9 January 2020
A clean desk policy can be an important tool to ensure that all sensitive/confidential materials are removed from an end user workspace and locked away when the items are not in use or an employee leaves his or her workstation. It is one of the top strategies to utilize when trying to reduce the risk of security breaches in the workplace. Such a policy can also increase employees' awareness about protecting sensitive information. This policy supports compliance with the POPI Act, Condition 7: Security safeguards, as well as the Information Security Standard ISO 27001 and the Quality Standard ISO 9001.
The purpose of this policy is to establish the minimum requirements for maintaining a "clean desk": one where sensitive information about our employees, our intellectual property, our customers and our vendors is secure in locked areas and out of sight. A clean desk policy is not only ISO 27001 compliant, but it is also part of standard basic privacy controls.
This policy applies to all <Company Name> employees and contractors.
Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secured in their work area at the end of the day and when they are expected to be gone for an extended period.
Computer workstations must be locked when the workspace is unoccupied.
Computer workstations must be shut completely down at the end of the work day.
Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day.
File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended.
Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.
Laptops must be either locked with a locking cable or locked away in a drawer.
Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
Printouts containing Restricted or Sensitive information should be immediately removed from the printer.
Upon disposal, Restricted or Sensitive documents should be shredded in the official shredder bins or placed in the locked confidential disposal bins.
Whiteboards containing confidential information should be erased.
Lock away portable computing devices such as laptops and tablets.
Treat mass storage devices such as CDROM, DVD or USB drives as a potential source of loss and secure them in a locked drawer.
All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that confidential documents are not left in printer trays for the wrong person to pick up.
The <Company Name> management team will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to the policy must be approved by the <Company Name> management team in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
This document is based on material available at www.sans.org.