Control 7.7: Clear Desk and Clear Screen
Summary
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. This minimizes the risk of unauthorized access to information left unattended on workstations or in physical workspaces.
Applicability
In-Scope: Mandatory for all office environments. It is a key control for preventing the casual theft or viewing of sensitive data by unauthorized visitors or staff members.
Out-of-Scope: Never out-of-scope for physical office locations.
Implementation Guidance
Microsoft 365 / Entra ID
- Screen Locking: Use Microsoft Intune to enforce a 5-minute inactivity timer that automatically locks workstations and mobile devices.
- Cloud Storage: Encourage the use of OneDrive for all working documents to eliminate the need for local file storage or physical paper trails.
- Secure Printing: Implement Microsoft Universal Print with Secure Release to ensure documents are only printed when the user is physically present at the device.
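The screen-locking requirement above can be verified on an individual Windows workstation with a read-only check. The following PowerShell script is an added example, not part of the original page or of any Microsoft tooling; it reads the standard Windows policy registry locations for the machine inactivity limit and the password-protected screen saver, compares them against the 5-minute (300-second) requirement, and emits a report object that can be kept as spot-check evidence. The registry paths are the documented Windows policy keys; the output file location is an assumption.

```powershell
# Added example: read-only compliance check of screen-lock settings against
# the control's 5-minute requirement. Returns a report object for audit evidence.
$MaxIdleSeconds = 300   # 5 minutes, taken from the implementation guidance

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }    # value not configured on this device
}

function Test-ClearScreenCompliance {
    param([int]$MaxIdleSeconds = 300)

    # Machine-wide limit ("Interactive logon: Machine inactivity limit"), in seconds
    $machineIdle = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

    # Per-user screen saver policy: enabled, password-protected, timeout in seconds
    $ssPolicy  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ssActive  = Get-RegValue $ssPolicy 'ScreenSaveActive'
    $ssSecure  = Get-RegValue $ssPolicy 'ScreenSaverIsSecure'
    $ssTimeout = Get-RegValue $ssPolicy 'ScreenSaveTimeOut'

    $machineOk = ($null -ne $machineIdle) -and ($machineIdle -gt 0) -and ($machineIdle -le $MaxIdleSeconds)
    $ssOk      = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and
                 ([int]$ssTimeout -gt 0) -and ([int]$ssTimeout -le $MaxIdleSeconds)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        User                   = $env:USERNAME
        CheckedAt              = (Get-Date).ToString('o')
        MachineInactivitySecs  = $machineIdle
        ScreenSaverTimeoutSecs = $ssTimeout
        ScreenSaverSecure      = $ssSecure
        # Either enforcement path satisfies the 5-minute automatic lock requirement
        Compliant              = ($machineOk -or $ssOk)
    }
}

# Example run: show the result and append it to a CSV kept as spot-check evidence
# (output path is an assumption; point it at your evidence store)
$report = Test-ClearScreenCompliance -MaxIdleSeconds $MaxIdleSeconds
$report | Format-List
$report | Export-Csv -Path "$env:TEMP\clear-screen-check.csv" -NoTypeInformation -Append
```

A device where neither the machine inactivity limit nor a password-protected screen saver is set to 300 seconds or less is reported as non-compliant, which is the condition an after-hours spot check is looking for.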
Evidence Checklist
- Clear Desk/Screen Policy: A formally approved document defining the requirements for workstations and physical workspaces.
- Compliance Checks: Records of periodic after-hours spot checks to ensure no sensitive papers or unlocked screens were left behind.
- Awareness Evidence: Emails or posters reminding staff to lock their screens before walking away and to maintain a clean workspace.
Practical Audit Advice
Here are some questions the auditor might ask:
- During a walkthrough, are there any visible notes with passwords or sensitive data on monitors?
- How do you ensure that removable media like USB drives are not left unattended on desks?
- What is the process for disposing of sensitive paperwork that is no longer needed, such as cross-cut shredding?
- How is the clear screen policy enforced for employees working in public spaces like cafes or airports?