
It rests on the principles of authentication, non-repudiation and accountability.
Proof is sometimes considered to be the fourth pillar of information security.
The 11 commandments
Follow the information security rules and procedures
Regularly consult the rules and procedures. Stay informed about changes in security policy to help you to be better protected.
Protect your passwords
Never disclose your passwords. If someone asks you for them, refuse. Our security means never giving out passwords.
Know how to keep a secret
Never disclose confidential data in any circumstances.
Do not publicly discuss matters that should be kept secret.
Block access to your computer
If you leave your office, block access to your computer.
Back up your data correctly
Never store data in your personal space. Use a file server instead – this must be part of a backup strategy. Applying these guidelines will enable you to recover your data if it has been lost and to access it at any time.
Resist “social engineering” methods
During an email or telephone conversation, make sure that you know the identity of the person you are communicating with. Be careful whenever you are asked for personal or confidential information or information that is important to the company. Social engineering exploits human vulnerabilities to gain access to confidential information.
Keep a close watch on your emails
Emails can be a threat to your computer and to the whole IT network. Never reply to emails asking for personal and/or confidential information. Check the provenance, safety and integrity of all attachments.
Use the internet intelligently
Internet use is limited for security reasons. Access is restricted (web filter), but sufficient for your professional use. Only download the files you need for your work, never for leisure, and be attentive to the files obtained.
Use an antivirus program
An antivirus program is essential in the current professional environment. It is automatically activated and enables you to scan all your files even before you open them. Updates are automatic so that any new threats can be better resisted. If you think you have a virus, notify your IT department immediately.
Take care of your hardware and software
Never install pirate or unauthorised software. Only use programs made available to you by your organisation. If you need software that is not installed on your computer, file an installation request.
Take care of hardware: laptops are more fragile and very tempting for thieves.
Removable media: the use of external hard disks and CDs should be limited. Scan all removable media for viruses. Use these media only when you know their source and content.
Report all incidents
All incidents must be reported as soon as possible. This can prevent other similar incidents. We are all responsible for the security of our environment.
Failure to respect security or the violation of the established rules may result in disciplinary action.
The right reflexes
Once you start to use a computer tool, please respect the following “golden rules”:
The password: lock the safe
The password is the access key to your information and your online accounts. The challenge is to choose one that is easy to memorise, while being difficult for someone else to guess. Avoid using your children’s names or other personal information, because these are easy for others to guess. Change your password regularly, do not share it with anyone, and use different passwords for different applications.
Antivirus: vaccinate your computer
Just like you, your computer needs to be vaccinated to stay healthy and protected from viruses and worms. Install an antivirus and keep it up-to-date – this is an indispensable reflex for computer security.
The firewall: protection against attacks
Install a firewall and configure it correctly. This will not only enable you to block suspicious connections or login attempts, which may come from viruses, worms or Trojans, but also to prevent the leak of your personal and confidential information.
Antispyware: thwart organised spying
Secure your e-banking/e-commerce transactions by installing antispyware that regularly scans the computer to detect malware that may be there.
Security patches: closing gaps
To counter hackers who are constantly looking for and finding flaws in operating systems, keep your browser constantly updated and apply the right patches. Like your antivirus, your system needs maintenance. Applying the necessary updates will help you counter threats such as worms, viruses and Trojans.
Failure to comply with legislation (legal aspects) in the field of information technology can put the organisation in a difficult situation vis-à-vis the law, its customers (brand image) and also in terms of financial consequences (fines) or criminal consequences (personal liability).
Accordingly, the law recognises and punishes:
- the liability of the perpetrator of the attack;
- the liability of the intermediary of the attack;
- the liability of the victim of the attack.
The legal consequence of a breach of the security obligation in relation to personal data processing is punishable by 8 days to 1 year in prison and by a fine from 251 to 125,000 euros.
In fact, all organisations must implement a security level based on:
- the risk of invasion of privacy;
- the state of the art (which implies an obligation to keep itself updated and informed);
- costs relating to implementation.