tracker

TQMC

TQMC has acquired wide Domain Knowledge and Experience. You can FREELY access it here and here

DISCLAIMER: This matter here is a guide only. For authentic and up-to-date information, please contact TQMC.

The DIRECTIVES and STANDARDS listed here may have been subsequently REVISED . You must refer to the CURRENT REVISION and AMENDMENTS if any.

Tuesday, June 15, 2010

Clear desk and clear screen policy


Clear desk and clear screen policy

Please note that as this policy is periodically reviewed and updated, if you print it from the website, its accuracy cannot be guaranteed for more than a 24 hour period following printing.

HFRS staff shall comply with the Clear Desk and Clear Screen Policy:

  • Lock away all sensitive and valuable documents (paper and magnetic) in cabinets or desk drawers (as appropriate) when the desk is unattended for an extended period - for example when away for meetings, at lunch times, or overnight.
  • Log off computers and windows terminals when unattended by pressing ctrl alt del. At cease of work close down all the applications and log off/shutdown the workstation.
  • Hampshire Fire and Rescue Service employs a screensaver policy that secures computers with a 15-minute lockout policy.  The policy activates a password protected screensaver whenever a workstation is not used for 15 minutes.  When a user returns to their computer after that time, they must enter the workstation’s password in order to unlock the console.
In addition when in Hantsfirenet a policy activates a password protected screensaver whenever a session is not used for 15 minutes.  
  • If, in an emergency, you need to leave the office quickly, e.g. a fire alarm or emergency call invoke the password-protected screensaver, only if it is safe to do so, so that unauthorised personnel cannot use it.
  • Ensure that any documents or magnetic media, or other removable media such as CDs, DVDs etc are safely stored away.
  • Remember that it is a fundamental principle that knowledge or possession of sensitive information is to be strictly limited to those Users that have a need to know and appropriate privileges.  HFRS users are to adhere to this principle.
  • Be aware of positioning your screen so that sensitive information cannot be read by others.
  • Be aware of leaving your access badge or HFRS issued security keys on your desk.

For Laptops:

  • Log off laptops when left unattended for an extended period of time. and at cease of work close down all the applications and log off/shutdown the laptop and lock the laptop away.
  • If, in an emergency, you need to leave the office quickly, e.g. a fire alarm or emergency call invoke the password-protected screensaver, only if it is safe to do so, so that unauthorised personnel cannot use it.


Source

Dejan has rightly put the first step first. You need to evaluate the
risk associated with open and unattended desktops and tables with many
critical documents scattered on it.If it is required, based on
business function, you should opt for such policy. Any security policy
should not be an additional burden on employees. However, in critical
business processes policies are not burden but necessity.

Once you have identified critical business processes which needs these
two policies, its operational staff should be trained. Make them aware
about the need, their importance to adhere to the policy, impact of
policy breach on themselves as well as on the organization as a whole.
Once you make them aware about how critical role they play in
processing critical information, they will feel empowered and vital
part of the process. At the same time, make them aware about other
detective controls which will capture unsolicited activities from them
and relevant punitive measures. This will help in preventing
inculcation of fraudulent behavior because of empowerment.

In Sanskrit, these processes are known as Saam, Daam, Dand and Bhed,
defined as follows:

Saam (convince) - convince them about the importance of such policy
Daam (Money) - Announce monetary rewords for adhering to the policies
and eliminating fraud
Dand (fine/penalties) - Announce the punitive measures very discreetly
Bhed (Differentiation) - Make them aware about the management's
approach of differentiation of policy abiding employees from others
which will help them in hierarchy progression

Hope this helps.

Regards.

Kishore

No comments:

Post a Comment