Evidence for A.7.7 Clear Desk and Clear Screen would include:
- Policy and Procedures: Documented clear desk and clear screen policies and procedures that set out what employees must do to keep their workspace tidy and secure, so that sensitive information is not left unattended on desks, whiteboards, printers or screens.
- Employee Training: Evidence of security awareness training delivered to employees, specifically covering the clear desk and clear screen rules and the risks of leaving sensitive information exposed (shoulder surfing, theft, unauthorised photographs, data left on shared printers).
- Workstation Configuration: Physical observations and records of workstation configuration showing that the clear screen requirement is enforced technically, for example an automatic session lock after a defined idle period, a password-protected screen saver, and users locking their screen when they step away.
- Physical Inspections: Regular physical inspections (including outside normal hours) of work areas to confirm that employees follow clear desk practices and do not leave sensitive documents or media visible to unauthorised individuals.
- Incident Reports: Records of security incidents related to clear desk and clear screen violations, together with the corrective and preventive actions taken.
- Monitoring and Reporting: Documentation of the monitoring mechanisms used to track and report compliance with the clear desk and clear screen policies, such as inspection results, endpoint configuration reports and repeat-offender trends.
- Disposal Procedures: Procedures for the secure disposal of sensitive information, ensuring that paper documents are shredded and removable media are securely wiped or destroyed rather than left in ordinary waste.
- Clear Desk Audits: Internal audits or assessments that evaluate how effective the clear desk and clear screen practices are across the organisation.
- Management Oversight: Evidence that management promotes and enforces the clear desk and clear screen policies, for example by reviewing inspection results and acting on non-compliance.
By reviewing these pieces of evidence, an auditor can assess whether the organization has implemented appropriate measures to maintain a clean and secure working environment, reducing the risk of unauthorized access to sensitive information and enhancing overall information security.
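The workstation configuration item above is the one point an auditor can verify from the endpoint itself rather than by observation. The script below is an added example, not part of the page or of any ISO 27001 guidance, showing how to collect that evidence on a Windows workstation with PowerShell: it reads the effective screen-saver settings (Group Policy values override the user's own), the machine-wide inactivity limit, and rates the host against an assumed 900-second maximum idle time (`$MaxIdleSeconds`, adjust to your own policy). The registry paths and value names are the standard Windows ones; the threshold and the output layout are this example's assumptions.

```powershell
# Added example (not from the page): audit the local screen-lock configuration
# that a clear screen policy relies on and emit one evidence record.
$MaxIdleSeconds = 900   # assumed policy threshold; set to your own standard

# GPO/Intune-set values live under Policies and take precedence over the
# user's own Control Panel settings.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'
# "Interactive logon: Machine inactivity limit" locks the session regardless
# of screen saver settings.
$systemKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue {
    # Return a registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-EffectiveValue {
    # Prefer the policy-enforced value and fall back to the user's setting.
    param([string]$Name)
    $v = Get-RegValue -Path $policyKey -Name $Name
    if ($null -eq $v) { $v = Get-RegValue -Path $userKey -Name $Name }
    return $v
}

$active     = Get-EffectiveValue 'ScreenSaveActive'     # "1" = screen saver on
$secure     = Get-EffectiveValue 'ScreenSaverIsSecure'  # "1" = password on resume
$timeout    = Get-EffectiveValue 'ScreenSaveTimeOut'    # idle seconds, stored as a string
$inactivity = Get-RegValue -Path $systemKey -Name 'InactivityTimeoutSecs'  # DWORD; 0 or absent = not set

# Either mechanism satisfies the requirement as long as it fires within the threshold.
$saverOk = ($active -eq '1') -and ($secure -eq '1') -and $timeout -and ([int]$timeout -le $MaxIdleSeconds)
$limitOk = ($null -ne $inactivity) -and ($inactivity -gt 0) -and ($inactivity -le $MaxIdleSeconds)

$findings = @()
if ($active -ne '1')  { $findings += 'screen saver disabled' }
if ($secure -ne '1')  { $findings += 'no password required on resume' }
if (-not $timeout -or [int]$timeout -gt $MaxIdleSeconds) { $findings += "screen saver timeout '$timeout' missing or above $MaxIdleSeconds s" }
if (-not $limitOk)    { $findings += 'machine inactivity limit not set or above threshold' }

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    User                  = $env:USERNAME
    ScreenSaverEnabled    = ($active -eq '1')
    PasswordOnResume      = ($secure -eq '1')
    ScreenSaverTimeoutSec = $timeout
    MachineInactivitySec  = $inactivity
    Compliant             = ($saverOk -or $limitOk)
    Findings              = ($findings -join '; ')
    CheckedAt             = (Get-Date).ToString('o')
}
```

Run it in the interactive session of the user being checked (the HKCU values belong to that user) and pipe the output to `Export-Csv` to keep a dated record alongside the physical inspection results. Two caveats for the auditor: a compliant configuration only proves the screen will lock eventually, not that staff lock it when they walk away, so it complements rather than replaces the physical observation, and on managed fleets the same values should be cross-checked against the Group Policy or MDM report so a locally edited registry cannot mask a gap.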