Estimated time: 15 min

Justification

In any kind of organization, it’s common to handle large amounts of highly sensitive information in paper form. At the same time, devices used to store and manipulate data become physical objects of interest to those who might want to compromise the organization. The idea behind this policy is to establish a set of strategies to protect both physical information and the integrity of devices. This policy is one of the most closely tied to day-to-day tasks since it considers activities that must be carried out throughout the entire working day.

Input data

Policies to be developed

The Clean desk policy is explicitly included in most reference frameworks used by various organizations.

Guiding questions

  1. What is the scope of this policy?
  2. What measures should be taken in the organization’s workspaces?
  3. How should physical information be handled in workspaces?
  4. How should physical information be disposed of once it is discarded?

Scope of the policy

In summary, the scope associated with this policy, available in section (1) of the clean desk policy template, covers the following aspects:

  • Workspaces affected by this policy.
  • People affected by this policy.

Measures in spaces with work devices

What measures should be taken in the organization’s workspaces? Discuss, modify and approve the content of section (2) of the corresponding template. Some of the most important aspects discussed in this section are:

  • Particular steps to follow at the end of the workday.
  • Management of unattended devices during the workday.
  • Use of a physical shield mechanism for devices in workspaces.

Management of physical data in workspaces

How should physical data be managed in workspaces? Discuss, modify and approve the content of section (3) of the corresponding template. Some of the most important aspects discussed in this section are:

  • Processes to follow at the end of the day to keep the workspaces free of sensitive data.
  • Management of filing cabinets or other physical data protection mechanisms.
  • Management of furniture keys and safety boxes.
  • Existence of sensitive data in workspaces.
  • Management of paper in printers.
  • Management of information on blackboards and billboards.
  • Management of portable digital storage devices.

Physical information disposal

How should physical information be disposed of once it has to be discarded?

Discuss, modify and approve the content of section (4) of the corresponding template. Some of the most important aspects discussed in this section are:

  • The use of equipment or techniques to render physical information unintelligible.
  • Secure locations for depositing physical information after it has been processed for disposal.
