Clean Desk Policy-Preview
This document contains Private or Internal Use Only Information and should not be shared with
third parties.
Clean Desk Policy
Revision History
1.1 March 2018 5.g Dave Gwilliam Removed cable lock requirement
1.3 March 2019 5.b, 6 Gina Bruno Replace with 5.n redundant
Private Information, Internal Use Only. Do not share with third parties.
Table of Contents
Revision History
1. Overview
2. Purpose
3. Scope
5. Policy
7. Exceptions
8. Enforcement
1. Overview
A clean desk policy helps ensure that all sensitive/confidential materials are removed from
an end user workspace and locked away when the items are not in use or an employee
leaves his/her workstation. It is one of the top strategies to utilize when trying to reduce the
risk of security incidents/breaches in the workplace. Such a policy can also increase
employees' awareness about protecting sensitive information.
2. Purpose
The purpose of this policy is to establish the minimum requirements for maintaining a
“clean desk” – where sensitive/confidential information about our employees, our intellectual
property, our customers and our vendors as defined in the Data Classification and Handling
Policy is secure in locked areas and out of sight. A Clean Desk policy is a standard practice
under various frameworks such as NIST 800-53, SANS Top 20 and ISO 27001/17799,
and it is also part of standard basic privacy controls.
3. Scope
This policy applies to all Verisk Analytics employees (full and part time), contractors and its
member companies regardless of location. It applies whether working in the office or in a remote
location.
5. Policy
a. Employees are required to ensure that all sensitive/confidential information in
hardcopy or electronic form is secure in their work area at the end of the day and
when they are expected to be gone for an extended period.
b. Clear your screen and lock your computer when away from your desk.
c. Computer workstations must be shut down completely or locked at the end of the
work day.
d. Any Sensitive/Confidential information must be removed from the desk and locked in
a drawer when the desk is unoccupied and at the end of the work day.
e. File cabinets containing Sensitive/Confidential information must be kept closed and
locked when not in use or when not attended.
f. Keys used for access to Sensitive/Confidential information must not be left at an
unattended desk.
g. Passwords may not be left on sticky notes posted on or under a computer, nor may
they be left written down in an accessible location.
6. Policy Compliance
Managers and/or their designees will be responsible for the area’s compliance with this policy
through various methods, including but not limited to periodic walk-throughs. Documentation of
the review and any issues identified must be remediated and reported to senior
management (see Section 8).
7. Exceptions
There are no exceptions to this policy. While our intent is to operate in compliance with
enterprise policies, on occasion extenuating circumstances prohibit full compliance. For
these circumstances, policy exceptions and acceptance of high risk conditions require
formal review and approval by the business unit head, and by the Enterprise Risk
Management Committee (ERMC). For the definition and required actions, see section 5.4 -
Policy Exceptions and Risk Acceptance and Appendix B of the Verisk Risk Policy.
8. Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to
and including termination of employment.
9. RACI Chart
Roles and Responsibilities corresponding to each key Clean Desk Practice
Clean Desk: A R R R R C C
Locking Computer and/or other devices: A R R R R C C
Locking Cabinets containing Sensitive / Confidential Data: A R R R R C C
Prateek Sharma
2022-10-10 12:01 UTC