HRS-03: Clean Desk Policy and Procedures

Control Family:

Human Resources

CSF v1.1 References:

PF v1.0 References:

Threats Addressed:


Control is new to this version of the control set and incorporates the following items from the previous version: GRM-06: Policy, GRM-09: Policy Reviews, HRS-11: Workspace.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually.

Implementation Guidance

The organization should establish and communicate a “clean desk” policy to guide personnel on reducing the risk of unauthorized access to information. The following guidelines should be considered:

  1. Sensitive or critical business information (e.g., on paper or electronic storage media) should be locked away—ideally in a safe, cabinet, or other security furniture—when not required.
  2. User endpoint devices should be protected by key locks or other physical security means when not in use.
  3. Documents containing sensitive information from multi-function devices (such as printers and other reproduction technologies) should be stored securely. When these documents are no longer required, they should be discarded using secure disposal methods.
  4. Whiteboard and other types of displays should be cleared when not required.
  5. Computers should be configured to automatically lock the computer screen after an idle period (screen lock timeout).
  6. Users should be trained to log out of systems or lock computer screens when not at workstations.
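Items 5 and 6 above are the only guidelines that can be verified on the endpoint itself rather than by observation. The following PowerShell script is an added example, not part of the CSA Cloud Controls Matrix or any CSA tooling: it reads the Windows screen-lock settings (the per-user screen saver values, the Group Policy copies that override them, and the machine-wide inactivity limit) and reports whether the endpoint locks after an idle period and requires a password to resume. The 900-second limit is an assumed policy value, not one the CCM prescribes; substitute whatever interval the organization's clean desk policy defines.

```powershell
# Added example (not from the CSA CCM): audit a Windows endpoint's idle
# screen-lock configuration against a clean desk policy.
# ASSUMPTION: the policy's maximum idle interval is 900 seconds (15 minutes).

function Get-RegValue {
    # Return a registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-ScreenLockConfig {
    param([int]$MaxIdleSeconds = 900)

    # User-configurable screen saver settings and their Group Policy overrides.
    $userKey    = 'HKCU:\Control Panel\Desktop'
    $policyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    # "Interactive logon: Machine inactivity limit" (seconds, DWORD), machine-wide.
    $machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # A policy-set value takes precedence over the user's own setting.
    $active  = Get-RegValue $policyKey 'ScreenSaveActive'
    if ($null -eq $active)  { $active  = Get-RegValue $userKey 'ScreenSaveActive' }
    $timeout = Get-RegValue $policyKey 'ScreenSaveTimeOut'
    if ($null -eq $timeout) { $timeout = Get-RegValue $userKey 'ScreenSaveTimeOut' }
    $secure  = Get-RegValue $policyKey 'ScreenSaverIsSecure'
    if ($null -eq $secure)  { $secure  = Get-RegValue $userKey 'ScreenSaverIsSecure' }
    $machineLimit = Get-RegValue $machineKey 'InactivityTimeoutSecs'

    # Convert to integers without throwing on missing or malformed values.
    $timeoutSecs = $timeout      -as [int]
    $machineSecs = $machineLimit -as [int]

    $findings = @()
    if ($active -ne '1') {
        $findings += 'Screen saver is not enabled'
    }
    if ($null -eq $timeoutSecs -or $timeoutSecs -le 0 -or $timeoutSecs -gt $MaxIdleSeconds) {
        $findings += "Screen saver timeout '$timeout' is not within 1..$MaxIdleSeconds seconds"
    }
    if ($secure -ne '1') {
        $findings += 'Screen saver does not require a password on resume'
    }

    # The machine inactivity limit locks the session on its own, so either
    # mechanism enforcing a secured lock within the policy interval is compliant.
    $machineOk = ($null -ne $machineSecs) -and $machineSecs -gt 0 -and $machineSecs -le $MaxIdleSeconds
    $userOk    = ($findings.Count -eq 0)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        UserName               = $env:USERNAME
        MachineInactivityLimit = $machineSecs
        ScreenSaverTimeout     = $timeoutSecs
        SecureOnResume         = ($secure -eq '1')
        Compliant              = ($machineOk -or $userOk)
        Findings               = $findings
    }
}

# Usage on the local endpoint:
Test-ScreenLockConfig -MaxIdleSeconds 900 | Format-List
```

For the auditing step, the same function can be pushed to a sample of endpoints with `Invoke-Command` and the `Compliant` and `Findings` fields collected as evidence that the screen-lock guideline is actually enforced, rather than relying on the written policy alone. Note that the machine inactivity limit is the more robust control because it does not depend on per-user screen saver settings that a user can change.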

The organization should have procedures for vacating facilities, including a final sweep before leaving to confirm that no organizational assets are left behind (e.g., documents that have fallen behind drawers or furniture).

Auditing Guidance

  1. Examine policy for adequacy, currency, communication, and effectiveness.
  2. Verify that secure and insecure work areas are defined and demarcated.
  3. Verify that confidential data is classified appropriately, and that the classification is available at point-of-use.
  4. Verify, via interviews or otherwise, that the policy is communicated to users.
  5. Examine policy and procedures for evidence of review at least annually.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.