S 2.37 Clean desk policy
Initiation responsibility: IT Security Officer, Head of Organisation
Implementation responsibility: Employee
All employees should be required to keep their workplaces "tidy" when they leave them. IT users must ensure that unauthorised persons cannot gain access to IT applications or data. All employees must check their workplaces with the same degree of meticulousness and must ensure that all sensitive information is inaccessible and that the availability, confidentiality, or integrity of data cannot be compromised. It must not be possible for unauthorised persons to access data media (such as diskettes, USB sticks, or hard disks) or documents (e.g. printouts).
For brief periods of absence during working hours, it is sufficient to lock the room, provided that this is possible, and/or lock the screen in such a way that access is only possible after successful authentication. In the event of planned periods of absence of an employee (due to longer meetings, business trips, holidays, or training seminars), the workplace must be tidied in such a way that all data media or documents requiring protection are locked up and none are left in the open at the workplace. The employees require adequately sized and lockable storage facilities such as sturdy cabinets for this purpose.
Passwords must not be stored at a location open to plain view under any circumstances (for example on a label adhered on the screen or at easy-to-guess locations such as under the desk pad or in an unlocked desk drawer, see S 2.2 Resource management). In addition, clear hints (e.g. names of family members or "trivial passwords" such as sequences of consecutive numbers or letters) that could be used to quickly guess a password must be eliminated (see S 2.11 Provisions governing the use of passwords).
Supervisors and employees in security management should examine workplaces sporadically to verify whether any information requiring protection is openly accessible and instruct the employees on how to tidy their workplaces properly.
Review questions:
- Were all employees informed that no sensitive information is allowed to be openly accessible at unattended workplaces?
- Are workplaces checked randomly to see if any information requiring protection is openly accessible?