Creating and enforcing a clear-desk policy


Michael Cobb, Contributor

I can never claim to be a tidy person, just ask my wife, but I do have a rule that I clear my desk at the end of every day. Client documents are shredded or filed in a cabinet, and the keys, along with backup tapes and other media, are put into my fireproof safe. It doesn't take long and is a worthwhile task; I know confidential data is safely stored, and I know where it is -- both key tenets of good security. Implementing a similar policy in business should be a standard practice.



Yet I visit so many offices where there is obviously no clear-desk policy, or if there is, the policy isn't enforced. Desks with papers piled high are not only a fire risk, possibly invalidating your fire insurance, but may well be in breach of the Data Protection Act. The act places a legal obligation on information owners to protect sensitive personal information, and failure to do so may be treated as a criminal offence.

Now I know you're never going to be the most popular person in the office if you instigate a clear-desk policy, but it does play an important part in any organisation's data security efforts. A clear-desk policy is consistent with the ISO/IEC 27002 standard -- Code of practice for information security management -- and should be an integral part of any information classification policy. Obviously the success of a clear-desk policy is dependent on appropriate and adequate facilities being provided to enable employees to securely use and store information. Workspaces should be organised to provide an area for carrying out regular work activities without being overlooked, together with furniture such as lockable desk pedestals or filing cabinets. Access to keys for lockable furniture should also be controlled. For example, they can be signed in and out when employees enter or leave for work.

Your clear-desk practices and procedures must be communicated to all personnel, and where appropriate they should be tested to ensure that they are understood. Consistent enforcement of your policy is essential; otherwise bad habits quickly take over, and piles of paperwork quickly reappear. All data should have a designated and accountable information owner who is responsible for its processing and storage. It is their role to ensure that good working practices are being used to manage the information.

A clear-desk policy should also cover areas such as meeting rooms. I've often entered a room to find the flip chart from the previous meeting still there, many times with confidential notes still in plain view. Confidential documents should never be left unattended, and flip charts and whiteboards are no different. At the end of the working day or when leaving the office, I would recommend that employees ensure that:

  • All documents, including in-trays, are returned to the appropriate filing systems or storage furniture.
  • Newly created documents are correctly filed.
  • All sensitive documents are removed from printers and faxes for filing or disposal.
  • Expired, scrapped and unwanted copies of documents are disposed of in the correct manner.
  • All removable computer media, including floppy disks, CDs, DVDs, digital storage media and drives, are filed away.
  • Filing systems or furniture, desks, pedestals and cupboards are locked and keys stored in the correct locations.
  • Computer systems are logged off and, where appropriate, closed down.
  • Laptops left in the office are removed from the desk and locked away.

Obviously employees need to be allowed time for desk management during the day and workspace clearance at the end of the day, but setting aside time for the structured filing of information is time well spent. With the holiday season fast approaching, when many offices will be left empty for longer than usual, it's a great time to have everyone make a New Year's resolution and clear the decks ready for a new year.

About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

All Rights Reserved, Copyright 2008 - 2010, TechTarget