If you’re planning on taking the Security+ exam, you should have a basic understanding of personnel policies such as a policy that reminds users to secure sensitive data.
For example, can you answer this question?
Q. A security manager is reviewing security policies related to data loss. Which of the following is the security administrator MOST likely to be reviewing?
A. Clean desk policy
B. Separation of duties
C. Job rotation
D. Change management
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Personnel Policies
Companies frequently develop policies to specifically define and clarify issues related to personnel. This includes personnel behavior, expectations, and possible consequences. Personnel learn these policies when they are hired and as changes occur. Some of the policies directly related to personnel are acceptable use, mandatory vacations, separation of duties, job rotation, and clean desk policies. This post covers clean desk policies.
Clean Desk Policy
A clean desk policy directs users to keep their areas organized and free of papers. The primary security goal is to reduce the risk of security incidents by ensuring that sensitive data is protected. More specifically, it helps prevent data theft and the inadvertent disclosure of information.
Imagine an attacker going into a bank for a bank loan and meeting a loan officer. The loan officer has stacks of paper on his or her desk, including loan applications from various customers. If the loan officer steps out, the attacker can easily grab some of the documents, or simply take pictures of the documents with a mobile phone.
Beyond security, organizations want to present a positive image to customers and clients. Employees whose desks are cluttered with piles of paper can easily turn off customers.
However, a clean desk policy doesn’t just apply to employees who meet and greet customers. It also applies to employees who don’t interact with customers. Just as dumpster divers can sort through trash to gain valuable information, anyone can sort through papers on a desk to learn what they contain. It’s best to secure all papers to keep them away from prying eyes. Some items left on a desk that can present risks include:
- Keys
- Cell phones
- Access cards
- Sensitive papers
- Logged-on computers
- Printouts left in the printer
- Passwords on Post-it notes
- File cabinets left open or unlocked
- Personal items such as mail with Personally Identifiable Information (PII)
Some people want to take a clean desk policy a step further by scrubbing and sanitizing desks with antibacterial cleaners and disinfectants on a daily basis. They are free to do so, but that isn’t part of a security-related clean desk policy.
Remember this
A clean desk policy requires users to organize their areas to reduce the risk of possible data theft. It reminds users to secure sensitive data and may include a statement about not writing down passwords.
Q. A security manager is reviewing security policies related to data loss. Which of the following is the security administrator MOST likely to be reviewing?
A. Clean desk policy
B. Separation of duties
C. Job rotation
D. Change management
The answer is A. A clean desk policy requires users to organize their areas to reduce the risk of possible data theft and password compromise.
A separation of duties policy separates individual tasks of an overall function between different people.
Job rotation policies require employees to change roles on a regular basis.
Change management helps reduce unintended outages caused by changes.