Clear Desk and Clear Screen Policy
Somebody nipping out to lunch or to a meeting is business as usual in every office and may seem innocuous. However, this everyday situation can pose a serious information risk to a business. Without proper precautions, information and assets left on the desk can be accessed and taken by an unauthorised person. In addition, any system that is left logged in can be compromised, and anyone with access to the desk can use it under the identity of the absent employee.
To help prevent this, businesses should explain to their employees, and to anyone else who handles their information, the proper procedure for safeguarding information and other assets within the workplace. ISO 27001, a widely used information security standard, provides useful controls here. Specifically, control 11.2.9, Clear desk and clear screen policy, deals with exactly this kind of situation.
What is a Clear Desk and Clear Screen Policy?
The clear desk and clear screen policy aims to ensure the protection of sensitive information, both physical and digital, as well as assets such as mobile phones and laptops within the workspace while they are not in use. Typically, this is when somebody leaves their workstation for a short time, or during non-working hours. The clear desk and clear screen policy is relatively easy to implement as it is normally low-tech.
Examples of Clear Desk and Clear Screen
Locked storage within the workplace, such as safes, filing cabinets and even simple lockable drawers, should be available for storing physical information like documents, and easily stolen devices such as phones, tablets and laptops, whenever they are unattended. This practice can also help to prevent loss of assets or information due to unforeseen events such as fire, flooding or natural disasters.
Computer screens should be positioned so that those walking past cannot easily see them, and can be set up to use time-activated locking to protect them in the event that they are left unattended. All information systems should be logged off whenever they are not in use and should be shut down outside working hours. If a device is switched off there is no opportunity for somebody to try to access it.
NB The quickest way to screen-lock a Windows PC or laptop is to press the Windows key + L (as indicated in the image above).
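Time-activated locking only protects a workstation if it is actually configured, and the settings live in two places on Windows: the machine-wide "Interactive logon: Machine inactivity limit" policy (stored as InactivityTimeoutSecs under the HKLM policy key) and the per-user screen saver settings (ScreenSaveActive, ScreenSaveTimeOut and ScreenSaverIsSecure, which may be overridden by Group Policy). The following PowerShell audit script is an added example, not part of the original article or of ISO 27001; it reads those registry values and reports whether they meet a clear screen policy. The 10-minute idle limit (MaxIdleSeconds) is an assumed policy value, not a figure from the article.

```powershell
# Added example (not from the original article): audit a Windows machine for
# the screen-lock settings a clear screen policy relies on.
# MaxIdleSeconds is an assumed policy threshold; adjust to your own policy.
param(
    [int]$MaxIdleSeconds = 600   # assumed policy: lock after 10 minutes idle
)

# Read a single registry value, returning $null if the key or value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

# Screen saver settings: a Group Policy value, if present, takes precedence
# over the value the user set themselves.
function Get-ScreenSaverSetting {
    param([string]$Name)
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userKey   = 'HKCU:\Control Panel\Desktop'
    $value = Get-RegValue -Path $policyKey -Name $Name
    if ($null -eq $value) { $value = Get-RegValue -Path $userKey -Name $Name }
    $value
}

function Test-ScreenLockPolicy {
    param([int]$MaxIdleSeconds)
    $findings = @()

    # 1. Machine inactivity limit: enforced by the OS for every user, so it is
    #    the control to rely on; 0 or missing means it is not enforced.
    $inactivity = Get-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                               -Name 'InactivityTimeoutSecs'
    if ($null -eq $inactivity -or [int]$inactivity -eq 0) {
        $findings += 'Machine inactivity limit is not set'
    } elseif ([int]$inactivity -gt $MaxIdleSeconds) {
        $findings += "Machine inactivity limit ($inactivity s) exceeds policy ($MaxIdleSeconds s)"
    }

    # 2. Screen saver for the current user: must be on, within the idle limit,
    #    and must require a password on resume, otherwise it hides nothing.
    $active  = Get-ScreenSaverSetting -Name 'ScreenSaveActive'
    $timeout = Get-ScreenSaverSetting -Name 'ScreenSaveTimeOut'
    $secure  = Get-ScreenSaverSetting -Name 'ScreenSaverIsSecure'

    if ($active -ne '1') { $findings += 'Screen saver is not enabled for this user' }
    if ($null -eq $timeout -or [int]$timeout -gt $MaxIdleSeconds) {
        $findings += "Screen saver timeout ($timeout s) is missing or exceeds policy ($MaxIdleSeconds s)"
    }
    if ($secure -ne '1') { $findings += 'Screen saver does not require a password on resume' }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$result = Test-ScreenLockPolicy -MaxIdleSeconds $MaxIdleSeconds
if ($result.Compliant) {
    Write-Output 'Screen lock settings comply with the clear screen policy'
} else {
    Write-Output 'Screen lock settings do NOT comply:'
    $result.Findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it in the session of the user being audited, because the HKCU values are that user's own. The machine inactivity limit is the check that matters most for the policy: it locks the session regardless of what the user has done to their screen saver settings, and it is set centrally through Group Policy under Security Settings, Local Policies, Security Options ("Interactive logon: Machine inactivity limit"), which is the natural place to remediate any finding the script reports.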
The number of printers, copiers and similar devices should be reduced as much as possible to limit the number of potential data leak points. In addition, they should be configured so that only authorised personnel can access the documents. Printed documents should be collected from the printer as soon as possible to minimise the risk of them being taken.
The paperless office is not just for efficiency; it is also more secure. Documents in the workplace should only be printed if necessary, and post-it notes should be kept to a minimum. Even if these do not hold sensitive information themselves, they can help potential attackers compromise information by giving them knowledge of the business.
Meeting rooms also have risks of their own. At the end of any meeting all whiteboards should be properly erased, and all papers that are no longer needed should be properly disposed of using a shredder.
Implementing a Clear Desk and Clear Screen Policy
According to ISO 27001, control 11.2.9, a Clear Desk and Clear Screen Policy should consider:
The level of information that would require secure handling
Legal and contractual requirements that demand information protection
Identified organisational risks
Cultural aspects
Measures that should be adopted to secure desks, devices, and media
In addition to this, businesses should ensure that regular training is carried out to raise awareness of the policy, and that other reminders such as posters and emails are used. Businesses should also carry out periodic evaluations of employees' compliance with the policy so that any problems can be dealt with before an information leak occurs.
Be Proactive
Failure to implement policies that prevent unauthorised access can be devastating for businesses and could affect others' willingness to do business with them. However, with such low-tech and cost-efficient solutions available, there is no excuse for businesses to become victims. Being proactive and putting these measures in place early, before any information is compromised, will ensure that your workplace is far more secure for the future.