5.5 Clean Desk Policy
I. Purpose
The purpose for this policy is to establish the minimum requirements for maintaining a clean desk where restricted data about the college’s faculty, staff, students, and operations is secured and out of site. A clean desk policy is one of the top strategies utilized when trying to reduce the risk of security breaches in the environment. This policy will also assist in increasing awareness about protecting the college’s restricted data.
II. Scope
This policy applies to employees, agents, students, and representatives of the college that have access to the College’s Information Technology Resources.
This policy covers any papers, documents, removable storage media and any computing devices that contain or display restricted data.
III. General
Definitions
Information Technology Resource(s) – includes but is not limited to the following: computer and networking equipment, workstations, laptops, software, operating systems, storage devices and media, network accounts, email services and email accounts, Internet browsing and related services, voice mail, applications, scanning and fax systems, tablets, and smartphones.
Computing Device - includes but is not limited to all workstations, laptops, tablets, and smartphones.
Restricted Data - include but are not limited to Social Security Number, Student Financial Aid Data, Student Conduct Records, and Bank Account numbers. For a detailed definition, please refer to the Institutional Data Security and Protection Policy
Policy
- Whenever unattended or not in use all computing devices must be logged off or protected with a screen or keyboard locking mechanism that is controlled by a password or biometric technology.
- When viewing restricted data on a screen, users should be aware of their surroundings and should ensure that third parties are not permitted to view the restricted data.
- Whenever unattended, portable media, such as CDs or USB drives that contains restricted data should never be left in drives or attached to a user’s computer.
- Passwords must not be posted on, under a computer device, or in any other accessible location.
- Users are required to ensure that all restricted data in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period of time.
- File cabinets containing restricted data should be kept closed and locked when not in use or when not attended and the keys used to access the file cabinets should not be left at an unattended location.
- Paper containing sensitive or classified information must be removed from printers and faxes immediately.
- Restricted information on paper or electronic storage media that is to be shredded must not be left in unattended boxes or bins. The documents or media that contain the restricted information must be secured until the time that they can be shredded.
- Restricted data written on whiteboards must be erased.
- Any exception to the policy must be approved by the responsible college officer in advance.
- Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
IV. Procedures
Compliance
Information Technology Services (ITS) team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, internal and external audits, and feedback to the responsible college officer.
V. Approval
President – June 5, 2018
VI. Responsibility
Vice President, Technology and CTO