
Clean Desk Policy

VERSION 1.3 June 2019

This document contains Private or Internal Use Only Information and should not be shared with
third parties.


Revision History

Version | Date        | Section | Author        | Description
1       | May 2016    | All     | Gina Bruno    | Initial Draft
1       | August 2016 | All     | ER&C          | Review
1       | March 2017  | All     |               | Approved by Senior VP ER&C
1.1     | March 2018  | 5.g     | Dave Gwilliam | Removed cable lock requirement
1.2     | March 2018  | 3, 5    | Gina Bruno    | Added to scope applicability to working in office or working remotely. Removed duplicate statement regarding printers and fax documents
1.3     | March 2019  | 5.b, 6  | Gina Bruno    | Replace with 5.n redundant
        | June 2019   | All     | ERC           | Annual Review and Approval


Table of Contents
Revision History
1. Overview
2. Purpose
3. Scope
4. Roles and Responsibilities - Security Organization
5. Policy
6. Policy Compliance
7. Exceptions
8. Enforcement
9. RACI Chart


1. Overview
A clean desk policy helps ensure that all sensitive/confidential materials are removed from
an end user's workspace and locked away when the items are not in use or when the employee
leaves the workstation. It is one of the most effective strategies for reducing the risk of
security incidents and breaches in the workplace. Such a policy also raises employees'
awareness of the need to protect sensitive information.

2. Purpose
The purpose of this policy is to establish the minimum requirements for maintaining a
"clean desk", where sensitive/confidential information about our employees, our intellectual
property, our customers and our vendors, as defined in the Data Classification and Handling
Policy, is secured in locked areas and kept out of sight. A clean desk policy is a standard
practice under frameworks such as NIST 800-53, the SANS Top 20 and ISO 27001/17799, and it
is also one of the basic privacy controls.

3. Scope
This policy applies to all Verisk Analytics employees (full and part time), contractors and its
member companies regardless of location. It applies whether working in the office or from a
remote location.

4. Roles and Responsibilities - Security Organization

Verisk Analytics and its member companies shall define roles and objectives to delineate
the responsibilities of the organization with respect to each of the key Clean Desk
practices. See the RACI Chart in Section 9.

5. Policy
a. Employees are required to ensure that all sensitive/confidential information in
hardcopy or electronic form is secured in their work area at the end of the day and
whenever they expect to be away for an extended period.
b. Clear your screen and lock your computer whenever you are away from your desk.
c. Computer workstations must be shut down completely or locked at the end of the
work day.
d. Any Sensitive/Confidential information must be removed from the desk and locked in
a drawer when the desk is unoccupied and at the end of the work day.
e. File cabinets containing Sensitive/Confidential information must be kept closed and
locked when not in use or when unattended.
f. Keys used for access to Sensitive/Confidential information must not be left at an
unattended desk.
g. Passwords may not be left on sticky notes posted on or under a computer, nor may
they be written down in any accessible location.


h. Printouts containing Sensitive/Confidential information should be removed from
printers and fax machines immediately.
   i. Consider installing Print Release on printers, so that a job is printed only when
   its owner authenticates at the device.
   ii. Consider scanning documents and filing them electronically.
i. Upon disposal, Sensitive/Confidential documents should be shredded in the official
shredder bins or placed in the locked confidential disposal bins.
j. Whiteboards containing Sensitive/Confidential information should be erased.
k. Lock away portable computing devices such as laptops and tablets.
l. Treat removable storage media such as CD-ROMs, DVDs or USB drives as sensitive and
secure them in a locked drawer.
m. Equipment and media taken off premises should not be left unattended in public
places.
n. Be aware of your surroundings to guard against eavesdropping and shoulder surfing.

6. Policy Compliance
Managers or their designees are responsible for their area's compliance with this policy,
verified through various methods including, but not limited to, periodic walk-throughs. Each
review must be documented, and any issues identified must be remediated and reported to
senior management (see Section 8).

7. Exceptions
This policy has no standing exceptions. While our intent is to operate in compliance with
enterprise policies, on occasion extenuating circumstances prevent full compliance. In
those circumstances, policy exceptions and acceptance of high-risk conditions require
formal review and approval by the business unit head and by the Enterprise Risk
Management Committee (ERMC). For the definition and required actions, see Section 5.4 -
Policy Exceptions and Risk Acceptance and Appendix B of the Verisk Risk Policy.

8. Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to
and including termination of employment.


9. RACI Chart
Roles and Responsibilities corresponding to each key Clean Desk Practice

Task                                                    | Business Owner | Data Owner | Application Owner | System Owner | Workforce Services | Global Security | Information Risk Officer
Clean Desk                                              | A | R | R | R | R | C   | C
Locking Computer and/or other devices                   | A | R | R | R | R | C   | C
Locking Cabinets containing Sensitive/Confidential Data | A | R | R | R | R | C   | C
Printers and Fax Machines                               | A | R | R | R | R | C   | C
Ensuring Compliance with Policy                         | A | R | R | R | R | C   | C
Exceptions                                              | A | R | R | R | R | I/C | I/C

Legend: R=Responsible, A=Accountable, C=Consulted, I=Informed

Responsible – who is responsible for doing a task or process.
Accountable – who approves the work or process.
Consulted – who provides knowledge, information, or expertise to help complete the work.
Informed – who needs to know the result of the task/process.

Signed By: Prateek Sharma
2022-10-10 12:01 UTC

I understand that my electronic signature will be binding as though I had physically signed
this document by hand. I agree that a printout of this agreement may be accepted with the
same authority as the original.

1. Clean Desk Policy
Version: 1
Consent Date:
IP Address: The IP address has been recorded as part of your electronic signature.
