Document ID: CDCS-001
Version: 1.0
Effective Date: ____________________
Approved By: ____________________
Last Review Date: ____________________
Next Review Date: ____________________
1. Purpose
The purpose of this Clean Desk / Clear Screen Policy is to establish requirements for protecting organizational information by ensuring that physical workspaces and electronic displays are secured when not actively in use.
Maintaining clean desks and clear screens reduces the risk of unauthorized access, accidental disclosure, theft of information, and loss of confidential or regulated data.
2. Scope
This policy applies to:
- Employees
- Contractors
- Consultants
- Temporary workers
- Interns
- Volunteers
- Board members
- Vendors
- Third-party service providers
- Managed Service Providers (MSPs)
- Any individual authorized to access organizational information
This policy applies in the following locations:
- Offices
- Cubicles
- Conference rooms
- Reception areas
- Shared workspaces
- Home offices used for business
- Customer locations
- Temporary workspaces
- Remote work environments
It also applies to:
- Paper documents
- Computers
- Laptops
- Mobile devices
- Tablets
- Whiteboards
- Printed reports
- Portable storage media
- Any physical or electronic media containing organizational information
3. Policy Statement
Users shall secure physical documents, portable media, and electronic displays whenever workspaces are unattended or at the end of the workday.
Workspaces shall be maintained in a manner that minimizes the risk of unauthorized access to organizational information.
4. Guiding Principles
The organization follows these principles:
- Need-to-Know
- Least Privilege
- Protection of Confidential Information
- Security by Default
- Individual Accountability
- Physical Security
- Privacy by Design
5. Clean Desk Requirements
Users shall maintain workspaces free of unnecessary exposure of organizational information.
When leaving a workspace unattended or at the end of the workday, users shall:
- Remove confidential documents from desks.
- Secure documents in approved storage locations.
- Remove printed reports containing sensitive information.
- Secure portable storage media.
- Remove notes containing passwords or authentication information.
- Store sensitive materials in locked cabinets or approved secure locations where appropriate.
Only information actively needed for work should remain on desks.
6. Clear Screen Requirements
Users shall:
- Lock computer screens whenever leaving their workspace.
- Log off shared computers when work is complete.
- Close applications displaying confidential information when no longer needed.
- Minimize the display of sensitive information whenever practical.
Electronic displays shall not remain accessible to unauthorized individuals.
7. Printed Documents
Printed documents containing confidential or regulated information shall:
- Be collected promptly from printers.
- Not be left unattended in shared printer areas.
- Be securely stored when not in use.
- Be securely destroyed when no longer required.
Users shall avoid unnecessary printing of sensitive information.
8. Whiteboards and Meeting Rooms
Users shall:
- Erase confidential information from whiteboards after meetings.
- Remove printed meeting materials.
- Collect notes and handouts.
- Secure presentation materials containing sensitive information.
- Ensure conference rooms do not retain confidential information after use.
9. Portable Storage Media
Portable media, including USB drives, external hard drives, memory cards, and optical media, shall:
- Be stored securely.
- Not be left unattended.
- Be protected according to the organization’s Media Protection Policy.
- Be removed from workstations when not in use.
10. Remote Work
Users working remotely shall:
- Secure business documents when not in use.
- Prevent family members, visitors, or unauthorized individuals from viewing confidential information.
- Lock devices whenever unattended.
- Secure portable devices during travel.
- Follow organizational remote work security requirements.
11. Shared Workspaces
When using shared workspaces, users shall:
- Remove all business materials upon departure.
- Log off shared computers.
- Remove notes and documents.
- Verify no confidential information remains visible.
- Leave the workspace ready for the next authorized user.
12. Disposal of Information
Information shall be disposed of securely.
Examples include:
- Approved shredding for paper records.
- Secure destruction of portable media.
- Approved electronic media sanitization.
- Compliance with the organization’s Record Retention and Media Sanitization Policies.
Information shall not be discarded in ordinary waste containers if secure disposal is required.
13. Visitors
When visitors are present:
- Confidential documents shall not be left unattended.
- Computer screens displaying sensitive information shall be protected.
- Visitors shall not have unsupervised access to confidential information.
- Meeting materials shall be removed after use.
14. Monitoring
Compliance with this policy may be evaluated through:
- Physical security inspections
- Security walkthroughs
- Internal audits
- Compliance assessments
- Incident investigations
Monitoring shall comply with applicable laws and organizational policies.
15. Reporting Security Concerns
Users shall immediately report:
- Lost confidential documents
- Unauthorized access to physical information
- Information left unattended
- Lost portable media
- Physical security concerns
- Privacy incidents
Security incidents shall be handled according to the Incident Response Policy.
16. Exceptions
Exceptions require:
- Documented business justification
- Risk assessment
- Management approval
- Information Security approval where applicable
- Compensating security controls
- Periodic review
17. Responsibilities
Executive Management
- Support physical information security
- Allocate appropriate resources
- Promote security awareness
Managers
- Ensure employees understand this policy
- Support compliance
- Address policy violations
Facilities Management
- Maintain secure storage areas
- Support physical security controls
- Coordinate secure document disposal where applicable
IT Department
- Configure automatic screen locking
- Support secure endpoint configurations
- Maintain secure printing technologies where applicable
Information Security
- Define clean desk and clear screen standards
- Conduct compliance assessments
- Investigate security incidents
- Provide security awareness training
Users
- Maintain clean workspaces
- Secure confidential information
- Lock devices when unattended
- Dispose of information securely
- Report security concerns promptly
18. Compliance
Compliance with this policy is mandatory.
Violations may result in:
- Removal of system access
- Disciplinary action
- Contract termination
- Legal action where applicable
19. Policy Review
This policy shall be reviewed at least annually or following:
- Significant technology changes
- Security incidents
- Regulatory updates
- Organizational restructuring
- Audit findings
20. Related Policies
- Information Security Policy
- Screen Privacy Policy
- Device Locking Policy
- Physical Security Policy
- Remote Work Security Policy
- Data Classification Policy
- Data Protection Policy
- Media Protection Policy
- Media Sanitization Policy
- Record Retention Policy
- Endpoint Security Policy
- Incident Response Policy
Document Objective
This Clean Desk / Clear Screen Policy establishes the organization’s requirements for protecting physical and electronic information from unauthorized access through proper workspace management and screen security practices. It provides a vendor-neutral framework for securing documents, portable media, workstations, meeting spaces, and electronic displays in office, remote, and hybrid work environments. This policy supports the protection of confidential information and aligns with recognized security frameworks and standards, including NIST CSF, ISO/IEC 27001, CIS Controls, SOC 2, HIPAA, PCI DSS, CMMC, and the FTC Safeguards Rule.