global is/it charter information system security



Post on 22-Feb-2022


PUBLIC INTERNAL RESTRICTED SECRET

X

STATUS : VALIDATED

VERSION : 1.1

GLOBAL IS/IT CHARTER INFORMATION SYSTEM SECURITY


Approvers

Name: Julien ANICOTTE. Position: Group Chief Information Security Officer.

Name: Chrystelle SABOURAUD. Position: Senior Manager, IP/IT, Legal, Risk & Compliance Department.

Revision history

Version 1.0. Authors: Angela VASTANO, Alexis TUTINO, Chrystelle SABOURAUD. Description: Creation of the document. Date: 23/10/2017.

Version 1.1. Author: Grégoire Barral. Description: Responsibility flags. Date: 30/07/2018.

Reference documents

Document title / Document Name

Classification

Level: C2. Confidentiality: Internal.


SUMMARY

GLOSSARY 6

1. PRESENTATION 7

1.1. PURPOSE 7

1.2. SCOPE 7

1.2.1. Users 7

1.2.2. Information system 7

1.2.3. Use 8

1.3. RESPONSIBILITIES 8

1.4. IMPLEMENTATION 8

2. PROTECTION OF CREDENTIALS 9

2.1. INDIVIDUAL USERS ACCOUNTS 9

2.2. PASSWORDS 9

3. USE OF EMAIL 11

3.1. CORRECT USAGE OF EMAIL SERVICES 11

3.2. EMAIL ATTACHMENTS 12

3.3. ACCESS TO EMAIL CALENDARS 12

3.4. CRITICAL MESSAGES FROM THE IS/IT SUPPORT 12

3.5. OUT OF OFFICE MESSAGES 13

3.6. EXTERNAL USERS’ EMAILS SENT FROM BUREAU VERITAS 13

3.7. PERSONAL EMAIL USE 13

3.8. CONTROL OF USE OF MAILBOX 13

4. USE OF THE INTERNET 15

4.1. CORRECT USE OF INTERNET ACCESS 15

4.2. PERSONAL INTERNET USE 15

4.3. INTERNET USE MONITORING 16

5. PROTECTION FROM VIRUSES 17


5.1. ANTI-VIRUS MAINTENANCE 17

5.2. VIRUS DETECTION 17

5.3. VIRUS DETECTION IN EMAILS 18

5.4. VIRUS DETECTION IN FILE DOWNLOADS FROM THE INTERNET 18

6. USE OF SOFTWARE 19

6.1. APPROVED SOFTWARE 19

6.2. USE OF INSTANT MESSAGING 19

6.3. MACROS 20

6.4. DATABASES 20

7. USE OF HARDWARE 21

7.1. APPROVED HARDWARE 21

7.2. USE OF HARDWARE 21

7.3. USE OF PHONE DEVICES 22

7.4. HARDWARE RETURNS 22

7.4.1. Hardware returns by Users leaving Bureau Veritas 22

7.4.2. Hardware returns for repair or replacement 23

7.5. DECLARATION OF STOLEN OR LOST HARDWARE 23

7.6. HEALTH AND SAFETY 23

7.7. CONTROL OF HARDWARE 23

8. PROTECTION OF PERSONAL DATA 25

8.1. USERS’ DUTIES 25

8.2. USERS’ RIGHTS 25

9. CONFIDENTIALITY REQUIREMENTS 27

9.1. CONFIDENTIALITY LEVELS 27

9.2. SECURITY BASED ON CONFIDENTIALITY 27

9.3. CONFIDENTIALITY IN DOCUMENTS 28

9.4. CONFIDENTIALITY IN EMAILS 28

10. DECLARATION OF SECURITY BREACHES 29


11. MOBILE WORKING 30

12. CLEAR DESK AND CLEAR SCREEN 31

13. BACKUP OF USERS’ DATA 32

14. COPYRIGHT AND TRADEMARKS 33

15. FAILURE TO COMPLY WITH THIS CHARTER – SANCTIONS 34

APPENDIX 35

IS/IT SUPPORT CONTACT 35


GLOSSARY

CISO means Chief Information Security Officer.

Global ISSP means Global Information System Security Policy, which is the document describing the organization of the Information Security Management System.

Hardware includes, but is not limited to, desktops, laptops, handheld devices such as mobile phones and smartphones, media storage such as USB sticks, and printers.

Information System means an integrated set of components (including IT equipment) for collecting, storing and processing data and for providing information.

ISS Policies mean Information System Security Policies, which include the Global ISSP and the Operational Policies: the set of documents defining the framework of Information System Security (ISS) through governance principles and pragmatic rules, which shall be implemented across the Bureau Veritas Group.

IS/IT support means the local helpdesk or local IT of Bureau Veritas.

Line Manager means the immediate superior of the concerned Internal User, or the Bureau Veritas coordinator of the concerned External User.

Malware (short for malicious software) means any software used to disrupt computer or mobile operations, gather critical information, gain access to private Information Systems, or display unwanted advertising. The term refers to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware and other malicious programs.

Mobile Device Management (MDM) means a solution for managing a fleet of mobile devices, whether tablets or smartphones. This solution also allows all or part of the business data or applications to be erased remotely in case of loss or theft of the device.

Operational Policies mean documents describing the essential requirements and recommendations, each one covering a major theme, resulting in a set of pragmatic rules to be applied at the operational level.

Personal Data means any information relating to an identified or identifiable living person (‘data subject’); an identifiable living person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


1. PRESENTATION

1.1. PURPOSE

Bureau Veritas provides all its employees and certain of its service providers with data resources and equipment for collecting, storing and processing data (together, the “Information System”) for Bureau Veritas business purposes.

The purpose of this Global IS/IT Charter (the “Charter”) is to detail the rules governing the use of the Bureau Veritas Information System.

1.2. SCOPE

1.2.1. USERS

This Charter applies to all individuals who are authorized by Bureau Veritas to access or use the Bureau Veritas Information System. These individuals include, without this list being exhaustive:

- “Internal Users”: means Bureau Veritas’ employees, including trainees and temporary staff;
- “External Users”: means personnel of suppliers, sub-contractors or other business partners of the Bureau Veritas Group;
- “Users”: means collectively Internal Users and External Users.

Sections marked with the following flags highlight the responsibilities of the following roles:

IS/IT:
- Provide and operate the solution;
- Assist Users and provide for specific needs;
- Bear responsibility.

Line Manager:
- Define measures and applicable rules;
- Allocate resources;
- Bear responsibility.

1.2.2. INFORMATION SYSTEM

The Information System owned or made available by Bureau Veritas includes, but is not limited to, the following:

- Mobile / smartphone devices;
- Email;
- Instant messaging;
- Internet/Intranet;
- Databases;
- Software/Applications;
- Hardware; or
- Any new equipment or technology.

1.2.3. USE

This Charter covers the use of the Bureau Veritas Information System:

- On site, in any Bureau Veritas location worldwide;
- With mobile use regardless of location; and
- Through remote access.

This Charter applies regardless of the frequency and periodicity of Users’ use of the Bureau Veritas Information System.

1.3. RESPONSIBILITIES

Users must act in accordance with the rules described herein.

Line Managers are expected to implement and manage the deployment of the Charter by ensuring that Users comply with it.

Human Resources Departments are expected to ensure that this Charter is applied in accordance with local employment law practices and in compliance with applicable Workers’ Council requirements. In this regard, a local IS/IT charter may be implemented. In case of contradiction between a local IS/IT charter and this Global IS/IT Charter, the local IS/IT charter shall prevail. In countries where no local IS/IT charter exists, this Global IS/IT Charter applies to Users by default.

1.4. IMPLEMENTATION

This Charter is communicated to:

- All Users on the date of its first publication;
- Each new Internal User when joining Bureau Veritas;
- Each External User working for or with Bureau Veritas, at the latest upon their first connection to the Information System of Bureau Veritas.


2. PROTECTION OF CREDENTIALS

2.1. INDIVIDUAL USERS ACCOUNTS

In order to ensure traceability and accountability of the use of the Bureau Veritas Information System, each User is assigned one unique User ID. Users must not share their accounts, except for specific and properly authorized needs.

Subject to applicable law, access to another User’s account will only be granted in exceptional circumstances where there is an urgent business need and the person is not contactable, in agreement with the Line Manager and the Human Resources Department.

The only exception to this is where access to the mailbox or calendar has been granted by its owner through the email delegation facility (e.g. for the purposes of arranging meetings or checking schedules).

Users must:

- Lock their Hardware when leaving it for any period of time;
- Disconnect from applications and services when they do not need them;
- Ensure that they do not access the network using the login credentials of another individual who is currently working for or who has left the organization;
- Ensure that they do not access another User’s mailbox using that User’s login credentials.

2.2. PASSWORDS

Users have a unique login and password, which are confidential and strictly personal. Users will be held accountable for any system usage made with their credentials.

Users must:

- Keep their passwords confidential, not share them and not write them down in a format accessible to anyone else;
- Enter their passwords out of other persons’ sight;
- Abide by system requirements and ensure that passwords are at least 8 characters long and contain capital letters, lowercase letters, digits and special characters (when allowed by the system);
- Change passwords every 90 days or upon request;
- Ensure that the same password is not re-used for 5 changes;
- Ensure that passwords are not obvious to others, in order to ensure maximum security;
- Never share their password with anyone (even with their Line Manager, the helpdesk or local IT);
- Set up a different password on each service they use, both internal and external to Bureau Veritas, so that a breach on one service does not compromise all of them;
- Immediately change their password if they know or suspect that it has been compromised (e.g. divulged to others).

If granted an administrator account, Users must ensure that their administrator account’s password is different from the one they use for their regular account.

Under exceptional circumstances, where there is a legitimate business need, the IS/IT support can reset a User’s password without their consent, but only with the consent of their Line Manager and the Human Resources Department.
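The rules of this section (minimum length and character classes, 90-day rotation, no re-use for 5 changes, administrator password distinct from the regular one) are mechanical enough to be enforced by the system at password-change time. The checker below is an added illustration of such enforcement, written for this page; it is not Bureau Veritas tooling and not part of the Charter. It assumes the password history is held as salted SHA-256 digests (a slow password hash would be used in a real credential store), and all salts, dates and sample passwords are constructed.

```python
"""Password-policy checker mirroring section 2.2 of the Charter (illustration only)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac

MIN_LENGTH = 8
HISTORY_DEPTH = 5   # "the same password is not re-used for 5 changes"
MAX_AGE_DAYS = 90   # "change passwords every 90 days"


def password_digest(password, salt):
    """Salted SHA-256 hex digest: enough for a reuse check over a short history.
    A production store would use a deliberately slow hash such as bcrypt."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


@dataclass
class AccountRecord:
    """State the checker keeps for one account (regular or administrator)."""
    salt: bytes
    last_changed: date
    history: list = field(default_factory=list)  # digests, newest first; [0] is current

    def current_digest(self):
        return self.history[0] if self.history else None


def composition_violations(password, special_allowed=True):
    """Length and character-class rules. 'special_allowed' mirrors the Charter's
    '(when allowed by the system)' qualifier for special characters."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if special_allowed and not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def check_new_password(password, record, other_account=None, special_allowed=True):
    """Every reason the proposed password must be rejected (empty list = acceptable).
    'other_account' is the User's linked account (the administrator account when a
    regular password is set, or the reverse), whose current password must differ."""
    problems = composition_violations(password, special_allowed)
    digest = password_digest(password, record.salt)
    if any(hmac.compare_digest(digest, old) for old in record.history[:HISTORY_DEPTH]):
        problems.append(f"re-used within the last {HISTORY_DEPTH} changes")
    if other_account is not None and other_account.current_digest() is not None:
        other_digest = password_digest(password, other_account.salt)
        if hmac.compare_digest(other_digest, other_account.current_digest()):
            problems.append("identical to the password of the User's other account")
    return problems


def rotation_due(record, today):
    """True once the current password has reached the 90-day limit."""
    return (today - record.last_changed).days >= MAX_AGE_DAYS


def apply_change(record, password, today):
    """Record a successful change, keeping only the last HISTORY_DEPTH digests."""
    record.history.insert(0, password_digest(password, record.salt))
    del record.history[HISTORY_DEPTH:]
    record.last_changed = today


def demo():
    """Walk through the rules with constructed sample data and return the outcomes."""
    today = date(2018, 7, 30)  # constructed reference date
    regular = AccountRecord(b"constructed-salt-regular", today - timedelta(days=200))
    admin = AccountRecord(b"constructed-salt-admin", today - timedelta(days=200))
    apply_change(regular, "Ordinary#Pw1", today - timedelta(days=100))
    results = {
        "reuse": check_new_password("Ordinary#Pw1", regular),
        "admin_same_as_regular": check_new_password("Ordinary#Pw1", admin, other_account=regular),
        "admin_ok": check_new_password("Fresh!Adm1n", admin, other_account=regular),
        "rotation_due": rotation_due(regular, today),
    }
    # Five further changes push the original password out of the 5-change window.
    for i in range(HISTORY_DEPTH):
        apply_change(regular, f"Rotated#Pw{i}", today - timedelta(days=50 - i * 10))
    results["old_password_reusable"] = check_new_password("Ordinary#Pw1", regular) == []
    results["rotation_due_after_change"] = rotation_due(regular, today)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```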


3. USE OF EMAIL

3.1. CORRECT USAGE OF EMAIL SERVICES

The commercial and legal effects of sending and receiving an email are the same as those of any other form of written communication, as if the content of the email had been written on Bureau Veritas letterhead paper.

Users must not use their own personal email accounts (e.g. Yahoo, Hotmail, Gmail) to send Bureau Veritas information or official documents (e.g. inspection or audit reports, contracts), either in the body of the email or as a file attachment. This includes sending information to themselves or to a third party.

Users must not use email to:

- Set up or run personal businesses;
- Forward company confidential messages to external locations, unless authorized in the framework of their mission or by their Line Manager;
- Distribute, disseminate or store images, text or materials that might be or are considered:
  o indecent, pornographic, obscene, illegal or offensive;
  o discriminatory, offensive or abusive, a personal attack, sexist or racist, or that might be considered as harassment;
- Promote terrorism or any unlawful activity;
- Create or transmit defamatory emails;
- Change the content of an email received from a third party before forwarding it, without a professional reason or without indicating the changes;
- Break into the company’s or another organization’s system, or carry out other unauthorized use of a password/mailbox;
- Broadcast unsolicited personal views on social, political, religious or other non-business related matters;
- Send unsolicited commercial or advertising materials;
- Use their Bureau Veritas email address to register on non-business related websites;
- Send an email on behalf of another person, unless the sender confirms in the email that he/she is duly authorized to send the email on behalf of that person. Any emails that are forwarded must not be altered in any way;
- Introduce any form of virus into the corporate network;
- Join mailing lists of external entities, in order to limit the junk mail coming into Bureau Veritas and reduce the threat of Malware.


Best practices

- Do not open attachments or click on links in unexpected or suspicious emails. In case of any doubt, please contact the IS/IT support.
- Use your judgment when putting together mailing lists. For instance:
  o “to”: recipients who are expected to act (the number of recipients must be limited);
  o “cc”: to be limited to persons who truly need to be informed;
  o “bcc”: to be avoided wherever possible.
- Do not send long e-mail chains, as reading these is not a good use of the recipient’s time.
- Include greetings and your business signature in each email you send.
- Draft short and clear messages with a clear subject line.
- Assume that every email may be disclosed in judicial proceedings.

3.2. EMAIL ATTACHMENTS

The size of email attachments is by default restricted to 10 MB. Files larger than this should be transmitted using the approved Bureau Veritas file transfer tool, which may be accessed via the Orion website.

Furthermore, Users must not open any email attachment that is not identified or whose content is obviously not professional (any unknown or unusual document is a potential source of viruses).

3.3. ACCESS TO EMAIL CALENDARS

Access to Users’ own calendar is configured by default.

Users may delegate access to their calendar to other Users, allowing them to view and manage it, by granting additional privilege rights to a particular person in their email options. This must be done on an individual basis and is the responsibility of the User granting the access.

3.4. CRITICAL MESSAGES FROM THE IS/IT SUPPORT

Critical high-level IS/IT information will periodically be sent to all Users by the IS/IT support, for example with regard to viruses or system issues.

Users must read and act upon these messages in order to preserve and maintain the integrity and security of the Bureau Veritas Information System and business data.


3.5. OUT OF OFFICE MESSAGES

Users must put an “out of office” message on their email account, giving an alternative contact name, if they are unable to respond to emails for a period of time, so as to ensure that the expectations of Bureau Veritas customers and other contacts are managed appropriately.

In the event of an unexpected prolonged absence, Line Managers can request the configuration of an out of office message on the User’s email account.

3.6. EXTERNAL USERS’ EMAILS SENT FROM BUREAU VERITAS

Any emails sent by External Users on behalf of Bureau Veritas and from a Bureau Veritas mailbox must be readily distinguishable from those sent by Bureau Veritas Internal Users. Specifically:

- Line Managers must ensure that External Users are declared as third parties during the check-in process, so that their email address is set up as follows:

  email address: <first name>.<last name>.ext@<domain>

- External Users must ensure that the corporate name of the third party to which they belong appears in their email business signature block.

3.7. PERSONAL EMAIL USE

Users must ensure the following when using the Bureau Veritas Information System for personal use:

- Personal email use is minimal and takes place substantially outside normal working hours;
- Personal emails are labeled “Personal” or “Private” in the subject header, or stored in a folder labeled “Personal” or “Private”;
- Personal email use does not interfere with business or office commitments;
- Personal email use is not such that Bureau Veritas is likely to be brought into disrepute;
- Third party commercial information about Bureau Veritas, or personal details or information regarding other Users, is not emailed to Users’ home email addresses;
- Compliance with local Bureau Veritas policies, anti-harassment and disciplinary procedures, the Bureau Veritas Code of Ethics and the Manual of Internal Policies and Procedures.

3.8. CONTROL OF USE OF MAILBOX

Any professional emails sent by Users may be intercepted and monitored by Bureau Veritas for the following reasons:

- If there is a reasonable suspicion that (i) this Charter, the ISS Policies or any other Bureau Veritas policy has been breached, or (ii) a threat to Bureau Veritas’ Information System has been identified;
- In the event of disclosure requirements under judicial decisions, or in the event of any need to defend Bureau Veritas in a pre-litigation or litigation case.

Details of transmitted emails, including date and time of dispatch, sender and recipient, are logged.

Emails may be backed up and retained for a certain period (according to the country and local laws).

Emails may be consulted by Users and by the IS/IT support.


4. USE OF THE INTERNET

4.1. CORRECT USE OF INTERNET ACCESS

Access to the Internet is provided to Users as a business tool to assist in the performance of business related functions and operations.

Users are expected to use the Internet as an effective means of addressing business related issues in a manner that (i) serves the interests of the Bureau Veritas Group, (ii) is consistent with other organizational policies and (iii) complies with applicable laws and regulations and the Bureau Veritas Code of Ethics.

Users must not use the Internet access granted in the framework of their mission within Bureau Veritas to:

- Refer to Bureau Veritas or any of its other businesses or brands in material published on the Internet (social networks, blogs, forums etc.) without authorization;
- Visit Internet sites that contain obscene, hateful, pornographic or other illegal materials, or that promote terrorism or any unlawful activity;
- Perpetrate any form of fraud, or software, film or music piracy;
- Send material that is discriminatory, offensive or abusive, a personal attack, sexist or racist, or that might be considered as harassment;
- Download any software or any copyright materials belonging to third parties, unless such download has been duly authorized under a commercial agreement or a license; such authorization must be checked with the ISM Global Purchasing department if the license is global, or with the local IS/IT or Purchasing department if the license is local;
- Create or transmit defamatory materials;
- Undertake deliberate activities that waste staff effort or networked resources;
- Introduce any form of Malware into the corporate network;
- "Snoop" or "hack", either inside or outside the Bureau Veritas Information System, or deliberately spread viruses or malicious programs;
- Download, store or forward video clips, audio clips, pictures or digital images that are not directly business related;
- Download, email or play "games".

4.2. PERSONAL INTERNET USE

Bureau Veritas authorizes the incidental use of the Internet by Users to browse and access web sites for personal purposes, subject to the conditions below:

- Use must be restricted to the minimum and mainly take place outside normal working hours;
- Use must not interfere with business or office commitments;
- Use must not cause damage to Bureau Veritas’ reputation;
- Use must not generate additional costs for Bureau Veritas;
- Compliance with local Bureau Veritas policies, anti-harassment and disciplinary procedures and the Bureau Veritas Code of Ethics;
- No Bureau Veritas information (e.g. passwords) should be entered into any external site accessed over HTTP rather than HTTPS, as such connections are not encrypted.

If Users reach unacceptable Internet sites by accident and have any concerns about the content, they should report the matter to their Line Manager.

4.3. INTERNET USE MONITORING

For statistics, quality of service and security reasons, Bureau Veritas logs, supervises (globally and anonymously) and audits Users’ use of the Internet (most visited sites, connection time, etc.).

Bureau Veritas may inspect specific Internet transactions, either through usage reporting or at line management request:

- If there is a reasonable suspicion that this Charter, the ISS Policies or any other Bureau Veritas policy has been breached, or if a threat to Bureau Veritas’ Information System has been identified;
- In the event of disclosure requirements under judicial decisions, or in the event of any need to defend Bureau Veritas in a pre-litigation or litigation case.


5. PROTECTION FROM VIRUSES

The deliberate introduction of a virus to a computer network is a criminal offence. Viruses can be introduced into the Bureau Veritas network or transmitted to third parties’ Information Systems by email, infected disks, USB removable media, unauthorized software or through the Internet. Every effort must be taken to ensure that no viruses are transmitted or in any way affect the Bureau Veritas Information System.

5.1. ANTI-VIRUS MAINTENANCE

In order to protect Bureau Veritas from the threat of new viruses and to safeguard the security and integrity of the Bureau Veritas Information System, all Bureau Veritas Hardware is equipped with corporate anti-virus solutions that receive mandatory updates.

Users must never deactivate the anti-virus solutions on Bureau Veritas’ Hardware, unless expressly authorized by the IS/IT to do so.

Users must:

- Ensure that the available anti-virus updates are regularly and properly installed on their Hardware;
- For nomadic workers, regularly connect their Hardware to the corporate network from a Bureau Veritas location in order to receive the updates.

If a problem occurs, Users must report it to the identified point of contact (as per the Appendix attached hereto).

5.2. VIRUS DETECTION

If Users discover a virus on their professional Hardware, they must:

- Immediately contact the identified point of contact within their scope (e.g. local IT, helpdesk) using the reporting means at their disposal, and inform their Line Manager;
- Immediately disconnect the infected Hardware from the Bureau Veritas network;
- Keep their Hardware connected to the network only if requested to do so by the IS/IT support, in order to facilitate any anti-virus action;
- Stop using the infected Hardware.


5.3. VIRUS DETECTION IN EMAILS

The mail servers automatically check for viruses in the messages and attachments of incoming and outgoing external emails. All emails found to contain a virus will be stopped from entering the Bureau Veritas mail network and deleted by the anti-virus solutions.

Note that although all incoming emails are checked for viruses at their point of entry into the Bureau Veritas Information System, some may contain viruses which are not identified by the mail servers. If Users receive an email from an unexpected or unknown source which contains an attachment and which displays an abnormal or warning message when they attempt to open it, they must stop immediately and contact the identified point of contact (as per the Appendix attached hereto).

5.4. VIRUS DETECTION IN FILE DOWNLOADS FROM THE INTERNET

Information downloaded from the Internet is automatically checked for viruses. All Bureau Veritas Hardware has the corporate anti-virus solutions loaded and running as part of the standard baseline.


6. USE OF SOFTWARE

6.1. APPROVED SOFTWARE

Only software licensed and approved by the ISM department or the local IS/IT department may be used on equipment made available by Bureau Veritas.

Users have access to all software necessary to perform their mission.

Free software does not mean that it can be downloaded without agreeing to terms of use through a license. Such software often requires the acceptance of terms of use when it is downloaded or installed. These terms of use include obligations that Bureau Veritas, as a company, must comply with. Such terms of use must be submitted to the ISM Global Purchasing department if the license is global, or to the local IS/IT or Purchasing department if the license is local, and will then be reviewed by the HO Legal or local Legal department.

In addition, Users are required to:

- Request new software from their Line Manager when needed;
- Comply with the installation procedure for new and/or additional software that they requested (including browser downloads);
- Not install or download software from bulletin boards, shareware sites, home computers, computer shops or any other sources without authorization;
- Not copy licensed software for personal use or for third parties;
- Not download any Bureau Veritas licensed software onto personal equipment;
- Not make any copy of software or applications, or attempt to install software, without the authorization of the HO Legal or local Legal department;
- Not uninstall the MDM tool or related applications on Hardware.

6.2. USE OF INSTANT MESSAGING

The provision of instant messaging shall be for business use only. It shall serve to enhance the productivity and communication possibilities available to Users. Only messaging tools approved by Bureau Veritas are authorized for use within Bureau Veritas.

Conversations are automatically recorded by default.


6.3. MACROS

A macro is typically written in an Excel spreadsheet or Word document to automate repetitive, frequent and complex processes.

All macros created by Users should be owned, supported and maintained by them. Line Managers should ensure that if macro owners move or leave, the appropriate skills and ownership of the macros are retained.

Macros must not be executed automatically. Macros in unknown or dubious documents must not be executed, as they may contain viruses.

6.4. DATABASES

All databases created by Users should be owned, supported and maintained by them. Line Managers should ensure that database owners, as well as the contributors who will support any further development of the database, are clearly identified, and that if database owners move or leave, the appropriate skills and ownership of the databases are retained in the department or function.


7. USE OF HARDWARE

7.1. APPROVED HARDWARE

Only authorized Hardware which has been sourced by the IS/IT support is to be used for professional activities related to Bureau Veritas. To ensure optimum service, all Hardware changes must be managed by the IS/IT support, so as to allow monitoring and expenditure control of Bureau Veritas’ IT Hardware.

Users are equipped with all Hardware necessary to perform their mission, as approved by their Line Manager.

7.2. USE OF HARDWARE

In order to ensure the security of the Hardware provided to them, Users must:

- Obtain all Hardware for their mission exclusively via the IS/IT support;
- Request new Hardware from their Line Manager, with appropriate justification;
- Ensure asset tags and labels remain on Hardware; any loss of labels should be notified to the IS/IT support;
- Not transfer Hardware to new locations or to other Users unless the IS/IT support carries out the change;
- Minimize any risk of theft;
- Place Hardware in a secured (locked) space at the end of each working day;
- Ensure that Hardware is not left unattended in a vehicle or in a public space;
- Pay special attention when Hardware is used in a public place and use a physical means of protection (e.g. use the safety cable, store it in a locked cabinet);
- Ensure that all Hardware is switched off when they leave the office;
- Ensure that due care is taken when using Hardware;
- Not deactivate the automatic locking of the device (after a few minutes), which prevents unauthorized access;
- Not insert the SIM card of a professional device into a personal device.

In particular, concerning USB keys and external hard disk drives, Users must:

- Store all Bureau Veritas data that should not be disclosed publicly only on USB media storage protected by the corporate encryption solutions;
- Never connect USB media storage of unknown origin (e.g. a USB key found in the street) to professional Hardware. In this case, Users can ask the IS/IT support to analyze and secure the USB media storage;
- Not use USB media storage if local Bureau Veritas rules prohibit their use.


7.3. USE OF PHONE DEVICES

Bureau Veritas may provide Users with a desk phone, a mobile phone or a smartphone where necessary to perform their professional activity. This may vary based upon local country policy, so Users must seek guidance from their Line Manager.

In order to ensure the security of the devices provided to them, in particular smartphones, Users must:

- Keep their devices with them when they are in a public place;
- Keep their devices out of sight and, when possible, locked away when they are away from them;
- Not connect their devices to unknown computers, in order to avoid the risks of data copying and virus infection;
- Not use personal file sharing, mail or unauthorized applications on Bureau Veritas devices;
- Not modify or remove the MDM tool and related settings on their device;
- Never deactivate the screen-unlock feature (e.g. PIN code, screen-unlock pattern);
- Use mobile data connections (2G/3G/4G) for business purposes only (mail, calendar, specific apps);
- Respect mobile data subscriptions (which vary per country); in particular, not exceed the usage limits of mobile data subscriptions depending on the geographical coverage (roaming), unless authorized by the Line Manager;
- Only connect their device to Bureau Veritas corporate or protected Wi-Fi networks, and never connect to public or unencrypted Wi-Fi networks, due to the risk of data exposure;
- Only activate Bluetooth and Wi-Fi when needed, and deactivate them the rest of the time;
- Not configure call forwarding of their office number to a personal device;
- Never lend their device to third parties.

7.4. HARDWARE RETURNS

All Hardware must be returned by Users to the IS/IT support for repair, replacement or when Users leave the company.

7.4.1. HARDWARE RETURNS BY USERS LEAVING BUREAU VERITAS

Users must:

- Return Hardware granted to them to the IS/IT support before leaving the company;
- When returning Hardware, ensure that the packaging will protect it during transit. Any issues with the Hardware caused by poor packaging and attributable to Users will result in escalation to line management.

Line Managers must, where possible, ensure that any professional data necessary for continuing business is transferred over to a common file share prior to Users' leave date.


7.4.2. HARDWARE RETURNS FOR REPAIR OR REPLACEMENT

Users must:

- Make a formal request to the IS/IT support in case of Hardware failure for its replacement or repair;
- Return Hardware to the IS/IT support for repair or replacement;
- When returning Hardware, ensure that the packaging will protect it during transit. Any issues with the Hardware caused by poor packaging and attributable to Users will result in escalation to line management.

7.5. DECLARATION OF STOLEN OR LOST HARDWARE

In case of loss or theft of Hardware, Bureau Veritas data may be fraudulently retrieved by a third party. In this case, Users must react promptly and immediately inform their Line Manager, in order to allow Bureau Veritas to trigger its dedicated procedures.

The measures taken may include the remote wiping of all data on the Hardware or the deactivation of the device.

7.6. HEALTH AND SAFETY

Where Users and their Line Manager identify a Health & Safety issue relating to Hardware, this will be investigated and reasonable adjustment considered, which may include issuing an external screen and keyboard for use with a laptop.

Appropriate adjustments, where reasonably practicable, will be made in order to facilitate the use of Hardware by Users.

For further clarity regarding the Bureau Veritas approach to Display Screen Equipment (DSE) assessments, please refer to the Health and Safety Forms and Procedures available on the Orion portal.

7.7. CONTROL OF HARDWARE

Users are informed and accept that:

- Bureau Veritas may conduct checks upon Hardware and the use and consumption made with it (e.g. date, time, duration, cost);
- The use of Hardware may be monitored in order to detect any non-compliant use, to optimize the use of Hardware or to conduct statistical analyses.


Bureau Veritas is the sole owner of Hardware made available to Users and reserves the right, at any time, to request the return of Hardware, without notice or compensation.


8. PROTECTION OF PERSONAL DATA

8.1. USERS' DUTIES

In order to be compliant with the data protection legislation and regulations in place in various countries, Users are required to ensure that they are familiar with local requirements and to comply with local rules regarding the collection, use, storage and destruction of another person's personal information.

Line managers should ensure that the necessary means are available to Users to comply with their duties.

As a general rule, Users must respect the following measures:

- Only collect/keep Personal Data necessary for the performance of their missions and for a specific and legitimate purpose;
- Ensure adequacy, relevance and accuracy of the data in relation to the defined purposes;
- Obtain individual consent to collect and process Personal Data when such consent is required;
- Take appropriate measures to ensure the security and confidentiality of Personal Data in consideration of the risks related to the processing (at both technical and organizational levels);
- Consider where Personal Data is best kept – with Users, in a clearly identified and password-protected file, or with the Human Resources Department;
- Manage requests from data subjects relating to their rights of access, rectification, erasure and opposition to the processing of their Personal Data, or any other rights granted to data subjects by local data protection legislation;
- Never pass on personal details to third parties, unless Users have taken legal advice or spoken to the Human Resources Department first; the dissemination of Personal Data outside the Bureau Veritas organization must be strictly authorized in writing;
- Make sure that any emails containing Personal Data are clearly marked as "confidential" and, if possible, encrypted;
- Not process, consult or modify Personal Data that is not necessary for the performance of their mission, even though accessing these data is technically possible;
- Delete Personal Data that is no longer needed for a specified purpose.

8.2. USERS' RIGHTS

Users' Personal Data will be collected and processed fairly and lawfully, in accordance with the applicable laws or regulations on protection of Personal Data.

Data processing carried out under this Charter is in particular intended for:

- Monitoring and maintenance of the Information System (telecom system and computer park, including hardware and software);
- Management of IT equipment;
- Management of credentials;


- Management of directories to define access permissions to applications and networks;
- Management of telephony;
- Management of the use of intranet and internet networks;
- Implementation of devices and firewalls to ensure the safety and smooth operation of computer resources and electronic communication, including the retention of connection logs and data of any kind;
- Management of emails and instant messaging;
- Compliance with this Charter and the Bureau Veritas Global Personal Data Protection Policy.

Users are informed that they have a right of access, rectification, erasure and opposition for legitimate reasons on all Personal Data concerning them and stored in the Bureau Veritas Information System. These rights may be exercised upon request to Bureau Veritas.


9. CONFIDENTIALITY REQUIREMENTS

9.1. CONFIDENTIALITY LEVELS

The Confidentiality of data is defined in the ISS Policies and is composed of four levels:

- Public: Information created in order to be published externally;
- Internal: Information that can be accessed by all employees or a large majority of them. It is not meant to be published publicly;
- Restricted: Information for a specific audience;
- Secret: Strictly limited access information, for specific employees identified by name within Bureau Veritas.

9.2. SECURITY BASED ON CONFIDENTIALITY

Users shall observe the confidentiality rules described in Chapter 360 of the Manual of Internal Policies and Procedures of the Bureau Veritas Code of Ethics.

Safeguarding the interests of Bureau Veritas requires strict compliance with a general and continuing obligation of confidentiality, discretion and business secrecy with respect to all information, data and documents of which Users may have knowledge in the performance of their duties, including legal, financial, commercial, scientific, technical, economic or industrial information, regarding the use of the Bureau Veritas Information System.

Any and all information, in any medium or format (files, emails, paper documents, any data collected, etc.), communicated to or accessed by Users during the performance of their mission within Bureau Veritas is confidential and remains the property of Bureau Veritas.

Except for Bureau Veritas information meant to be public, Users must:

- Not disclose Bureau Veritas data outside the organization, except if it is properly protected (e.g. encrypted);
- Not disclose documents or information regarding their mission or Bureau Veritas for professional purposes to other persons (unauthorized third parties), whether private or public, natural or legal persons;
- Not disclose information concerning the Bureau Veritas Information System, including its weaknesses and vulnerabilities, the findings of their mission, and any information retrieved by any means;
- Ensure that Personal Data is not disclosed outside Bureau Veritas unless the data subject (the individual who is the subject matter of the Personal Data) has consented or guidance has been sought from the local Human Resources Department (no extraction is allowed without respecting those conditions);


- Take all measures to avoid the theft, misuse or fraudulent use of information (including confidential information) during the performance of their mission;
- Take appropriate security measures to ensure the preservation and integrity of the documents and information processed;
- Only use the encryption solutions expressly authorized by Bureau Veritas and never use personal encryption solutions;
- Not alter or destroy traces or evidence relating to actions or events on the Bureau Veritas Information System, except if authorized to do so;
- Be careful in public places when accessing confidential data: other people may be able to see your laptop or listen to your conversations.

Line managers should ensure that the necessary means are available to Users to comply with confidentiality requirements.

9.3. CONFIDENTIALITY IN DOCUMENTS

Users must categorize the documents they create by level of confidentiality. They must also properly manage documents based on the confidentiality level marked on them.

9.4. CONFIDENTIALITY IN EMAILS

Users must:

- Ensure that due care and attention is taken before sending any confidential documents externally by email (e.g. documents that contain medical information or confidential employee or customer details);
- Not send restricted or secret information via standard email. Ensure this information is protected with corporate and legally approved protection solutions (encryption solutions) before sending;
- Ensure that all emails transmitting confidential information contain "confidential" in the subject field;
- Include a confidentiality statement in the footer of emails.


10. DECLARATION OF SECURITY BREACHES

Proven or suspected security breaches can have a significant impact on the Bureau Veritas Information System.

In order to avoid adverse consequences as much as possible, Users must:

- Promptly declare any breach or suspected breach in the Information System to the IS/IT support using the reporting solutions in place (e.g. reporting tool, phone number, dedicated email address);
- Not exploit an identified breach and not try to prove a suspected breach, even if the breach is made by a competitor;
- Not disclose information about breaches to third parties without Bureau Veritas' prior consent.


11. MOBILE WORKING

Tools such as Mobile Broadband Devices (USB dongles, built-in 3G/4G cards) and/or Hotspot functionality on Smartphones are provided to allow approved Users to connect remotely to the Bureau Veritas Information System when they are away from company locations.

Remote access to the Bureau Veritas Information System is facilitated via the BV Connect / BV Pulse (VPN) software.

Email and Internet usage when accessing the Bureau Veritas Information System remotely must comply with the rules that are enforced on the office network and should only be used for business-related communications.

In addition to the above, Users should be vigilant about their communications and handling of Bureau Veritas information; specifically, Users must:

- Be vigilant during communications (by phone or in person) in public to avoid any disclosure of Bureau Veritas information;
- Avoid working on Bureau Veritas documents in public places. If necessary, use a privacy filter;
- Avoid carrying Bureau Veritas information in public if not necessary;
- Destroy, where needed, Bureau Veritas information, in Bureau Veritas offices and off site, using confidential waste containers or shredders where appropriate;
- Not print Bureau Veritas information from a public printer/fax.


12. CLEAR DESK AND CLEAR SCREEN

In order to reduce the risk of unauthorized access or loss of information, Bureau Veritas mandates a clear desk and screen policy as follows:

- Clear screen:
  o Personal or confidential business information is protected using security features (e.g. encryption);
  o Computers are logged off or protected with a screen locking mechanism controlled by a password when unattended;
- Clear desk:
  o Confidential material is not left unattended on printers or photocopiers;
  o Confidential material is stored away when not in use;
  o All business-related printed matter must be disposed of using confidential waste bins or shredders;
  o A clear desk is maintained with all documentation stored away at the end of the working day.


13. BACKUP OF USERS' DATA

Users must follow good housekeeping practice to ensure the availability and efficiency of the Bureau Veritas Information System.

Users must:

- Retain responsibility for performing regular backups of data stored on their Hardware (e.g. workstation, laptop) that is not backed up by servers, to ensure data is not lost;
- If disk space is allocated to Users on corporate servers, retain responsibility for housekeeping their personal folder on file servers;
- Never back up the above-mentioned data on personal storage devices that are not approved by Bureau Veritas and protected by corporate solutions;
- Never use personal cloud services (e.g. Google Drive, Dropbox, OneDrive) to back up Bureau Veritas data.


14. COPYRIGHT AND TRADEMARKS

Use of the Information System implies compliance with Policy 363 of the Manual of Internal Policies and Procedures of the Code of Ethics, related to the protection of Bureau Veritas intellectual property rights and intellectual property rights belonging to third parties.

Consequently, Users must not:

- Access information that is protected by copyright in a way that violates such copyright;
- Make any illegal copy of software or applications, or attempt to install software without the authorization set forth under Article 6.1 "Approved software";
- Reproduce or use databases, web pages or creations of Bureau Veritas or of third parties protected by an intellectual property right without the prior consent of the owner;
- Download or use software, photos, texts, images, documents, and generally any content downloaded from the Internet, without the prior consent of the owner;
- Use on any communication medium (PowerPoint, internet, emails, etc.) the trademark of any clients or third parties without their prior written consent;
- Use the Bureau Veritas trademarks in a manner which will or may jeopardize their significance, distinctiveness or validity;
- Breach the Bureau Veritas Group trademarks Policy and the graphic guidelines;
- Copy and provide third parties with content belonging to a third party or to Bureau Veritas without the prior consent of the owner.


15. FAILURE TO COMPLY WITH THIS CHARTER – SANCTIONS

Bureau Veritas is rightly proud of its reputation and that of its employees. In order to protect both, and that of its clients, Bureau Veritas needs to take steps to ensure that its Information System is being used for the purpose for which it was created and with respect for the rights of the Users, of those companies and individuals whose data it contains, and of Bureau Veritas itself. To this end it may, on occasion, be necessary to invoke sanctions for non-compliance.

In case of non-compliance with the terms of this Charter, Bureau Veritas will:

- Investigate the reason for such failure to comply; and may
- Take action to revoke accesses and authorizations to its Information System.

Any non-compliance with the terms of this Charter by Internal Users may lead to disciplinary action, in accordance with the applicable local disciplinary policy or local laws. Any non-compliance with the terms of this Charter by External Users may lead to termination of the contractual relationship with Bureau Veritas.

Bureau Veritas may, if it suspects use of its Information System for any illegal or unethical purpose, report such use to the Police or other enforcement agency. Bureau Veritas will have no obligation to inform the User in such cases.


APPENDIX

IS/IT SUPPORT CONTACT

Contact numbers and email addresses are available on Connection in the "ISM Information Systems Management" community, in the "ServiceDesk Contact Details" document.

END OF DOCUMENT