S 2.212 Organisational requirements regarding cleaning contractors

Initiation responsibility: IT Security Officer

Implementation responsibility: Internal Services

Cleaning services are almost exclusively provided by external contractors. Cleaning personnel who do not belong to the institution itself access all rooms and areas of the building, including parts of the building such as technology rooms or boardrooms that are otherwise accessible only to certain groups of employees. Furthermore, external cleaning personnel often use their own cleaning devices and, depending on the contract, also bring their own cleaning agents and other consumables. This creates weak points, for example by making it possible to remove internal material from the building on the way out.

Besides the general characteristics of a contract specification for cleaning work, such as the type, name and location of the property, the room use groups and current room lists, the individual activities must also be described in detail. Activities could be, for example, cleaning of textile and non-textile coverings, cleaning and care of room fittings and furniture, as well as disposal tasks. This forms the basis for describing the individual requirements, including the details for the individual rooms.

Cleaning work is often performed outside office hours so as not to disturb the work process. However, this requires clarifying whether the cleaning personnel are to be supervised. Expectations regarding cleaning times, as well as the special treatment of certain areas with particular protection requirements that may not be accessed without control, must be stated in the contract specification.

Before starting work, cleaning personnel should be instructed on their tasks. Above all, this includes instruction on the areas and the corresponding access requirements, on the cleaning of IT systems and the particular considerations in connection with IT systems, and on the handling of confidential information encountered during work. Such information may include, for example, documents lying on a desk or in a waste basket, or overheard discussions.

The access of cleaning personnel can cause problems, especially in areas with higher security requirements such as computer centres, server rooms, technology rooms or communication centres, so additional security safeguards are required there. In such areas it may be reasonable to verify the trustworthiness of the cleaning personnel or to supervise them during their activities.

If the cleaning company is trusted, access by the cleaning staff can be controlled using the existing access control and locking system. However, such a system is only effective as a security measure if passes or keys are handed out to announced or known employees of the cleaning company for a limited time and only after they have signed a receipt. If the cleaning company agrees to use only permanent members of its staff, the identification system can also serve as an effective means of checking whether the contract is being fulfilled.

The contractor must appoint a person who is available at all times and is responsible for the building, in order to co-ordinate the cleaning and handle any problems that arise. This person must be authorised to decide which employees of the cleaning company will be deployed (and, in particular, which employees will no longer be deployed because they are not wanted).

Special handling for sensitive areas should be included in the tender documents and in the wording of the contract. For computer centres, for example, random checks of bags or transported goods should be written into the contracts for the areas accessed by external personnel and vehicles.

Since it cannot be assumed that the cleaning staff know how to handle IT equipment properly, they should be informed which tasks can damage IT equipment or disrupt IT operations in areas containing business-critical IT systems. Examples of such problems include the following:

Areas with higher security requirements, such as machine rooms or data media archives, may only be cleaned in the presence of a person assigned responsibility by the client or, in some cases, additionally in the presence of a person trusted by the contractor (when the two-person rule applies, for example).

Review questions: