Fayetteville Policies and Procedures  912.0 

Highly Sensitive Data Clean Desk and Clear Screen Policy

  1. Overview
    This highly sensitive data clean desk and clear screen policy is designed to establish a culture of data security and trust for all faculty, staff, and students. An effective clean desk and clear screen effort involving the participation and support of University of Arkansas employees can greatly enhance the protection of paper and electronic records that contain “highly sensitive data” as defined in Fayetteville Policies and Procedures 309.4. This effort should also help familiarize staff, faculty, and student workers with the guidelines of this policy.

  2. Purpose
    1. The purposes of this policy include: 
      1. Producing a positive image of trust around the handling of university information.
      2. Reducing the threat of a security incident or misplacement, as highly sensitive data will be secured when left unattended.
      3. Preventing highly sensitive data left in the open—on-screen or on the desktop—where it could be viewed or stolen by an unauthorized party.
  3. Scope
    This policy applies to all university employees who handle university highly sensitive data, including highly sensitive data on paper, screen displays, removable storage media, and any computing devices that contain or display highly sensitive data, regardless of location.

  4. Definitions
    1. Computing devices: Computers, phones, iPads, and tablets.
    2. Locked Print: A setting that requires a username and PIN to print documents at the copier/printer.

  5. Policy
    When employees are away from their desks for any length of time, highly sensitive data should be secured, and computing devices should be placed in a locked screen state. General rules apply:
    1. All hard copy records containing highly sensitive data must be shredded or disposed of in designated confidential waste containers when ready for disposal. Under no circumstances should this information be placed in regular wastepaper bins.
    2. Employees should never leave access cards, office keys, or filing cabinet or drawer keys out and unattended. Keys and access cards should remain with them or secured at all times.
    3. All highly sensitive hard copy records should be removed from the desktop and secured in an appropriate drawer or filing cabinet when left unattended.
    4. All computing devices that contain or can access highly sensitive data must be logged off or protected using screen lock controlled by a password or similar user authentication mechanism.
    5. Removable media with highly sensitive data, such as an optical disk, USB, flash drive or portable hard drive should be secured when unattended.
    6. It is not recommended to store highly sensitive data on removable media devices that are not designed to handle and protect highly sensitive data.
    7. Passwords should be secured in a location that is not visible or otherwise accessible to others.
    8. Laptops, tablets, and other hardware devices containing highly sensitive information should be removed from publicly accessible spaces and secured (such as in a locked drawer or filing cabinet) when left unattended.
    9. Office doors should be locked when unoccupied and highly sensitive data is present and accessible.
    10. Printers and fax machines should be treated with the same care under this policy:
      1. Any print jobs containing highly sensitive paperwork should be retrieved immediately. When using a shared printer and when possible, the “Locked Print” functionality should be used.
      2. All highly sensitive printed materials remaining at the end of the work day should be properly stored or disposed of.
    11. If in doubt or unsure of how to handle highly sensitive data, personnel should check with their supervisor or the Office of the CISO.

  6. Reporting and Addressing Suspected Violations
     Anyone who has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO (Chief Information Security Officer) and/or their supervisor or department head. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be handled as soon as possible to mitigate any harm to the university and its affiliates.

  7. Enforcement
    Violation of this policy may result in loss of access and disciplinary action up to and including termination. For additional information, see the Code of Computing Practices. Code of Computing Practices | VCFA | University of Arkansas (uark.edu) 

  8. Exemptions
    Exemptions from this policy must be approved. Any questions about the contents of this policy, or the applicability of this policy to a particular situation, should be referred to the Office of the CISO. Please see the Exemption policy.

June 27, 2022