PUBLIC INTERNAL RESTRICTED SECRET
X
STATUS: VALIDATED
VERSION : 1.1
GLOBAL IS/IT CHARTER INFORMATION SYSTEM SECURITY
Approvers
Name | Position
Julien ANICOTTE | Group Chief Information Security Officer
Chrystelle SABOURAUD | Senior Manager, IP/IT, Legal, Risk & Compliance Department
Revision history
Version | Author | Description | Date
1.0 | Angela VASTANO, Alexis TUTINO, Chrystelle SABOURAUD | Creation of the document | 23/10/2017
1.1 | Grégoire Barral | Responsibility flags | 30/07/2018
Reference documents
Document title | Document Name
Classification
Level | Confidentiality
C2 | Internal
SUMMARY
GLOSSARY 6
1. PRESENTATION 7
1.1. PURPOSE 7
1.2. SCOPE 7
1.2.1. Users 7
1.2.2. Information system 7
1.2.3. Use 8
1.3. RESPONSIBILITIES 8
1.4. IMPLEMENTATION 8
2. PROTECTION OF CREDENTIALS 9
2.1. INDIVIDUAL USERS ACCOUNTS 9
2.2. PASSWORDS 9
3. USE OF EMAIL 11
3.1. CORRECT USAGE OF EMAIL SERVICES 11
3.2. EMAIL ATTACHMENTS 12
3.3. ACCESS TO EMAIL CALENDARS 12
3.4. CRITICAL MESSAGES FROM THE IS/IT SUPPORT 12
3.5. OUT OF OFFICE MESSAGES 13
3.6. EXTERNAL USERS’ EMAILS SENT FROM BUREAU VERITAS 13
3.7. PERSONAL EMAIL USE 13
3.8. CONTROL OF USE OF MAILBOX 13
4. USE OF THE INTERNET 15
4.1. CORRECT USE OF INTERNET ACCESS 15
4.2. PERSONAL INTERNET USE 15
4.3. INTERNET USE MONITORING 16
5. PROTECTION FROM VIRUSES 17
5.1. ANTI-VIRUS MAINTENANCE 17
5.2. VIRUS DETECTION 17
5.3. VIRUS DETECTION IN EMAILS 18
5.4. VIRUS DETECTION IN FILE DOWNLOADS FROM THE INTERNET 18
6. USE OF SOFTWARE 19
6.1. APPROVED SOFTWARE 19
6.2. USE OF INSTANT MESSAGING 19
6.3. MACROS 20
6.4. DATABASES 20
7. USE OF HARDWARE 21
7.1. APPROVED HARDWARE 21
7.2. USE OF HARDWARE 21
7.3. USE OF PHONE DEVICES 22
7.4. HARDWARE RETURNS 22
7.4.1. Hardware returns by Users leaving Bureau Veritas 22
7.4.2. Hardware returns for repair or replacement 23
7.5. DECLARATION OF STOLEN OR LOST HARDWARE 23
7.6. HEALTH AND SAFETY 23
7.7. CONTROL OF HARDWARE 23
8. PROTECTION OF PERSONAL DATA 25
8.1. USERS’ DUTIES 25
8.2. USERS’ RIGHTS 25
9. CONFIDENTIALITY REQUIREMENTS 27
9.1. CONFIDENTIALITY LEVELS 27
9.2. SECURITY BASED ON CONFIDENTIALITY 27
9.3. CONFIDENTIALITY IN DOCUMENTS 28
9.4. CONFIDENTIALITY IN EMAILS 28
10. DECLARATION OF SECURITY BREACHES 29
11. MOBILE WORKING 30
12. CLEAR DESK AND CLEAR SCREEN 31
13. BACKUP OF USERS’ DATA 32
14. COPYRIGHT AND TRADEMARKS 33
15. FAILURE TO COMPLY WITH THIS CHARTER – SANCTIONS 34
APPENDIX 35
IS/IT SUPPORT CONTACT 35
GLOSSARY
CISO means Chief Information Security Officer.
Global ISSP means Global Information System Security Policy, which is the document describing the
organization of the Information Security Management System.
Hardware includes, but is not limited to, desktops, laptops, handheld devices such as mobile phones and
smartphones, media storage such as USB sticks, and printers.
Information System means an integrated set of components (including IT equipment) for collecting, storing
and processing data and for providing information.
ISS Policies mean Information System Security Policies which include the Global ISSP and the Operational
Policies. Set of documents defining the framework of Information System Security (ISS) through governance
principles and pragmatic rules, which shall be implemented across the Bureau Veritas Group.
IS/IT support means the local helpdesk or local IT of Bureau Veritas.
Line Managers mean the immediate superior of the concerned Internal User or the Bureau Veritas coordinator of
the concerned External User.
Malware means (short for malicious software) any software used to disrupt computer or mobile operations,
gather critical information, gain access to private Information System, or display unwanted advertising. The
term refers to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan
horses, ransomware, spyware, adware, scareware, and other malicious programs.
Mobile Device Management (MDM) means a solution for managing a fleet of mobile devices, whether
tablets or smartphones. This solution also allows remotely erasing all or part of business data or applications
in case of loss or theft of the device.
Operational Policies mean documents describing the essential requirements and recommendations, each
one covering a major theme, resulting in a set of pragmatic rules to be applied at the operational level.
Personal Data means any information relating to an identified or identifiable living person (‘data subject’);
an identifiable living person is one who can be identified, directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person.
1. PRESENTATION
1.1. PURPOSE
Bureau Veritas provides all its employees and certain of its service providers with data resources and
equipment for collecting, storing, and processing data (together “Information System”) for Bureau Veritas
business purposes.
This Global IS/IT Charter (the “Charter”) details the rules governing the use of the Bureau Veritas
Information System.
1.2. SCOPE
1.2.1. USERS
This Charter applies to all individuals who are authorized by Bureau Veritas to access or use the
Bureau Veritas Information System. These individuals include, without this list being exhaustive:
- “Internal Users”: Bureau Veritas’ employees, including trainees and temporary staff;
- “External Users”: personnel of suppliers, sub-contractors or other business partners of the Bureau Veritas Group;
- “Users”: collectively, Internal Users and External Users.
Sections carrying the following flags highlight the responsibilities of the following individuals:
IS/IT:
- Provide and operate the solution;
- Assist Users and provide for specific needs;
- Bear responsibility.
Line Manager:
- Define measures and applicable rules;
- Allocate resources;
- Bear responsibility.
1.2.2. INFORMATION SYSTEM
The Information System owned or made available by Bureau Veritas includes, but is not limited to the
following:
- Mobile / smartphone devices;
- Email;
- Instant messaging;
- Internet/Intranet;
- Databases;
- Software/Applications;
- Hardware; or
- Any new equipment or technology.
1.2.3. USE
This Charter covers the use of the Bureau Veritas Information System:
- On site, in any Bureau Veritas location worldwide;
- With mobile use regardless of location; and
- Through remote access.
This Charter applies regardless of the frequency and periodicity of the use of the Bureau Veritas Information
System by Users.
1.3. RESPONSIBILITIES
Users must act in accordance with the rules described herein.
Line Managers are expected to implement and manage the deployment of the Charter by ensuring that
Users comply with it.
Human Resources Departments are expected to ensure that this Charter is applied in accordance with
local employment law practices and in compliance with applicable Workers’ Council requirements. In
this regard, a local IS/IT charter may be implemented. In case of contradiction between a local IS/IT
charter and this Global IS/IT Charter, the local IS/IT charter shall prevail. In the countries where no local
IS/IT charter exists, this Global IS/IT Charter applies to Users by default.
1.4. IMPLEMENTATION
This Charter is communicated to:
- All Users on the date of its first publication;
- Each new Internal User when joining Bureau Veritas;
- Each External User working for or with Bureau Veritas, at the latest upon their first connection to the Information System of Bureau Veritas.
2. PROTECTION OF CREDENTIALS
2.1. INDIVIDUAL USERS ACCOUNTS
In order to ensure traceability and accountability of the use of the Bureau Veritas Information System, Users
are assigned one unique User ID. Users must not share their accounts, except for specific, properly
authorized needs.
Subject to applicable law, access to another User’s account will only be granted in exceptional
circumstances where there is an urgent business need and the person is not contactable, in agreement
with the Line Manager and Human Resources Department.
The only exception to this is where access has been granted by the owner to the mailbox or calendar
through email delegation facility (e.g. for the purposes of arranging meetings or checking schedules).
Users must:
- Lock their Hardware when leaving it for any period of time;
- Disconnect from applications and services when they do not need them;
- Ensure that they do not access the network using the login credentials of another individual who is currently working for or who has left the organization;
- Ensure that they do not access another User’s mailbox using that User’s login credentials.
2.2. PASSWORDS
Users have a unique login and password that is confidential and strictly personal. Users will be held
accountable for any system usage made with their credentials.
Users must:
- Keep their passwords confidential, not share them and not write them down in a format accessible to anyone else;
- Enter their passwords out of other persons’ sight;
- Abide by system requirements and ensure that passwords are at least 8 characters long and contain capital letters, lowercase letters, digits and special characters (when allowed by the system);
- Change passwords every 90 days or upon request;
- Ensure that the same password is not re-used for 5 changes;
- Ensure that passwords are not obvious to others, in order to ensure maximum security;
- Never share their password with anyone (even with their Line Manager, helpdesk or local IT);
- Set up a different password on each service they use, both internal and external to Bureau Veritas, so that a breach on one service does not compromise all of them;
- Immediately change their password if they know or suspect that it has been compromised (e.g. divulged to others).
If granted an administrator account, Users must ensure that their administrator account’s password is
different from the one they use for their regular account.
Under exceptional circumstances, where there is a legitimate business need, the IS/IT support can
reset Users’ password without their consent, but only with the consent of their Line Manager and Human
Resources Department.
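As an added illustration (not part of the charter or of any Bureau Veritas tooling), the following Python checker applies the password rules above: the 8-character minimum and four character classes, the 90-day rotation, and the rule that a password is not reused within 5 changes. It keeps only salted hashes of past passwords so the reuse check never needs the old passwords in clear; the PasswordRecord layout and function names are assumptions.

```python
"""Illustrative password-policy checker for the rules in section 2.2 of the charter.
Assumed layout: each user has a PasswordRecord holding salted hashes of the last
HISTORY_DEPTH passwords (newest first) and the date of the last change."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8          # "minimum password length is 8 characters"
MAX_AGE_DAYS = 90       # "change passwords every 90 days"
HISTORY_DEPTH = 5       # "the same password is not re-used for 5 changes"


@dataclass
class PasswordRecord:
    history: list = field(default_factory=list)   # (salt, digest) tuples, newest first
    changed_on: date = None                        # date of the most recent change


def _hash(password: str, salt: bytes) -> bytes:
    # A slow salted hash keeps the history usable for reuse checks without storing plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def complexity_errors(password: str) -> list:
    """Return the charter rules the candidate violates; an empty list means compliant."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no capital letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in string.punctuation for c in password):
        errors.append("no special character")
    return errors


def is_reused(record: PasswordRecord, password: str) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH passwords."""
    for salt, digest in record.history[:HISTORY_DEPTH]:
        if hmac.compare_digest(_hash(password, salt), digest):
            return True
    return False


def is_expired(record: PasswordRecord, today: date) -> bool:
    """True once more than MAX_AGE_DAYS have passed since the last change (or never set)."""
    if record.changed_on is None:
        return True
    return today - record.changed_on > timedelta(days=MAX_AGE_DAYS)


def change_password(record: PasswordRecord, new_password: str, today: date) -> list:
    """Apply all rules; on success rotate the history, record the date and return []."""
    errors = complexity_errors(new_password)
    if is_reused(record, new_password):
        errors.append(f"reused within the last {HISTORY_DEPTH} changes")
    if errors:
        return errors
    salt = os.urandom(16)
    record.history.insert(0, (salt, _hash(new_password, salt)))
    del record.history[HISTORY_DEPTH:]   # keep only the last 5 hashes
    record.changed_on = today
    return []
```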
3. USE OF EMAIL
3.1. CORRECT USAGE OF EMAIL SERVICES
The commercial and legal effects of sending and receiving an email are the same as those of any other
form of written communication, as if the content of the email was written on Bureau Veritas letter headed
paper.
Users must not use their own personal email accounts (e.g. Yahoo, Hotmail, Gmail) to send Bureau
Veritas information or official documents (e.g. inspection or audit reports, contracts) either in the content of
the email or by file attachment. This includes the sending of information to themselves or to a third party.
Users must not use email to:
- Set up or run personal businesses;
- Forward company confidential messages to external locations, unless authorized in the framework of their mission or by their Line Manager;
- Distribute, disseminate or store images, text or materials that might be or are considered:
  o indecent, pornographic, obscene, illegal or offensive;
  o discriminatory, offensive or abusive, a personal attack, sexist or racist, or that might be considered harassment;
- Promote terrorism or any unlawful activity;
- Create or transmit defamatory emails;
- Change the content of an email received from a third party before forwarding it, without a professional reason or without indicating the changes;
- Break into the company’s or another organization’s system or carry out other unauthorized use of a password/mailbox;
- Broadcast unsolicited personal views on social, political, religious or other non-business related matters;
- Send unsolicited commercial or advertising materials;
- Use their Bureau Veritas email address to register on non-business related websites;
- Send an email on behalf of another person, unless the sender confirms in the email that he/she is duly authorized to send the email on behalf of that person. Any emails that are forwarded must not be altered in any way;
- Introduce any form of virus into the corporate network;
- Join any mailing lists with any external entities, in order to limit the junk mail coming into Bureau Veritas and reduce the threat of Malware.
Best practices
- Do not open attachments or click on links in unexpected or suspicious emails. In case of any doubt, please contact the IS/IT support.
- Use your judgment when putting together mailing lists. For instance:
  o “to”: recipients expected to act (the number of recipients must be limited);
  o “cc”: limited to persons who must truly be informed;
  o “bcc”: avoided wherever possible.
- Do not send long email chains; reading these is not a good use of the recipient’s time.
- Include greetings and your business signature in each email you send.
- Draft short and clear messages with a clear subject line.
- Assume that every email may be disclosed in judicial proceedings.
3.2. EMAIL ATTACHMENTS
The size of email attachments is by default restricted to 10 MB. Transmission of files larger than this
should utilize the approved Bureau Veritas file transfer tool which may be accessed via the Orion
website.
Furthermore, Users must not open any email attachment that is not identified or whose content is
obviously not professional (any unknown or unusual document is a potential source of viruses).
3.3. ACCESS TO EMAIL CALENDARS
Access to Users’ own calendar is configured by default.
Access may be delegated to other Users to allow them to view and manage a calendar, by granting
additional privilege rights to a particular person in the email options. This must be done on an
individual basis and is the responsibility of the User granting the access.
3.4. CRITICAL MESSAGES FROM THE IS/IT SUPPORT
High level critical IS/IT information will periodically be sent to all Users by the IS/IT support - for example
with regards to viruses or system issues.
Users must read and act upon these messages in order to preserve and maintain the integrity and
security of Bureau Veritas Information System and business data.
3.5. OUT OF OFFICE MESSAGES
Users must put an “out of office” message on their email account giving an alternative contact name if
they are unable to respond to emails for a period of time so as to ensure that expectations of Bureau
Veritas customers and other contacts are managed appropriately.
In the event of an unexpected prolonged absence, Line Managers can request the configuration of an
out of office message on the Users email account.
3.6. EXTERNAL USERS’ EMAILS SENT FROM BUREAU VERITAS
Any emails that are sent by External Users, on behalf of Bureau Veritas and from a Bureau Veritas
mailbox, must be readily distinguished from those sent by Bureau Veritas Internal Users, specifically:
- Line Managers must ensure External Users are declared as third parties during the check-in process so that their email address is set up as follows:
  email address: <first name>.<last name>.ext@<domain>
- External Users must ensure that the corporate name of the third party to which they belong appears in their email business signature block.
3.7. PERSONAL EMAIL USE
Users must ensure the following when using the Bureau Veritas Information System for personal use:
- Personal email use is minimal and takes place substantially outside normal working hours;
- Personal emails are labeled “Personal” or “Private” in the subject header or stored in a folder labeled “Personal” or “Private”;
- Personal email use does not interfere with business or office commitments;
- Personal email use is not such that Bureau Veritas is likely to be brought into disrepute;
- Third party commercial information about Bureau Veritas, or personal details or information regarding other Users, is not emailed to Users’ home email address;
- Compliance with local Bureau Veritas policies, anti-harassment and disciplinary procedures, the Bureau Veritas Code of Ethics and the Manual of Internal Policies and Procedures.
3.8. CONTROL OF USE OF MAILBOX
Any professional emails sent by Users may be intercepted and monitored by Bureau Veritas for the
following reasons:
- If there is a reasonable suspicion that (i) this Charter, the ISS Policies or any other Bureau Veritas policy has been breached, or (ii) a threat to Bureau Veritas’ Information System has been identified;
- In the event of disclosure requirements under judicial decisions or in the event of any need to defend Bureau Veritas in a pre-litigation or litigation case.
Details of transmitted emails, including date and time of dispatch, sender and recipient are logged.
Emails may be backed-up and retained during a certain period (according to the country and local laws).
Emails may be consulted by Users and by the IS/IT support.
4. USE OF THE INTERNET
4.1. CORRECT USE OF INTERNET ACCESS
Access to the Internet is provided to Users as a business tool to assist in the performance of business
related functions and operations.
Users are expected to use the Internet as an effective means of addressing business related issues in a
manner that (i) serves the interests of the Bureau Veritas Group, (ii) is consistent with other
organizational policies and (iii) is compliant with applicable laws and regulations and the Bureau Veritas
Code of Ethics.
Users must not use the Internet access granted in the framework of their mission within Bureau Veritas
to:
- Refer to Bureau Veritas or any of our other businesses or brands in publications on the Internet (social networks, blogs, forums, etc.) without authorization;
- Visit Internet sites that contain obscene, hateful, pornographic or other illegal materials, or that promote terrorism or any unlawful activity;
- Perpetrate any form of fraud, or software, film or music piracy;
- Send material that is discriminatory, offensive or abusive, a personal attack, sexist or racist, or that might be considered harassment;
- Download any software or any copyrighted materials belonging to third parties, unless such download has been duly authorized under a commercial agreement or a license; such authorization must be checked with the ISM Global Purchasing department if the license is global, or with the local IS/IT or Purchasing department if the license is local;
- Create or transmit defamatory materials;
- Undertake deliberate activities that waste staff effort or networked resources;
- Introduce any form of Malware into the corporate network;
- “Snoop” or “hack”, either inside or outside the Bureau Veritas Information System, or deliberately spread viruses or malicious programs;
- Download, store or forward video clips, audio clips, pictures or digital images that are not directly business related;
- Download, email or play “games”.
4.2. PERSONAL INTERNET USE
Bureau Veritas authorizes the incidental use of the Internet by Users to browse and access web sites,
for personal purposes, subject to the conditions below:
- Use must be restricted to the minimum and mainly take place outside normal working hours;
- Use must not interfere with business or office commitments;
- Use must not cause damage to Bureau Veritas’ reputation;
- Use must not generate additional costs for Bureau Veritas;
- Use must comply with local Bureau Veritas policies, anti-harassment and disciplinary procedures and the Bureau Veritas Code of Ethics;
- No Bureau Veritas information (e.g. passwords) should be entered into any external site that is accessed over HTTP rather than HTTPS, as such connections are not encrypted.
In the case of entering unacceptable Internet sites by accident, if Users have any concerns about the
content, they should report the matter to their Line Manager.
4.3. INTERNET USE MONITORING
For statistics, quality of service and security reasons, Bureau Veritas logs, supervises (globally and
anonymously) and audits the use of Internet made by Users (most visited sites, connection time, etc.).
Bureau Veritas may inspect specific Internet transactions either through usage reporting or line
management request:
- If there is a reasonable suspicion that this Charter, the ISS Policies or any other Bureau Veritas policy has been breached, or if a threat to Bureau Veritas’ Information System has been identified;
- In the event of disclosure requirements under judicial decisions or in the event of any need to defend Bureau Veritas in a pre-litigation or litigation case.
5. PROTECTION FROM VIRUSES
The deliberate introduction of a virus to a computer network is a criminal offence. Viruses can be
introduced into Bureau Veritas network or transmitted to third party’s Information Systems by email,
infected disks, USB removable media, unauthorized software or through the Internet. Every effort must
be taken to ensure that no viruses are transmitted or in any way affect Bureau Veritas Information
System.
5.1. ANTI-VIRUS MAINTENANCE
In order to protect Bureau Veritas from the threat of new viruses and to safeguard the security and
integrity of the Bureau Veritas Information System, all Bureau Veritas Hardware is equipped with
corporate anti-virus solutions that receive mandatory updates.
Users must never deactivate the anti-virus solutions on Bureau Veritas’ Hardware, except if expressly
authorized by the IS/IT to do so.
Users must:
- Ensure that the available anti-virus updates are regularly and properly installed onto their Hardware;
- For nomadic workers, regularly connect their Hardware to the corporate network from a Bureau Veritas location in order to receive the updates.
If a problem occurs, Users must report it to the identified point of contact (as per Appendix attached
hereto).
5.2. VIRUS DETECTION
If Users discover a virus on their professional Hardware, they must:
- Immediately contact the identified point of contact within their scope (e.g. local IT, helpdesk) using the reporting means at their disposal, and inform their Line Manager;
- Immediately disconnect the infected Hardware from the Bureau Veritas network;
- Keep their Hardware connected to the network in order to facilitate any anti-virus action if requested by the IS/IT support to do so;
- Stop using the infected Hardware.
5.3. VIRUS DETECTION IN EMAILS
The mail servers automatically check for viruses in the messages and attachments of incoming and
outgoing external emails. All emails found to contain a virus are stopped from entering the Bureau
Veritas mail network and deleted by the anti-virus solutions.
Note that although all incoming emails are checked for viruses at their point of entry into the Bureau
Veritas Information System, some may contain viruses which are not identified by the mail servers. If
Users receive an email from an unexpected or unknown source which contains an attachment and
which displays an abnormal or warning message when they attempt to open it, they must stop
immediately and contact the identified point of contact (as per the Appendix attached hereto).
5.4. VIRUS DETECTION IN FILE DOWNLOADS FROM THE INTERNET
Information downloaded from the Internet is automatically checked for viruses. All Bureau Veritas
Hardware has the corporate anti-virus solutions loaded and running as part of the standard baseline.
6. USE OF SOFTWARE
6.1. APPROVED SOFTWARE
Only software that is licensed and approved by the ISM department or the local IS/IT department may be used
on equipment made available by Bureau Veritas.
Users have access to all software necessary to perform their mission.
Free software does not mean it can be downloaded without agreeing to terms of use through a
license. Such software often requires the acceptance of terms of use when downloading or installing
it. These terms of use include obligations that Bureau Veritas as a company must comply with. Such
terms of use must be submitted to the ISM Global Purchasing department if the license is global, or to the
local IS/IT or Purchasing department if the license is local, and will then be reviewed by the HO Legal or local
Legal department.
In addition, Users are required to:
- Request new software from their Line Manager when needed;
- Comply with the installation procedure for new and/or additional software that they requested (including browser downloads);
- Not install or download software from bulletin boards, shareware, home computers, computer shops or any other source without authorization;
- Not copy licensed software for personal use or for third parties;
- Not download any Bureau Veritas licensed software onto personal equipment;
- Not make any copy of software or applications, or attempt to install software, without the authorization of the HO Legal or local Legal department;
- Not uninstall the MDM tool or related applications on Hardware.
6.2. USE OF INSTANT MESSAGING
The provision of instant messaging shall be for business use only. It shall serve to enhance the
productivity and communication possibilities available to Users. Only messaging tools approved by
Bureau Veritas are authorized for use within Bureau Veritas.
Conversations are automatically recorded by default.
6.3. MACROS
A macro is typically written in an Excel spreadsheet or Word document to automate repetitive, frequent
and complex processes.
All macros created by Users should be owned, supported and maintained by them. Line Managers
should ensure that if macros’ owners move/leave, the appropriate skills and ownership of macros are
retained.
Macros must not be automatically executed. Macros in unknown or dubious documents must not be
executed as they may contain viruses.
6.4. DATABASES
All databases created by Users should be owned, supported and maintained by them. Line Managers
should ensure that databases’ owners are clearly identified as well as contributors to databases which
will support any development of it. If databases’ owners move/leave, the appropriate skills and
ownership of databases are retained in the department/function.
7. USE OF HARDWARE
7.1. APPROVED HARDWARE
Only authorized Hardware which has been sourced by the IS/IT support is to be used for professional
activities related to Bureau Veritas. To ensure optimum service, all Hardware changes must be
managed by the IS/IT support so as to allow monitoring and expenditure control of Bureau Veritas’ IT
Hardware.
Users are equipped with all Hardware necessary to perform their mission, approved by their Line
Manager.
7.2. USE OF HARDWARE
In order to ensure the security of the Hardware provided to them, Users must:
- Obtain all Hardware for their mission exclusively via the IS/IT support;
- Request new Hardware from their Line Manager, with appropriate justification;
- Ensure asset tags and labels remain on Hardware; any loss of labels should be notified to the IS/IT support;
- Not transfer Hardware to new locations or to other Users without the IS/IT support performing the change;
- Minimize any risk of theft;
- Place Hardware in a secured (locked) space at the end of each working day;
- Ensure that Hardware is not left unattended in a vehicle or in a public space;
- Pay special attention when Hardware is used in a public place and use a physical protection means (e.g. use the safety cable, store it in a locked cabinet);
- Ensure that all Hardware is switched off when they leave the office;
- Ensure that due care is taken when using Hardware;
- Not deactivate the automatic locking of the device (after a few minutes), which prevents unauthorized access;
- Not insert the SIM card of a professional device into a personal device.
In particular, concerning USB keys and external hard disk drives, Users must:
- Store all Bureau Veritas data that should not be disclosed publicly on USB media storage protected by corporate encryption solutions;
- Never connect USB media storage of unknown origin (e.g. a USB key found in the street) to professional Hardware. In this case, Users can ask the IS/IT support to analyze and secure the USB media storage;
- Not use USB media storage if local Bureau Veritas rules prohibit their use.
7.3. USE OF PHONE DEVICES
Bureau Veritas may provide Users with a desk phone, a mobile phone or a smartphone where
necessary to perform their professional activity. This may vary based upon local country policy, so
Users must seek guidance from their Line Manager.
In order to ensure the security of the devices provided to them, in particular smartphones, Users must:
- Keep their devices with them when they are in a public place;
- Keep their devices out of sight and, when possible, locked away when they are away from them;
- Not connect their devices to unknown computers, in order to avoid risks of data copying and virus infection;
- Not use personal file sharing, mail or unauthorized applications on Bureau Veritas devices;
- Not modify or remove the MDM tool and related settings on their device;
- Never deactivate the screen-unlock feature (e.g. PIN code, screen-unlock pattern);
- Use mobile data connections (2G/3G/4G) for business purposes only (mail, calendar, specific apps);
- Respect mobile data subscriptions (which vary per country). In particular, do not exceed the usage limits of mobile data subscriptions depending on the geographical coverage (roaming), unless authorized by the Line Manager;
- Only connect their device to Bureau Veritas corporate or protected WIFI networks, and never connect to public or unencrypted WIFI networks, due to data exposure risks;
- Only activate Bluetooth and WIFI when needed, and deactivate them the rest of the time;
- Not configure call forwarding of their office number to a personal device;
- Never lend their device to third parties.
7.4. HARDWARE RETURNS
All Hardware must be returned by Users to the IS/IT support, for repair, replacement or when Users
leave the company.
7.4.1. HARDWARE RETURNS BY USERS LEAVING BUREAU VERITAS
Users must:
- Return Hardware granted to them to the IS/IT support before leaving the company;
- When returning Hardware, ensure that the packaging will protect it during transit. Any issues with the Hardware caused by poor packaging and attributable to Users will result in escalation to line management.
Line Managers must, where possible, ensure that any professional data necessary for continuing business
is transferred over to a common file share prior to Users’ leave date.
7.4.2. HARDWARE RETURNS FOR REPAIR OR REPLACEMENT
Users must:
Make a formal request to the IS/IT support for replacement or repair in case of Hardware failure;
Return Hardware to the IS/IT support for repair or replacement;
When returning Hardware, ensure that the packaging will protect it during transit. Any issues with the Hardware caused by poor packaging and attributable to Users will result in escalation to line management.
7.5. DECLARATION OF STOLEN OR LOST HARDWARE
In case of loss or theft of Hardware, Bureau Veritas data may be fraudulently retrieved by a third party. In this case, Users must react promptly and immediately inform their Line Manager, so that Bureau Veritas can trigger its dedicated procedures.
The measures taken may include the remote wiping of all data on the Hardware or the deactivation of the device.
7.6. HEALTH AND SAFETY
Where Users and their Line Manager identify a Health & Safety issue relating to Hardware, this will be investigated and reasonable adjustments considered, which may include issuing an external screen and keyboard for use with a laptop.
Appropriate adjustments will be made, where reasonably practicable, in order to facilitate the use of Hardware by Users.
For further clarity regarding Bureau Veritas’ approach to Display Screen Equipment (DSE) assessments, please refer to the Health and Safety Forms and Procedures available on the Orion portal.
7.7. CONTROL OF HARDWARE
Users are informed and accept that:
Bureau Veritas may conduct checks upon Hardware and the use and consumption made with it (e.g. date, time, duration, cost);
The use of Hardware may be monitored in order to detect any non-compliant use, to optimize the use of Hardware or to conduct statistical analyses.
Bureau Veritas is the sole owner of Hardware made available to Users and reserves the right, at any time, to request the return of Hardware, without notice or compensation.
8. PROTECTION OF PERSONAL DATA
8.1. USERS’ DUTIES
In order to comply with the data protection legislation and regulations in place in the various countries, Users are required to ensure that they are familiar with local requirements and to comply with local rules regarding the collection, use, storage and destruction of another person’s personal information.
Line managers should ensure that the necessary means are available to Users to comply with their duties.
As a general rule, Users must respect the following measures:
Only collect/keep Personal Data necessary for the performance of their missions and for a specific and legitimate purpose;
Ensure the adequacy, relevance and accuracy of the data in relation to the defined purposes;
Obtain individual consent to collect and process Personal Data when such consent is required;
Take appropriate measures to ensure the security and confidentiality of Personal Data in consideration of the risks related to the processing (at both technical and organizational levels);
Consider where Personal Data is best kept: with Users, in a clearly identified and password-protected file, or with the Human Resources Department;
Manage requests from data subjects relating to their rights to access, rectify, erase or oppose the processing of their Personal Data, or any other rights granted to data subjects by local data protection legislation;
Never pass on personal details to third parties, unless Users have taken legal advice or spoken to the Human Resources Department first; the dissemination of Personal Data outside Bureau Veritas’ organization must be strictly authorized in writing;
Make sure that any emails containing Personal Data are clearly marked as “confidential” and, if possible, encrypted;
Not process, consult or modify Personal Data that is not necessary for the performance of their mission, even though accessing these data is technically possible;
Delete Personal Data that is no longer needed for a specified purpose.
8.2. USERS’ RIGHTS
Users’ Personal Data will be collected and processed fairly and lawfully, in accordance with the applicable laws or regulations on the protection of Personal Data.
Data processing carried out under this Charter is in particular intended for:
Monitoring and maintenance of the Information System (telecom system and computer park, including hardware and software);
Management of IT equipment;
Management of credentials;
Management of directories to define access permissions to applications and networks;
Management of telephony;
Management of the use of intranet and internet networks;
Implementation of devices and firewalls to ensure the safety and smooth operation of computer resources and electronic communication, including the retention of connection logs and data of any kind;
Management of emails and instant messaging;
Compliance with this Charter and the Bureau Veritas Global Personal Data Protection Policy.
Users are informed that they have a right of access, rectification, erasure and opposition for legitimate reasons, on all Personal Data concerning them and stored in the Bureau Veritas Information System. These rights may be exercised upon request to Bureau Veritas.
9. CONFIDENTIALITY REQUIREMENTS
9.1. CONFIDENTIALITY LEVELS
The Confidentiality of data is defined in the ISS Policies and is composed of four levels:
Public: Information created in order to be published externally;
Internal: Information that can be accessed by all employees or a large majority of them. It is not meant to be published publicly;
Restricted: Information for a specific audience;
Secret: Strictly limited access information, for specific employees identified by name within Bureau Veritas.
9.2. SECURITY BASED ON CONFIDENTIALITY
Users shall observe the confidentiality rules described in Chapter 360 of the Manual of Internal Policies and Procedures of the Bureau Veritas Code of Ethics.
Safeguarding the interests of Bureau Veritas requires strict compliance with a general and continuing obligation of confidentiality, discretion and business secrecy with respect to all information, data and documents of which Users may have knowledge in the performance of their duties, including legal, financial, commercial, scientific, technical, economic or industrial information, regarding the use of the Bureau Veritas Information System.
Any and all information, in any medium or format (files, emails, paper documents, any data collected…), communicated to or accessed by Users during the performance of their mission within Bureau Veritas is confidential and remains the property of Bureau Veritas.
Except for Bureau Veritas information meant to be public, Users must:
Not disclose Bureau Veritas data outside the organization, except if it is properly protected (e.g. encrypted);
Not disclose documents or information regarding their mission or Bureau Veritas for professional purposes to other persons (unauthorized third parties), whether private or public, natural or legal persons;
Not disclose information concerning the Bureau Veritas Information System, including its weaknesses and vulnerabilities, the findings of their mission, and any information retrieved by any means;
Ensure that Personal Data is not disclosed outside Bureau Veritas unless the data subject (the individual who is the subject matter of the Personal Data) has consented or guidance has been sought from the local Human Resources Department (no extraction is allowed without respecting those conditions);
Take all measures to avoid the theft, misuse or fraudulent use of information (including confidential information) during the performance of their mission;
Take appropriate security measures to ensure the preservation and integrity of the documents and information processed;
Only use the encryption solutions expressly authorized by Bureau Veritas and never use personal encryption solutions;
Not alter or destroy traces or proofs relating to actions or events on the Bureau Veritas Information System, except if authorized to do so;
Be careful in public places when accessing confidential data; other people may be able to see your laptop or listen to your conversations.
Line managers should ensure that the necessary means are available to Users to comply with confidentiality requirements.
9.3. CONFIDENTIALITY IN DOCUMENTS
Users must categorize the documents they create according to their level of confidentiality. They must also properly manage documents based on the confidentiality level marked on them.
9.4. CONFIDENTIALITY IN EMAILS
Users must:
Ensure that due care and attention is taken before sending any confidential documents externally by email (e.g. documents that contain medical information or confidential employee or customer details);
Not send restricted or secret information via standard email. Ensure this information is protected with corporate and legally approved protection solutions (encryption solutions) before sending;
Ensure that all emails transmitting confidential information contain “confidential” in the subject field;
Include a confidentiality statement in the footer of emails.
10. DECLARATION OF SECURITY BREACHES
Proven or suspected security breaches can have a significant impact on the Bureau Veritas Information System.
In order to avoid adverse consequences as much as possible, Users must:
Promptly declare any breach or suspected breach in the Information System to the IS/IT support, using the reporting solutions in place (e.g. reporting tool, phone number, dedicated email address);
Not exploit an identified breach and not try to prove a suspected breach, even if the breach is made by a competitor;
Not disclose information about breaches to third parties without Bureau Veritas’ prior consent.
11. MOBILE WORKING
Tools such as Mobile Broadband Devices (USB dongles, built-in 3G/4G cards) and/or the Hotspot functionality on Smartphones are provided to allow approved Users to connect remotely to the Bureau Veritas Information System when they are away from company locations.
Remote access to the Bureau Veritas Information System is provided via the BV Connect / BV Pulse (VPN) software.
Email and Internet usage when accessing the Bureau Veritas Information System remotely must comply with the rules that are enforced on the office network and should only be used for business-related communications.
In addition to the above, Users should be vigilant about their communications and handling of Bureau Veritas information; specifically, Users must:
Be vigilant during communications (by phone or in person) in public, to avoid any disclosure of Bureau Veritas information;
Avoid working on Bureau Veritas documents in public places. If necessary, use a privacy filter;
Avoid carrying Bureau Veritas information in public if not necessary;
Destroy, where needed, Bureau Veritas information, in Bureau Veritas offices and off site, using confidential waste containers or shredders where appropriate;
Not print Bureau Veritas information from a public printer/fax.
12. CLEAR DESK AND CLEAR SCREEN
In order to reduce the risk of unauthorized access or loss of information, Bureau Veritas mandates a clear desk and clear screen policy as follows:
Clear screen:
o Personal or confidential business information is protected using security features (e.g. encryption);
o Computers are logged off or protected with a screen locking mechanism controlled by a password when unattended;
Clear Desk:
o Confidential material is not left unattended on printers or photocopiers;
o Confidential material is stored away when not in use;
o All business-related printed matter must be disposed of using confidential waste bins or shredders;
o A clear desk is maintained, with all documentation stored away at the end of the working day.
13. BACKUP OF USERS’ DATA
Users must follow good housekeeping practice to ensure the availability and efficiency of the Bureau Veritas Information System.
Users must:
Retain responsibility for performing regular backups of data stored on their Hardware (e.g. workstation, laptop) that is not backed up by servers, to ensure data is not lost;
If disk space is allocated to Users on corporate servers, retain responsibility for housekeeping their personal folder on file servers;
Never back up the above-mentioned data on personal storage devices that are not approved by Bureau Veritas and protected by corporate solutions;
Never use personal cloud services (e.g. Google Drive, Dropbox, OneDrive) to back up Bureau Veritas data.
14. COPYRIGHT AND TRADEMARKS
Use of the Information System implies compliance with Policy 363 of the Manual of Internal Policies and Procedures of the Code of Ethics, related to the protection of Bureau Veritas intellectual property rights and intellectual property rights belonging to third parties.
Consequently, Users must not:
Access information that is protected by copyright in a way that violates such copyright;
Make any illegal copy of software or applications, or attempt to install software without the authorization set forth under Article 6.1 “Approved software”;
Reproduce or use databases, web pages or creations of Bureau Veritas or of third parties protected by an intellectual property right without the prior consent of the owner;
Download or use software, photos, texts, images, documents, and generally any content downloaded from the Internet, without the prior consent of the owner;
Use on any communication medium (PowerPoint, internet, emails, etc.) the trademark of any clients or third parties without their prior written consent;
Use the Bureau Veritas trademarks in a manner which will or may jeopardize their significance, distinctiveness or validity;
Breach the Group Bureau Veritas trademarks Policy and the graphic guidelines;
Copy and provide third parties with content belonging to a third party or to Bureau Veritas without the prior consent of the owner.
15. FAILURE TO COMPLY WITH THIS CHARTER – SANCTIONS
Bureau Veritas is rightly proud of its reputation and that of its employees. In order to protect both, and that of its clients, Bureau Veritas needs to take steps to ensure that its Information System is used for the purpose for which it was created and with respect for the rights of the Users, of the companies and individuals whose data it contains, and of Bureau Veritas itself. To this end it may, on occasion, be necessary to invoke sanctions for non-compliance.
In case of non-compliance with the terms of this Charter, Bureau Veritas will:
Investigate the reason for such failure to comply; and may
Take action to revoke accesses and authorizations to its Information System.
Any non-compliance with the terms of this Charter by Internal Users may lead to disciplinary action, in accordance with the applicable local disciplinary policy or local laws. Any non-compliance with the terms of this Charter by External Users may lead to termination of the contractual relationship with Bureau Veritas.
Bureau Veritas may, if it suspects use of its Information System for any illegal or unethical purpose, report such use to the Police or other enforcement agency. Bureau Veritas will have no obligation to inform the User in such cases.
APPENDIX
IS/IT SUPPORT CONTACT
Contact numbers and email addresses are available on Connection in the “ISM Information Systems Management” community, in the “ServiceDesk Contact Details” document.
END OF DOCUMENT