A Clean Desk Policy doesn’t mean you need to wipe down your desk every day. Although please do that anyway!
A Clean Desk Policy means so much more than that.
It means protecting important information, such as sensitive data and passwords.
Yes - passwords - a Clean Desk Policy absolutely means you need to stop writing passwords on post-its and leaving them under your keyboard. No no no.
This article will explore the Clean Desk Policy, its benefits, how to implement it and other factors to consider.
It goes without saying, but a clean desk looks good. But what about actual benefits that help your company?
First of all, a Clean Desk Policy encourages the use of digital documents instead of printed copies. This cuts down on the cost of paper and printing. It can also mean sensitive information is stored safely in the cloud rather than on paper (with properly configured security controls, of course!).
The second important benefit of a Clean Desk Policy is that it helps your company comply with industry standards for protecting important data. Does your company need to comply with HIPAA, SEC regulations, NIST, or CMMC? You need a Clean Desk Policy.
So what exactly is a Clean Desk Policy and how do you implement it in your company? We’ll discuss that below.
A Clean Desk Policy ensures that all important documents, confidential letters, binders, books, etc. are removed from a desk and locked away when the items are not in use or an employee leaves their workstation. It is one of the most effective strategies for reducing the risk of security breaches.
Having a clean desk not only eliminates clutter, but also reduces the likelihood that anyone can gain access to your company’s information or the information of your clients.
When implementing a Clean Desk Policy, it is important to get everyone in your company, including senior management, on board. This requires putting the policy in writing, reminding your employees of the policy, and conducting spot checks to ensure the policy is being followed. It is crucial to let all of your employees know how to follow the policy, its importance, and the consequences of disregarding the policy.
What about remote and hybrid workers? Your policy may need to be adjusted to include specific language about abiding by the Clean Desk Policy at home. Depending on your industry, you may need to have video spot checks to ensure that your employees are following the policy.
Providing employees with the tools they need to make the policy work is crucial. Lockable storage for employees to store items, a reliable and routine backup system for keeping electronic documents safe, and designated lockable shred bins will all aid employees in following the policy.
The same applies for remote and hybrid workers. Make sure they have the tools at home to effectively secure items and documents.
It is important that the rules of a Clean Desk Policy encourage a neat, clutter-free work environment. This means the work area should not contain post-it notes or papers with information such as user IDs, passwords, or account numbers, and should be free of non-essential documents. Loose papers and printed documents, which may contain confidential data, should always be secured in a locked desk until they are needed.
Putting away nonessential items and documents whenever an extended absence is anticipated and securing documents and electronic media at the end of the work day will also help mitigate some of the risks associated with leaving information unprotected.
Access cards and keys should be kept on employees at all times, while items such as laptops should be physically secured to the desk. In the event that an item is lost or stolen, security should be notified immediately.
What about those post-its with passwords and such! Please stop doing this. Implementing a Password Manager for your company is a great method for avoiding those password papers floating around.
Creating a list of basic items that are allowed at workstations may help employees maintain a clean space more easily. By knowing what items are allowed on the desk, they may have a better understanding of the policy and be more efficient in their end-of-day clean-ups.
Distributing a list of the allowed items will help to further educate your employees. Example of a list of allowed items:
Focal Point Data Risk - clean desk template
University of Cincinnati - clean desk policy
Usecure - clean desk policy
Instead of a separate policy, you may want to add a Clean Desk section to your Information Security Policy, like this:
Clean Desk & Workstation Locking
Staff are not to leave sensitive data exposed in locations where they might be viewed by people from outside the firm (e.g., clients, cleaning staff, office visitors). Any printed materials containing sensitive information should be kept in a locked location when staff are away from their desks.
All staff are responsible for securely shredding any printed materials containing sensitive information before disposal.
If working in a public location (like a coffee shop or airplane), staff should use a privacy screen.
All devices (e.g., laptops and phones) must have auto-lock enabled with a maximum timeout of 15 minutes. Staff are encouraged to lock their workstations manually when leaving their desk (Windows key + L or CTRL+ALT+DEL).
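A spot check for the auto-lock rule above can be automated on Windows. The following PowerShell function is an added example (not from the article): it reads the registry values behind the screen-saver lock and the "machine inactivity limit" policy and reports whether the workstation locks within the policy's 15-minute maximum. It assumes a standard Windows desktop and the well-known registry paths listed in the code.

```powershell
# Added example (not from the article): audit whether a Windows workstation
# meets the "auto-lock within 15 minutes" rule by reading the registry values
# behind the screen-saver lock and the machine inactivity limit.
# Run as the logged-in user; no elevation is needed to read these values.
function Test-CleanDeskAutoLock {
    param([int]$MaxTimeoutSeconds = 900)   # 15 minutes, as the policy text states

    # A Group Policy value (first path) overrides the user's own preference.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    $active = $null; $secure = $null; $timeout = $null
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($null -eq $active  -and $null -ne $v.ScreenSaveActive)    { $active  = [int]$v.ScreenSaveActive }
        if ($null -eq $secure  -and $null -ne $v.ScreenSaverIsSecure) { $secure  = [int]$v.ScreenSaverIsSecure }
        if ($null -eq $timeout -and $null -ne $v.ScreenSaveTimeOut)   { $timeout = [int]$v.ScreenSaveTimeOut }
    }

    # "Interactive logon: Machine inactivity limit" locks the session on its own;
    # an absent value or 0 means it is not enforced.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $inactivity = (Get-ItemProperty -Path $sys -Name InactivityTimeoutSecs `
                   -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # Compliant if either mechanism locks the session within the maximum.
    $screenSaverOk = ($active -eq 1) -and ($secure -eq 1)
    $screenSaverOk = $screenSaverOk -and ($timeout -gt 0) -and ($timeout -le $MaxTimeoutSeconds)
    $inactivityOk  = ($inactivity -gt 0) -and ($inactivity -le $MaxTimeoutSeconds)

    [pscustomobject]@{
        ScreenSaverActive     = $active
        ScreenSaverRequiresPw = $secure
        ScreenSaverTimeoutSec = $timeout
        InactivityLimitSec    = $inactivity
        Compliant             = [bool]($screenSaverOk -or $inactivityOk)
    }
}

# Example run: a machine that never locks, or locks without a password,
# reports Compliant = False so the spot check can flag it for remediation.
Test-CleanDeskAutoLock | Format-List
```

The check covers the classic screen-saver lock and the inactivity-limit policy only; a device that relies solely on locking after sleep will show as non-compliant here, so treat a False result as a prompt to inspect the device rather than a final verdict.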
Cybersecurity services are not just for the ‘big’ companies.
Small and medium-sized businesses need cybersecurity help too. But it doesn’t make sense to hire a full-time CISO.
That’s where a Virtual CISO (or vCISO) comes in.
If you need help with security compliance, protecting client data, or overseeing your IT company (because let’s face it, most hacks are successful due to IT mistakes) – then an Adelia Risk vCISO may be the right choice for you.