RUL - 70.00.11 Clean Desk Rule
1. Purpose
To improve the security and confidentiality of university data, NCCU has adopted a Clean Desk Rule for workspaces. This rule ensures that all sensitive and confidential information, whether on paper, storage media, or hardware, is appropriately secured and protected from unauthorized view. This rule reduces the risk of unauthorized access, loss, and damage to information during and outside of regular business hours or when workstations are left unattended. A Clean Desk Rule is an important security and privacy control.
2. Scope
Keeping a Clean Desk
When employees leave their desks for extended periods, such as meetings or lunch breaks, documents containing sensitive or private data should be placed in locked drawers or a locked office. At the end of the day, each employee should tidy his or her desk and put away all documents that contain sensitive or private data or lock his or her office.
- Never write your passwords on a sticky note or try to hide them anywhere in your office.
- Always lock your desk and filing cabinets at the end of the day.
- Mobile devices such as laptops or smartphones should be locked in drawers or an office at the end of the day.
- If you are storing any sensitive or private data on external media like CDs or USB drives, secure them in a locked drawer. Don't leave unattended media in your computer.
- Unattended computers should be locked or logged off so that the information displayed on the screens cannot be viewed by anyone other than the user of the computer.
- Computers should be configured to automatically lock or engage a password-protected screensaver after an unattended duration of 15 minutes.
- Always clear your workspace of sensitive or private paperwork before leaving for long periods.
- Employees working in cubicles must turn work papers face down before leaving their cubicles temporarily.
- Printed paper containing sensitive or private information should immediately be removed from the printer
- All employees may not dispose of sensitive information or any document containing personal identifiable information (PII) in the trash. Documents not retrieved by employees must be disposed of in secure shredding bins designated by the department.
- Employees must ensure that no documents containing sensitive information or PII remain in the copy/printer areas overnight.
3. Compliance
- The Information Security department treats misuse of University data seriously and will pursue and address violations.
- Anyone aware of possible violations of these rules should report them immediately to their supervisor, the Information Security department, or department head/chair, etc.).
- All reports will be treated as confidential.