This week’s instalment tackles a specific security policy which is neither costly nor technical. The topic dawned on me when I was writing up the conclusion for last week’s post, which is part of the GDPR & ePrivacy titbits series on Security. As you might have gathered from the title, this post will tackle the clean desk policy.
When mentioning the clean desk policy we’re not referring to how clean and shiny your working desk is (although that doesn’t hurt). Rather we’re referring to the potentially sensitive documents, papers or information that might be lying around on your desk or in your office. The premise is that unauthorised eyes might see those documents whilst you’re away from your desk, and that measures should be taken to safeguard against that possibility.
Depending on the company’s nature of business and the sensitivity of the data handled, the clean desk policy can be made stricter or more lenient as required. Below is a sample of the clauses one would expect to find in a clean desk policy, interspersed with some considerations marked as author’s comments.
- Employees are required to ensure that all sensitive/confidential information in hard copy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for: (author’s comment: check all those that apply)
  - an extended period,
  - away from their desk,
  - at day’s end.
- Computer workstations must be locked when workspace is unoccupied.
- Computer workstations must be shut down completely at the end of the work day. (author’s comment: It is recommended that an IT policy is set to either disable the sleep function, or automatically force a shut down after a set and agreed time, e.g. 20:00.)
- Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day. This also applies to those employees within shared offices. Employees with their own offices are to either lock items in a drawer or lock the office. This is only permitted when the office will not be in use by anyone else in their absence.
- File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended.
- Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.
- Laptops must be either locked with a locking cable or locked away in a drawer or within a locked office.
- Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location. (author’s comment: Passwords should not be written down at all, but let’s face it, with having to change your password every 30 to 60 days, it’s what most people end up doing.)
- Printouts containing Restricted or Sensitive information should be removed from the printer immediately; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up. A secure printing policy could also be enacted and referenced in relation to this point.
- When no longer required, restricted and/or sensitive documents should be shredded. (author’s comment: For highly sensitive environments, shredders may only be placed in specific locations and are emptied, and their contents disposed of, by authorised personnel.)
- Whiteboards containing restricted and/or sensitive information should be erased. Any information portrayed on a whiteboard, flipchart, etc. in meeting rooms is to be erased at the end of the same meeting.
- Lock away portable computing devices such as laptops and tablets.
- Treat mass storage devices such as CD-ROM, DVD or USB drives as sensitive and secure them in a locked drawer. (author’s comment: For highly sensitive environments, mass storage devices such as USB sticks or external hard drives should be banned and automatically blocked through an IT policy.)
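Three of the clauses above (locking unoccupied workstations, disabling sleep and forcing a 20:00 shutdown, and blocking USB mass storage through an IT policy) can be enforced technically rather than left to memory. The script below is an added example, not from the original post; it assumes Windows workstations, an elevated PowerShell session, and a 10-minute auto-lock interval chosen here for illustration. In a real estate the same settings would normally be pushed via Group Policy or an MDM baseline.

```powershell
#Requires -RunAsAdministrator
# Added example: enforce three clean desk clauses on a Windows workstation.
# Assumptions: Windows 10/11, run elevated, 10 minute lock and 20:00 shutdown chosen as examples.

# 1. Lock the workstation after 10 minutes of inactivity.
#    This is the machine-wide "Interactive logon: Machine inactivity limit" policy,
#    so a user cannot switch it off from their own screen saver settings.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' -Type DWord -Value 600

# 2a. Disable sleep and hibernate so "asleep" can never substitute for "shut down".
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /hibernate off

# 2b. Force a shutdown every day at 20:00 as SYSTEM, with a 30 second warning
#     so that anyone still logged on is told why the machine is going down.
$action    = New-ScheduledTaskAction -Execute 'shutdown.exe' `
               -Argument '/s /f /t 30 /c "Clean desk policy: nightly shutdown"'
$trigger   = New-ScheduledTaskTrigger -Daily -At '20:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'CleanDesk-NightlyShutdown' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# 3. Block USB mass storage by disabling the USBSTOR driver service.
#    Start = 4 means "disabled"; the block takes effect the next time a drive is plugged in.
$usbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbKey -Name 'Start' -Type DWord -Value 4

# Read every setting back, so the random compliance checks the post talks about
# can be scripted instead of done by walking the floor.
function Test-CleanDeskBaseline {
    [pscustomobject]@{
        AutoLockSeconds  = (Get-ItemProperty -Path $policyKey).InactivityTimeoutSecs
        UsbStorDisabled  = ((Get-ItemProperty -Path $usbKey).Start -eq 4)
        NightlyShutdown  = ($null -ne (Get-ScheduledTask -TaskName 'CleanDesk-NightlyShutdown' `
                                          -ErrorAction SilentlyContinue))
    }
}
Test-CleanDeskBaseline
```

Running `Test-CleanDeskBaseline` on its own from a remoting session gives a quick per-machine compliance report without touching any settings.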
It is important to not opt for the stricter policy by default as employees might not follow this. It’s best to have a more lenient policy that is followed than a strict one which is totally ignored.
Before jumping in and publishing a clean desk policy there are a few items that should be considered and taken care of. If you’re asking your employees to do something you must first ensure that they are equipped to do so. In this case:
- Has everyone been provided with a lockable drawer/cabinet and a key?
- Are there any key copies floating around?
- Do the people occupying an office have a key?
- Are offices accessed by cleaning and maintenance service people out of office hours? If so, is locking the office enough?
- Can you enact any automatic policies to enforce and support any aspect of the clean desk policy?
Assuming you have considered and catered for all the above, there are two further items to think about. As with every policy and process, you would need to think about how to roll it out and enforce it. A policy on paper is worth nothing more than the paper it is printed on, and if, like me, you use a digital internal wiki, it’s worth even less.
- Do you have a security officer who could make random checks periodically? Or a member of staff that can be entrusted to do so?
- In case someone is not complying, what is the action plan? Are there any repercussions?
- Is training required to explain the scope and importance of the policy? If so, is it required once upon roll-out or should it be repeated periodically?
- If training is only carried out at roll-out, how are new joiners notified and trained on this policy?
As you can see there is a lot to consider, even for the simplest of policies. Right now though, all I want to consider is how much sugar and cinnamon I should add to my mulled wine.
Wishing you all the best for the upcoming festivities and we’ll be back with more in the new year.
If you wish to be notified when new posts come out, drop us a note via the contact us section of the website and we’ll add you to our mailing list.