A policy for clear desks and clear screens SHALL be implemented along with guidelines for compliance and system security controls supplementing the policy.

Control Type: Administrative

Control Function: Preventive

Description: Insider threats are more common than any business owner likes to think they are. The possibility of an outside attacker entering the business premises and blending in (tailgating through a door, posing as a contractor or visitor) is also far more common than most owners assume. In both cases, the attacker will be looking for any exposed data: information left on unlocked computer screens, papers on desks, documents sitting in printer trays, notes on whiteboards, and so on.

To help mitigate the risk of an insider, or an intruder who has gained physical access, reading, photographing or removing sensitive data, every business should implement a Clear Desk and Clear Screen Policy with accompanying procedures. The wording should be straightforward, and all employees should become well-versed in the policy during onboarding. Regular reviews and workplace observations (for example, periodic walk-throughs after hours to check desks, printers and screens) should also be held to ensure continuing compliance, and where a technical control can enforce a rule, such as an automatic screen lock, it should be configured rather than left to habit.

Basic Clear Desk/Screen procedures include:

  • All computers must be locked when unattended. Users should lock the screen themselves whenever they step away; as a backstop, systems should be configured to lock automatically after a set period of inactivity. Users must be required to re-authenticate when returning to their computer.
  • Any Confidential or Restricted information should be enclosed and filed correctly; it should never be left open and unattended on a desk.
  • Employees should not stand behind another employee's desk, where they can read the screen, unless invited by that employee.
  • If an employee permits another employee to stand behind their desk, they should lock their computer screen and/or close any open windows that are not needed for the business task at hand.
  • All filing cabinets must be closed and locked when not in use.
  • All office doors must be shut and locked when left unattended by the assigned employee.
  • Whiteboards in meeting rooms and personal offices should be erased when not in use.
  • Under no circumstances should credentials be written down and attached to a device, desk or monitor; use a password manager instead.
  • Printed data should be retrieved from the printer as soon as it is printed. Where the printer supports it, use secure (pull) printing so that output is released only when the user authenticates at the device.
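A way to verify the screen-lock control from the list above on a Windows workstation, as an added example that is not part of the original policy: a PowerShell audit that reads the registry values behind the "Interactive logon: Machine inactivity limit" security option and the per-user screen-saver Group Policy settings, reports any setting that is missing, disabled or longer than the policy's idle limit, and can set the machine-wide limit for remediation. The 900-second (15-minute) limit, the function names and the exit code are assumptions; take the actual value from your own policy.

```powershell
# Added example (not part of the original policy page): audit a Windows host's
# screen-lock settings against a clear-screen policy. Thresholds are assumptions.
param(
    # Assumed policy value: lock after at most 15 minutes (900 s) of inactivity.
    [int]$MaxIdleSeconds = 900
)

function Get-RegValue {
    # Returns the named registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ClearScreenPolicy {
    param([int]$MaxIdleSeconds = 900)
    $findings = @()

    # Machine-wide control: "Interactive logon: Machine inactivity limit" (seconds).
    # It applies to every user on the host, so it is the preferred enforcement point.
    # A value of 0 or a missing value means the limit is not enforced.
    $machineLimit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    if (-not $machineLimit -or $machineLimit -gt $MaxIdleSeconds) {
        $findings += "InactivityTimeoutSecs is '$machineLimit'; policy requires 1..$MaxIdleSeconds"
    }

    # Per-user screen-saver policy (User Configuration > Administrative Templates >
    # Control Panel > Personalization). All three values are stored as strings.
    $base    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $active  = Get-RegValue $base 'ScreenSaveActive'
    $secure  = Get-RegValue $base 'ScreenSaverIsSecure'
    $timeout = Get-RegValue $base 'ScreenSaveTimeOut'
    if ($active -ne '1') { $findings += "Screen saver not enabled (ScreenSaveActive='$active')" }
    if ($secure -ne '1') { $findings += "Screen saver does not require a password (ScreenSaverIsSecure='$secure')" }
    if (-not $timeout -or [int]$timeout -gt $MaxIdleSeconds) {
        $findings += "ScreenSaveTimeOut is '$timeout'; policy requires 1..$MaxIdleSeconds"
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

function Set-MachineInactivityLimit {
    # Remediation for the machine-wide limit. Requires an elevated shell; on
    # domain-joined hosts set it through Group Policy instead of editing locally.
    param([int]$Seconds = 900)
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'InactivityTimeoutSecs' -Value $Seconds -PropertyType DWord -Force | Out-Null
}

# Run the audit, print the result object, and signal non-compliance to a
# calling scheduler or endpoint-management agent through the exit code.
$result = Test-ClearScreenPolicy -MaxIdleSeconds $MaxIdleSeconds
$result
if (-not $result.Compliant) { exit 1 }
```

Run the script from a scheduled task or endpoint-management agent so each workstation reports its own compliance; a non-zero exit code flags hosts that need attention. The machine-wide inactivity limit is the control to rely on, since a user can change their own screen-saver settings unless the per-user policy is also enforced. The technical lock is only a backstop for the manual locking habit the policy requires: with a 15-minute timeout an unlocked screen is still exposed for up to 15 minutes after the user walks away.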