1. Purpose, scope, and users
The purpose of this policy is to define rules to prevent unauthorized access to information in workspaces, in order to maintain a “clean office” – where sensitive or critical information about our employees, our intellectual property and trade secrets, our customers, and our vendors is secured in locked areas, cleaned from whiteboards, or securely disposed of.
To improve the security, privacy and confidentiality of information, Resolver has adopted a Clean Office Policy for all employee workspaces, meeting rooms, and common areas. This ensures that all sensitive, private, and confidential information, whether it be on paper, a storage device, a whiteboard, or a PC is properly locked away, cleared, or disposed of when a workstation, meeting room, or common area is not in use.
This policy will increase employees’ awareness about protecting sensitive information and will reduce the risk of unauthorized access to, loss of, and damage to information during and outside of normal business hours or when workstations, meeting rooms, and common areas are left unattended.
This policy applies to all Resolver employees and contractors.
2. Reference documents
- ISO/IEC 27001:2013 standard, controls A.11.2.8 and A.11.2.9
- ISO/IEC 27701:2019 standard, clause 6.8.2.9
- EU GDPR Article 32
- Information Security Policy
- Corporate Data Handling Policy
3. Resources
To help employees comply with this policy, Resolver will provide these necessary tools:
- Locking file cabinets for storage.
- Locking cabinet for documents to be shredded.
- Secure virtual storage via Box, DocuSign, and network shares.
- Hardware cable locks to secure computers.
- Whiteboard cleaning supplies, nightly whiteboard cleaning in meeting rooms.
4. Definitions
Confidential Data is any information pertaining to our customers, our employees, our software, our company, our intellectual property, trade secrets, or know-how (including source code, design documents, processing algorithms, and methodologies), financial information, business plans, and product plans not available in the public domain through Resolver’s willful dissemination.
In terms of information, privacy is the right of an individual to have some control over how his or her personal information (or personal health information) is collected, used, and/or disclosed.
Privacy concerns people, whereas confidentiality concerns data.
5. Clear desk and clear screen policy
All information classified as “Resolver Internal,” “Resolver Confidential,” and “Customer Confidential” as specified in the Resolver Corporate Data Handling Policy is regarded as sensitive in this Policy document.
5.1 Workplace protection
5.1.1 Clear desk policy
- Employees are required to ensure that all classified data in hardcopy or electronic form, including paper notebooks, printed sheets, and mass storage devices such as CDs, DVDs, and USB drives, is removed from their desks and other places (printers, fax machines, photocopiers, etc.) to prevent unauthorized access in their work area.
- This must be done at the end of the day and anytime an employee expects to be gone from their desk for an extended period (greater than 60 minutes) and when they vacate a meeting room or common area.
- Equipment is to be stored in the Personal Effects Drawer (PED) to protect it from unauthorized access. Employees must have their PED key with them at all times.
- Alternatively, IT can supply a Kensington Laptop Lock for employees to lock their laptops to their workstations. This is primarily for employees who leave their laptops at the office overnight.
- Such documents and media must be stored in a secure manner in accordance with the Resolver Corporate Data Handling Policy.
5.1.2 Clear screen policy
- If the authorized user is not at his/her workplace, all sensitive information must be removed from the screen, and access must be denied to all systems for which the person has authorization.
- PCs and tablets must be screen-locked when a workspace is unoccupied.
- PCs and tablets must be physically locked to the desk or removed from the desk and locked in a drawer or filing cabinet when a workspace is unoccupied for an extended period (greater than 60 minutes).
- File cabinets containing Confidential Data, including Personally Identifiable Information (PII), must be kept closed and locked when not in use or unattended.
- Keys for accessing drawers or filing cabinets should not be left on a desk.
- Passwords should never be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
5.2 Protection of shared facilities and equipment
- All whiteboards must be cleaned at the end of a meeting; Resolver cleaning staff will clean all whiteboards nightly.
- All waste paper that contains Confidential Data, including Personally Identifiable Information (PII), must be placed in the designated confidential waste bins. Under no circumstances should this information be placed in regular waste paper bins.
- Printers and fax machines should be treated with the same care under this policy:
  - Documents containing sensitive information must immediately be removed from printers, faxes, and copy machines.
  - When possible, the “Locked Print” functionality should be used.
- All paperwork left over at the end of the workday will be properly disposed of.
6. Compliance
Compliance with this policy will be officially monitored by your direct manager, IT, InfoSec, and HR team members, and monitoring may include inspections. The InfoSec team will verify compliance with this policy through various methods, including, but not limited to, random inspections, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to this policy must be approved in advance by the InfoSec team.
7. Non-Conformance
All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
8. Validity and document management
This document is valid as of August 2023.
The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
- The number of incidents arising from the unclear definition of the ISMS scope.
- The number of corrective actions taken due to an inadequately defined ISMS scope.
- Time put in by employees implementing the ISMS to resolve dilemmas concerning the unclear scope.
EFFECTIVE ON: August 2023
REVIEW CYCLE: Annual at least and as needed