ISO 27001:2022 A 7.7 Clear desk and clear screen

When an employee leaves a workstation unattended, the sensitive information held in the digital and physical materials at that workspace is exposed to a heightened risk of unauthorized access, loss of confidentiality and damage. For instance, if an employee uses a customer relationship management tool that processes health records and leaves the computer unlocked during a lunch break, a malicious party can use that window to read, copy or misuse the health data, and anything they do is recorded under the absent employee's account.

A clear desk and clear screen policy sets out the practices that ensure sensitive information, in both digital and physical form, and the assets that hold it (notebooks, phones, tablets, removable media and so on) are not left unprotected in personal or shared workspaces when they are not in use, or when someone leaves the workstation, whether for a short break or at the end of the day. The clear screen part directs all employees to lock their computers when leaving their desk and to log off when leaving for an extended period, so that the contents of the screen are protected from prying eyes and the computer is protected from unauthorized use. The clear desk and clear screen rules work hand in hand to safeguard the organisation's information.

With the popularity of open-plan offices and shared workstations there is a greater need to safeguard information in this way, and the policy also brings practical benefits to the organisation:

  1. Prevent prying eyes. Computers that are left logged on and unattended are a tempting target for anyone walking past. Many employees entrusted with sensitive information leave documents open in plain view when they go for a break; a member of the accounting team, for example, may leave a document open that exposes the hourly wages of everyone in the office.
  2. Prevent unauthorised access. A clear screen policy not only stops curious passers-by from observing information they should not see, it also prevents unauthorised use. A computer left logged in lets someone else enter, modify or delete data, and because every such action is recorded under the absent employee's account, the blame falls on that employee.

Control

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.

Purpose

To reduce the risks of unauthorized access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.

ISO 27002 Implementation Guidance

The organization should establish and communicate a topic-specific policy on clear desk and clear screen to all relevant interested parties. The following guidelines should be considered:

  1. locking away sensitive or critical business information (e.g. on paper or on electronic storage media) (ideally in a safe, cabinet or other form of security furniture) when not required, especially when the office is vacated.
  2. protecting user endpoint devices by key locks or other security means when not in use or unattended.
  3. leaving user endpoint devices logged off or protected with a screen and keyboard locking mechanism controlled by a user authentication mechanism when unattended. All computers and systems should be configured with a timeout or automatic logout feature.
  4. making the originator collect outputs from printers or multi-function devices immediately, and using printers with an authentication function (pull printing), so that only the originator can release a print job, and only while standing at the device.
  5. securely storing documents and removable storage media containing sensitive information and, when no longer required, discarding them using secure disposal mechanisms.
  6. establishing and communicating rules and guidance for the configuration of pop-ups on screens (e.g. turning off the new email and messaging pop-ups, if possible, during presentations, screen sharing or in a public area).
  7. clearing sensitive or critical information on whiteboards and other types of display when no longer required.
The organization should have procedures in place when vacating facilities, including conducting a final sweep prior to leaving to ensure the organization's assets are not left behind (e.g. documents fallen behind drawers or furniture).

Organisations should create and enforce a topic-specific policy that sets out clear desk and clear screen rules. A clear screen policy is simple and practical to implement. Employees are usually already accustomed to logging off or shutting down their computer when leaving for the day, but few lock their computers when leaving their desks, especially for short breaks. A clear screen policy is most difficult to enforce in its infancy; once the organisation stresses its importance, and backs it with an automatic lock that users cannot switch off, employees will eventually make locking the screen a habit. The policy should be in writing and communicated to all employees, especially during induction and refresher training, and all employees should sign to acknowledge it. When establishing and enforcing clear desk and clear screen rules, organisations should take the following into account:

  • Sensitive or critical information held on digital or physical items should be locked away securely when not in use or when the workstation that holds it is vacated. For example, paper records, removable media and portable devices should be kept in secure furniture such as a locked cabinet or drawer.
  • Devices used by employees such as computers, scanners, printers, and notebooks should be protected via security mechanisms such as key locks when they are not used or when they are left unattended.
  • When employees leave their workspace and their devices unattended, the devices should be logged off or locked, and reactivation should require the user to authenticate again. Furthermore, an automatic time-out that locks or logs off the session should be configured on all endpoint devices such as computers, and enforced centrally so that users cannot disable it.
  • Print workflows should ensure that print-outs are collected immediately by the person who printed them (the originator). Where possible, the printer should require the originator to authenticate at the device before the job is released, so that no one else can collect the printout.
  • Physical materials and removable storage media containing sensitive information should be kept secure at all times. When they are no longer needed, they should be disposed of through a secure mechanism.
  • Organisations should create rules for the display of pop-ups on screens and these rules should be communicated to all relevant employees. For example, e-mail and messaging pop-ups can contain sensitive information and if they are displayed on the screen during a presentation or in a public space, this may compromise the confidentiality of sensitive information.
  • Sensitive or critical information written on whiteboards or shown on other displays should be erased when it is no longer needed.

When an organisation vacates a facility, the physical and digital materials previously held there must be removed or securely destroyed so that no sensitive information is left behind. Organisations therefore need procedures for vacating facilities, including a final sweep to confirm that no documents, media or devices remain (for example, papers that have fallen behind drawers or furniture).

On Windows, pressing CTRL+ALT+DEL and choosing Lock is straightforward. A keyboard shortcut is simpler still: press the Windows key and L together and the computer locks immediately.

Some basic guidelines while establishing a Clear desk and clear screen

1. Be aware of the classification of the information you hold.

  • Public data can generally be made available or distributed to the general public;
  • Internal data is for internal use and not for external distribution; and
  • Restricted (moderately to highly sensitive) data is to be used only by individuals who require it in the course of performing their responsibilities, or data which is protected by legal requirements.

2. Ensure that your desk and surrounding workspace is clear of papers and clutter.

  • A clear desk assists clear thinking, lets you and your colleagues find items quickly and presents a more professional image to visitors.
  • Maintaining a clutter-free workspace can also help to reduce workplace accidents and falls.
  • Papers containing restricted information should be locked away whenever you are temporarily away from your desk, even if you are still working on them. A locked drawer is suitable for this; if you have your own office, locking the door will suffice.
  • Post-its should not be used to record restricted information, such as passwords, or other similar information.
  • If large numbers of files are required, a lockable filing cabinet should be procured and when you are finished with a file, it should be put away as soon as possible.
  • Don't print out emails or papers only to read them once and then throw them away. Print only what you genuinely need a hard copy of.
  • Always clear your desk before you leave for the day, that way information isn’t kept unsecured and you are ready to work when you arrive the next morning.
  • All waste paper which contains restricted information must be shredded or placed in ‘confidential waste’ bins. Under no circumstances should this type of waste paper be thrown away in normal wastebins.

3. Ensure that restricted information is not kept on your screen when not needed.

A clear screen works in a similar way to a clear desk: it helps you think more clearly and limits what an onlooker can see.

How?

  • Close any applications or windows that are not required. Those needed on an ongoing basis, such as Outlook, can be minimised to reduce clutter on the desktop.
  • Every time you leave your desk, even if only for a few minutes, lock your screen (press the Windows key and L at the same time). A quick chat or coffee break can turn into an extended time away from your desk. Computers should be configured to require a password to unlock, and that setting should be enforced centrally so it cannot be disabled by the user.
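As an added example, not part of the standard or of this article: the implementation guidance above calls for an automatic time-out and a lock that can only be released by re-authenticating, and the rule just given says that setting must not be disabled by the user. On Windows those requirements map onto a handful of registry values: the "Interactive logon: Machine inactivity limit" security option (InactivityTimeoutSecs under the HKLM Policies\System key) and the Group Policy screen-saver settings (ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut under the HKCU Policies Desktop key). The script below audits them and, with -Enforce, sets them. The ten-minute threshold, the script's parameter names and the PASS/FAIL output format are my assumptions.

```powershell
# Added example for this article (not from the ISO text): audit the Windows
# settings that implement the "automatic lock, password to unlock" guidance
# in A 7.7, and optionally set them with -Enforce.
# Assumptions (mine, not the standard's): a 10-minute idle limit, and that the
# script runs from an elevated (administrator) session when -Enforce is used,
# because HKLM and the HKCU\Software\Policies subtree are not writable by
# ordinary users. That is also why a user cannot switch these values off.
[CmdletBinding()]
param(
    [int]$MaxIdleSeconds = 600,
    [switch]$Enforce
)

# "Interactive logon: Machine inactivity limit" (machine-wide, DWORD seconds).
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Group Policy location of the screen-saver lock settings (REG_SZ values).
# Values here take precedence over the user-editable HKCU:\Control Panel\Desktop.
$userPolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

# A timeout passes only if it is set, numeric, positive and within the limit.
function Test-IdleLimit {
    param($Value, [int]$Limit)
    return ($null -ne $Value) -and ("$Value" -match '^\d+$') -and
           ([int]$Value -gt 0) -and ([int]$Value -le $Limit)
}

$checks = @(
    @{ Path = $machineKey;    Name = 'InactivityTimeoutSecs'; Type = 'DWord';
       Expected = $MaxIdleSeconds;   Test = { param($v) Test-IdleLimit $v $MaxIdleSeconds } },
    @{ Path = $userPolicyKey; Name = 'ScreenSaveActive';      Type = 'String';
       Expected = '1';               Test = { param($v) "$v" -eq '1' } },
    @{ Path = $userPolicyKey; Name = 'ScreenSaverIsSecure';   Type = 'String';
       Expected = '1';               Test = { param($v) "$v" -eq '1' } },
    @{ Path = $userPolicyKey; Name = 'ScreenSaveTimeOut';     Type = 'String';
       Expected = "$MaxIdleSeconds"; Test = { param($v) Test-IdleLimit $v $MaxIdleSeconds } }
)

$failures = 0
foreach ($c in $checks) {
    $current = Get-RegValue -Path $c.Path -Name $c.Name
    $shown = if ($null -eq $current) { '<not set>' } else { $current }
    if (& $c.Test $current) {
        Write-Output ('PASS {0}\{1} = {2}' -f $c.Path, $c.Name, $shown)
        continue
    }
    $failures++
    Write-Output ('FAIL {0}\{1} = {2} (expected {3})' -f $c.Path, $c.Name, $shown, $c.Expected)
    if ($Enforce) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected `
                         -PropertyType $c.Type -Force | Out-Null
        Write-Output ('     -> set {0} to {1}' -f $c.Name, $c.Expected)
    }
}

# A non-zero exit code lets a scheduled task or endpoint-management tool flag the host.
exit $failures
```

Run it without parameters to audit, and as an administrator with -Enforce to remediate. In a domain these values are normally delivered through Group Policy, so the script is best used as a verification step (the machine inactivity limit locks the session on its own; the screen-saver values are a belt-and-braces setting for systems where that option is not applied). Changes take effect at the next logon or policy refresh, and the machine inactivity limit only counts as met if both the lock and the requirement to re-authenticate are in place, which is why the script checks ScreenSaverIsSecure rather than just the timeout.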

4. Know where your mobile and portable storage devices are at all times.

Theft or misuse of devices leaves you susceptible to exploitation of any data they hold. Every time you leave your desk, ensure any mobile devices are locked away or taken with you.

5. Keep your copies safe.

Restricted information left lying in printer trays or on fax machines may be picked up and used maliciously by someone who should not have access to it. Printers and fax machines should be cleared of papers as soon as a job completes; this ensures that sensitive documents are not left in output trays for the wrong person to pick up.
