Clear Desk and Clear Screen Policy
Last updated: January 20, 2023
Introduction
- Encryption is a process in which data is encoded so that it remains hidden from, or inaccessible to, unauthorized users. It protects data that must not be readable by anyone other than its intended recipients. By encrypting our data at rest and in transit, we better protect private, proprietary and sensitive data and strengthen the security of communication between client applications and servers.
Scope and Applications of the Standard
- This standard applies to all Organization workforce members and any other person utilizing any form of Organization information technology or having responsibility for Confidential information stored in an alternate format, such as paper. This standard covers any papers, removable storage media and any computing devices that contain or display Organization information regardless of location.
Definitions
- “Screen” shall mean the display portion of any computing device.
- “Public area” shall mean a location outside of a departmental office where the general public has free and easy access to the area.
- “Secured” shall, at the very least, mean the locking of or otherwise preventing access to information, records, and/or physical space.
Clear Desk and Clear Screen Standard
- The following security measures must be followed:
- Whenever unattended or not in use, all computing devices must be left logged off or protected with a screen or keyboard locking mechanism controlled by a password or similar user authentication mechanism (this includes laptops, tablets, smartphones and desktops).
- When viewing sensitive information on a screen, users should be aware of their surroundings and should ensure that third parties are not permitted to view the sensitive information.
- Sensitive or critical business information, e.g., on paper or on electronic storage media, must be secured when not required, especially when the office is vacated at the end of the workday.
- Paper containing sensitive or classified information must be removed from printers and fax machines immediately. Fax machines and printers used for sensitive information must not be located in public areas. Whenever a document containing sensitive information is printed, the user must confirm that the correct printer has been selected and go directly to that printer to retrieve the document.
- Sensitive information on paper or electronic storage media that is to be shredded must not be left in unattended boxes or bins to be handled later; it must be kept secured until it can be shredded.
Media Disposal Policy
- Securely disposing of both electronic and physical media adds a layer of protection against discarded data being recovered by unauthorized persons. Several effective, publicly available tools and techniques exist for recovering data from electronic and physical media, including hard drives and shredded paper. This policy aims to reduce the risk of such recovery and shows customers, Zora Communications staff, and other partners that we take measures to protect their data even after it is no longer in use.
Scope
- This policy applies to all Zora Communications issued devices or equipment that processes, stores, transmits, or works as an access-point to customer data. Specifically, this applies to company issued laptops/workstations that are being permanently decommissioned.
Cryptographic Keys
- To permanently dispose of company issued laptops/workstations, the following steps must be followed, in order:
- Encrypt the entire hard disk using a strong algorithm and a long passphrase, so that any data that survives the next steps is unreadable without the key; the passphrase and any recovery key must not be retained.
- Securely erase all information using a disk-wiping software tool (many free tools are available); a plain file deletion or quick format is not sufficient.
- Physically destroy the device (incineration, shredding, etc.).
Physical Security Policy
- Zora Communications Ltd production infrastructure, including data storage, is secured and managed by our infrastructure provider. We rely on the physical security measures taken by our infrastructure provider to ensure the security, availability, and confidentiality of our production systems. Further, no production servers or customer data may be hosted within our premises. As a result, the physical security of our office premises is not critical to the security, availability and confidentiality of customer data. Nevertheless, the physical security of the premises where we work is important to us, and we take the following steps to secure them.
- Visitors: Zora Communications staff may invite visitors to the office premises for business reasons or during pre-specified times, for social reasons. In such cases, the staff members are responsible for the visitor's actions and must always escort their visitors. As a general principle, do not invite anyone to the office who you do not trust or know. Zora Communications staff members who spot unauthorized visitors should report to the security personnel on duty to take the necessary measures and refer the issue to management.
- Clean desk: Ensure that no customer classified data, or security keys/password etc. are written on whiteboards, or unattended notepads etc.
- Printing: Printing of customer classified data, security keys, passwords etc is prohibited.
- Removable media: Use of removable media to transfer sensitive customer data is not allowed on laptops used by Zora Communications staff to perform their work.
- Shoulder surfing: Zora Communications allows you to work from outside the office premises. Should you find yourself working from a public place (such as a coffee shop or airport), be aware of shoulder surfing and position your screen so that it cannot be read by others.
- Local laws: We must abide by local laws regarding fire safety, display of licenses etc.
- Loading and reception areas: Ensure that loading/delivery and reception areas are secured with appropriate security measures.
Working Remotely
- Zora Communications staff who work remotely must follow these rules. When working remotely, the security of the device you use to perform your work is your responsibility: your equipment must be in your presence, screen locked, or stored securely. Follow the organization's endpoint protection and encryption standards for any equipment (company provided or otherwise) used to perform your work. Protect the confidentiality, security, and privacy of our customers' data by ensuring that unauthorized people cannot view, overhear, or otherwise gain access to such data; for example, be aware of "shoulder surfing" when working in public places like coffee shops or airports. All remote work must be performed in a manner consistent with Zora Communications' information security policies.
Non compliance
- Zoracom staff who violate this policy may face repercussions in proportion to the impact of their violation. Zoracom management will determine how serious a staff member's offense is and decide the appropriate penalty. Penalties may include:
- Reprimand
- Demotion
- Withdrawal of benefits for a definite or indefinite time
- Suspension or termination for more serious offenses