Clear Desk Policy and Checks

Clear Desk Policy

A Clear Desk Policy should be developed within the organization and endorsed by Senior Management.

The Policy should be part of the New Joiner’s Training and should also be included as part of the Annual Security Awareness Training.

Posters should be used in different locations in the office to generate awareness.

Main points to include in the Clear Desk Policy:

  • Computer screens should be locked whenever the desk is unattended and protected by a password.
  • Laptops, tablets, phones and removable storage devices (RSDs) should be locked away securely when not in use.
  • Confidential documents (for example: network diagrams, project plans, salary slips, medical records, user listings, client reports, login credentials) should never be left unsecured.  They should be locked in a filing cabinet or securely shredded.

Clear Desk Checks

Clear desk checks should ideally be carried out once a quarter.  At least 20% of the staff population should be sampled, up to a maximum of 40 people per check.

The team carrying out the checks should carry Examination Slips, a camera, adhesive tape and a Log Book.

The Examination Slip should record whether any violation was discovered at the desk, the materials confiscated, the name of the person carrying out the check, the date of the check and the checker's contact information.  The Examination Slip should be taped to the desk where the check was performed.

If a violation is discovered, a photo of it should be taken, including the offender's name tag.  The materials in violation (laptop, tablet, phone, RSD or confidential document) should be confiscated.

After a check, the details – desk location, employee who was checked, details of violation and materials confiscated – should be entered into a Log Book.

The next day, an email should be sent to all offenders, with their managers in copy, asking them to attend a Clear Desk Briefing where they can collect the confiscated materials.

A signed written acknowledgement should be collected from each offender.

The Clear Desk Briefing should explain the Clear Desk Policy, the consequences to the company if a real attack materializes, and the benefits of the mock attack that was just carried out.  The offenders should be asked to become messengers of the Clear Desk Policy within their teams.

Finally, a Clear Desk Check Report should be created.  It should contain the details from the Log Book, the photographic evidence of each violation and the written acknowledgements from the offenders.  The report should show the trend in the number of violations and highlight any repeat offenders.

It should be mandatory that offenders from the current quarter be included for the next quarter’s Clear Desk Check.

If an offender fails the Clear Desk Check in three consecutive quarters, the matter should be raised with Senior Management and HR.
