IT security is not just a question of technology. The organisation of the company, its internal rules and the applicable legal restrictions are just as important.
Everything can be monitored except private life
The French "Informatique et Libertés" law guarantees the confidentiality of any information of a personal nature:
“The data controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”
Cybersurveillance requires prior notice
Any surveillance of an IT system that involves monitoring user behaviour (e.g. URL filtering) requires prior notification to the CNIL, and users must be informed, for example via a charter (although a charter in itself has no legal value).
Everything entering and leaving the network must be tracked
A company must track information entering and leaving its network, either to comply with legal requirements such as the traceability of financial information for companies listed on the stock market (SOX, the Sarbanes-Oxley Act of 2002), or to be able to prove that a machine which served as an intermediary in an attack had itself been compromised beforehand.
IT security is the responsibility of the company managing director
In the same way as they are responsible for the security of premises and personnel, company managers are legally responsible for the security of the IT system and will be held accountable if any law is broken. The Board of Directors should therefore make sure the company complies with the law.