Related Literature and Studies

A.11.2.8 - Unattended user equipment

Foreign Literatures

1.
Antonio Segovia (2016) created an article on his blog entitled "How to implement equipment
physical protection according to ISO 27001 A.11.2 - Part 2". He states in the part of
Unattend user equipment that "users have to be trained to protect the equipment that they
are using". He gave an example of employees that needs to go to bathroom or go outside to
talk on phone or to smoke weeds. It happends, many times, that they leave an open session
on their systems; i.e., access to the computer is not locked. In reality, many companies
control such situations through a centralized server, forcing the system to log out the
user automatically if he does not interact with the system after a certain time. But he
still suggested to raised awareness, giving information about the risks of unattended user
equipment, which will also create a culture of information securuty.

FROM: https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-
physical-protection-according-to-iso-27001-a-11-2-part-2/

2.
UNC Charlotte (2016), a North Carolina's Urban Research University, created their standard for
physical and environmental security - equipment. On Unattended user equipment part, they
state that "All users should ensure that unattended equipment has appropriate protection by
terminating sessions, logging off from applications when no longer needed, initiating a
screen lock, and securing computers or mobile devices with a pattern, PIN, or password when
not in use".

FROM: https://itservices.uncc.edu/iso/standard-physical-and-environmental-security-equipment

3.
The University of Newcastle Australia (2017) created an information security physical and
environmental
security procedure for their university. The institution guideline for unattended user equipment states
that user must ensure unattended equipment has appropriate protection. User must safeguard
unattended
equipment by terminating the active session when finished; lock it with password protected screen
saver or other approve mechanism; logoff computers, serves, terminals and other devices the session is
finished; enable password protection on mobile devices, printers, kiosks and portable storage devices;
and secure devices with a cable lick when enhanced physical security is justified.

FROM: https://www.newcastle.edu.au/__data/assets/pdf_file/0004/348313/Information-Security-
Physical-
and-Environmental-Security-Procedure.pdf

4.
Altamash Sayed (2013) of King Saud University created an Access Control Policy for their university.
The policy regarding unattended user equipment protection states that screen saver password shall be
enabled on all information assets (e.g. desktop, laptops and servers) to prevent unauthorized access.
The screen saver timers shall be set to 10 minutes of inactivity or less. Each user shall terminate
active sessions when activities are finished. And lastly, each user shall lock his equipment before
leaving his desk.

FROM:
http://etc.ksu.edu.sa/sites/etc.ksu.edu.sa/files/ksu_etc_isms_pol_access_control_policy_v1.1.pdf

A.11.2.9. - Clear desk and clear screen policy

Foreign Literatures

1.
Altamash Sayed (2013) of King Saud University created an Access Control Policy for their university.
The policy regarding clear desk and screen security states that paper and information media shall be
stored in suitable locked cabinets and/or other forms of security furniture when not in use, especially
outside normal working hours. Sensitive or critical business documentation shall be locked away
(ideally in a fireresistant safe or cabinet) when not required, especially when the office is vacated.
Personal computers, computer terminals and printers shall not be left logged on when unattended and
shall
be protected by password protected screen savers. Photocopiers and faxes shall be locked (or protected
from
unauthorized use in some other way) outside normal working hours. And lastly, sensitive information,
when
printed, shall be immediately cleared from printers.

He also wrote that ISMS Manager shall communicate the clear desk and clear screen policy to the
employees in
their own areas and shall periodically monitor their activites to ensure users compliance. Information
Security Officer shall ensure proper awareness training address clear desk and clear screen policy is
delivered
to all employees, contractors, consultants and any external parties.

FROM:
http://etc.ksu.edu.sa/sites/etc.ksu.edu.sa/files/ksu_etc_isms_pol_access_control_policy_v1.1.pdf

2.
Rhand Leal (2016) on his article entitled "Clear desk and clear screen policy - what does ISO 27001
require?",
he defined the what is clear desk and clear screen policy all about. In summary, he suggested practices
that
are low-tech and easy to implement such as: Use of locked areas, protection of devices and information
systems,
restrictions on use of copy and printing technology, adoption of paperless culture and disposal of
information
remaining in meeting rooms.

FROM: https://advisera.com/27001academy/blog/2016/03/14/clear-desk-and-clear-screen-policy-what-
does-iso-27001
-require/?icn=free-blog-27001&ici=bottom-clear-desk-and-clear-screen-policy-what-does-iso-27001-
require-txt
3.
UNC Charlotte (2016), a North Carolina's Urban Research University, created their standard for
physical and environmental security - equipment. On Clear desk and clear screen part, they
added to equipment screen locks that "all work areas should be further secured by clearing those
spaces of all papers and removable devices containing sensitive information and those papers
and devices should be stored in appropriate secured locations".

FROM: https://itservices.uncc.edu/iso/standard-physical-and-environmental-security-equipment

4.
Flavius Plesu (2015), an Information Security Manager, created an guideline entitled:
"Acceptable use of information assets policy" for University of West London. He stated
that all information classified as "internal", "restricted", and "confidential" as
specified in the information classification policy are regarded as sensitive in these item.
In clear desk policy, it stated that if the authorized person is not at his/her workplace, all
paper documents, as well as data storage media labelled as sensitive, must be removed from the
desk or other places to prevent unauthorized access. Documents containing sensitive information
must immediately be removed from printers, fax and copy machines. Such documents and media must
be stored in a secure manner in accordance with the information classification policy. In clear
screen policy, it stated that if the authorized person is not at his/her workplace, all sensitive
information must be removed from the screen, and access must be denied to all system for which the
person has authorization. In the case of short absence, the clear screen polict is implememnted by
logging out of all systems or locking the screen with a password. If the person is absent for a
longer period of time (over 3 hours), the clear screen policy is implemented by logging out of all
systems and turning off the workstation.

FROM: https://www.uwl.ac.uk/sites/default/files/Departments/About-us/Web/PDF/policies/acceptable-
use-of-information-assets.pdf