Enhancing Security in the Workplace
Introduction
A clear desk and clear screen policy is an essential component of an organisation’s physical and information security strategy. By defining and enforcing clear rules for handling papers, removable storage media, and information displayed on screens, organisations can significantly reduce the risks of unauthorised access, loss, and damage to sensitive information.
Purpose of a Clear Desk and Clear Screen Policy
The primary objective of this policy is to protect sensitive information by minimising its exposure on desks, screens, and other accessible locations. This reduces the risk of unauthorised access during and outside normal working hours and ensures a secure and organised workplace environment.
Key Guidelines for Clear Desk and Clear Screen Practices
Securing Sensitive Information
Lock away sensitive or critical business information, such as papers or electronic storage media, when not in use. Use safes, cabinets, or other secure furniture to store these items, particularly when leaving the office.
Protecting User Endpoint Devices
Equip user endpoint devices with physical security measures, such as key locks, when unattended.
Ensure that devices are logged off or protected with screen and keyboard locks controlled by user authentication mechanisms when not in use.
Configure all computers and systems with automatic timeout or logout features to prevent unauthorised access.
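The screen-lock requirements above translate into a small number of concrete settings on a managed Windows endpoint. The following audit script is an added example, not part of the original policy text: it reads the standard Group Policy registry locations for the machine inactivity limit and the per-user screen saver (enabled, timeout, password on resume) and reports whether the device meets an assumed 15-minute (900-second) idle limit. The 900-second threshold is an assumption chosen for illustration; organisations set their own value.

```powershell
# Added example: audit the local Windows screen-lock configuration against an
# assumed idle limit. Registry paths and value names are the standard Group
# Policy locations; the 900-second threshold is an assumption for illustration.

$MaxIdleSeconds = 900   # assumed policy threshold, adjust to your organisation's standard

function Get-RegistryValueOrNull {
    # Return the named registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

# Machine-wide setting: "Interactive logon: Machine inactivity limit" (seconds, DWORD)
$machineLimit = Get-RegistryValueOrNull `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name 'InactivityTimeoutSecs'

# Per-user policy: screen saver enabled, timeout (seconds, stored as a string),
# and password required on resume
$desktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$saverActive   = Get-RegistryValueOrNull -Path $desktopPolicy -Name 'ScreenSaveActive'
$saverTimeout  = Get-RegistryValueOrNull -Path $desktopPolicy -Name 'ScreenSaveTimeOut'
$saverSecure   = Get-RegistryValueOrNull -Path $desktopPolicy -Name 'ScreenSaverIsSecure'

$findings = @()

# A missing or zero machine limit means the OS never forces a lock on its own.
if ($null -eq $machineLimit -or [int]$machineLimit -eq 0 -or [int]$machineLimit -gt $MaxIdleSeconds) {
    $findings += "Machine inactivity limit is '$machineLimit' (expected 1..$MaxIdleSeconds seconds)."
}
if ($saverActive -ne '1') {
    $findings += "Screen saver is not enforced via policy (ScreenSaveActive='$saverActive')."
}
if ($null -eq $saverTimeout -or [int]$saverTimeout -gt $MaxIdleSeconds) {
    $findings += "Screen saver timeout is '$saverTimeout' (expected <= $MaxIdleSeconds seconds)."
}
# Without this flag the screen saver clears but the session is not locked.
if ($saverSecure -ne '1') {
    $findings += "Screen saver does not require re-authentication (ScreenSaverIsSecure='$saverSecure')."
}

if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: $env:COMPUTERNAME locks after at most $MaxIdleSeconds seconds and requires a password to resume."
} else {
    Write-Output "NON-COMPLIANT: $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it in an elevated session on the endpoint being checked; the output is a per-device compliance record that fits the periodic audits the policy calls for. The same four values are what a Group Policy Object or MDM profile would set to enforce the requirement, so a finding here points directly at the setting to correct.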
Collecting Outputs from Devices
Require users to collect printed documents from printers or multi-function devices immediately.
Encourage the use of printers with authentication functions, ensuring that only the originator can retrieve printouts while present at the printer.
Secure Storage and Disposal
Store documents and removable storage media containing sensitive information securely when not in use.
When no longer required, dispose of such items using secure disposal mechanisms, such as shredding or data wiping.
Managing Displayed Information
Establish rules for configuring screen pop-ups to minimise exposure of sensitive information during presentations, screen sharing, or in public areas. For instance, turn off new email and messaging notifications when possible.
Clear whiteboards and other display surfaces of sensitive or critical information as soon as it is no longer needed.
Final Sweep Procedures
When vacating facilities, conduct a final sweep to ensure no sensitive assets are left behind. This includes checking for documents that may have fallen behind furniture or drawers.
Communication and Awareness
Develop and distribute a topic-specific policy on clear desk and clear screen practices to all relevant personnel.
Provide training and awareness sessions to reinforce the importance of these practices and ensure consistent adherence.
Additional Considerations
Regularly review and update the policy to adapt to changing organisational needs and emerging threats.
Monitor compliance through periodic audits and provide feedback to employees on areas of improvement.
Key Concepts and Domains
Control Type: Preventive
Security Properties: Confidentiality
Cybersecurity Concepts: Protection
Operational Capabilities: Physical Security, Asset Management
Conclusion
A clear desk and clear screen policy is a fundamental element of an organisation’s effort to safeguard sensitive information. By implementing robust guidelines and fostering a culture of security, organisations can significantly reduce risks associated with unauthorised access and data breaches. These measures not only enhance physical and information security but also promote a more organised and professional workplace environment.