Many organisations in Switzerland provide their employees with laptops, smartphones and access to internal networks. An IT usage agreement clarifies how these tools may be used responsibly and what obligations staff have to protect company data.
Data protection and confidentiality: Employees must handle personal and customer data in accordance with the Swiss Federal Act on Data Protection (DSG/FADP; the revised Act has applied since 1 September 2023) and, where applicable, the EU General Data Protection Regulation. Confidential information must not be disclosed to unauthorised third parties, and personal data may only be processed where this is necessary for the work at hand and for no other purpose.
Permitted and prohibited use: Company equipment is provided primarily for business purposes. Limited private use may be allowed as long as it does not interfere with work, expose the company to risk or violate the law. The agreement should explicitly prohibit illegal activities, visiting inappropriate websites and installing software that IT has not approved. If employees use their own devices (BYOD), those devices must meet the same security standards as company devices, which in practice means enrolling them in the company's device management and keeping company data separate so that it can be removed without touching personal data.
Passwords and multi‑factor authentication: Strong, unique passwords (long passphrases work well) are essential. Employees must never share them, must not reuse them across services and should change them whenever compromise is suspected; forced periodic rotation is no longer recommended, because it encourages weak, predictable variations of the old password. Multi‑factor authentication should be enabled wherever possible, preferably with an authenticator app or hardware key rather than SMS codes. A password manager makes it practical to keep a distinct, strong password for every service.
Access rights and roles: Staff should only have access to the data and systems that their role actually requires. This principle of least privilege limits the damage from accidental or intentional misuse, and from a compromised account. Access rights need to be reviewed whenever roles change and revoked on the day an employee leaves the company, not weeks later; shared accounts should be avoided so that every action can be attributed to a person.
Device handling and security: Company devices must run supported, up‑to‑date operating systems with security patches applied promptly and endpoint protection (antivirus) software active. Full‑disk encryption must be enabled so that a lost device does not mean lost data. Screens must be locked when unattended, and devices must not be left in unlocked cars or other insecure locations. In case of loss or theft, the IT department needs to be able to erase data remotely, which is only possible if the device was enrolled in the company's device management before it was issued.
Email and internet use: Employees should exercise caution when opening attachments or clicking links, especially from unknown senders or in unexpected messages that press for urgency; phishing attempts are common and are the usual starting point for credential theft. Work email accounts must not be used to register for personal services, and sensitive information should be shared through the company's approved secure channels rather than as plain email attachments. Social media use must comply with company policies, including what may be said publicly about the company and its customers.
Home office and remote work: When working from home or on the road, the company VPN must be used for access to internal systems, and work must not be done over untrusted public Wi‑Fi without it. Home routers and Wi‑Fi networks must be secured with strong passwords and current encryption (WPA2 or WPA3), and the router's default administrator password must be changed. Family members or roommates must not have access to company devices or confidential information, and the screen‑lock rule applies at home as well.
Reporting security incidents: The agreement should define clear procedures for reporting security incidents such as lost devices, malware infections, clicked phishing links or suspected data breaches. Staff need to know whom to contact, through which channel and at what hours, and should be encouraged to report incidents promptly and without fear of blame; the sooner a lost device or compromised account is reported, the sooner it can be locked and the less damage it can do.
Training and awareness: Regular training sessions help employees recognise threats and follow best practices, and short refreshers or phishing simulations keep that knowledge current. Awareness programmes make security part of everyday culture rather than an annual formality.
Legal basis and sanctions: The agreement should reference the relevant legal framework, including labour law and the DSG. It should explain the possible consequences of non‑compliance, ranging from warnings to disciplinary measures, and state that any monitoring will be proportionate and transparent. In Switzerland this is not optional: Art. 26 of Ordinance 3 to the Labour Act (ArGV 3) prohibits monitoring systems aimed at employee behaviour, so monitoring must be limited to what the security and operation of the systems require, and employees must be informed of it in advance.
A well‑drafted IT usage agreement builds trust and clarity. It helps protect data and systems and should be reviewed regularly to adapt to new threats.
Zerberos offers professional IT security consulting services to help organisations develop and implement effective security policies.