20. HealthSafe Clear Desk and Clear Screen Policy


CLEAR DESK AND CLEAR SCREEN POLICY



| Field | Value |
|---|---|
| Document Identification | HSNZ/POL/20 |
| Document Name | Clear Desk and Clear Screen Policy |
| Master Copy | CISO |
| Version Number | 1.3 |
| Date Of Release | 15 Aug 2023 |
| Prepared By | Eparama Tuibenau, CISO |
| Approved by | Kevin McAfee, Managing Director |


VERSION HISTORY


| Sl No | Version No. (From) | Version No. (To) | Prepared by | Approved by | Description of Version | Date | Reason for Version Change |
|---|---|---|---|---|---|---|---|
| 1 | 1.0 | - | CISO | MD | First Release | 14 Apr 2020 | No changes made |
| 1 | 1.0 | 1.1 | CISO | MD | Updated | 11 July 2021 | Modifications due to changes in HealthSafe |
| 1 | 1.1 | 1.2 | CISO | MD | Reviewed | 28 July 2022 | Annual review |
| 1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review |


DOCUMENT STATUS


| Date | Document Status |
|---|---|
| 14 Apr 2020 | Modified |
| 11 Jul 2021 | Reviewed |
| 28 Jul 2022 | Reviewed |
| 15 Aug 2023 | Current |


Table of Contents

1 Purpose
2 Scope
3 Input
4 Output
5 Interacting Process
6 Abbreviations, Acronyms and Definitions
7 Procedure
8 Monitoring the Process
9 Records

1 PURPOSE

The purpose of this document is to establish and maintain a policy for clear desk and clear screen for HealthSafe NZ.


2 SCOPE

These procedures apply to all aspects of a clear desk and clear screen.


3 ABBREVIATIONS, ACRONYMS AND DEFINITIONS


| Abbreviation | Description |
|---|---|
| FH | Functional Head |
| IT | Information Technology Department |
| TL | Team Lead |
| CISO | Chief Information Security Officer |
| CIA | Confidentiality, Integrity, Availability |


4 INPUT

To ensure that no data or information that can be a threat to CIA is available on a desktop.


5 OUTPUT

To ensure that no data or information is available that can be a threat to CIA.


6 INTERACTING PROCESS

Individual employees and contractors are responsible for keeping their home desks clear of any sensitive information.


7 PROCEDURE

Clear Desks

  • All information classified higher than Public domain must be removed and securely stored whenever a desk will be unattended for more than 30 minutes.

Clear Screen

  • All screens and other computer displays must be cleared of non-public domain information and logged out when not in use.
  • Where available, system controls must be used to enforce this policy when a machine has been unattended for 30 minutes or more.

Screen Locking

  • A domain-wide policy for all computer systems must automatically lock the screen when the system is idle for 30 minutes.
  • Unlocking the screen must require the logged-in user to authenticate to access the system.
  • Screen locking can be done by logging off when the host will be unattended.
  • A password for screen locking must be applied at every login.

8 MONITORING THE PROCESS

This process is monitored through regular and routine checkups and shall be effectively monitored during internal audits when applicable.


9 RECORDS

NIL