SAMMY UI is optimized for resolutions with a width 1024px and higher.
Cloud Controls Matrix
Browse Cloud Controls...
HRS-03: Clean Desk Policy and Procedures
Clean Desk Policy and Procedures
HRS-03: Are policies and procedures requiring unattended workspaces to conceal confidential data established, documented, approved, communicated, applied, evaluated, and maintained?
The organization should establish and communicate a “clean desk” policy to guide personnel on reducing the risk of unauthorized access to information.

The following guidelines should be considered:
a. Sensitive or critical business information (e.g., on paper or electronic storage media) should be locked away—ideally in a safe, cabinet, or other security furniture—when not required.
b. User endpoint devices should be protected by key locks or other physical security means when not in use.
c. Documents containing sensitive information from multi-function devices (such as printers and other reproduction technologies) should be stored securely. When these documents are no longer required, they should be discarded using secure disposal methods.
d. Whiteboard and other types of displays should be cleared when not required.
e. Computers should be configured to automatically lock the computer screen after an idle period (screen lock timeout).
f. Users should be trained to log out of systems or lock computer screens when not at workstations.

The organization should have procedures to vacate facilities, including conducting a final sweep before leaving to validate the organization's assets are not left behind (e.g., documents fallen behind drawers or furniture)
Control implemented
Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
Control ownership
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually.

Clean Desk Policy and Procedures
HRS-03: Are policies and procedures requiring unattended workspaces to conceal confidential data reviewed and updated at least annually?
The organization should establish and communicate a “clean desk” policy to guide personnel on reducing the risk of unauthorized access to information.

The following guidelines should be considered:
a. Sensitive or critical business information (e.g., on paper or electronic storage media) should be locked away—ideally in a safe, cabinet, or other security furniture—when not required.
b. User endpoint devices should be protected by key locks or other physical security means when not in use.
c. Documents containing sensitive information from multi-function devices (such as printers and other reproduction technologies) should be stored securely. When these documents are no longer required, they should be discarded using secure disposal methods.
d. Whiteboard and other types of displays should be cleared when not required.
e. Computers should be configured to automatically lock the computer screen after an idle period (screen lock timeout).
f. Users should be trained to log out of systems or lock computer screens when not at workstations.

The organization should have procedures to vacate facilities, including conducting a final sweep before leaving to validate the organization's assets are not left behind (e.g., documents fallen behind drawers or furniture)
Control implemented
Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
Control ownership
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually.