T2.3.9 - CLEAR DESK AND CLEAR SCREEN POLICY: Implementation Guidance
The entity shall adopt a clear desk policy for papers and removable storage media and a clear screen policy.
The clear desk and clear screen policy should take into account the information classifications, legal and contractual requirements and the corresponding risks and cultural aspects of the entity. The following guidelines should be considered:
- A. Sensitive or critical business information (e.g. on paper, flipcharts, whiteboards or electronic storage media) should be locked away, ideally in a safe, cabinet or other form of security furniture, when not required, especially when the office is vacated
- B. Computers and terminals should be left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism when unattended, and should be protected by key locks, passwords or other controls when not in use
- C. Unauthorized use of photocopiers and other reproduction technology (e.g., scanners, digital cameras) should be prevented
- D. Media containing sensitive or classified information should be removed from printers immediately