Physical security is a critical and sometimes overlooked aspect of cyber security. Security should be looked at as a holistic effort to protect important assets – from employees and hardware to customer data and intellectual property. An important part of protecting these assets and bolstering both your physical and cyber security is through the implementation of a clean desk policy.
In addition to improved security, a clean desk policy is also a simple way to promote security awareness among your employees. Organizations are also increasingly including clean desk policy mandates in standard vendor contracts, and similar policies are a requirement of many security and privacy frameworks, including ISO 27001 and 27002.
What is a Clean Desk Policy?
A clean desk policy is simply a documented protocol that establishes requirements for how employees should handle company information and materials within the office. It can include requirements for computers, mobile devices, printed materials, and access cards, as well as for how workspaces should be maintained.
Best Practices for Implementing a Clean Desk Policy
- Document your clean desk policy. Include it in your employee handbook or information security policy.
- Communicate the policy. Provide periodic reminders of what it is and where to find it (make it part of the culture).
- Hold everyone accountable. Everyone from the CEO down to the newest hire should be required to adhere to the policy. Every employee handles information that could compromise the organization.
- Provide alternatives. Give your employees secure places to keep things – locking drawers, file cabinets, lockers, etc. Without the right tools, you won’t be able to create a secure environment.
- Assign responsibility for enforcement. Department managers should pass through the office near the end of each work day to ensure that workspaces are compliant with the policy.
- Limit hard copies. Only print documents when absolutely necessary; your organization should develop a preference for electronic documents.
A clean desk policy is relatively easy to enforce, and has a place at any organization regardless of industry, so we encourage its widespread adoption. To help get you started, we’ve provided a proven template below.
Template: Clean Desk Policy
[Company Name] stands committed to the development of secure policies and practices, and in doing so, has implemented this Clean Desk Policy to increase physical security at [Company Name] locations. This policy ensures that confidential information and sensitive materials are stored away and out of sight when they are not in use or when the workspace is vacant.
This policy sets forth the basic requirements for keeping a clean workspace, where sensitive and confidential information about [Company Name] employees, clients, vendors, and intellectual property is secured.
The policy shall apply to all [Company Name] employees, contractors, and affiliates.
- Employees are required to secure all sensitive/confidential information in their workspace at the conclusion of the work day and when they are expected to be away from their workspace for an extended period of time. This includes both electronic and physical hardcopy information.
- Computer workstations/laptops must be locked (logged out or shut down) when unattended and at the end of the work day. Portable devices like laptops and tablets that remain in the office overnight must be shut down and stored away.
- Mass storage devices such as CDs, DVDs, USB drives, or external hard drives must be treated as sensitive material and locked away when not in use.
- Printed materials must be immediately removed from printers or fax machines. Printing physical copies should be reserved for moments of absolute necessity. Documents should be viewed, shared and managed electronically whenever possible.
- All sensitive documents and restricted information must be placed in the designated shredder bins for destruction, or placed in the locked confidential disposal bins. Please refer to the Records Retention Policy for additional information pertaining to document destruction.
- File cabinets and drawers containing sensitive information must be kept closed and locked when unattended and not in use.
- Passwords must not be written down or stored anywhere in the office.
- Keys and physical access cards must not be left unattended anywhere in the office.
It is the responsibility of each [DEPARTMENT MANAGER OR EQUIVALENT] to ensure compliance with the policies above. Repeated or serious violations of the clean desk policy can result in disciplinary action in accordance with [COMPANY NAME]’s Employee Handbook.
If you notice that any of your devices or documents have gone missing, or if you believe your workspace has been tampered with in any way, please notify [RELEVANT CONTACT] immediately.
Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.