Peak Support Clear Desk Clear Screen Policy
1.0 Policy Objectives
- The purpose of this document is to define rules to prevent unauthorized access to information in workplaces, as well as to shared facilities and equipment.
2.0 Policy Scope
- This document applies to the entire Information Security Management System (ISMS) scope, i.e., to all workplaces, facilities and equipment located within the ISMS scope.
- Users of this document are all employees of Peak Support.
3.0 Policy Statements
- All information classified as “Internal Use” and “Confidential” as specified in the Information Classification and Handling Guide is regarded as sensitive in this Clear Desk and Clear Screen Policy.
3.1 Workplace protection
- Clear Desk Policy: All authorized persons are required to keep their desks and/or workspaces free of any items or artifacts not necessary for the performance of their tasks, which may include electronics, writing instruments, and/or recording media/devices.
- Work-related documents and/or media must be stored in a secure manner in accordance with the Information Classification and Handling Guide.
- Clear Screen Policy: If the authorized person is not at his/her workplace, all sensitive information must be removed from the screen, and access must be denied to all systems for which the person has authorization.
- In the case of short absence (up to 15 minutes), the clear screen policy is implemented by logging out of all systems or locking the screen with a password.
- Mobile Device Policy: Personal mobile devices are not allowed to be used in the workspace without completion and approval of a Business Risk Acceptance memo, or as required by client contractual agreement.
3.2 Protection of shared facilities and equipment
- Documents containing sensitive information must immediately be removed from printers, fax and copy machines.
- Facilities for dispatch and reception of mail are protected by lock and key.
- The Chief Information Officer shall be responsible for managing and reviewing this Clear Desk Clear Screen Policy, and ensuring that it complies with Company strategy, acceptable and emerging best practice, and affords appropriate protection to the Company.
- All individuals specified within the scope of this Clear Desk Clear Screen Policy (see Section 2.0) shall have individual responsibility for complying with each and every aspect of this policy at all times. Any failure to adhere to the requirements of this Policy may result in disciplinary action being taken.
5.0 Document Control
This Policy needs to be formally reviewed on an annual basis, at a minimum, or if required changes are identified to address one or more of the following:
- A change in business activities, which will or could possibly affect the current operation of the Company Information Security Management System, and the relevance of this document.
- A change in the manner in which the Company manages or operates its information assets and/or their supporting assets, which may affect the accuracy of this document.
- An identified shortcoming in the effectiveness of this Policy, for example as a result of a reported information security incident, formal review or an audit finding.