Clean Desk Policy - Why It Is Important
In any organisation, a clean desk policy is important to ensure that confidential information is stored securely whenever a desk is not in use, reducing information security breaches in the workplace. Often, organisations do not have a formally documented policy that requires documents to be stored securely under lock at a user’s desk. As a result, the organisation leaves itself exposed should confidential information be taken from a user’s desk. Policies are often implemented only after a security breach has occurred that has led.
Best practices for information security dictate that information be stored under lock and key when not in use. The practice also extends to ensuring that people do not “piggy-back” into the office on another employee’s pass; rather, each person swipes their own pass when they enter. Unauthorised entry into the premises can occur when a person allows another to enter without identifying themselves via a security pass. On paper, an organisation may have a loose policy with regard to security, but organisations should question why a proper system has not been implemented, considering that it can be carried out at low cost to the organisation overall.
A clean desk policy reduces the threat to confidential information that arises when a desk is left unattended. All employees and third parties working for the organisation should be subject to this policy. To reduce the risk of exposure, consider scanning documents electronically and storing them on a secure server rather than on your workstation, which is prone to compromise, or to information loss if a backup is not made. Sensitive information that is required in paper format should be stored under lock and key.
Consider the fact that many people work in open spaces rather than in closed offices. Many departments no longer have locks to secure the area when no one is around. Think about security in this manner: would you want your personal confidential information lying around for anyone to access? Most would answer no. In the same manner, your company’s customers, vendors, and employees have the right to assume that their information is managed responsibly.
Also consider that federal privacy laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA), as well as provincial legislation, may require that information be stored responsibly. Customers may also inspect a vendor’s premises to ensure that it has adequate physical internal controls, which include a clean desk policy. Desks should be locked, or at least the drawers containing highly confidential information should be locked when left unattended.
Accessories such as laptops should be securely fastened to the desk during the day and locked in a drawer at night. Company RSA keys and access cards (“bops”) should be carried at all times: an exposed card not only gives access to unauthorised persons, but security breaches can also be traced back to the employees who left their access cards exposed.
Also consider that if such information falls into the wrong hands, it could result in leaked information that affects the competitive advantage a company may have, or lead to a media leak that results in negative public relations for the organisation. The organisation’s strategy relies on everyone safeguarding its information.
Although many records are stored electronically, consider the importance of paper documents. Files should not only be filed and locked away to clear the desk, but lodged in an organised manner. Depending on the field, documents or batches may require reference numbers, a security classification, a file storage date, an off-site storage date, as well as a destruction date. A proper system facilitates not only easy retrieval of information but also an organised process for the disposal of records.
A proper tracking system can be a spreadsheet or database that tracks the location of each file and whether it has been signed out. Any duplicate copies that exist, such as an electronic and a paper-based copy, should be logged in the tracking system. Consider storing paper-based files in a room with fire-resistant cabinets and a sprinkler system. Keys should be kept securely and never left out and unattended.
Older files that must be retained but are not in use should be stored off-site until no longer required, after which they can be shredded. Boxes should be labelled to facilitate retrieval and disposal according to properly established policies and procedures. As part of business continuity planning, documents important for business continuity must be identified and scanned electronically to allow them to be accessed off-site if necessary.
As I noted in a previous post, “The Paperless Office – Electronic Document Storage”, storing information electronically is an easy way to assist in complying with a clean desk policy. Relevant documents can be retrieved with ease, but are out of reach of those who should not have access. A properly managed electronic system can allow information to be maintained in accordance with internal controls and privacy legislation.
Some have argued that a certain level of clutter can be beneficial. Consider, however, the amount of time spent sorting through files to find an important document that is not filed correctly, or to locate its backup attachments.
A clean desk policy does not mean the office cannot provide a stimulating environment, nor does it imply that personal accessories cannot be kept on your desk. What is implied is that relevant organisational documents are securely stored: plan which documents you will need and file all others. Consider placing them in a folder labelled work-in-progress and locking the drawer when leaving your desk unattended. Also keep track of physical documents that you pass to co-workers for review, for example on a spreadsheet. At the end of the day, ensure that any confidential information is locked away.
Everyone should be responsible for ensuring adherence to the clean desk policy, not just the Internal Audit Department, Security Compliance, or Human Resources. The importance of a clean desk policy should be communicated, as well as the consequences of not following it.
The system needs buy-in from senior management to ensure that the policy is enforceable and therefore effective. To ensure that employees can comply with the policy, inspect each employee’s working area to determine whether they can securely store documents at their desks. If not, consider installing locks at each desk, or providing filing cabinets near the desk where employees can lock their information away when not in use.
Routine reminders can be sent to employees in the weekly newsletter that is emailed to staff, or posted in a noticeable spot on the intranet site. Employees should also be appointed to a committee that monitors work areas to ensure that the policies are being followed and that sensitive information is filed. For first-time non-compliance, reminders could be left on the desk; the consequences for repeat offences would be for the organisation to determine based on the nature of the information.
Departments that are in one hundred percent compliance could be rewarded by recognising them at employee meetings and providing lunch to the staff. The reward system, if any, can be creative, and if taken in a positive light it can foster team spirit within units of the organisation.
About the author:
Hanif Shamji, MBA, CPA, CGA is a Finance Business Partner / Sr. Financial Analyst with an information technology background, experienced in several industries.