26

I'm starting to study for Security+ using Darril Gibson's book. I took the pre-exam and one of the questions is “What is the most important security benefit of a clean desk policy?”

The choices are:

  • Prevent illnesses due to viruses and bacteria
  • Presents a positive image to customers
  • **Ensures sensitive data and passwords are secured**
  • Increases integrity of data

The bold answer is correct, and the author's explanation is: A clean desk policy requires users to organize their areas to reduce the risk of possible data theft and password compromise.

Can someone explain what an organized desk has to do with security? I think this question only applies if the user stores his password in paper format.

The Illusive Man
    What about "Clean walls"? [Prince William's photographer accidentally exposed a RAF password](http://nakedsecurity.sophos.com/2012/11/21/prince-william-photos-password/) – makerofthings7 Mar 06 '13 at 14:58
  • 2
    Thought to link to the [Clean desk policy/No one giving me clear answer when asking about security procedures](http://security.stackexchange.com/questions/31418/clean-desk-policy-no-one-giving-me-clear-answer-when-asking-about-security-proce) thread. I realize it's been closed as too broad, but you might want to read it anyway ;) – TildalWave Mar 06 '13 at 15:17

5 Answers

34

Clean desk policies are rather literal, in the sense that they don't mean the papers on your desk need to be organized... They mean that you're not allowed to have papers on your desk at all. So, no papers left unlocked on a desk means no papers with sensitive information for others to trawl through after hours.

Sensitive data doesn't only include passwords. Engineering designs, sensitive communications, financial information... There is lots of data that could be on paper that a company wouldn't want left around for just anyone to find.

Celeritas
Xander
  • @community please check my edit on the first sentence. – Celeritas May 09 '15 at 08:49
  • @Celeritas it was incorrect. The original was in fact what I intended. I've rolled it back. – Xander May 09 '15 at 12:01
  • out of curiosity could you explain your thinking? If it were *literally* a clean desk then it would be free of germs etc. For example in this context if an employee left crumbs from a sandwich on their desk, they would not be in violation of the clean desk policy (as it applies to security). – Celeritas May 09 '15 at 21:35
  • 1
    @Celeritas Your interpretation is too pedantic. Xander's definition of "clean desk" is more literal than the original question's, so "quite literal" is appropriate, while "not literal" certainly isn't. In any case, edits shouldn't attempt to change the intent of the original post, which yours certainly did. – Lily Chung May 12 '15 at 09:54
  • I disagree. Clean desk policy actually has nothing to do with a clean or messy desk. It has to do with certain information (usually text classified as confidential or protected) not being left on top of the desk or in plain view. Anyway, my point is the first sentence could be better worded. – Celeritas May 13 '15 at 06:59
  • 1
    @Celeritas I don't disagree with your conclusion that the first sentence could be better worded. I do disagree with your specific interpretation. I'll have a think about how I can clarify. – Xander May 17 '15 at 02:49
32

Trevor Paglen's book about USA Department of Defense secrecy, Blank Spots on the Map, has an illuminating incident. During the Manhattan Project, a Los Alamos physicist got in trouble for leaving an orange on his desk after lunch. The Manhattan Project security people had a policy against leaving spherical objects out in the open, probably because the atom bomb had a spherical core, but who knows? The anti-spherical object policy arose so that guards did not have to make decisions about what's left out in the open.

A clean desk policy means that you don't have to have policy enforcers that are knowledgeable about whatever you want to keep concealed. Paglen also makes the point that, like paperwork, secrecy expands to fill all available space.

TRiG
Bruce Ediger
  • 8
    That orange anecdote is even more amusing if you've read the section of Surely You're Joking, Mr. Feynman where he describes the flawed document storage systems used in the project: initially locking filing cabinets with open backs; later combination lock safes which, to be more user friendly, only required trying 20 of the 100 values on the dial in an exhaustive search, and for which 2 of the 3 values could be found by twiddling with the dial while it was open. – Dan Is Fiddling By Firelight Mar 06 '13 at 18:51
  • 2
    +1 for raising the point that, essentially, the clean desk policy is to avoid assumptions. It's more secure to leave no clues in the policy itself. This both avoids leaking information in the policy and, in the simplest case, avoids making suggestions for possible insecure ways of storing sensitive information. – m-smith Mar 07 '13 at 13:11
  • 2
    +1 This is perhaps the best explanation for many of the corporate Security Theatre policies I've seen. – Steve Sether May 08 '15 at 17:40
10

Sensitive Data does not just mean passwords or other logins. I work for a medical technology company and it is possible for us to have access to privileged patient information. According to HIPAA standards, any identifiable patient information could be a violation. Working with this every day, it's easy enough to leave it sitting out when going to lunch, for coffee, or so forth. Add in an open office floor plan and clients walking through on their way to training, and you've got a HIPAA violation waiting to happen.

ruakh
Lazarus
7

Because in an office environment, you will often see at least a couple of users who will leave documents and notes all over their desk. These documents can contain anything from sensitive customer data to a sticky note with their Windows credentials on it.

This policy describes a best practice.

tmacually
2

The main purpose is to reduce the chance of the lowest hanging fruit lying around for a possible compromise.

There is also no more approachable, catchable and doable attack than removing the sticky note from a data entry operator's keyboard and reading the password. I've seen this happening so often in an organization I work in.

Ohnana
Saladin