
Control 7.7: Clear Desk and Clear Screen


Summary

A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. This minimizes the risk of unauthorized access to information left unattended on workstations or in physical workspaces.


Applicability

In-Scope: Mandatory for all office environments. It is a key control for preventing the casual theft or viewing of sensitive data by unauthorized visitors or staff members.

Out-of-Scope: Never out-of-scope for physical office locations.


Implementation Guidance

Microsoft 365 / Entra ID

  • Screen Locking: Use Microsoft Intune to enforce a 5-minute inactivity timer that automatically locks workstations and mobile devices.

  • Cloud Storage: Encourage the use of OneDrive for all working documents to eliminate the need for local file storage or physical paper trails.

  • Secure Printing: Implement Microsoft Universal Print with Secure Release to ensure documents are only printed when the user is physically present at the device.
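An added example, not from this page or from Microsoft: a PowerShell audit function that checks whether a Windows workstation actually enforces the 5-minute inactivity lock described above, and writes one evidence row per run for the spot-check records. The Group Policy and screen-saver registry paths are standard Windows locations; the PolicyManager path for the Intune DeviceLock setting is an assumption about where MDM policy is mirrored, and the `MaxSeconds` parameter and CSV file name are this example's own choices.

```powershell
# Added example: audit one workstation for an enforced idle lock of at most 5 minutes.
function Test-ClearScreenCompliance {
    param([int]$MaxSeconds = 300)   # 5 minutes, matching the page's Intune guidance

    $sources = @()

    # 1. Group Policy "Interactive logon: Machine inactivity limit" (value in seconds).
    $gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
    if ($gpo -and [int]$gpo.InactivityTimeoutSecs -gt 0) {
        $sources += [pscustomobject]@{ Source = 'GPO InactivityTimeoutSecs'; Seconds = [int]$gpo.InactivityTimeoutSecs }
    }

    # 2. Per-user screen saver policy: only counts if active AND password-protected on resume.
    $ss = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
                           -ErrorAction SilentlyContinue
    if ($ss -and $ss.ScreenSaveActive -eq '1' -and $ss.ScreenSaverIsSecure -eq '1' -and [int]$ss.ScreenSaveTimeOut -gt 0) {
        $sources += [pscustomobject]@{ Source = 'Screen saver policy'; Seconds = [int]$ss.ScreenSaveTimeOut }
    }

    # 3. MDM DeviceLock/MaxInactivityTimeDeviceLock (value in minutes).
    #    Assumption: the Intune-delivered policy is mirrored under this PolicyManager key.
    $mdm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock' `
                            -Name MaxInactivityTimeDeviceLock -ErrorAction SilentlyContinue
    if ($mdm -and [int]$mdm.MaxInactivityTimeDeviceLock -gt 0) {
        $sources += [pscustomobject]@{ Source = 'MDM MaxInactivityTimeDeviceLock'; Seconds = [int]$mdm.MaxInactivityTimeDeviceLock * 60 }
    }

    # The strictest enforced timeout is the one that actually locks the screen.
    $effective = $null
    foreach ($s in $sources) {
        if ($null -eq $effective -or $s.Seconds -lt $effective) { $effective = $s.Seconds }
    }

    # One evidence row: no enforcing source at all is a finding, not a pass.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        CheckedAt        = (Get-Date).ToString('s')
        EnforcingSources = ($sources | ForEach-Object { $_.Source }) -join '; '
        EffectiveSeconds = $effective
        Compliant        = ($null -ne $effective -and $effective -le $MaxSeconds)
    }
}

# Append this run's result to the spot-check evidence log (file name is the example's own).
Test-ClearScreenCompliance | Export-Csv -Path .\clear-screen-evidence.csv -Append -NoTypeInformation
```

A device that reports `Compliant = False` with an empty `EnforcingSources` has no idle lock configured by policy at all, which is the case the after-hours spot checks in the Evidence Checklist are meant to catch.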


Evidence Checklist

  • Clear Desk/Screen Policy: A formally approved document defining the requirements for workstations and physical workspaces.

  • Compliance Checks: Records of periodic after-hours spot checks to ensure no sensitive papers or unlocked screens were left behind.

  • Awareness Evidence: Emails or posters reminding staff to lock their screens before walking away and maintain a clean workspace.


Practical Audit Advice

Here are some questions the auditor might ask:

  • During a walkthrough, are there any visible notes with passwords or sensitive data on monitors?

  • How do you ensure that removable media like USB drives are not left unattended on desks?

  • What is the process, such as cross-cut shredding, for disposing of sensitive paperwork that is no longer needed?

  • How is the clear screen policy enforced for employees working in public spaces like cafes or airports?