June 25, 2014

How to Implement a Clean Desk Policy

Over the years, there have been different arguments made for and against a clean desk policy in the workplace.

Some people say it stifles creativity, and de-personalizes the workplace.

Others say it relays an air of competence to outsiders, and helps make all employees feel more organized.

But the most important reason today for a clean desk policy is information security – and there’s no argument there.

What is a Clean Desk Policy?

By definition, a clean desk policy specifies how employees should leave their working space when they aren't there. Sensitive information must be protected at all times from anyone who may pass by including other employees, cleaners, and office visitors.

Desks should be cleared of all papers including post-it notes, paper with sensitive information such as account numbers, and non-essential documents. The policy also pertains to sensitive information on computers.

In effect, a clean desk policy is one of the simplest ways to protect sensitive information and to reduce the risk of a data breach and identity theft.

A clean desk policy also complies with information security regulations. In the U.S., federal privacy laws include FACTA, HIPAA/HITECH, Gramm Leach Bliley and Sarbanes Oxley.

Who Benefits From This Policy?

Security: A Clean Desk Policy protects confidential information from being seen and taken by insider fraudsters and other criminals in the office. That reduces the risk of information theft, fraud, and a security breach. The policy complies with basic privacy principles too.

Human Resources: Clearing clutter is an information management strategy that increases productivity. According to an Adeliarisk.com post, an average desk worker keeps 36 hours of work at the workspace at any one time. That’s distracting, and employees can spend up to about 2.5 hours a day searching for information.

Creative Thinkers: A Clean Desk Policy is part of an evolving workplace that includes a growing mobile workforce, less defined physical boundaries, and flex-time options. ‘Hot desking’, a new way of organizing the office, relies on a Clean Desk Policy. Instead of everyone having their own desk, there’s an open workspace with empty desks and employees sit where they like. Creative thinkers who want a less orderly work space can choose flex-time hours – and work in their home office.

Management: Clearing desks at five o’clock is the key to this policy, but employees are also encouraged to be conscious of information security all day long. If they wander away from their desk for a meeting, they’re instructed to remove confidential information from sight. This helps to increase employees’ awareness of security, according to the education organization SANS Institute.

Environment: A Clean Desk Policy aligns with green office strategies. It encourages digital versions of documents, which reduces paper use. Digital documents are easier to find and not physically accessible to insider fraudsters and other information thieves.

For a Successful Implementation, Here is a Clean Desk Policy Checklist:

• Put the Clean Desk Policy in writing and make it part of the culture of security in the workplace. Be sure it is communicated to all new employees.
• Provide a list of items that are allowed at work stations
• Support paperless strategies in the office. For example, don’t print emails unnecessarily.
• Educate employees about visual hacking, which is a low-tech method of stealing confidential information. Emphasize clear computer screens when employees are away from the desk.
• Provide physical security, and advise employees to protect access cards and keys at all times. Reconsider open floor plans, which pose a greater threat to visual privacy.
• The policy should stipulate that when an item is lost or stolen, security is immediately notified. The 2014 IT Security Risks Survey by Kaspersky showed that only half of employees reported the loss or theft of a mobile device within one day. But if the device wasn’t locked, whoever had it might be able to access information. Security personnel can’t take any steps to protect sensitive data until they know the device has been compromised.

How to go About Implementing a Clean Desk Policy?

• Make it official: Put the policy in writing and distribute it to all employees. This information should be part of on-going security awareness training. For the mobile workforce, emphasize the importance of protecting information at all times.
• Explain exactly what is expected of employees. For example, when away from the desk, all sensitive information must be removed from the desk surface and filed or locked up; also, switch on the computer’s password-protected screen saver.
• Be sure there is buy-in at the executive level. The senior team must follow and advocate the policy. The policy must be adopted by the C-suite and shared throughout the organization. Some workplaces ask employees to read and sign copies of the Clean Desk Policy document.
• Provide friendly reminders. Use employee communications such as newsletters, e-alerts and posters to remind everyone to protect confidential information. For example, add a tagline to email signatures such as ‘Please consider the environment before printing this email’. Hang up reminder signage in key areas of the office.
• Provide support: The workplace should provide clean desk tools. Equip desks with lockable drawers, or provide small lockable storage boxes so employees can lock up printed documents that may contain confidential data. Install privacy filters on computers.
• Encourage electronic over paper documents when possible. Have a routine back-up system in place for secure electronic document management.
• Embed information security: Partner with a professional document destruction company that provides a secure chain of custody and document shredding services for both paper documents and hard drives and e-media. The company should replace recycling bins with locked containers so that when documents are no longer needed, they are securely stored until security-trained professionals retrieve them for secure destruction.
• Introduce a Shred-it all Policy too so that all documents are destroyed when they are no longer needed – and employees do not have to decide what is or isn’t confidential.
• Make it easy for employees to keep their desks free of paper by partnering with a document shredding company for document disposal. Locked consoles should be placed in convenient places in the office and documents should be shredded on a regular basis. Remind employees that sensitive documents should never be put into the garbage or recycling bin.
• Make it part of the workday. Suggest employees start the day by planning and organizing documents needed for their immediate work. If an employee has to leave to attend a meeting or take a break, do a quick check first to see if there is sensitive information on the desk – and secure it. Always leave a clean, clear desk at the end of the day.
• Appoint one or more employees to monitor office areas. There should be consequences for policy non-compliance.

Benefits of a Clean Desk Policy

Here are all the benefits of a Clean Desk Policy:

• Information security: At the top of the list, a Clean Desk Policy helps protect sensitive information and reduces the risk of a data breach and identity theft. Desks and computer screens are cleared of confidential information.
• Compliance: A Clean Desk Policy helps an organization improve compliance of privacy laws. There are different privacy laws in the U.S. and Canada, and the General Data Protection Regulation (GDPR) will replace the Data Protection Act in Europe and the U.K. next year.
• Tidy Workspace Appearances: The policy helps to tidy and organize an office overall sending a stronger message of efficiency and professionalism. This is important for both visitors and employees.
• Productivity: A de-cluttered office is more productive than a messy one, according to the National Association of Professional Organizations. The average person wastes over 4 hours a week searching for papers; the average executive loses 1 hour of productivity per day searching for missing information.
• Flexible Working: The policy supports ‘hot desking’, which is an office design system where employees do not have assigned desks, aiding flexibility in the workplace. All desks are left empty every evening, and employees sit where they want as they arrive in the morning.
• Embedded security: A Clean Desk Policy helps create security-driven work habits. The goal is for employees to start their day by planning and organizing documents needed for their immediate work.
• Supports a Culture of Security, which all organizations are encouraged to implement. A Clean Desk Policy also promotes a positive company reputation. Visitors to the workplace see that everything is tidy, which sends the message that the company is organized and good at what it does too.

Learn more about how to increase the security of information in your office with a clean desk policy.