A.7.7 — Is a clear-desk and clear-screen policy in place and enforced?
Demonstrate that the organization enforces policies requiring physical documents and sensitive information to be secured when workspaces are unattended, and that computer screens are locked or blanked to prevent unauthorized visual access.
Description
What this control does
A clear-desk and clear-screen policy requires employees to secure physical and digital information whenever it is not in active use. Clear-desk mandates removing sensitive documents from workspaces at the end of the day or whenever a workspace is unattended; clear-screen requires locking computer sessions during absences. The policy prevents unauthorized visual access to confidential information, reduces shoulder-surfing risk, and limits the data exposed by theft of, or unauthorized physical access to, unattended workstations.
Control objective
What auditing this proves
Demonstrate that the organization enforces policies requiring physical documents and sensitive information to be secured when workspaces are unattended, and that computer screens are locked or blanked to prevent unauthorized visual access.
Associated risks
Risks this control addresses
- Unauthorized individuals gaining access to confidential documents left on desks during employee absences or after business hours
- Shoulder-surfing attacks where visitors, contractors, or unauthorized personnel view sensitive information displayed on unlocked screens
- Data theft through photographing or copying documents left unsecured on desks, printers, or shared work surfaces
- Insider threats exploiting unattended workstations to access systems using another employee's active session
- Regulatory non-compliance and breach notification obligations triggered by physical exposure of personal or health information
- Loss of intellectual property or trade secrets through visual reconnaissance during facility tours or maintenance visits
- Social engineering attacks facilitated by information gathered from visible documents, sticky notes with passwords, or unlocked email clients
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's documented clear-desk and clear-screen policy, noting specific requirements for document storage, screen locking timeouts, and enforcement mechanisms
- Interview a sample of employees across different departments to verify awareness of policy requirements and understanding of procedures for securing workspaces and locking screens
- Conduct unannounced physical walkthroughs of work areas at the end of business hours to observe compliance with clear-desk requirements, documenting instances of unsecured documents, unlocked drawers, or visible sensitive information
- Perform random spot-checks during business hours when employees are away from desks to verify screens are locked and documents are not left accessible on work surfaces
- Review endpoint device configurations to confirm automatic screen lock settings are enforced via Group Policy or Mobile Device Management, including timeout duration (typically 5-15 minutes of inactivity)
- Examine security awareness training materials and attendance records to verify clear-desk and clear-screen requirements are included in onboarding and annual refresher training
- Review incident reports and security audit findings from the past 12 months for violations of clear-desk or clear-screen policy and verify corrective actions were documented and implemented
- Interview facilities and security personnel to understand monitoring procedures, such as security camera footage review or guard patrol checklists used to enforce policy compliance
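The endpoint configuration review above can be partly automated. The following PowerShell script is an added example written for this checklist, not part of the original control text and not a tool from any standards body; it reads the Windows registry locations that Group Policy and MDM write when they enforce "Interactive logon: Machine inactivity limit" and the password-protected screen saver policies, and reports whether each is configured within an assumed maximum idle timeout. The 900-second threshold, the script name, and the PASS/FAIL wording are assumptions chosen for the example; the 15-minute figure comes from the "typically 5-15 minutes" guidance in the testing procedure.

```powershell
# Check-ScreenLockPolicy.ps1 (added example; the script name is an assumption)
# Reads the policy registry values behind screen-lock enforcement on Windows
# and reports whether they satisfy an assumed maximum idle timeout.
# Assumptions: the audited host is Windows, the script runs as the logged-on
# user (so HKCU reflects that user's applied policy), and 900 s (15 min) is the
# organization's maximum allowed idle time before the screen locks.

param(
    [int]$MaxIdleSeconds = 900   # assumed threshold: 15 minutes
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # value not set by policy at this location
    }
}

# Machine-wide limit set by "Interactive logon: Machine inactivity limit".
$machineLimit = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

# Per-user values set by the "Enable screen saver", "Password protect the
# screen saver" and "Screen saver timeout" policies (stored as strings).
$userPath  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ssActive  = Get-PolicyValue $userPath 'ScreenSaveActive'
$ssSecure  = Get-PolicyValue $userPath 'ScreenSaverIsSecure'
$ssTimeout = Get-PolicyValue $userPath 'ScreenSaveTimeOut'

$findings = @()

if ($null -ne $machineLimit -and [int]$machineLimit -gt 0 -and [int]$machineLimit -le $MaxIdleSeconds) {
    $findings += "PASS: machine inactivity limit enforced by policy ($machineLimit s)"
} elseif ($null -ne $machineLimit) {
    $findings += "FAIL: machine inactivity limit is $machineLimit s, outside the allowed maximum of $MaxIdleSeconds s"
} else {
    $findings += "INFO: no machine inactivity limit configured by policy"
}

if ($ssActive -eq '1' -and $ssSecure -eq '1' -and $null -ne $ssTimeout -and [int]$ssTimeout -le $MaxIdleSeconds) {
    $findings += "PASS: password-protected screen saver enforced by policy after $ssTimeout s"
} else {
    $findings += "FAIL: screen saver policy missing or not password protected (active=$ssActive secure=$ssSecure timeout=$ssTimeout s)"
}

# A PASS here shows the values exist under the Policies keys, which only
# Group Policy or MDM normally write; confirm the source with gpresult or the
# MDM console's policy report rather than relying on the registry alone.
$findings += "INFO: corroborate with 'gpresult /r' or the MDM policy report"

$findings
```

Run it on a sample of endpoints from different departments and record the output alongside the walkthrough findings; a PASS on both checks shows the lock is enforced centrally, while values present only under the user's own HKCU\Control Panel\Desktop key (not the Policies path) indicate a personal preference that the user could switch off, which does not satisfy the control.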