
Are you doing Clear Desk and Clear Screen?

One security policy that is probably used at most organizations is “clear desk, clear screen”. Are you aware of it, and are you following it?

The simple story

On the surface, “clear desk, clear screen” means you should take care to keep your desk or work area clean and neat, and to be aware of what is on your screen, locking your computer with a screensaver or lock screen, to avoid leaking confidential information.

However, the fact is that even this simple directive is sometimes ignored, leading to information leaks and other issues.

There’s more to it

“Clear desk, clear screen” is an easy-to-remember mnemonic, but in reality it covers many more areas that you should be aware of besides just keeping your desk tidy.

Like what?

  • Go paperless where possible
  • Lock assets up when they are not in use
  • Log off computers and devices when they are not in use, and protect them with an automatic screen lock that activates after a specified period and requires a password or PIN to unlock
  • Restrict copying, printing and scanning to authorized personnel
  • Remove printed media immediately, never leaving it on the printer
  • Clean up meeting rooms of any printed materials, and clean whiteboards after use, properly disposing of unneeded printed materials using a shredder
  • Where possible, use software, such as labels and popups in the UI, to make it clear that the information being accessed is sensitive

While you think about these areas, of course you need to consider culture, laws and regulations, contractual requirements and identified risks, because they will all impact the details of your policy.

Tip

Refer to ISO 27001 (Information Security Standard) section A.7.7 for more details, and exercise due care as you do your day-to-day work.

Security | by: Rick Cogley | Reading Time: 2 min
