It doesn’t take a rocket scientist to recognize that an access control policy need to be implemented to secure information systems when they are left unattended.
These controls should provide a layer of defense for organizations to decrease the risk of an unauthorized user gaining access to an authorized user’s system or the output from system devices. Unattended information systems are the focus of pitfall #33 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Your organization needs to have controls in place to help ensure that unattended information systems and peripheral devices are appropriately protected. Personnel need to be made aware of these security controls and access control policy requirements and the processes that are in place that they need to follow. Including these requirements in the organization’s Access Control Policy (ACP) is an effective way to communicate these controls without introducing a standalone policy document unnecessarily.
- Clean Desk Policy – Your ACP should contain clean desk control requirements for papers and media. The intent is to ensure that papers or media that are not actively being used are kept in desk drawers or filing cabinets to prevent the unintentional disclosure of potentially sensitive information to unauthorized personnel. Personnel should ensure all working files, papers, and media are securely stored away before leaving their work area for an extended period of time.
- Clear Screen Policy – The ACP should contain clear screen policy control requirements for peripheral devices. Personnel should activate a screen lock when they leave their work area to reduce the opportunity for unauthorized personnel viewing potentially sensitive information displayed on a monitor or other peripheral device.
- Output Devices – Output devices, such as printers or faxes, should be safeguarded to help prevent unauthorized individuals from obtaining the output from these devices. If “tap-to-print,” “follow-me-printing,” or “fax to email” technologies are too costly for immediate implementation, make sure these output devices are physically secured within your facilities.