policy question
tedjames
Member Posts: 1,182 ■■■■■■■■□□
Based on the NIST 800-53 controls catalog, where would you place a clean desk policy? MP - Media Protection, perhaps?
Comments
-
paul78 Member Posts: 3,016 ■■■■■■■■■■
I've always treated it as a Physical and Environmental control.
-
tedjames Member Posts: 1,182 ■■■■■■■■□□
Good point. This appears to be one of those grey areas that could apply in several places.
-
soccarplayer29 Member Posts: 230 ■■■□□□□□□□
There isn't a requirement for a clean desk policy.
MP-1: requires policies/procedures related to applicable media protection, storage, destruction, etc.
MP-4: the physical control/protection of system information
It could also be related to rules of behavior (PL-4) or access agreements (PS-6).
Certs: CISSP, CISA, PMP
-
tedjames Member Posts: 1,182 ■■■■■■■■□□
Thanks. There may not be a NIST requirement, but my CISO (and likely his boss) wants it. Like I said, it appears to be related to several existing policies.