Conceptually, amid the globalization of information media, the principles of “clean desk and clean screen” have emerged and must be adopted by companies to ensure the security of their sensitive data and that of their employees. These are security practices to be followed whenever information technology is accessed, so that information is not left unprotected in personal or public workspaces. In this era of globalized information and technology, the work environment can also extend beyond company premises, in the modality known as “Home Office”: remote work from home, a worldwide trend that is gaining space and market share.
Currently, the concept of cyber risk takes the ISO/IEC 27005:2019 standard as its reference and is based on the Risk Management Process established in ISO 31000:2018. It should always be remembered that Information Security and Communications Risk Management is a set of processes that allow the identification and implementation of the protective measures needed to minimize or eliminate (mitigate) the risks to which information assets are subject, and that these measures must be balanced against the operational and financial costs involved for each corporation. Information security (IS) is directly related to protecting a set of information, in the sense of preserving the value it holds for an individual or an organization. The basic properties of information security are confidentiality, integrity, availability, authenticity, and legality.
Within this scenario, data protection is a concern, so companies must have solutions and seek to understand the list of possible threats, namely their “threat data”; once they comprehend it, they can also use tools to aggregate it into “Threat Intelligence” as a defense mechanism in cyberspace.
2. THE CLEAN DESK, CLEAN SCREEN, AND CLEAN TRASH POLICY AND ITS RELATION TO CYBERSECURITY
A clean desk policy, including clean screen and clean trash, is a set of security practices based on the ISO 27001 standard and recommended for the workplace. It seeks to prevent the exposure of sensitive or confidential information, so that it is not left unprotected in personal or public workspaces, thus reducing the risk of unauthorized access, loss, damage, compromise, or theft during or outside working hours. These practices are defined in control A.11.2.9, Clean Desk and Clean Screen Policy (Brazilian Association of Technical Regulations, 2013).
The goal of the policy is to increase employee awareness of protecting confidential information. This policy is also directly associated with the objectives of cybersecurity, which involve protective aspects of the network and aim to protect the assets used to transport an organization’s information from theft or attack.
This protection also requires that detection, prevention, and recovery controls be implemented against malicious code, supported by a structured user awareness program, together with identity management and risk and incident management as the basis of the cybersecurity strategy. Its objectives are aligned with preventing attacks against critical infrastructure, reducing vulnerabilities, minimizing damage and post-attack recovery time, and always protecting the pillars of confidentiality, integrity, and availability of technological assets and information.
3. THE THREATS OF REMOTE WORK
A CyberArk survey released in mid-September 2020 examined corporate device-sharing habits, which can put at risk the security of sensitive data and of systems considered critical to the company’s business: when employees mix work and leisure on their devices, the resulting vulnerabilities give attackers potential opportunities to steal credentials and create organizational risk.
The survey was conducted with 3,000 remote employees and IT professionals and aimed to assess the state of security in the remote work environment. It showed that 77% of remote employees were using insecure, unmanaged “BYOD” devices to access corporate systems. In addition, 66% of them had adopted communication and collaboration platforms such as Zoom and Microsoft Teams, which have had several security vulnerabilities exposed, and 37% still save important passwords in the computer browsers they use. Among IT professionals, 94% expressed confidence in their know-how for protecting remote work, yet only 40% had increased security protocols or made any other significant changes to their systems.
“As more organizations extend work-at-home policies into the long-term,” says CyberArk CMO Marianne Budnik, “it is important to capture the lessons learned in the early stages of remote work and shape future cybersecurity strategies that don’t require employees to make trade-offs that could put their company at risk.”
Addressing these risks and updating security strategies is of utmost importance, especially when it comes to protecting the business and the use of resources considered critical, and given the challenge employees face in balancing the professional and personal environments for business continuity, as companies encounter increased security threats and breaches resulting from the shift to remote work.
4. CLEAN DESK, CLEAN SCREEN, AND CLEAN TRASH GUIDELINES AID IN INFORMATION SECURITY
The goal of the clean desk, clean screen, and clean trash policy is to set guidelines that reduce the risk of a security breach, fraud, and information theft caused by documents being left unattended on company premises. Inserting this policy into an ongoing information security awareness program is a must, since this can reduce the risk of unauthorized access, loss, and damage to information during and outside business hours. As such, (LEAL, 2016, p. 4) states that:
“In addition, an organization should also consider periodic training and awareness events to communicate to employees and other individuals involved in the aspects of the policy. Good examples are posters, emails, newsletters, etc. Finally, there should be periodic assessments of employee compliance with the policy practices (let’s say, twice a year).”
According to the previous statement, companies must prioritize the security of their data; to this end, employees must be made aware of how to protect their work area, including sensitive and confidential information, whether they are present or absent for a short or prolonged period, and at the end of the workday. The guidelines used as security criteria include:
- Workstations should be turned off when unoccupied, or locked with a secure password when absent;
- Confidential information should always be removed from desks, meeting rooms, and printers, leaving them safe in locked cabinets after handling. It is also recommended that you erase blackboards at the end of meetings and dispose of the trash properly;
- Passwords cannot be left on notes posted on or under a computer, nor written in places accessible to others;
- Printouts containing sensitive, confidential, or restricted information should be removed immediately from the printer;
- Clean trash requires attention, too: sensitive, confidential, or restricted documents must be shredded and disposed of properly in designated secure locations.
Thus, to reduce the risks, it is appropriate to adopt a clean desk policy for papers and removable storage media, together with a clean screen policy that avoids the danger of a user remaining logged on while absent. Employees who process information should have measures in place that support information security, with risk management as an aid, guiding all professionals about unauthorized access, loss, or damage to information during and outside working hours.
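As an added example (not part of the article or its references), the following PowerShell audit checks whether a Windows workstation technically enforces the clean screen guideline above, i.e. an automatic lock when the user is absent. It reads the registry values written by the corresponding Group Policy settings (machine inactivity limit and password-protected screen saver); the 900-second threshold is an assumed organizational value, not one stated in the article.

```powershell
# Added audit example: verifies that the "clean screen" control (lock on
# inactivity) is enforced on a Windows workstation. Read-only; reports findings.
$MaxIdleSeconds = 900   # assumed organizational threshold (15 min), not from the article

function Get-CleanScreenStatus {
    # Machine-wide policy: "Interactive logon: Machine inactivity limit" (seconds).
    # 0 or missing means no limit is enforced.
    $machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $machineLimit = (Get-ItemProperty -Path $machineKey -Name 'InactivityTimeoutSecs' `
                        -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # Per-user policy: screen saver enabled, password-protected, with a timeout.
    # These are REG_SZ values ("1" / seconds) written by the Personalization GPO.
    $userKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $saver = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $machineLimit -or $machineLimit -gt $MaxIdleSeconds) {
        $findings += "Machine inactivity limit missing or above $MaxIdleSeconds s (value: $machineLimit)"
    }
    if ($saver.ScreenSaveActive -ne '1') {
        $findings += 'Screen saver is not enforced by policy'
    }
    if ($saver.ScreenSaverIsSecure -ne '1') {
        $findings += 'Screen saver does not require a password on resume'
    }
    if (-not $saver.ScreenSaveTimeOut -or [int]$saver.ScreenSaveTimeOut -gt $MaxIdleSeconds) {
        $findings += "Screen saver timeout missing or above $MaxIdleSeconds s (value: $($saver.ScreenSaveTimeOut))"
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$status = Get-CleanScreenStatus
if ($status.Compliant) {
    Write-Output 'Clean screen control: COMPLIANT'
} else {
    $status.Findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script only reads policy values, so it can be run by any user; a non-compliant result is a cue to apply the corresponding Group Policy rather than to change the registry by hand.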
So, it’s essential that companies, when applying the Policy, rethink their actions, in order to protect their data, as well as that of their employees, by proposing protective and preventive security measures.
ABNT/CB-21. Comitê Brasileiro de Computadores e Processamento de Dados. Projeto de Revisão ABNT NBR ISO/IEC 27005:2019. Rio de Janeiro, 2019.
ABNT. Associação Brasileira de Normas Técnicas. NBR ISO/IEC 27001: Tecnologia da informação: Técnicas de segurança: Sistemas de gestão da segurança da informação: Requisitos. Rio de Janeiro, 2013.
ABNT. Associação Brasileira de Normas Técnicas. ABNT NBR ISO/IEC 27002: Tecnologia da informação: Técnicas de segurança: Código de prática para a gestão da segurança da informação. Rio de Janeiro, 2013.
CyberArk. Blog. Available at: https://www.cyberark.com/resources/blog. Accessed on: July 25, 2021.
CISA. Cybersecurity & Infrastructure Security Agency. Available at: https://us-cert.cisa.gov/ncas/tips/ST15-002. Accessed on: July 25, 2021.
CISA. Cybersecurity & Infrastructure Security Agency. Available at: https://us-cert.cisa.gov/ncas/tips/ST15-003. Accessed on: July 25, 2021.
ALMEIDA, Matheus. Política de mesa limpa e tela limpa. 2021. Available at: https://www.Matheustech.com.br. Accessed on: August 04, 2021.
BRASIL. Ministério da Defesa. Proteção de dados LGPD. 2020. Available at: https://www.gov.br. Accessed on: August 03, 2021.
LEAL, Rhand. Política de mesa limpa e tela limpa: o que a ISO 27001 requer? 2016. Available at: https://www.advisera.com. Accessed on: August 04, 2021.
Kaspersky. Threat intelligence. Available at: https://www.kaspersky.com.br/resource-center/definitions/threat-intelligence. Accessed on: December 18, 2021.