Clean Desk Policy

A1.0 ~~clean~~Purpose

~~desk~~

This policy can be an import tool to ensure that all sensitive/confidential materials are removed from an end user workspace and locked away when the items are not in use or an employee leaves his/her workstation. It is one of the top strategies to utilize when trying to reduce the risk of security breaches in the workplace. ~~Such a policy can also increase employee’s awareness about protecting sensitive information.~~

~~The purpose for this policy is to establish~~establishes the minimum requirements for maintaining a “secure workspace environment, commonly referred to as a "clean ~~desk”~~desk." –A ~~where~~clean ~~sensitive/~~desk practice is a critical control for protecting sensitive and confidential information ~~about~~(in ~~our~~both ~~employees, our intellectual property, our customers~~physical and ~~our~~electronic ~~vendors~~formats) isfrom ~~secure~~unauthorized inaccess, ~~locked~~disclosure, ~~areas~~or loss. It helps reduce the risk of security breaches, increases awareness about information protection responsibilities, and ~~out~~supports ofcompliance ~~site.~~with information Asecurity ~~Clean~~standards ~~Desk~~(such ~~policy is not only~~as ISO ~~27001/17799~~27001) ~~compliant, but it is also part of standard basic~~and privacy ~~controls.~~regulations.

The

~~This~~goal ~~policy applies to all <Company Name> employees and affiliates.~~

~~Employees are required~~is to ensure that ~~all~~sensitive ~~sensitive/confidential~~or critical information inpertaining ~~hardcopy~~to orthe ~~electronic~~organization, ~~form~~its employees, customers, vendors, and intellectual property is ~~secure~~appropriately insecured ~~their~~when ~~work~~unattended ~~area~~or at the end of the ~~day~~workday.

2.0 Scope

This policy applies to all employees, contractors, consultants, temporary staff, and ~~when~~affiliates ~~they~~of the organization working within organizational facilities or handling organizational information assets.

3.0 Policy Statements

All individuals subject to this policy are ~~expected~~required to beadhere ~~gone~~to ~~for~~the anfollowing ~~extended~~clean ~~period.~~desk practices:

3.1 Securing Workstations and Electronic Media

* **Lock Workstations:** Computer workstations must be locked ~~when~~(e.g., using Ctrl+Alt+Del or Win+L) whenever the workspace is ~~unoccupied.~~

unoccupied,

even for short periods.
* **End-of-Day Shutdown:** Computer workstations ~~must~~should typically be logged off or shut ~~completely~~ down at the end of the ~~work~~workday, ~~day.~~unless specific instructions are provided by IT for maintenance purposes.
* **Secure Laptops and Portable Devices:** Laptops and other portable computing devices (e.g., tablets) must be physically secured using a locking cable or stored in a locked drawer or cabinet when unattended and at the end of the workday.
* **Secure Removable Media:** Mass storage devices (e.g., USB drives, external hard drives, CDs, DVDs) containing sensitive or confidential information must be treated as sensitive and secured appropriately, typically by storing them in a locked drawer or cabinet when not in use.

~~Any~~3.2 Securing Physical Documents and Materials

* **Clear Desks:** Sensitive or confidential documents (Restricted or Sensitive information as per the Data Classification Policy) must be removed from the desk surface and ~~locked~~secured in a ~~drawer~~locked drawer, cabinet, or other approved secure container when the ~~desk~~workspace is unoccupied and always at the end of the ~~work~~workday.
* ~~day.~~**Lock

Cabinets:**

File cabinets and drawers containing ~~Restricted~~sensitive or ~~Sensitive~~confidential information must be kept closed and locked when not in direct use or when ~~not~~unattended.
* ~~attended.~~**Secure

Keys:**

Keys used ~~for~~to access ~~to Restricted~~cabinets or ~~Sensitive~~drawers containing sensitive or confidential information must not be left unattended at a desk or in an ~~unattended~~unsecured ~~desk.~~location.
*

**Printer/Fax

~~Laptops~~Output:** Printouts and faxes, especially those containing sensitive or confidential information, should be retrieved immediately from printers, copiers, and fax machines to prevent unauthorized viewing or removal.
* **Secure Disposal:** Documents containing sensitive or confidential information must be ~~either~~disposed ~~locked~~of ~~with~~properly ausing ~~locking~~designated ~~cable~~secure ormethods, ~~locked~~such ~~away in a drawer.~~

~~Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.~~

~~Printouts containing Restricted or Sensitive information should be immediately removed from the printer.~~

~~Upon disposal Restricted and/or Sensitive documents should be shredded in the~~as official shredder bins or ~~placed in the lock~~locked confidential disposal bins.

They should not be placed in regular trash receptacles.
* **Whiteboards:** Whiteboards containing ~~Restricted~~sensitive ~~and/~~or ~~Sensitive~~confidential information should be ~~erased.~~erased when the information is no longer needed or when the workspace will be left unattended.

~~Lock~~3.3 ~~away~~Password ~~portable~~Security

~~computing~~

* ~~devices~~Passwords must never be written down and left in an accessible location, such as ~~laptops~~on ~~and~~sticky ~~tablets.~~notes attached to monitors, under keyboards, or in unlocked drawers. Refer to the Password Policy for secure password management practices.

~~Treat~~4.0 ~~mass storage devices such as CDROM, DVD or USB drives as sensitive and secure them in a locked drawer~~Compliance

~~All~~4.1 ~~printers~~Compliance ~~and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.~~ Measurement

The

designated

~~Compliance~~authority ~~Measurement~~

~~The~~(e.g., Precision Computer ~~team~~team, Facilities Security, Internal Audit) will verify compliance towith this policy through various methods, including but not limited to, periodic physical walk-~~thrus,~~throughs ~~video~~of ~~monitoring,~~workspaces, ~~business~~awareness ~~tool reports, internal and external~~checks, audits, and ~~feedback~~review toof ~~the~~security ~~policy~~incident ~~owner.~~ reports.

4.2 Exceptions

Any exception to ~~the~~this policy requires formal, documented justification based on business needs and must be approved in advance by the designated authority (e.g., Precision Computer team inor ~~advance.~~relevant department manager). Compensating controls may be required.

An4.3 ~~employee~~Enforcement

~~found~~

Failure to ~~have~~adhere ~~violated~~to this policy may beresult ~~subject to~~in disciplinary action, up to and including termination of ~~employment.~~employment or contract, consistent with organizational procedures and the severity of the violation. Repeated non-compliance may lead to removal of access privileges.

Users should also be familiar with policies related to:

* Data Classification Policy
* Password Policy
* Information Handling Policy
* Workstation Security Policy