Creating and enforcing a clear-desk policy

I can never claim to be a tidy person, just ask my wife, but I do have a rule that I clear my desk at the end of every day. Client documents are shredded or filed in a cabinet, and the keys, along with backup tapes and other media, are put into my fireproof safe. It doesn't take long and is a worthwhile task; I know confidential data is safely stored, and I know where it is -- both key tenets of good security.

Yet I visit so many offices where there is obviously no clear-desk policy, or if there is, the policy isn't enforced. Desks with papers piled high are not only a fire risk, possibly invalidating your fire insurance, but may well be in breach of the Data Protection Act. The act places a legal obligation on information owners to protect sensitive personal information, and failure to do so may be treated as a criminal offence.

Now I know you're never going to be the most popular person in the office if you instigate a clear-desk policy, but it does play an important part in any organisation's data security efforts. A clear-desk policy is consistent with the ISO/IEC 27002 standard -- Code of practice for information security management -- and should be an integral part of any information classification policy. Obviously the success of a clear-desk policy is dependent on appropriate and adequate facilities being provided to enable employees to securely use and store information. Workspaces should be organised to provide an area for carrying out regular work activities without being overlooked, together with furniture such as lockable desk pedestals or filing cabinets. Access to keys for lockable furniture should also be controlled; for example, keys can be signed out when employees arrive for work and signed back in when they leave.

Your clear-desk practices and procedures must be communicated to all personnel, and where appropriate they should be tested to ensure that they are understood. Consistent enforcement of your policy is essential; otherwise bad habits quickly take over, and piles of paperwork quickly reappear. All data should have a designated and accountable information owner who is responsible for its processing and storage. It is their role to ensure that good working practices are being used to manage the information.

A clear-desk policy should also cover areas such as meeting rooms. I've often entered a room to find the flip chart from the previous meeting still there, many times with confidential notes still in plain view. Confidential documents should never be left unattended, and flip charts and whiteboards are no different. At the end of the working day or when leaving the office, I would recommend that employees ensure that:

  • All documents, including in-trays, are returned to the appropriate filing systems or storage furniture.
  • Newly created documents are correctly filed.
  • All sensitive documents are removed from printers and faxes for filing or disposal.
  • Expired, scrapped and unwanted copies of documents are disposed of in the correct manner.
  • All removable computer media, including floppy disks, CDs, DVDs, digital storage media and drives, are filed away.
  • Filing systems or furniture, desks, pedestals and cupboards are locked and keys stored in the correct locations.
  • Computer systems are logged off and, where appropriate, closed down.
  • Laptops left in the office are removed from the desk and locked away.

Obviously employees need to be allowed time for desk management during the day and workspace clearance at the end of the day, but setting aside time for the structured filing of information is time well spent. With the holiday season fast approaching, when many offices will be left empty for longer than usual, it's a great time to have everyone make a New Year's resolution and clear the decks ready for a new year.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

This was first published in December 2009