Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

12) Does your organisation enforce a Clear Desk and Screen Policy?

August 30, 2022
Security Governance
Policies
Clear Desk
Clear Screen

Answer yes if your organisation has implemented and enforces a Clear Desk and Screen Policy. Please provide the Clear Desk and Screen Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

What is it?

Clear desk and clear screen policies, often combined into a single policy, aim to define rules to ensure that sensitive information is not left on display or physically accessible. In addition to sensitive business or customer data, information that could help others gain unauthorised access to systems can be particularly valuable.

For example, while access controls may protect access to the information and limit its access to authorised individuals, it could still be read off of their computer screen or on printouts if left unattended or overly visible. Some elements around the physical security of data, which could include hard copies of documents or even entire hard drives left on desks or in desk drawers, can also be included in a Clear Desk and Screen Policy.

Why should I have it?

Clear desk and screen policies typically cover requirements around locking screens when stepping away from one’s desk, or the mandatory use of screen guards which make it difficult to see the screen from indirect angles. Some of these requirements can be reinforced through technical measures such as automatic screen locking after a brief period of inactivity, or physically limiting access to systems.

They can also have requirements for not leaving any sensitive information in plain view on the desk when not in use, the clearing of one’s desk when stepping away of leaving the office for the day, and the locking of desk drawers.

As a supplier, having a clean desk and screen policy assures clients that you’ve considered how to protect your systems and their data from less technical avenues of compromise such as “shoulder surfing” or physical theft.

How to implement the control

Clear desk and screen policies are relatively simple to create and have relatively well-defined best practices. Simple measures such as screen locking, privacy screens, and requiring that desks be left clear of sensitive information is relatively straight forward.

The policy must however be occasionally tested against, with clean desk inspections for example, and disciplinary processes may need to be put in place for individuals that repeatedly fail to comply with the policy.

There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.