Clear desk and screen Policy

Policy summary

Protecting information in the AADF main office, home offices, mobile workplaces etc. is largely a matter of common sense.  Simple controls such as clearing desks of information and screen-locking or logging off computers before walking away help secure information created, maintained and processed by AADF.

Applicability

This policy applies throughout the AADF as part of the corporate governance framework.  It applies in AADF offices and other workplaces, including home and temporary locations, while travelling etc.  This policy also applies to third-party employees working for the organisation, whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by generally held standards of ethics and acceptable behaviour) to uphold our information security policies.

Policy detail

Background

While we are working, it is necessary to have information readily to hand on paper and/or on the computer screen, notice boards etc.  However, if we leave the workplace unattended in that state, the information may be accessed by other people in the area.

Paperwork, diaries, computer disks, USB memory sticks, external hard drives, smartphones, tablet devices, backup disks etc. left on desks and other work areas are vulnerable to unauthorised access by passers-by, particularly while workers are elsewhere or distracted. 

Logged-on but unattended computers are similarly vulnerable to unauthorised access and mischief. 

Valuable information assets may be compromised (e.g. stolen, copied or damaged), causing costs, penalties and other adverse business impacts.  Sensitive/confidential company or personal details may be disclosed inappropriately, valuable business information, equipment and storage media may be harmed, and networked computer systems may be compromised. 

Policy axioms (guiding principles)

  1. Desks and similar work areas should be cleared of sensitive/valuable materials before being left unattended, particularly at the end of the working day.
  2. Logged-in computer systems and devices must not be left unattended unless they are locked with suitable user authentication and access control mechanisms.

Detailed policy requirements

  1. Consider the information risks if IT systems/devices or media (including paperwork) are left unattended, and protect them appropriately against physical threats such as inappropriate access, theft, damage, fire etc. Be extra careful to secure particularly sensitive or valuable information and vulnerable equipment or media, such as private files, security tokens and keys.  The risks are different if you are working away from a conventional corporate office (e.g. working from home or ‘on the road’, maybe in a hotel, at a conference, in an airport departure lounge or on public transport).  Generally speaking, the threats of deliberate theft and interference with materials are higher there, and we are more vulnerable to accidents and neglect.
  2. Clear desk: avoid leaving non-public paperwork, computer storage media and portable electronic devices on desks when unattended, especially outside working hours and especially where they contain highly sensitive or valuable information. Where practicable, such materials should be locked away in safes, filing cabinets, desk drawers or similar office furniture when not in use.  If suitable storage facilities are unavailable or of inadequate capacity, offices or rooms containing the materials must be locked shut when unattended.  This applies equally in home offices, hotels etc.
  3. Clear screen: do not leave logged-in IT devices unattended while in use unless they are secured by a password-protected screensaver configured to activate after five to fifteen minutes’ inactivity and to require the user’s password, PIN code or some other form of authentication (depending on the situation) to unlock.
  4. Avoid working on sensitive matters in public areas or where others can see/hear what you are doing, including on public transport. Be discreet.  Where possible, leave sensitive or valuable media (such as paperwork or USB sticks) locked safely in the office.
  5. Sensitive/valuable printouts should be collected from printers, scanners, photocopiers etc. immediately. Stronger access and user authentication controls (such as proximity cards or fingerprint readers) may be required for privileged users and/or high-risk IT systems (as specified by the corresponding Information Asset Owners). 
  6. Wipe whiteboards and notice boards of sensitive information after use, and clear away meeting agendas, minutes, notes etc. before vacating shared spaces.
  7. Review your surroundings before using videoconferencing facilities, including home offices. Clear sensitive or inappropriate materials from view, and use a screen or blur the background.  Reduce interruptions by closing the door, silencing phones and muting the microphone when not needed.  Be careful when repositioning the video camera or unmuting.
  8. Dispose of media or devices containing sensitive content properly: don’t just discard them in the ordinary waste bins.
  9. Look after each other: if you notice a colleague’s untidy desk, unattended and unlocked screen, forgotten papers/devices etc., a gentle reminder about this policy may be warranted. If you spot someone acting suspiciously in working areas, either politely challenge them or call Site Security.  If you are the last person to leave the office (e.g. at lunchtime or going-home time), look around to make sure it is all clear.  Please report repeated issues and serious concerns to your manager or the Help Desk.

Responsibilities

  • The Compliance & Control Officer owns this policy and is responsible for maintaining it and advising generally on information security controls. Working in conjunction with other corporate functions, the Officer is also responsible for running educational activities to raise awareness and understanding of the obligations identified in this policy.
  • The Compliance & Control Officer is authorised to tour and inspect corporate facilities for physical security issues, including unattended information, papers and other removable/portable storage media and devices.
  • Information Owners are personally accountable for the protection and legitimate exploitation of ‘their’ information, using suitable logical, physical and procedural controls. They may insist on specific controls such as not removing materials from the office, file encryption etc.  In some cases, there are legal compliance obligations (e.g. protecting personal or government-classified information).
  • Workers are personally accountable for compliance with applicable legal, regulatory and contractual obligations, and conformity with policies at all times.
  • Internal Audit is authorised to assess conformity with this and other corporate policies at any time.


Change history record

Issue | Description of change | Approval      | Date of change
1.0   | Initial issue         | <Job Title>   | dd/mm/yyyy