Security · by: Rick Cogley · Reading Time: 2 min

Are you doing Clear Desk and Clear Screen?

One security policy that is probably used at most organizations is “clear desk,
clear screen”. Are you aware of it, and doing it?

The simple story

On the surface, “clear desk, clear screen” means you should take care to keep
your desk or work area clean and neat, and to be aware of what is on your
screen, locking your computer with a screensaver or lock screen, to avoid
leaking confidential information.

However, the fact is that even this simple directive is sometimes ignored,
leading to information leaks and other issues.

There’s more to it

“Clear desk, clear screen” is an easy-to-remember mnemonic, but in reality it
covers many more areas that you should be aware of than just keeping your desk
tidy.

Like what?

  • Go paperless where possible
  • Lock assets up when they are not in use
  • Log off computers and devices when they are not in use, and protect them
    with an automatic screen lock that activates after a specified period and
    requires a password or PIN to unlock
  • Restrict copying, printing and scanning to authorized personnel
  • Remove printed media immediately, never leaving it on the printer
  • Clean up meeting rooms of any printed materials, and clean whiteboards after
    use, properly disposing of unneeded printed materials using a shredder
  • Where possible, use software, such as labels and popups in the UI, to make
    it clear that the information being accessed is sensitive

While you think about these areas, of course you need to consider culture, laws
and regulations, contractual requirements and identified risks, because they
will all impact the details of your policy.

Tip

Refer to ISO 27001 (Information Security Standard) section A.7.7 for more
details, and exercise due care as you do your day-to-day work.
