340
A Practical Guide to Security Assessments
or away from the office. That being said, the impact to the business if a laptop is stolen can be significant. For example, a salesperson might have sensitive client information, internal pricing data, or proprietary company information, which would have a significant impact if lost or stolen. Impact should be thought of in terms of both confidentiality and availability.
• Confidentiality — What is the impact if an unauthorized person gains access to sensitive information? Are there any legal ramifications or potential damage to the reputation of the company?
• Availability — If the information on the laptop was not backed up to the company network or on some other media, what is the impact related to recreating the information?
Risk: Not applicable. The purpose of this question is to determine the impact if a laptop computer is lost or stolen.
Client Response:

CLEAN DESK AND SCREEN
26. Does the company have a clean desk policy and is it followed and enforced? Does any security awareness training address a clean desk policy?
Guidance: A clean desk policy is something that should be ingrained in companies. Many employees regularly work with sensitive documents, which, if left out in the open on desks, can present a significant risk. For example, human resources personnel often deal with sensitive employee-related matters such as salaries and disciplinary issues. If documents containing this information are left unattended, unauthorized persons such as other employees or facilities maintenance people can access this information. Similar scenarios are possible in other key areas such as finance, operations, and executive management. Companies have an obligation to use reasonable effort to maintain the confidentiality of this information. If they do not, they are exposed to potential embarrassment, legal trouble, and similar consequences. A clean desk policy that is enforced can go a long way toward reducing this risk.
Risk: Without a clean desk policy, a risk exists of confidential information being exposed to unauthorized individuals, embarrassment for the company, and potential legal troubles.
Client Response:
AU1706_book.fm Page 340 Tuesday, August 17, 2004 11:02 AM