7.7 Clear desk and clear screen
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|------------------|------------------------------------|---------------------------|-----------------------------|----------------------|
| #Preventive | #Confidentiality | #Protect | #Physical_security | #Protection |
Control
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.
Purpose
To reduce the risks of unauthorized access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.
Guidance
The organization should establish and communicate a topic-specific policy on clear desk and clear screen to all relevant interested parties.
The following guidelines should be considered:
a) locking away sensitive or critical business information (e.g. on paper or on electronic storage media) (ideally in a safe, cabinet or other form of security furniture) when not required, especially when the office is vacated;
b) protecting user endpoint devices by key locks or other security means when not in use or unattended;
c) leaving user endpoint devices logged off, or protected by a screen and keyboard locking mechanism that is released only through a user authentication mechanism, when unattended. All computers and systems should be configured with an idle timeout or automatic logout feature so that protection does not depend on users remembering to lock their screens;
d) making the originator collect outputs from printers or multi-function devices immediately, and using printers with an authentication function (e.g. pull printing), so that only the originator can release a printout, and only while standing at the printer;
e) securely storing documents and removable storage media containing sensitive information and, when no longer required, discarding them using secure disposal mechanisms;
f) establishing and communicating rules and guidance for the configuration of pop-ups on screens (e.g. turning off the new email and messaging pop-ups, if possible, during presentations, screen sharing or in a public area);
g) clearing sensitive or critical information on whiteboards and other types of display when no longer required.
The organization should have procedures in place when vacating facilities including conducting a final sweep prior to leaving to ensure the organization’s assets are not left behind (e.g. documents fallen behind drawers or furniture).
Other information
No other information.