Study and definition of an action plan for setting up an IT (SI) department in an SME, the Savart Foundation
Internship context and presentation of the host organization
The Savart Foundation, as an institution handling large volumes of sensitive and personal information, is required to implement an information system that complies with all cybersecurity standards, including the GDPR, ISO 27001 and the requirements set by the CNIL. Consequently, this internship focuses on the establishment or maintenance of an information system, with a strong emphasis on cybersecurity.
Presentation of the host organization
The Savart Foundation is a French medico-social institution established in 1967, dedicated to assisting individuals with disabilities and those affected by autism in the job market. It operates approximately 14 facilities across various regions from northern France to the Franco-Belgian border, employing around 100 staff members and accommodating several hundred individuals. The foundation collaborates with numerous partners and funding organizations, including ARS, URIOPSS, GADES, EIG, UNIFAM and EXEM.
It is made up of 14 establishments, which are:
E.S.A.T Savart Le Nouvion-En-Thiérache - 02170 Le Nouvion En Thierache
E.S.A.T Savart Saint-Michel - 02830 Saint Michel
FH Fondation Savart Saint-Michel - 02830 St Michel
Foyer Occupationnel Savart La Capelle - 02260 La Capelle
F.V Savart La Capelle Gaulle - 02260 La Capelle
F.V Savart Saint-Michel - 02830 Saint Michel
F.A.M Savart Saint-Michel - 02830 Saint Michel
S.A.V.S Savart Saint-Michel - 02830 Saint Michel / Head office / The IME
Figure 1: Organization chart of the Savart Foundation
Mission of the foundation
The Foundation actively responds to the ongoing and future changes in the medico-social sector, reflecting its identity as a proactive management organization. It addresses the evolving needs of the individuals it supports by providing innovative solutions inspired by existing projects and experiments.
Organization chart of the foundation
Current context and problem statement
Before the internship, the Savart Foundation had an existing information system developed some time ago by IT service providers. However, this system no longer meets the required standards for cybersecurity, data protection and storage. Consequently, the foundation is committed to addressing these issues.
The information system of the SAVART Foundation failed to meet cybersecurity standards and to comply with the GDPR requirements enforced by the CNIL, resulting in chaotic management of data within the organization. For instance, the disorganization of data significantly hindered operational efficiency.
Data storage on removable disks
Data storage on unsecured cloud solutions
Data usage was not traceable; in some cases, no one knew who was using which data, etc.
Access to the IS was not controlled
Users' lack of knowledge of IT security hygiene
Internship objective
The main objective of the internship is to establish an information system that complies with European data protection law, specifically the GDPR and the requirements set by the CNIL. This involves redefining information security processes and coordinating the efforts of the SAVART Foundation's IT service providers.
Describe the existing information system (workstations, servers, networks)
Define a backup policy and redefine the access policy for the information system
Identify users and redefine the IS security policy
Take over relations with the IS suppliers and subcontractors
Optimize user support, incident management and change management
Raise user awareness of good practices by contributing to the project for developing users' IS skills and their (continuous onboarding) training
Work plan: Gantt chart
This chart helps us better organize the timeline and the time spent on each task completed during the internship. Note that we segmented the tasks by month rather than by week.
State of the art: GDPR / CNIL / ISO/IEC 27001 standards
The GDPR
The GDPR, or General Data Protection Regulation, is the European regulation governing data protection. In force since 2018, it applies to all businesses that handle personal or sensitive data of European residents.
The GDPR pursues several ambitious objectives:
Harmonize data protection regulation at the European level
Make companies more accountable by developing self-regulation
Strengthen individuals' rights (right of access, right to be forgotten, right to data portability, etc.).
Types of data
The GDPR distinguishes two types of data, sensitive data and personal data:
1. Sensitive data: information revealing alleged racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data and of biometric data for the purpose of uniquely identifying a natural person.
2. Personal data: any information relating to an identified or identifiable natural person, such as their national identification number, address, etc.
The CNIL
The National Commission on Informatics and Liberty (CNIL) was established by the Data Protection Act of January 6, 1978. Its primary role is to ensure the protection of personal data held in both public and private computer and paper files. The CNIL works to ensure that technology serves the citizen, safeguarding human identity, human rights, privacy and individual and public freedoms.
The CNIL is an independent administrative authority (AAI), that is, a public body acting on behalf of the State without being under the authority of the government or of a minister. Composed of 18 elected or appointed members, it relies on various departments to fulfil its functions. It plays a key role in alerting, advising and informing the public, and also has the power to supervise and to impose sanctions when necessary.
Sanctions
Sanctions may be imposed by the CNIL's restricted committee on data controllers and processors who violate the provisions of the GDPR or of applicable law, following audits or complaints. Compliance with these regulations is essential to avoid penalties for non-compliance.
Different types of sanctions can be imposed when violations of the GDPR or of the law are identified. The CNIL's restricted committee may issue a formal warning, order compliance with data processing regulations, and impose temporary or permanent limitations on processing activities. Organizations may also face fines that can reach millions of euros.
ISO/IEC 27001 standard
2.1.5.1 What is the ISO/IEC 27001 standard?
Data privacy is a critical concern for both individuals and businesses today. It is increasingly essential for companies to offer their clients and users assurances regarding data security, often through certifications that demonstrate their commitment to protecting personal information.
One such certification is ISO 27001, which is relatively uncommon in France as it is not mandated by the government. However, it is increasingly being incorporated into new frameworks, such as Health Data Hosting. Let us take a closer look at this international standard, titled "Information Technology – Security Techniques – Information Security Management Systems – Requirements."
ISO 27001 is distinctive in that it focuses on risk-based security management. A company certified to ISO 27001 demonstrates that it is aware of the risks associated with sensitive data, actively addresses these risks, and implements measures to protect its information.
The ISO 27001 standard aims to protect businesses from data loss, theft or alteration, going beyond mere physical or IT protections. It emphasizes conceptual best practices that complement technical measures, ensuring comprehensive security.
The Information Security Management System (ISMS) encompasses both technical and organizational aspects, integrating the information systems, processes and personnel involved in protection measures. The ISO 27001 standard offers a framework for establishing, operating and improving the ISMS within an organization.
Once the scope of the ISMS is established according to the company's needs, a risk assessment of the sensitive data within this scope is conducted. This involves analysing both the macro and micro contexts and environments in which the company operates, ensuring that all relevant parameters are considered.
Once the risks are identified, the likelihood of each risk occurring is weighed against the potential impact of such an event. The protective measures that can be implemented are outlined in the ISO 27002 standard. Not all measures are mandatory; the guidance is framed around the terms "must," "may," and "is recommended."
It is up to the company's management to determine which measures suit its ISMS, according to the treatment chosen for each identified risk:
Risk reduction, by reducing its potential impact
Risk prevention, by reducing the probability that it occurs
Risk sharing with a service provider
Risk acceptance, for example if the measure to be implemented costs too much relative to the risk
The selected measures are documented in the Statement of Applicability, an essential document that reflects the commitment of management and of the organization. This is the final step in defining the risk treatment plan.
Setting up an IS
Implementing a new information system is a significant project that requires project management to engage all stakeholders, covering technical and technological aspects. Most importantly, it must involve the operational users of the information system to ensure successful adoption and functionality.
The Savart Foundation's stakeholders include the various users of its information system and its service providers. The foundation's network consists of computers, routers, printers, switches and phones, all of which must adhere to the necessary standards for optimal performance and security.
ACHIEVEMENTS WITHIN THE SAVART FOUNDATION
Design of the proposed solution
IT inventory
In this part we took an inventory of the Savart Foundation's IT assets, which allowed us to establish the number of PCs, printers, telephones, cameras, etc. within the Savart Foundation.
Authorization matrix
The authorization matrix defines the access rights of users for each piece of software and who those users are. Below you will see a template as an example.
Figure 5: Application and network map
Mapping
In this chapter, we presented the map of the Savart Foundation's information system, organized by establishment (the IT infrastructure) and by application (which establishment uses each one). We also outlined the architecture of the computer network. The following diagrams provide a clearer illustration of these concepts.
Incident management policy
The purpose of this policy is to describe how incident management is implemented at the Savart Foundation. The primary objectives of incident management are to ensure effective response to and resolution of incidents in order to minimize disruption and maintain operational efficiency:
Organize incident detection and handling;
Learn from incidents that have occurred, to improve responsiveness;
Identify security-related incidents and implement escalation and specific handling processes.
Request: any request with no direct impact on the operation of a service
E.g.: how do I access such-and-such a resource?
Change: a request aiming at a modification of any kind that is not linked to a failure: account creation/deletion, addition of equipment or of a user
An incident is any operational event that affects services, whatever its impact on commitments. It is not part of the standard operation of a system and leads to an unplanned interruption.
The integrity or confidentiality of data under the responsibility of the Savart Foundation and its service providers
The unavailability of data, services or equipment, leading to:
o non-compliance with the SLAs agreed with the service providers,
o an inability to carry out business activities
Any deliberate malicious action targeting information or business activities,
Non-compliance with a rule of the security policy / IT charter
Incidents may be reported as follows:
Employee / RRH (HR Manager) / DG (General Director) / DE (Establishment Director) / CDS (Head of Department):
Incident classification
The priority of an incident is determined by the urgency of the request from the user's perspective and by its impact from the service providers' or HR representatives' viewpoint. An analysis based on these two criteria establishes the incident's priority.
High: the incident must be handled as quickly as possible
Medium: the incident must be handled as soon as possible, without urgency
Low: the incident is not very important and can be handled with some delay
Minor or low: an incident is said to be "minor" when it does not stop the normal operation of the service but may require an intervention to restore the optimal configuration
An incident is classified as major when it disrupts normal use of the service by producing erroneous results or degrading performance, without causing a complete service outage. This type of incident requires an intervention to restore the optimal configuration.
An incident is classified as a "blocking incident" when it causes a complete service interruption. This type of incident may result from unforeseen hardware failures, DoS or DDoS attacks, or issues with the Savart Foundation's backbone infrastructure.
The priority resulting from this cross between criticality and impact can take 3 values: 1- High
Priority definition table:
Detection of security incidents
It is the responsibility of the HR Manager and of the service providers to identify security incidents related to the information system. These incidents are categorized by type, with a focus on events associated with information security. The classification of incidents is outlined in the document above.
Incident management
Incidents are managed directly by the service providers
Requests are categorized, at a minimum, according to the following information:
Nature of the request: Request / Incident
Contact methods
The contact methods are:
Hours
The service providers themselves propose coverage hours to the Savart Foundation in the service contracts, generally within working hours.
Handling
The first objective of the incident response is to return to a "normal security level", then to initiate the necessary recovery
Direct handling (where possible)
Deferred handling (e.g. if an on-site intervention or specific scheduling related to the Savart Foundation's activity is required)
Implementation requires special authorizations
Implementation requires specific skills
Qualification requires specific tools/tests (e.g. logs)
Escalation of security incidents
Security incidents are escalated: the incident manager categorizes each event to determine whether it qualifies as a security incident. Every security incident is analysed by the HR manager, the general director and the service providers.
Legal framework
The procedure for reporting and handling information system security incidents within the organization is designed to fulfil the obligation to report serious security incidents laid down in Article L 1111-8-2 of the Public Health Code. This process ensures that all significant security breaches are promptly identified, reported and addressed, to maintain the integrity and confidentiality of sensitive information.
Article L1111-8-2
Healthcare establishments and organizations engaged in prevention, diagnosis or care must promptly report serious information security incidents to the regional health agency. Significant security incidents are in turn immediately communicated by the regional health agency to the relevant state authorities.
A decree defines the categories of incidents concerned and the conditions under which information system security incidents are handled
3.2.12- Decree No. 2016-1151 of 24 August 2016 on the reporting portal for adverse health events
The decree addresses key stakeholders, including the general public and professionals across three healthcare sectors: outpatient care, health institutions and medico-social establishments. It also involves the national health security agencies, the regional health agencies and the organizations in charge of shared health information systems.
Subject: creation of a reporting portal for adverse health events, intended to promote and collect reports of such events.
Effective date: the operation and organization of the portal are to be defined by an order of the Minister of Health.
Reporting portal for adverse health events.
Savart Foundation procedure
Following the internal qualification process of the incident's nature, the director of the Savart Foundation or the HR Manager implements the established incident management procedures.
Incident closure
When an incident is resolved, a solution is proposed for every reported issue or problem. This solution is intended for the HR Manager, in collaboration with the service providers.
Incident analysis
When closing an incident, the RRH is responsible for determining whether it requires analysis, based on:
Its qualification as a security incident
The consequences on production or the number of users affected
The probability of it recurring
Security incident review
A quarterly review must be carried out. An extraordinary analysis may be conducted if deemed necessary by the RRH/DG/DE.
Evidence collection
When a security incident is detected, the RRH/DE must initiate an evidence collection procedure. In particular, it makes it possible:
To gather all the traces needed to understand the incident
To avoid modifying the environment, so that the evidence collection is as complete as possible
To centralize the entire collection around the ticket.
Non-conformities and corrective actions
When an incident reveals non-compliance with internal procedures, the General Director is tasked with addressing the issue. A root cause analysis is required to investigate the underlying factors that contributed to the incident and to implement corrective measures for the identified dysfunctions.
Policy for the management of logical and physical access controls
Physical access
Access to the premises of the foundation's various establishments
Access to the premises housing network infrastructure.
User account & authentication
A user account is a set of elements that enables an individual to access various resources. Typically, a user account consists of a username or identifier and a password, which must comply with specific security principles.
Authentication is the process used to verify that the individual accessing a user account at a given moment is indeed its rightful owner. It serves to prevent identity theft, ensure traceability and strengthen the overall security of a system.
Authorization/profile
User authorizations and profiles encompass the rights and permissions associated with a user account for accessing various resources. These resources can include systems, data, applications, tools, hardware and physical locations.
Management of user accounts and authorizations (profiles)
Physical access to the SAVART Foundation's various buildings
The premises of the Savart Foundation's establishments consist of the following zones:
Room where the network equipment is installed
Bedrooms / Courtyards / Cafeteria / Meeting and training rooms / Break room / Offices
General access
General access to the buildings is:
Direct for all employees
Via reception for anyone else (visitors, delivery staff, ...)
Visitor access is handled through the reception of the establishment concerned, by a secretary, as follows:
Date and time of departure
3.4.6.2- Access to the network equipment room
Access to the IT installation rooms at the Savart Foundation is governed by the "Access Control Matrix." Currently, access to these rooms is restricted by a key lock, allowing entry only to authorized personnel. If equipment is installed in common areas, it must be secured in locked cabinets. In addition, restrictions should be placed on who can access these locations, to minimize the risk of network intrusions and other security threats.
3.4.6.3- Access to the "on-site racks / head office" areas
The service provider's area, which handles information and manages the infrastructure within the application domain, is physically separated from the other foundation teams. Anyone wishing to access the foundation's premises must present a form of identification.
Access to the area where network hardware is installed is forbidden to staff, except in situations dictated by staff safety measures or with the authorization of the RRH and the DG
Access to the Savart Foundation's network is limited to its dedicated equipment, which includes cables, switches, routers, VPNs, DMZs and firewalls. Only individuals with authorized physical access to the facilities are permitted to connect to the foundation's network.
3.4.6.5- From one of the Savart Foundation's establishments
Access to the Savart Foundation's network can be obtained:
Wired, via Ethernet cable
Wireless, via Wi-Fi network
Only employees' workstations and printers may have wired access to the Savart Foundation's network
The Savart Foundation also has a single Wi-Fi network:
A SAVART network is available at all establishments, intended for employees. Access to this network is restricted by:
Backup plan
Application of the 3-2-1 rule
One timeless rule for effectively managing any failure scenario is the 3-2-1 backup rule. This approach answers two crucial questions: how many backup copies should I keep, and where should I store them?
The 3-2-1 backup rule, popularized by the renowned photographer Peter Krogh, highlights the importance of data protection by dividing people into two groups: those who have experienced a storage failure and those who will. The rule states that for effective backup you should maintain three copies of your data in total, store two of those copies on different media, and keep one copy off-site to ensure its safety:
keep at least three copies of your data;
store these copies on two different media;
keep one copy of the backup off-site
Second approach to the 3-2-1 policy
Implementing a 3-2-1 policy to ensure data integrity and availability
A "3-2-1" backup policy is a mnemonic name for a system based on the following principles:
- at least 3 copies of the protected data: the primary data and two backups
- 2 media and systems, because each storage medium (hard drive or tape) or system (SAN or NAS) can be a single point of failure; the first backup should be located on-site to allow rapid recovery
- 1 external site for the second backup, to have a last-resort resource even if a catastrophic event affected the first site
The Savart Foundation's data is primarily hosted on subcontractors' servers, such as those of EIG and Medialist, which must adhere to all data protection measures, including GDPR compliance. It is crucial for the foundation to implement the 3-2-1 backup rule: 3 copies of the data, stored on 2 different media, with 1 external backup. This means that data hosted by subcontractors must comply with these rules across all of the foundation's establishments. In addition, storage media must be kept in secure locations, and employees are advised against taking these media home. By following the 3-2-1 rule, the risk of data loss is significantly minimized, making it nearly impossible.
All data from the Savart Foundation, whether sensitive or personal, must adhere to this guideline to ensure their availability, integrity, and restoration when necessary.
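As an added example (not from the report and not the foundation's own tooling), the following Python script audits a backup inventory against the three conditions of the 3-2-1 rule described above: at least three copies, at least two media, and at least one backup held at a site other than the primary's. The inventory model (Copy records with a role, a medium family and a site), the dataset names and the sites are assumptions constructed for this illustration; the "EIG" entries mirror the backup plan described later on this page, and "office-files" mirrors the laptop-only office data the page warns about.

```python
"""3-2-1 backup-rule audit (added example, not part of the report).

Assumption: the backup inventory is modelled as a list of Copy records
giving, for each copy of a data set, its role, storage-medium family and
physical site. The sample inventory below is constructed for this
illustration and is not the foundation's real inventory.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Copy:
    dataset: str   # data set the copy belongs to (e.g. "EIG")
    role: str      # "primary" or "backup"
    medium: str    # storage medium family: "server-disk", "tape", "usb-hdd", ...
    site: str      # physical location where this copy is held


# Constructed sample inventory: "EIG" follows the plan described on this
# page (nightly backup on different media, weekly copy kept off-site);
# "office-files" is the kind of laptop-only data the page warns about.
SAMPLE_INVENTORY = [
    Copy("EIG", "primary", "server-disk", "EIG datacenter"),
    Copy("EIG", "backup", "tape", "EIG datacenter"),
    Copy("EIG", "backup", "tape", "EIG off-site vault"),
    Copy("office-files", "primary", "laptop-disk", "Saint-Michel"),
    Copy("office-files", "backup", "laptop-disk", "Saint-Michel"),
]

# Media families the page discourages for routine storage (assumed labels).
REMOVABLE_MEDIA = {"usb-hdd", "usb-key", "removable"}


def check_dataset(copies: List[Copy]) -> List[str]:
    """Return the 3-2-1 violations for one data set (empty list = compliant)."""
    issues = []
    primaries = [c for c in copies if c.role == "primary"]
    if not primaries:
        issues.append("no primary copy recorded")
    # 3: at least three copies in total (primary + two backups)
    if len(copies) < 3:
        issues.append(f"only {len(copies)} copies, the rule requires at least 3")
    # 2: copies spread over at least two different media families
    media = sorted({c.medium for c in copies})
    if len(media) < 2:
        issues.append(f"all copies on one medium ({media[0]}), the rule requires 2")
    # 1: at least one backup held away from the primary's site
    primary_sites = {c.site for c in primaries}
    backups = [c for c in copies if c.role == "backup"]
    if not any(c.site not in primary_sites for c in backups):
        issues.append("no backup held off-site")
    return issues


def warnings_for(copies: List[Copy]) -> List[str]:
    """Non-blocking warnings: copies kept on removable media."""
    return [f"{c.dataset}: copy on removable medium {c.medium} at {c.site}"
            for c in copies if c.medium in REMOVABLE_MEDIA]


def audit(inventory: List[Copy]) -> Dict[str, List[str]]:
    """Map each data set name to its list of 3-2-1 violations."""
    by_dataset: Dict[str, List[Copy]] = defaultdict(list)
    for c in inventory:
        by_dataset[c.dataset].append(c)
    return {name: check_dataset(copies) for name, copies in by_dataset.items()}


def compliant_datasets(inventory: List[Copy]) -> List[str]:
    """Names of the data sets that satisfy all three conditions."""
    return sorted(name for name, issues in audit(inventory).items() if not issues)


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY).items():
        print(name, "OK" if not issues else issues)
    for line in warnings_for(SAMPLE_INVENTORY):
        print("warning:", line)
```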
Backup plan in EIG
The EIG software is the most widely used within the Savart Foundation and contains various types of sensitive and personal data, so its availability is crucial for the effective operation of the foundation's information system. EIG implements backup measures, as all data is securely stored on its servers:
Users are automatically disconnected before backups are run;
Backups are performed every evening from 11 p.m. onto different media
One backup is stored outside EIG's premises each week, with a retention of 10 working days
The restoration time must not exceed two hours
EIG ensures the daily operation of the backup processes, providing reliable data protection. The backup software sends a daily report by e-mail to the monitoring team, detailing its activity and results.
To implement the 3-2-1 backup policy within the foundation, authorized personnel must duplicate certain data stored in EIG and keep it in secure locations:
1. Savart Foundation users
2. Hosting servers on EIG's premises
3. Copy on servers outside EIG's premises
Restoration of EIG data is handled by EIG, and the restoration time must not disrupt employees' working hours
Backup plan in OCTIME
The data used and stored in the OCTIME software is managed by the software publisher. As part of the backup policy, we recommend creating a copy of all daily activity data.
The OCTIME publisher is responsible for the automatic restoration of data to ensure continuous use of the software. Personal data must not be stored on removable hard drives by employees, except by establishment directors, in order to maintain confidentiality and integrity.
To comply with the 3-2-1 backup rule, the publisher must implement this guideline. Management, specifically the director, is advised to create two copies stored on an external hard drive, which must be securely protected by the designated executive or the general director.
Backup plan in TITAN
Given that the TITAN software is hosted on a local server, it is crucial to implement security measures for both the physical location of the server and the data stored on it, as it contains sensitive personal information.
Unauthorized individuals must not enter the server room without permission from the establishment's management. Users of the software, including doctors, accountants, educators and department heads, are reminded not to copy sensitive or personal data onto removable drives.
In line with implementing the 3-2-1 backup rule at the Savart Foundation, this strategy not only enhances data security but also ensures data integrity, availability, and minimizes loss, ultimately facilitating efficient data restoration.
To ensure data integrity and security, the daily data hosted in TITAN must be duplicated three times onto two external hard drives, with one drive stored at the FAM/FDV management and the other at the general management. Access to these drives must be restricted solely to the FAM/FDV director; no other individual, including the general director, may access them. This operation must be carried out monthly by the FAM/FDV director.
Backup plan in FOCAT
FOCAT is a scheduling software utilized by FDH/SAVS, containing personal data of employees from the Savart Foundation This data must not be used for personal purposes, and only FDH/SAVS management is authorized to store it on external hard drives, adhering to the 3-2-1 rule.
Security: unauthorized persons must not enter the server room without authorization from the heads of department or from the establishment's management.
Backup plan in MEDIATEAM
MEDIATEAM is SaaS management software for the medico-social sector, developed by a certified health data host (ASIP Santé). It handles sensitive data and performs daily secure backups on its servers, allowing data restoration and adherence to the 3-2-1 or 3-2-1-0 backup rule (the "0" standing for zero errors). Users from the Savart Foundation are strictly prohibited from copying sensitive MEDIATEAM data onto removable drives, except for the FDH/SAVS management in exceptional cases. MEDIATEAM data may only be processed for activities related to the Savart Foundation's operations.
Office data
Data files (in EXCEL, WORD, POWER POINT, PDF formats, etc.) from the Savart Foundation must adhere to the 3-2-1 backup rule and comply with the security measures established by the Savart Foundation regarding information system security (ISS).
The use of removable disks for data storage is discouraged, and employees are encouraged to minimize their use in favour of EIG, except for those authorized by upper management. In addition, data must be well structured and organized on the disks, which may only be kept under the supervision of the establishment directors.
The storage of sensitive data on PCs must also be reduced as much as possible.
Data retention period
The data retention period for the foundation, when hosted by software service providers such as EIG, OCTIME, and MEDIATEAM, must not exceed the duration specified in the service contract.
The retention period for data stored on the foundation's premises depends on whether the person is active or not
Personal data must be deleted after 36 months, i.e. 3 years, of inactivity of the person within or with the Savart Foundation, in accordance with GDPR principles.
Off-site data
Off-site storage of the Savart Foundation's data is currently done in two ways:
1- On the service providers' servers
2- On the premises of the head office / FAM
CLOUD storage
NB: cloud services and software are strictly forbidden within the Savart Foundation, for data security and confidentiality reasons.
Backup policy
Differential backup with deduplication
Today, attackers tend to encrypt or corrupt data on a large scale. As detection systems adapt, these attackers are likely to change tactics to mimic slower hardware corruption. In any case, the only protection against such slow corruption is to keep a long backup history, ideally up to one year. With traditional full directory copies, that retention period leads to very large storage volumes. Best practice now combines differential backups (which only capture new files) with deduplication (which stores only modified blocks). Since cold data (rarely accessed) usually takes up much more space than hot data (frequently modified), adding 50% more capacity is generally enough to extend the backup history to at least a year.
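The following Python example, added here and not taken from the report or from any backup product, shows why a long history is cheap under block-level deduplication and how the "churn" of new blocks per run distinguishes a mass encryption from a single edit. It assumes fixed-size 4 KiB blocks addressed by SHA-256 and a manifest per nightly run; the file contents and the three nights of activity are constructed sample data.

```python
"""Differential backup with block-level deduplication (added example).

Illustrative code written for this page, not the foundation's backup
software. Assumptions: fixed-size 4 KiB blocks addressed by their SHA-256
digest; each nightly run records a manifest (file -> block list), so a
long history costs only the blocks that actually changed.
"""
import hashlib
from typing import Dict, List, Tuple

BLOCK_SIZE = 4096


def make_block(k: int) -> bytes:
    """Deterministic, distinct 4 KiB test block (constructed sample data)."""
    return k.to_bytes(4, "big") * (BLOCK_SIZE // 4)


def split_blocks(data: bytes) -> List[bytes]:
    """Cut a file into fixed-size blocks (the last one may be shorter)."""
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


class DedupStore:
    """Content-addressed block store with one manifest per backup run."""

    def __init__(self) -> None:
        self.blocks: Dict[str, bytes] = {}               # digest -> block content
        self.snapshots: List[Dict[str, List[str]]] = []  # per run: file -> digests
        self.churn: List[Tuple[int, int]] = []           # per run: (new blocks, refs)

    def backup(self, files: Dict[str, bytes]) -> Tuple[int, int]:
        """Back up a file set; only blocks never seen before are stored."""
        manifest: Dict[str, List[str]] = {}
        new_blocks = total = 0
        for name, data in files.items():
            digests = []
            for blk in split_blocks(data):
                d = hashlib.sha256(blk).hexdigest()
                if d not in self.blocks:
                    self.blocks[d] = blk
                    new_blocks += 1
                digests.append(d)
                total += 1
            manifest[name] = digests
        self.snapshots.append(manifest)
        self.churn.append((new_blocks, total))
        return new_blocks, total

    def restore(self, run: int, name: str) -> bytes:
        """Rebuild a file as it was at a given run (any point in the history)."""
        return b"".join(self.blocks[d] for d in self.snapshots[run][name])

    def stored_bytes(self) -> int:
        """Actual space consumed by the whole history."""
        return sum(len(b) for b in self.blocks.values())


def churn_alert(store: DedupStore, run: int, threshold: float = 0.1) -> bool:
    """True when a run rewrote an unusually large share of its blocks.

    A sudden jump in the new-block ratio is the trace left by large-scale
    encryption or corruption; slow corruption shows instead as a small,
    steady churn, which is why the history must be kept long.
    """
    new, total = store.churn[run]
    return total > 0 and new / total > threshold


def demo() -> List[Tuple[int, int]]:
    """Three constructed nightly runs; returns (new blocks, refs) per run."""
    cold = b"".join(make_block(k) for k in range(40))       # rarely changes
    hot = b"".join(make_block(100 + k) for k in range(10))  # edited daily
    store = DedupStore()
    store.backup({"cold.bin": cold, "hot.bin": hot})        # night 1: 50 new
    edited = bytearray(hot)
    edited[3 * BLOCK_SIZE:4 * BLOCK_SIZE] = make_block(999)  # one block changed
    store.backup({"cold.bin": cold, "hot.bin": bytes(edited)})  # night 2: 1 new
    wiped = b"".join(make_block(2000 + k) for k in range(10))  # hot.bin rewritten
    store.backup({"cold.bin": cold, "hot.bin": wiped})      # night 3: 10 new
    assert store.restore(0, "hot.bin") == hot  # night-1 version still recoverable
    return store.churn


if __name__ == "__main__":
    for night, (new, total) in enumerate(demo(), start=1):
        print(f"night {night}: {new}/{total} blocks new")
```

With full copies the three nights would hold 150 blocks; the store holds 61, and the night-3 run trips the churn alert while the single edit on night 2 does not.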
Objective
The objective is to guarantee the durability of data by making it possible to recover the information essential to the operational functioning of the foundation's health information systems (SIS) following an incident or disaster, and to respond to data restoration requests.
Scope
The Savart Foundation, as a medico-social organization, outlines the rules for safeguarding health data and maintaining professional confidentiality in this guide It plays a crucial role in business recovery plans (PRA) and business continuity plans (PCA), serving as the foundation for operational guidelines that ensure the preservation and restoration of essential business and technical data in the event of an incident.
Ce guide s’appuie sur les définitions suivantes :
Backup refers to the process of duplicating and securely storing computer systems and data, such as business information and system configurations, so that they remain available and usable even after an incident or user error that compromises their integrity. The term "backup" is commonly used in the IT field to describe this practice.
Backup is asynchronous, which differentiates it from replication or clustering techniques that create real-time copies of production platforms to ensure business continuity during failures of the primary platform, incidents in the data center, or network unavailability. While replication primarily addresses primary platform downtime, backup specifically addresses loss of data integrity. Backup also plays a key role in restoring operational platforms when the primary platform fails and no redundant systems are available.
Backup differs from data synchronization, which is performed for offline operation. In this context, synchronization enables a system to function when it is disconnected from the network.
The synchronization of mobile PCs and of devices such as anesthesia stations is a notable example. It is also essential to distinguish the concept of backup from the functional notion of archiving, which is not covered in this practical guide.
Restoration: the action of using backups to return an information system that has been altered to a state prior to the alteration.
Backup plan: the general backup principles and the set of backup and restoration procedures for an identified scope to which they must be applied.
Challenges relating to the backup of health information systems (SIS)
The backup and restoration capabilities of a Management Information System (MIS) are crucial for ensuring business continuity and data availability. Backup is a key element in the continuity and recovery of the MIS following incidents such as theft, water damage, or fire. It enables a previous state of the MIS to be restored after accidental data deletion (such as user input errors) or data corruption caused by virus infections, hardware failures, or environmental incidents in a data center.
Ensuring the confidentiality of backup data, especially personal health information, is essential. This confidentiality must be maintained both when backups are managed locally and when any part of the backup service is outsourced, such as using external data hosting providers or storing backup media outside of data centers. Services that involve outsourcing backups of personal health data must comply with the legal framework governing health data hosting.
The choice of backup solutions also raises:
Operational challenges in running the SIS:
The storage capacities required for backups can vary depending on the chosen backup methods, such as full or partial backups, and differential backups between two backups to minimize the amount of data saved each time.
Operational constraints on applications can vary depending on whether the backup is performed hot, with applications running during the backup process, or cold, with applications shut down during the backup.
Acceptable restoration times for high-volume data may justify specific backup techniques;
The effectiveness of data backup depends heavily on the expected service level, including backup frequency and retention duration. It is therefore crucial to select appropriate backup solutions and to establish the related processes so that they meet security as well as financial requirements, in the interest of economic efficiency consistent with the operational needs of healthcare actors.
THREATS
Since 2015, ransomware has posed significant challenges to information system security. The catastrophic scenario is a ransomware attack that coincides with undetected backup failures, preventing data recovery. Major operational losses have been reported, even among large organizations, when malware infiltrates poorly prepared infrastructures, leaving entire teams incapacitated for weeks with long-term consequences.
In addition to malware, planning for system resilience must also take into account the potential corruption of storage media and backup systems, and user errors. For instance, hardware error rates, such as the number of unreadable bits on magnetic media, have not significantly improved, and failure patterns have changed with the advent of SSDs. Consequently, as data volumes increase, methods that were adequate in the 2000s are now prone to failure.
Essential backup principles
The backup security principles are grouped into 4 themes:
Adoption of practices consistent with the state of the art;
3.6.5.1- Identification of backup and restoration needs
In order to define suitable backup processes and systems, a preliminary analysis of backup needs is essential, covering in particular:
All sensitive, personal and administrative data hosted by service providers must undergo the same treatment;
Service providers must adhere to the restoration guidelines, which allow a maximum recovery period of 24 to 72 hours. While it is acceptable to lose non-sensitive data, the 3-2-1 rule must always be followed. Data retention periods must not exceed the deadlines specified in the contracts. Both providers and employees are obliged to preserve the integrity and confidentiality of the backed-up data.
3.6.5.2 Formalization of backup and restoration procedures
In order to put in place a method for drawing up the backup plan:
Exhaustively identifying the system and application software components and the data to be backed up (the EIG software among others);
Formalizing the procedures for backup, restoration and management of backup media.
Given the complexity of implementing effective backup systems and adhering to the 3-2-1 rule, a copy of the internal data from the Savart Foundation should be stored on external disks or servers, as is the case with the EIG and EBP foundations.
The advantages offered by such a solution are numerous:
Expertise in formalizing backup and restoration procedures;
Increased guarantee of the consistency and completeness of the backed-up scope;
Compliance with backup and restoration best practices;
Optimized service cost, with the possibility of benefiting from extended services such as permanent backup in the form of data synchronization.
Even when personal, sensitive, or financial data of the Savart Foundation is stored on external servers, the backups must ensure that this data remains the property of the Savart Foundation. Service contracts with providers must clearly set out the scope of services, maximum restoration times, backup frequency, data retention periods, and data return procedures.
Providers responsible for backing up personal health data for the Savart Foundation must comply with the provisions of the Public Health Code on the hosting of such data. The HR Manager/Director General is required to ensure that these legal provisions are complied with.
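As an added example covering the 3-2-1 rule, the contractual limits (retention, restoration time, frequency) and the "undetected backup failure" scenario from the threats section, the following Python script (not the foundation's or any provider's code) audits a constructed inventory of backup copies. Copy names, media types, contents and the contract figures are assumptions made up for the example; only the 24-72 hour restoration window comes from the text.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str          # e.g. "internal-disk", "external-disk", "provider-server"
    offsite: bool
    content: bytes      # in a real check: the bytes read back from the medium


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_321(copies: list, reference_hash: str = None) -> dict:
    """3-2-1 rule: at least 3 copies, on at least 2 media types, at least 1 off-site.

    With reference_hash given, copies that no longer match it are not counted:
    a corrupted or failed copy satisfies the rule on paper only.
    """
    if reference_hash is not None:
        copies = [c for c in copies if sha256_hex(c.content) == reference_hash]
    media_types = {c.media for c in copies}
    offsite = sum(1 for c in copies if c.offsite)
    return {
        "copies": len(copies),
        "media_types": len(media_types),
        "offsite": offsite,
        "compliant": len(copies) >= 3 and len(media_types) >= 2 and offsite >= 1,
    }


def verify_integrity(copies: list, reference_hash: str) -> list:
    """Names of copies whose content no longer matches the reference hash.

    This is the check that catches a silently failed backup before a ransomware
    incident makes it the only copy left.
    """
    return [c.name for c in copies if sha256_hex(c.content) != reference_hash]


def check_provider_contract(contract: dict, observed: dict) -> list:
    """Compare the provider's contractual commitments with what is observed."""
    findings = []
    if observed["retention_days"] > contract["max_retention_days"]:
        findings.append(f"retention {observed['retention_days']} d exceeds the contract "
                        f"maximum of {contract['max_retention_days']} d")
    if observed["last_restore_test_hours"] > contract["max_restore_hours"]:
        findings.append(f"last restore test took {observed['last_restore_test_hours']} h, "
                        f"contract allows {contract['max_restore_hours']} h")
    if observed["backups_per_day"] < contract["min_backups_per_day"]:
        findings.append("backup frequency below the contractual minimum")
    return findings


# ---- constructed sample data (not real foundation data) ----------------------
REFERENCE = b"constructed export of the resident file, 2024-05-13"
REFERENCE_HASH = sha256_hex(REFERENCE)

SAMPLE_COPIES = [
    BackupCopy("production server (head office)", "internal-disk", False, REFERENCE),
    # one corrupted byte: a backup that "succeeded" but cannot be restored faithfully
    BackupCopy("external disk (FAM premises)", "external-disk", False, REFERENCE[:-1] + b"?"),
    BackupCopy("provider server", "provider-server", True, REFERENCE),
]

# Contract figures are assumptions; the 72 h upper bound reflects the 24-72 h window in the text.
SAMPLE_CONTRACT = {"max_retention_days": 365, "max_restore_hours": 72, "min_backups_per_day": 1}
SAMPLE_OBSERVED = {"retention_days": 400, "last_restore_test_hours": 48, "backups_per_day": 1}


def audit() -> dict:
    return {
        "rule_321_on_paper": check_321(SAMPLE_COPIES),
        "rule_321_verified": check_321(SAMPLE_COPIES, REFERENCE_HASH),
        "corrupted": verify_integrity(SAMPLE_COPIES, REFERENCE_HASH),
        "contract_findings": check_provider_contract(SAMPLE_CONTRACT, SAMPLE_OBSERVED),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the constructed inventory the 3-2-1 rule is satisfied on paper but not once the corrupted external disk is excluded, and the retention observed at the provider exceeds the contract: both are findings a restoration test, not the backup job's own success status, is needed to reveal.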
The HR Manager/General Director is responsible for:
Estimating security risks and planning the measures to reduce them;
Implementing the prescribed rules or having them applied by their subcontractors;
Estimating and treating the security risks induced by any rules that are not applied, where applicable.
Treating a security risk may consist of adopting one or more of the following options with respect to that risk:
Reducing it, through protective or preventive measures;
Accepting it as is, in particular if the risk is judged minor by the person responsible for the SIS;
Transferring it to a third party under a contract, it being specified that this does not relieve the person responsible for the SIS of all responsibility.
The manager compiles an inventory of the security measures applicable to the information system (IS) under their responsibility, based on the risk analysis carried out and on the list of rules in the following chapter. They also take into account the risks posed by the measures they are unable to implement.
3.6.8- Security rules applicable to backup
The following security rules set out the essential requirements for data backups. In certain cases, the HR Director or General Manager may engage a hosting provider for personal health data in order to comply with the regulations on backup services. The rules that can be delegated to a service provider are indicated in the table below in the column labelled "use of a service provider".
IT Charter
Objective of the charter
The charter aims to:
Raise user awareness of the risks associated with cybersecurity, which is essential for protecting freedoms and privacy, particularly in the handling of personal data, by informing them of:
The permitted uses of the IT resources made available to them;
The security rules in force;
The control measures taken by the Savart Foundation;
Any sanctions incurred by users;
Establish the general security rules that users commit to following as a condition of the provision of information systems and IT equipment, thereby defining the rights and responsibilities of users.
These guidelines are part of a responsible approach aimed at protecting both the information assets and the brand image of the Savart Foundation, as well as the rights and privacy of the individuals involved, including employees, persons with disabilities, and external partners. The HR Director/General Manager/IT Director is available to users seeking additional information or advice on the use of information systems and IT equipment.
Persons covered within the Savart Foundation
The obligations set out in this charter apply to anyone using the information systems of the Savart Foundation, including employees, interns, temporary workers, and any user granted personal usage rights. This charter must be attached to IT-related service contracts with third parties within the framework of subcontracting agreements.
Access by third parties to the Savart Foundation's information systems
External users may only access the Savart Foundation's information systems with prior explicit authorization from the Director General. By obtaining this authorization, they agree to comply with all the provisions of this charter.
IT and electronic communication resources concerned
This charter applies to all computer and electronic communication resources provided to users solely for professional purposes, as well as to personal computer and electronic communication resources owned by the user for which authorization for professional use has been obtained.
The Savart Foundation's information and communication systems consist in particular of the following elements:
Computer networks (servers, routers, connectors, WIFI access points),
Telephones (landline and mobile) and smartphones,
Computer files and databases,
Any request for an exemption from the provisions of this charter must be submitted in writing to the DE/RRH. The final decision is taken in consultation with senior management, which reserves the right to accept or refuse exemption requests.
Access to certain elements of the information system, such as email, telephony, workstation sessions, the network, and specific applications or interactive services, is secured by login parameters, namely a username and a password. Each user is granted individual access rights, which are implemented through logical or physical means such as user codes and passwords.
Login parameters are personal and must be kept confidential in order to control user access. They must not be shared with anyone, including supervisors or IT staff. Users are encouraged to memorize these parameters rather than storing them in any form. Under no circumstances may they be transmitted to third parties or left easily accessible. Users must enter their parameters each time they access the system; the parameters must not be retained in the information system.
When chosen by the user, the parameters must meet a certain level of complexity and be renewed regularly. The security guidelines are set by the HR Manager/Director General; the user undertakes to follow them so that the system remains effective.
A strong password must consist of at least 10 alphanumeric and special characters and must not contain any personal information such as your name or date of birth. To maintain security, the password must be renewed every six months.
Each user must identify themselves personally and may not use another person's identity, even with their consent. Access rights end automatically upon departure from the Savart Foundation and may be modified during a reassignment (such as a job change or transfer) or if it is found that the user has breached any obligation set out in this charter.
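An added Python example, not part of the charter, showing how the password rules above can be checked mechanically: minimum length of 10, a mix of letters, digits and special characters, no fragment of the user's name or date of birth, and renewal every six months. The user name, birth date and passwords in demo() are constructed; the date formats tested for the birth date are an assumption.

```python
import re
from datetime import date

MIN_LENGTH = 10          # from the charter: at least 10 characters
MAX_AGE_MONTHS = 6       # from the charter: renewed every six months


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months elapsed between two dates."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def personal_tokens(full_name: str, birth_date: date) -> set:
    """Fragments of personal information that must not appear in a password.

    Name parts shorter than 3 characters are ignored to avoid matching noise;
    the birth-date spellings checked are an assumption of this example.
    """
    tokens = {part.lower() for part in re.split(r"[\s\-]+", full_name) if len(part) >= 3}
    tokens |= {
        str(birth_date.year),
        birth_date.strftime("%d%m%Y"),
        birth_date.strftime("%d%m%y"),
        birth_date.strftime("%Y%m%d"),
        birth_date.strftime("%d/%m/%Y"),
    }
    return tokens


def check_password(password: str, full_name: str, birth_date: date,
                   last_changed: date, today: date) -> list:
    """Return the list of charter rules the password breaks (empty list = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        findings.append("no letter")
    if not re.search(r"[0-9]", password):
        findings.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special character")
    lowered = password.lower()
    for token in sorted(personal_tokens(full_name, birth_date)):
        if token in lowered:
            findings.append(f"contains personal information ({token!r})")
    if months_between(last_changed, today) >= MAX_AGE_MONTHS:
        findings.append(f"older than {MAX_AGE_MONTHS} months, must be renewed")
    return findings


def demo() -> dict:
    """Constructed cases for a fictitious user 'Marie Dupont', born 1985-03-12,
    checked on 2024-05-13. None of these values refer to a real person."""
    name, born, today = "Marie Dupont", date(1985, 3, 12), date(2024, 5, 13)
    return {
        "weak": check_password("dupont1985", name, born, date(2024, 4, 1), today),
        "expired": check_password("Tr0ub4dour&Jardin", name, born, date(2023, 10, 1), today),
        "compliant": check_password("Tr0ub4dour&Jardin", name, born, date(2024, 4, 1), today),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'compliant'}")
```

The "weak" case is exactly 10 characters long and still fails on three counts (no special character, contains the surname, contains the birth year), which is why length alone is not the test; the "expired" case is strong but seven months old and must be renewed.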
Electronic mail
Administrative employees are provided with a professional email address assigned by the HR Director/General Director/IT Manager for their work. Incoming messages to this professional account are checked by antivirus and spam filtering.
Employees are encouraged to report any malfunction they observe in the filtering system to the DE/CDS. Users should be aware that an email carries the same weight as a handwritten letter and can be quickly passed on to third parties. Certain principles must be followed to prevent information system failures, limit the sending of unsolicited messages, and avoid civil or criminal liability for both the Savart Foundation and the user.
Users must comply with laws and regulations, particularly those protecting intellectual property rights and the rights of third parties. Electronic communications must not contain illegal content, such as defamatory, insulting, or counterfeit statements, or anything that may constitute unfair competition or parasitism.
Due to storage capacity constraints, emails are kept on the mail server for a maximum of three years, and a mailbox size limit is applied to encourage users to organize their messages regularly. After this period, emails are automatically deleted. Users who wish to keep messages beyond this period are responsible for backing them up, with assistance from HR or management if needed.
Sending electronic messages
Before sending any communication, the identity of the recipients and their authorization to receive the information must be verified. Where confidential information, personal data, or sensitive data is involved, these checks must be reinforced.
When sending emails to multiple recipients, users must comply with the regulations on preventing unsolicited mass emails. The blind carbon copy (BCC) feature should be used to protect the privacy of recipients' email addresses. Users must also exercise increased caution when handling confidential information, in line with the guidelines issued by the HR/General Directorate.
Important messages should be sent with a read receipt or electronically signed. Professional messages must follow the formatting guidelines set by the DG, particularly regarding the structure and signature of the communication.
The signature of emails follows a standardized form [establishment name + foundation logo + position]. Each user undertakes to respect this form and to avoid any additional element.
Receiving electronic messages
Users must not open or reply to spam or unsolicited messages received in their professional email account, especially when unrelated to their role at the Savart Foundation. Such messages must be deleted immediately, and any significant abuse in terms of frequency or volume must be reported to the DE/DG/RRH/CDS.
User absence
The user acknowledges and accepts that, in the event of prolonged absence or to ensure service continuity, the IT department reserves the right to access their email and professional files without prior consent. During any absence, the user must activate the delegation or out-of-office notification feature so that message handling is not disrupted and contacts can take appropriate action.
In an emergency, or to ensure a high level of service quality, the Savart Foundation may reset or delete a user's access codes.
Personal use
Personal messages are permitted provided they comply with current legislation, do not disrupt the platform, and respect the principles set out in this charter. Such messages must be labelled "Private" or "Personal" in the subject line and, when sent, filed in a folder with the same name.
If these rules are not followed, messages are assumed to be professional in nature. Users are nevertheless encouraged to use their personal messaging services for personal communications rather than the Savart Foundation's messaging system whenever possible.
Internet / Intranet
Users may access the Internet as part of their activities; however, the HR Manager/Director General may limit or prohibit access to certain websites for security reasons. They may also enforce specific browser configurations and restrict the downloading of certain files.
User contributions to discussion forums, instant messaging systems, blogs, and websites are either prohibited or allowed only with the prior approval of the information systems manager. This form of expression may engage the responsibility of the Savart Foundation, so users must exercise heightened vigilance.
Users are strictly prohibited from engaging in any illegal activity or any action that could harm the interests of the Savart Foundation, including online. For security and ethical reasons, the HR Director/General Director may restrict or prohibit access to certain websites by implementing browser configurations and filtering mechanisms. Only websites related to professional activities may be consulted. The following are also prohibited:
Using the Internet for personal commercial purposes with a view to making financial gains or supporting profit-making activities;
Creating or updating, using the Savart Foundation's infrastructure, any website, in particular personal pages;
Connecting to websites that contain content contrary to public order, good morals, or the brand image of the Savart Foundation, as well as those that may pose a risk to the security of its information system or financially engage the organization, is prohibited.
General principles
For their professional activities, users may use a fixed or mobile phone, a smartphone, a tablet, or a 3G/4G dongle or Wi-Fi hotspot. The rules set out in this charter apply equally to the use of mobile devices to access websites or email. It is also emphasized that sending SMS messages is restricted to professional communications and carries the same responsibility for the sender as sending an email.
User commitments
Notify without delay in the event of loss, theft or security breach;
Implement all the security means offered by the smartphone's features and required of the user, in particular the access code;
Use different access codes (PIN, keypad lock and others);
Do not remain logged in by default;
Be vigilant about the data contained in the smartphone.
Personal use of the telephone
Personal use of the telephone, landline or mobile, is tolerated provided it remains within reasonable limits in terms of both time spent and number of calls.
Cessation of use
Upon leaving the Savart Foundation, users must follow the departure procedure and return all IT and electronic communication equipment provided (such as computers, peripherals, mobile phones, remote authentication tools, and storage media) in good working order. Users may not retain any equipment or data that could give access to the information system. Users must also not destroy any professional information or data before their departure. Unless required for service continuity, the user's email account is deleted on the day of departure; any retention may not exceed six months.
If a user's email account remains active after their departure, the Savart Foundation may set up message forwarding to the person who has taken over the user's role or to any other person in a similar position. The user's credentials are also disabled.
Unless a specific exemption is granted by the HR Manager or General Director, which may not exceed three months, users must delete any elements marked private or personal no later than the day before their departure from the Savart Foundation.
Access to the Information System outside the service (teleworking, at a company, mobile center, … remote desktop access)
This article covers the use of the Savart Foundation's information systems, resources and communication methods by users located outside the foundation's physical sites. All provisions of this charter apply to users accessing the Savart Foundation's information and communication systems remotely.
Users must inform the DE/RRH/DG in advance of any remote access they intend to set up, in order to obtain prior authorization and receive the security and confidentiality guidelines specific to their situation. The Savart Foundation ensures that the necessary insurance is in place to cover the IT and electronic communication resources provided. Remote access using personal computing equipment is strictly prohibited unless explicit written permission is granted by the DG.
Professional use
The information systems provided to users are intended solely for professional use. Any use of computer and electronic communication resources is deemed to have been made, strictly for professional purposes, by the person identified by the access credentials.
Apart from the exceptions mentioned above, personal use of the information systems must remain minimal. In terms of both frequency and duration, such use is permitted only outside working hours and must be limited during working hours, in accordance with the relevant case law.
Sensitive personal data
The French Law No 78-17 of January 6, 1978, known as the Data Protection Act, along with Ordinance No 2018-1125 of December 12, 2018, and the General Data Protection Regulation (GDPR), establishes the conditions under which the processing of personal data can take place.
The Data Protection Act and the GDPR establish rights for individuals affected by data processing conducted by users, which this charter aims to protect and uphold for both users and third parties.
In this regard, the HR Manager/DE undertakes to inform users that they must:
not use the personal data they may access for purposes other than those provided for by their duties;
disclose this data only to persons duly authorized, by reason of their functions, to receive it, whether private or public persons, natural or legal;
make no copy of this data unless necessary for the performance of their duties;
take all measures consistent with practice and the state of the art, within the scope of their duties, to prevent the misuse or fraudulent use of this data;
take all precautions consistent with practice and the state of the art to preserve the physical and logical security of this data;
ensure, within the limits of their duties, that only secure means of communication are used to transfer this data;
not access, attempt to access or delete data outside the scope of their duties;
respect the rights of the data subjects (right of access, rectification, objection, erasure, etc.) in accordance with the procedures put in place by the Savart Foundation;
upon cessation of their duties, return in full the data, computer files and any information medium relating to this data.
All data protection procedures established by the Savart Foundation must be followed, and users must support the technical and organizational measures implemented by the foundation to ensure compliance with the applicable regulations.
Under the Regulation, the Savart Foundation may face significant administrative, civil, or criminal sanctions. The Savart Foundation and its users therefore undertake, through this charter, to respect the fundamental principles of personal data protection, in particular the minimization of data collection and the preservation of the confidentiality, integrity, and security of personal data.
Users play a central role in the protection of personal data, which is essential for safeguarding individual freedoms and privacy. Given the sensitive nature of some of the personal data handled by the Savart Foundation, users must exercise the utmost vigilance in protecting it.
Secrecy and confidentiality – transmission of information
Respecting data confidentiality is a fundamental requirement. The Savart Foundation protects the interests at stake through a general and ongoing obligation of confidentiality and professional secrecy covering the data made available to users for their professional activities. This commitment covers the use of the information systems and any related processing.
Consequently, users undertake to comply with this charter and the relevant regulations, ensuring that unauthorized third parties do not gain access to sensitive information, in accordance with professional ethics and deontology where applicable. It is strictly prohibited to leave a session open on a desktop or laptop without locking it. To save time, the key combination (Ctrl+Alt+Delete) can be used.
All employees, including HR, management, and directors, are bound by confidentiality and must not disclose any personal information, whatever its nature or their hierarchical position. Directors are not required to disclose such information unless required by specific legal or regulatory provisions. Failure to comply with these confidentiality obligations may result in sanctions, regardless of the circumstances giving rise to liability.
Confidential data may only be transmitted under the following conditions:
The Savart Foundation reserves the right, for any reason and whether temporarily or permanently, to grant, refuse, modify, or revoke the access rights of any individual, in order to ensure the continuity and security of its services.
Rules to follow
The Savart Foundation is committed to ensuring the security, integrity, and confidentiality of the data it collects and processes, in compliance with legal and regulatory requirements and with the principle of proportionality set out in the GDPR. It implements all necessary organizational and technical measures to protect its information and communication systems against unauthorized modification, transfer, deletion, and intrusion, thereby safeguarding the data against any damage.
The primary risk in data management lies in human factors, particularly in how users handle and manipulate data. This includes their interaction with the information and communication systems and with the associated tools.
Security tools therefore do not exempt users from reporting any attempted external intrusion, tampering, or presence of viruses to the information systems manager.
Every user is responsible for contributing to the security of the resources available to them and of the network they access. This primarily involves preventing the intrusion of viruses that could harm the Savart Foundation's information system, which means in particular:
not opening attachments received from outside when the sender of the message is unknown;
destroying chain-letter ("chaîne de solidarité") messages;
not storing or forwarding gadgets received or found on the Internet;
not forwarding virus alert messages but notifying the DE/CDS.
Users must not alter the configuration of their workstation as set up by the service providers, whether by addition, deletion, or modification, unless explicitly agreed in exceptional circumstances.
It is prohibited to make access to the systems or networks available to unauthorized users through the equipment in one's use;
to use (even with their agreement) or attempt to use accounts other than those assigned to oneself, or to conceal one's identity;
to take the foundation's IT equipment off the Savart Foundation's site, except with the agreement of the DE/RRH/DG;
to download files, in particular media files, unrelated to professional activity or presenting a risk to the information system.
Users must promptly notify their management of any malfunction, alteration, loss, theft, destruction, or other event that may affect the information and electronic communication systems. The installation or use of any software not explicitly authorized by the DG/RRH is strictly prohibited.
When travelling for work, whatever the duration or frequency, users must exercise caution and discretion regarding the information and resources of the information system they may access, handle, or share. In particular, the use of public Wi-Fi networks should be avoided.
Procedures for monitoring information systems
The Savart Foundation, through its service providers, implements tools for traceability and filtering of the use of information and communication systems (software).
Les journaux de connexion de l‟ensemble des systèmes d‟information :
Filtering tools are essential for analyzing usage conditions, allowing for the potential restriction or prohibition of specific protocols. These tools can also limit or block access to the internet or certain categories of websites.
Users are increasingly aware that their activities and communications can be monitored. Automated and widespread checks may be implemented to mitigate malfunctions while adhering to existing regulations.
Due to their role, the HR Manager/IT Security Officer has access to all user-related information, including messages and internet activity, as well as data stored on their workstations. However, they must adhere to confidentiality regulations. The HR Manager/IT Security Officer, authorized by the director, is responsible for monitoring information systems to ensure compliance with the terms outlined in this policy.
In the event of suspected serious violations of this charter, management may undertake necessary investigations in accordance with current regulations. Any illegally installed software or suspicious files will be removed by the IT manager as soon as they are detected on the workstation.
The "non-professional" nature of computer directories clearly identified as "private" or "personal" does not preclude monitoring under the conditions stated above.
In the event of a failure to adhere to this charter, these elements are subject to technical preservation as part of emergency procedures or continuity and recovery plans.
In the event of detecting or suspecting the presence of malware, it is essential to quarantine or, if necessary, remove any element that contains or may contain malicious code.
Additional information
The use of information systems necessitates adherence to the intellectual property rights of the company, its partners, and any third-party rights holders. In cases of uncertainty, users are advised to reach out to the DE/RRH/DG for clarification.
use software only under the terms of the licence subscribed to;
Do not reproduce or use software, databases, web pages, or any other creations protected by copyright or proprietary rights without prior authorization from the rights holder, and in compliance with the GDPR applicable within the Service.
do not copy or distribute texts, images, photographs, musical or audiovisual works, or any other creation copied from the Internet;
Users are informed that counterfeiting is a crime subject to civil and criminal penalties. This charter is individually communicated to each employee electronically. The Director General/HR Manager/Data Protection Officer can provide employees with information regarding the use of the information system, particularly concerning backup procedures, security measures, and the rights of the data subjects.
Users are regularly updated on the technical limits of the information and communication system, as well as potential security threats. It is essential for every user to adhere to the security procedures and rules established by RRH/DGI as outlined in this charter. If necessary, employees will receive training from the RRH to ensure proper compliance with the information and communication system usage guidelines.