Clear desks and clear screens
Introduction
Whilst physical security measures around a site and logical security measures around a network can provide a lot of comfort to a security-conscious organisation, the “Human Factor” is often a less-considered vulnerability.
Where it is considered, steps are usually taken to educate employees about phishing, the disabling of security measures, and other ways in which information can leak; visitors, however, are often not a major consideration, nor are the data that employees leave unguarded or visible within the offices.
This policy is intended to limit sensitive data that could be easily viewed or taken by a visitor or employee. Basic data security should be ensured to avoid internal leaks of data.
Whilst some documents are relatively harmless (such as paper copies of contracts out of sight in cupboards), notepads or guides with ‘working knowledge’ may present a risk, as may the temporary display of more serious documentation on desks and screens whilst work is done. This policy describes controls for information by Sensitivity category; see the Information Sensitivity policy (Insert link). For information rated as Public, no “Clear Desks and Clear Screens” controls apply, as this data can be shared without harm. The other three categories of data are detailed below:
Category | Examples | Concern
Confidential | Contracts, unpublished marketing releases, customer service designs etc. | These documents are not in and of themselves of any major concern, though they may present a concern if exposed in bulk, leaked to a competitor, or leaked in combination with other documentation.
Internal Only | Notepads, memos/internal communication, training documents etc. | These documents present a concern, due to ‘unknown’/uncontrolled copies of protected data or due to explicit if fragmented insights into company policies and mechanisms.
Restricted Access | Developer documentation, HR records, director/board members’ notes, elevated access credentials etc. | These documents present a direct and certain danger. They may include data sensitive enough to result in civil or legal action if lost, data that provides key insight into company strategy, or data that provides sufficient detail into company secrets for a rival to replicate our efforts.
Clear desks
Available and utilised physical storage varies from locked and hidden filing cabinets to exposed desk surfaces adjacent to ground-floor windows, and the differing levels of exposure may require different responses from employees to address security concerns.
For unexceptional (Public or Confidential) documents, visibility alone is not a serious concern. It is recommended that these, like all documents, are discreetly stored, but it is recognised that there is not unlimited storage space within a working office. The sole requirements for safe storage of these documents are that they are not left in an unattended area whilst a visitor is present, and that increased caution is taken with these documents if any similar documents become misplaced.
For Internal Only documents, it is recognised that these tend to be sensitive in part because they are useful extensions of an employee’s ‘working memory’. As such, they will tend to be kept somewhat available for quick use. For safe storage of these documents, it is required that they are ‘masked’ (notebooks closed, papers covered) when not in use. It is also required that these documents are kept masked and attended during any visit, and are kept in a locked desk drawer during any protracted absence (such as weekends or holiday time) by their responsible owner. If working on or viewing these documents outside the office, this should be done in a reasonably private area and the documents securely held or stored at all times.
For Restricted Access documents, these must be secured at all times, including during usage. Individuals that handle such documents (such as Developers, Directors, and HR employees) must have regular seating available in an isolated or concealed location. These documents must be masked when not in immediate use, and be secured in a locked drawer or cabinet at any time the responsible owner will be away from their desk, including for meetings or lunch breaks. These documents are not to be worked on adjacent to ground-floor windows or any other public or externally visible areas.
Clear screens
PCI Pal tends to use and store data largely in an electronic format.
In general, all employees are strongly encouraged to lock their computers during even brief (<1 minute) absences, using Windows Key + L (on the Windows majority of devices); this also applies to phones and other devices that hold company data. Care should be taken when using company devices outside company premises, particularly if they store private company data. The IT Team shall also enforce an inactivity-timeout policy on all laptops that will lock machines after 5 minutes of inactivity and show a screensaver.
For unexceptional (Public or Confidential) documents, this is all that is required of employees.
For Internal Only documents, employees are required to be aware and considerate of the proximity of other individuals. If an employee is viewing sensitive data when another person (such as a visitor or member of the public) approaches, they should take steps to remove the item from view. If working on or viewing these documents outside the office, this should be done in a secure environment with reasonable efforts towards privacy.
For Restricted Access documents, the document must be minimised upon anyone’s approach, and the minimal number of highly sensitive documents kept open at any one time. Individuals that handle such documents (such as Developers, Directors, and HR employees) must have regular seating available in an isolated or concealed location, the IT team must verify that the inactivity-timeout policy is functioning on the laptops of these individuals, and it is recommended the inactivity time is a brief period such as 1 to 3 minutes. These documents are not to be worked on adjacent to ground-floor windows or any other public or externally visible area.
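The IT verification step above can be scripted. The following is an added example (not part of this policy or of PCI Pal's tooling) that reads the Windows registry values behind the screensaver lock and the machine inactivity limit and reports whether a laptop locks within the policy's limit; it assumes a Windows device and that the timeout is deployed either as a screensaver policy or as the "Machine inactivity limit" security setting.

```powershell
# Added example (not part of the policy): report whether this Windows laptop's
# inactivity lock meets the policy limit. Defaults to 300 s (5 minutes);
# pass -MaxSeconds 180 for Restricted Access handlers (1 to 3 minutes).
function Test-InactivityLockCompliance {
    param([int]$MaxSeconds = 300)

    # Machine-wide limit: security option "Interactive logon: Machine inactivity limit".
    $sysPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $machineLimit = (Get-ItemProperty -Path $sysPath -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # Per-user screensaver settings. Values deployed by Group Policy live under
    # Software\Policies and take precedence over the user's own Control Panel\Desktop values.
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'
    $desktop = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    if (-not $desktop) { $desktop = Get-ItemProperty -Path $userPath -ErrorAction SilentlyContinue }

    $timeout = [int]($desktop.ScreenSaveTimeOut)     # REG_SZ seconds of inactivity before the saver starts
    $active  = $desktop.ScreenSaveActive -eq '1'     # screensaver enabled
    $secure  = $desktop.ScreenSaverIsSecure -eq '1'  # "On resume, display logon screen" (i.e. locks)

    # Either mechanism is acceptable as long as it locks within the allowed window.
    $screensaverOk = $active -and $secure -and $timeout -gt 0 -and $timeout -le $MaxSeconds
    $machineOk     = ($null -ne $machineLimit) -and $machineLimit -gt 0 -and $machineLimit -le $MaxSeconds

    [pscustomobject]@{
        ComputerName                 = $env:COMPUTERNAME
        MaxAllowedSeconds            = $MaxSeconds
        ScreenSaverTimeoutSeconds    = $timeout
        ScreenSaverLocksOnResume     = $secure
        MachineInactivityTimeoutSecs = $machineLimit
        Compliant                    = ($screensaverOk -or $machineOk)
    }
}

Test-InactivityLockCompliance                  # all staff: must lock within 5 minutes
Test-InactivityLockCompliance -MaxSeconds 180  # Restricted Access handlers: 1 to 3 minutes
```

A non-compliant result means the lock is either disabled, does not require a password on resume, or fires later than the policy allows; the function reads settings only and changes nothing.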