UM Clean Desk Clear Screen Standard
UM Information Security Office - Area: INFORMATION SECURITY POLICY
Document History
Date | Document Version | Revision Description | Author |
---|---|---|---|
10/24/2023 | 1.0 | New Document | Neff, CISO |
12/4/2023 | 1.1 | Major revisions | Neff, CISO |
Approvals
Approval Date | Approved Version | Approver Role | Approver |
---|---|---|---|
12/4/2023 | 1.1 | CISO | Neff, CISO |
Introduction
This Standard operates under the UM Information Security Policy. The Clean Desk and Clear Screen Standard reduces the risks of unauthorized access, loss of and damage to University Data during and outside normal working hours. UM and Montana University Systems policies require the protection of sensitive and protected data from unauthorized access. Additionally, much of the University’s data must be protected per legal and contractual requirements.
This Standard applies to all University workforce members and any other person utilizing any form of University information technology or having responsibility for University Data stored in an alternate format, such as paper. This standard covers any papers, removable storage media and any computing devices that contain or display University Data regardless of location.
STANDARD
A clean desk and clear screen standard is an important tool to ensure that sensitive and confidential materials are removed from a user workspace and locked away when the items are not in use or a user leaves their workstation. It is one of the main strategies utilized when attempting to reduce the risk of information exposure in the workplace.
Whenever unattended or not in use, all computing devices must be left logged off or protected with a screen or keyboard locking mechanism controlled by a password or similar user authentication mechanism (this includes laptops, tablets, smartphones and desktops).
When viewing sensitive information on a screen, users should be aware of their surroundings and should ensure that third parties are not permitted to view the sensitive information.
Sensitive or critical business information, e.g., on paper or on electronic storage media, must be secured when not required, especially when the office is vacated at the end of the workday.
The creation of hardcopy material including personally identifiable information should be restricted to the minimum needed to fulfil the identified processing purpose. Paper containing sensitive or classified information must be removed from printers and faxes immediately. Faxes and printers used to print sensitive information should not be in public areas. Any time a document containing sensitive information is being printed, the user must confirm that the proper printer is chosen and go directly to the printer to retrieve the document.
Sensitive information on paper or electronic storage media that is to be shredded must not be left in unattended boxes or bins to be handled later and must be secured until the time that they can be shredded.
Procedures
The UM Information Security Advisory Council will review and, if necessary, revise the UM Acceptable Use of Technology Resources Policy once a year. Even if it is deemed no revision is necessary, it will be re-certified once a year.
References
- UM IT Data Governance Policy
- UM IT Data Classification and Stewardship Standard
- UM IT Security Policy