Security tips for enforcing a clean/clear desk policy and shredding

Trying to get the ball rolling on this as it is a major problem. People leaving case files with sensitive information on their desk overnight. Some cases are a box or two's worth and spread allover. To top it off, people make their own "shred boxes" and only empty them whenever they feel like or when the shredding service stops by (monthly maybe.) Too lazy to make the small walk to the copier room where the shred bin and shredder exist.

Problem I know I will face with enforcing this is space. People do have locked cabinets, but cubicle space i still very limited and our territory in this building is in between 2 other businesses, so there is no room to expand.

I do expect support from management on this, but it's one of those adjustments that will be hard for everyone else to follow through with. Anyone else have to go through something similar?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

the_Grinch

Unfortunately, your only recourse will be pretty harsh. If you have management on board I think you do the following:

1. C-Level sends a memo to all employees stating the new policy
2. Said memo is posted throughout the offices
3. For a month nightly checks are made and "notes" issued for those not following the policy. For that month nothing other then the note and then a discussion takes place for not following the policy
4. After that month, nightly checks still happen, but now any "notes" get sent to HR and are placed in their file
5. Continue failure to follow the policy results in whatever management decides

Has to be across the board, meaning if a C-Level gets caught doing the same thing they get the same notes etc.

blargoe

I agree with Grinch. This is a liability to the entire company, and needs buy in and support from top management.

Just curious, how did this become an IT problem?

tpatt100

1. Get management on board
2. Get management on board
3. Get management on board
4. If the first three are not possible make sure to document all attempts you have made to emphasize the importance of securing physical documentation or electronic (sensitive documents left open on unlocked desktops). Basically "cyoa" if you know what I mean.

Seriously, without management approval/enforcement it's kinda pointless. I am trying to implement changes to the company I work for, hell I was hired to do this and I keep running into "well we know we should do this but we kinda ...".....

I did push for putting a "tech tips" column in the monthly company newsletter. Using that for reminding employees on ways to improve security in their day to day activities. The clear desk issue bugs me, the help desk sent a print out of some passwords to the door security monitoring software to a printer near my desk. I was wondering what the IP addresses were for and the passwords and non unique accounts...... Got that changed to the obvious "don't send passwords in printed form to printers elsewhere that sit there for hours...". Then changed the accounts to unique user accounts and non shared passwords....

We got some new printers a few months ago and during the training session I was the only person that asked how long the information that was sent to the printer is stored and is there a way to verify if the information is actually deleted. Our security department is not very "security minded". I am not a hard a$$ and don't want to make anybody's job harder and I only push for the really obvious "duh" stuff if you know what I mean.

Essentially security exploits go after the really easy stuff, no sense in trying harder than you have to. Plus when it comes to paperwork, it can destroy your company reputation if you get on the news as the company that gets busted throwing employee and customer information in the dumpster that gets retrieved.

SteveLord

Confidential information/security/me bringing it up in the past/concern of cleaning crew emptying someone's shred box recently. We're a small outfit, so I am often that "goto guy" for a lot of things.

On subject of clean/clear desks, I at least want papers to not be visible to the naked eye if they can't all be locked up. Hiding the hanging fruit would at least prevent some from spending the energy to look for it.

tpatt100

blargoe wrote: »

I agree with Grinch. This is a liability to the entire company, and needs buy in and support from top management.

Just curious, how did this become an IT problem?

Probably because it is security I guess, I got it also.

bobloblaw

tpatt100 wrote: »

Seriously, without management approval/enforcement it's kinda pointless.

That's everything. Without that, you're just a mall security guard that the kids will laugh at.

SteveLord

And I don't even get a badge. :P

paul78

One effective technique that has worked in the past is to have the folks doing rounds to confiscate all unsecured confidential materials including unlocked laptops. The only way to get it back was to have the employees' manager explain in person what he/she was going to do to prevent it from occuring again. Basically, unsecured confidential materials was considered a management failure to enforce policy. Only took a few days before word got around after it happened to a few managers.

SteveLord

Holy thread revival Batman! Was it a bot that decided to make a post on a 12 year old thread?