Today’s clean desk policy is about a bit more than wiping down the computer screen and cleaning crumbs out of the keyboard at the end of the workday (although you should do that too for a healthy work environment and a clean office). Let’s take a look at how you can develop a clean desk policy, and how to enforce it to keep your business safe from losing sensitive information to data breaches, hacking, and plain old theft.
What is a clean desk policy?
The SANS Institute, which has provided information security training and various security and cybersecurity certifications since 1989, encourages a clean desk policy as one of the most important security measures a business can take. The policy is meant to ensure that workspaces are cleaned up, and that sensitive documents are either locked away or filed appropriately in the computer system, at the end of each workday.
What is the purpose of a clean desk policy?
A strong clean desk policy helps to guard against security breaches. It serves as a daily reminder to employees that protecting confidential information and data is a high priority, and something every employee needs to take seriously.
Your clean desk policy should also apply to remote workers — who may or may not have a private workspace in their homes, or may feel tempted to share company-owned laptops and other hardware with spouses or roommates who also work from home. Many businesses never had a remote workforce until COVID-19 shut down traditional office spaces, so it’s critical to reinforce a clean desk policy even when (or especially when) employees are no longer on premises.
A clean desk policy meets ISO 27001 standards for properly operating information security management systems (ISMS). It also serves to protect clients and customers as well as your company.
What are the components of a clean desk policy?
A solid clean desk policy addresses each component of an employee’s work area, from computer and internet hygiene to how hard copies of sensitive documents are handled, as well as which computer processes must be run at the end of the workday. Let’s break it down:
- Workstation policy: this section instructs employees to lock computers, laptops and tablets the moment those devices are not in use or the workstation is unoccupied. It should also address password practices: passwords must not be written on equipment, on notes stuck to computer screens, or anywhere else. Finally, it should establish specific protocols for external hard drives, USB drives and other mass storage devices; for example, at the end of the workday those items must be in locked storage, with keys kept in a defined location.
- Remote worker policy: the policy should address where and how company-owned hardware is stored when not in use at the remote location. This is especially important in a home environment, where unauthorized access may be more likely than when the employee is on premises.
- Software and cybersecurity policy: this addresses how employees are expected to log on to and off of company VPNs, how electronic documents must be filed, and which backup procedures and reports should be run at the end of each workday.
- Handling of physical documents: one of the many benefits of a clean desk policy is that it instructs your coworker with a super messy desk on how to clean up at the end of the workday. This part of the clean desk policy should also spell out how to handle restricted or sensitive information, and whether such documents may be left out on a desk for any extended period of time. It should provide clear guidelines for document destruction (which documents, where, and how), as well as which files may be kept in file cabinets and whether those cabinets should be locked at all times.
- Follow-up: establish compliance measures, and define the consequences if the policy is not followed.
What are best practices for implementing a clean desk policy?
The debut of your clean desk policy can lead to some grumbling among staff, but if management leads by example and gets everyone involved in developing the new policy, there is a good chance of compliance and success. Consider these steps:
- Put the clean desk policy in writing, hand it out, and store it on your intranet for everyone’s easy access and referral.
- Make sure senior management supports the policy and leads by example. The rules that apply on the floor must also apply in the corner offices.
- Allocate time in the workday to follow the clean desk policy. Be sensitive to different requirements in different departments: what takes minutes at the front desk may take half an hour in accounting.
- Provide the tools needed, whether that’s hardware, cleaning supplies, working shredders, or file cabinets. Make sure lockable drawers and closets have keys that work.
- Encourage the use of electronic storage to cut down on the number of printed copies produced. (This is also good for the environment.) If computer training is needed, make sure it’s available.
How do you enforce a clean desk policy?
Compliance can be tricky to enforce, especially for remote workers, but there should be established consequences for those who do not follow the policy.
In some work environments a team enforcement process may work best. For instance, if everyone is leaving at 5 p.m., agree to take the last 30 minutes to clean up and lock down. Soon this will become a welcome end-of-workday ritual.
For remote workers, a quick email or team meeting toward the end of the day may be a good reminder that it’s time to clean up, wrap up, and follow all the guidelines.
Cybersecurity and compliance management tools
As you forge a path for your business through the pandemic and our highly interdependent world, many tools can help keep your business safe and your information secure.
ZenGRC’s compliance management, risk and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before that risk has manifested as a real threat.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.