Establish, implement, and maintain a clean desk policy.


CONTROL ID: 06534
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain physical security controls for distributed assets. (CC ID: 00718)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization is recommended to implement a clean desk policy in all office areas, especially open or shared office areas. If a full clean desk policy cannot be implemented, the organization should use a risk-based approach and the decision should be recorded in the risk register. (Security Policy No. 5 ¶ 7, HMG Security Policy Framework, Version 6.0 May 2011)
  • Security awareness messages should cover details about required activity, including the need to comply with policies such as those for 'clear desk' initiatives and logging off or locking systems when leaving a computing device unattended. (CF.02.03.03d, The Standard of Good Practice for Information Security)
  • Security awareness messages should cover details about required activity, including the need to comply with policies such as those for 'clear desk' initiatives and logging off or locking systems when leaving a computing device unattended. (CF.02.03.03d, The Standard of Good Practice for Information Security, 2013)
  • Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and that user computing sessions are disabled after an established period of inactivity. (HRS-12, Cloud Controls Matrix, v3.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually. (HRS-03, Cloud Controls Matrix, v4.0)
  • Policies and procedures shall be established for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout for a period of inactivity. (IS-17, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. (A.11.2.9 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. (§ 11.2.9 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced. (§ 7.7 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Does the information security policy contain a physical clean desk policy? (§ B.1.11, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Position information system devices and documents containing CJI in such a way as to prevent unauthorized individuals from access and view. (§ 5.9.2 ¶ 1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Position information system devices and documents containing CJI in such a way as to prevent unauthorized individuals from access and view. (§ 5.9.2 ¶ 1 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)