Those "clean your desk" emails that appear from time to time within the office can sometimes fall on deaf ears for some of our colleagues. Maybe a VIP is due in town, or maybe a pending audit is due to happen. The clear desk policy (CDP) goes far beyond scrubbing the coffee marks from the tabletop or removing the untidy post-it notes plastered all over the monitor (Google ISO27001 audits).
The main intention, if you are unaware, is to keep the data you hold locked away in your desk, cupboard or other locked areas. In my opinion, your work domain should be treated the same as your house. It's quite an odd thing to say "treat everyone as a potential criminal", but that's not too far from how it should be. Why take the risk when you don't need to? I'll speak about the inside job issues which relate to cyber security in a further entry.
Obviously within this text I am referring to data contained on devices such as USB sticks, CD-ROMs or even your computer itself, which should in reality be locked to the desk, certainly if it is a laptop anyway (see Kensington Locks - http://www.kensington.com/en/gb/4482/locks). Documents as well as USB sticks: this policy, however, goes beyond devices and includes all firm-related details such as documents and notes, which are an information security risk.
Referring to my point on not taking risks, and considering treating everyone as a potential criminal, thoughts of those in your environment should also run through your mind. The kitchen porter, the office cleaner, building security. Again, why take the risk?
A point I would like to mention, which is vitally important, is that you might never know that anything has gone from your desk. That USB stick you left overnight is still there... but can you be sure that it hasn't been copied or duplicated? Obviously it couldn't be, because it was password protected, right?!
CDP is there to protect you as an individual, your firm, and your clients' data. Next time you receive the email, don't take it so lightly.