Creating and enforcing a clear-desk policy

With the holiday season fast approaching, many offices will be left empty for longer than usual. A clear-desk policy can help you protect the sensitive data that may be left around the office.

I can never claim to be a tidy person, just ask my wife, but I do have a rule that I clear my desk at the end of every day. Client documents are shredded or filed in a cabinet, and the keys, along with backup tapes and other media, are put into my fireproof safe. It doesn't take long and is a worthwhile task; I know confidential data is safely stored, and I know where it is -- both key tenets of good security.

Yet I visit so many offices where there is obviously no clear-desk policy, or if there is, the policy isn't enforced. Desks with papers piled high are not only a fire risk, possibly invalidating your fire insurance, but may well put the organisation in breach of the Data Protection Act. The act requires data controllers to take appropriate technical and organisational measures to protect personal data, and failure to do so can result in enforcement action by the Information Commissioner.

Now I know you're never going to be the most popular person in the office if you instigate a clear-desk policy, but it does play an important part in any organisation's data security efforts. A clear-desk policy is consistent with the ISO/IEC 27002 standard -- Code of practice for information security management -- which includes a specific clear desk and clear screen control, and it should be an integral part of any information classification policy. Obviously the success of a clear-desk policy depends on appropriate and adequate facilities being provided so that employees can securely use and store information. Workspaces should be organised to provide an area for carrying out regular work without being overlooked, together with furniture such as lockable desk pedestals or filing cabinets. Access to keys for lockable furniture should also be controlled: for example, keys can be signed out when employees arrive for work and signed back in when they leave.

Your clear-desk practices and procedures must be communicated to all personnel, and where appropriate employees should be tested on them to ensure that they are understood. Consistent enforcement of your policy is essential; otherwise bad habits quickly take over, and piles of paperwork reappear. All data should have a designated and accountable information owner who is responsible for its processing and storage. It is their role to ensure that good working practices are being used to manage the information.

A clear-desk policy should also cover areas such as meeting rooms. I've often entered a room to find the flip chart from the previous meeting still there, many times with confidential notes still in plain view. Confidential documents should never be left unattended, and flip charts and whiteboards are no different: used pages should be removed and boards wiped before the room is vacated. At the end of the working day or when leaving the office, I would recommend that employees ensure that:

  • All documents, including in-trays, are returned to the appropriate filing systems or storage furniture.
  • Newly created documents are correctly filed.
  • All sensitive documents are removed from printers and faxes for filing or disposal.
  • Expired, scrapped and unwanted copies of documents are disposed of in the correct manner.
  • All removable computer media, including floppy disks, CDs, DVDs, digital storage media and drives, are filed away.
  • Filing systems or furniture, desks, pedestals and cupboards are locked and keys stored in the correct locations.
  • Computer systems are logged off and, where appropriate, shut down; during the day, screens are locked whenever a desk is left unattended.
  • Laptops left in the office are removed from the desk and locked away.

Obviously employees need to be allowed time for desk management during the day and workspace clearance at the end of it, but setting aside time for the structured filing of information is time well spent. With the holiday season fast approaching, when many offices will be left empty for longer than usual, it's a great time to have everyone make a New Year's resolution to clear the decks ready for the new year.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
