MRP 3515 2 Directive: MRP Cybersecurity Clean Desk Policy
TABLE OF CONTENTS
1. PURPOSE ... 1
2. SPECIAL INSTRUCTIONS AND REPLACEMENT HIGHLIGHTS ... 1
3. AUTHORITIES AND REFERENCES ... 2
4. DEFINITIONS ... 3
5. SCOPE ... 5
6. POLICY ... 5
7. ROLES AND RESPONSIBILITIES ... 6
8. RECORDS MANAGEMENT ... 10
9. INQUIRIES AND ADDITIONAL INFORMATION ... 10
1. PURPOSE
The purpose of the Clean Desk Policy is to ensure that all Personally Identifiable
Information (PII), Controlled Unclassified Information (CUI), sensitive, and/or
confidential information is removed from a user's workspace and locked away when not
in use or when the user leaves his or her workstation, and is disposed of if no longer
needed. This policy is intended to reduce the risk of security breaches and the loss of,
or damage to, information during and outside of normal business hours.
3. AUTHORITIES AND REFERENCES
a. 44 United States Code (U.S.C.) Chapter 35, Subchapter II: Information Security,
§3551 (December 2014)
c. Computer Matching and Privacy Protection Act of 1988, P.L. 100-503 (October
1988)
n. USDA Department Regulation (DR) 3080-001, Records Management, August 16,
2016
q. DR 3300-001, Telecommunications & Internet Services and Use, March 18, 2016
4. DEFINITIONS
c. Confidential. Information about a person or an entity that, if disclosed, could
reasonably be expected to place the person or the entity at risk of criminal or civil
liability, or to be damaging to financial standing, employment eligibility,
reputation, or other interests.
n. Portable Storage Device. Portable device that can be connected to an information
system, computer, or network to provide data storage. An information system
component that can be inserted into and removed from an information system, and
that is used to store data or information (e.g., text, video, audio, and/or image
data). Such components are typically implemented on magnetic, optical, or
solid-state devices (e.g., floppy disks, compact/digital video discs, flash/thumb
drives, external hard disk drives, and flash memory cards/drives that contain
non-volatile memory).
q. System of Records. A group of records under the control of any agency from
which information is retrieved by the name of the individual or by some
identifying number, symbol, or other identifying information assigned to the
individual.
5. SCOPE
This policy applies to all MRP employees, contractors, partners, affiliates, and volunteers
(including student interns) working on behalf of MRP who handle, control, or access
documents, records, or information technology (IT), including any papers, removable
storage media, and computing devices that store or transmit PII and/or CUI. This policy
applies to both government office and telework/remote settings, as well as partner/vendor
locations processing MRP data. The parties are responsible for properly handling,
processing, and safeguarding PII in accordance with the Privacy Act and USDA policy.
6. POLICY
a. Employees shall ensure that all PII, CUI, and sensitive/confidential information in
hardcopy or electronic form is properly secured in a locked unit or location
accessible only to authorized personnel. PII and sensitive/confidential information
must be removed from the desk and locked in a drawer whenever employees are
away from their desk and at the end of the workday. Employees will work with
their individual supervisor to identify secure storage needs.
c. File cabinets containing PII, CUI, sensitive and/or confidential information shall
be kept closed and locked when not in use or when unattended.
d. Keys used for access to PII, CUI, sensitive and/or confidential information shall
not be left at an unattended desk. Keys shall be handled by authorized personnel.
e. Passwords will not be written down at any time (e.g., on sticky notes posted on or
under a computer) and will only be recorded within an approved password
manager (KeePass).
f. Portable media such as thumb drives or compact discs containing PII, sensitive, and/or
confidential information should immediately have that data removed from the
device and moved to the appropriate System of Records or destroyed. Employees must
coordinate with the Agency Records Officer to ensure proper disposal of portable media
files.
g. All printers and fax machines shall be cleared of papers as soon as they are
printed, and personnel shall not leave the printing area while printing information
that contains PII. This helps ensure that sensitive documents are not left in printer
trays for the wrong person to pick up. Any documents no longer needed should be
properly disposed of in accordance with Agency Records Management policies.
Employees shall consult with the Agency Records Officer for guidance.
i. All actual or suspected PII breaches shall be reported to the Information Security
Center (ISC) within 1 hour of discovery.
7. ROLES AND RESPONSIBILITIES
Implementing the policy and procedures established by this Directive requires the
following individuals and/or groups to carry out these responsibilities:
(1) Have the overall responsibility and accountability for ensuring the
Agency’s implementation of information privacy protections, including
the Agency’s full compliance with federal laws, regulations, and policies
relating to information privacy, such as the Privacy Act.
(4) Ensure the availability of sample cascading goals and objectives for
inclusion in performance agreements of employees with privacy
responsibilities.
(4) Provide assistance to the supervisory staff and/or employees with barriers
to compliance with the Clean Desk Policy.
(5) Develop, coordinate, and implement privacy-related activities and response
procedures to be followed in the event of a breach of PII.
(6) Ensure the Agency takes appropriate steps to remedy identified privacy
compliance issues.
(7) Coordinate with the USDA Privacy Office to ensure that all policies,
procedures, and guidance are consistent with respect to securing PII.
c. Assistant Chief Information Security Officer (ACISO) will:
(1) Investigate possible violations of the Clean Desk Policy and initiate
corrective action and/or refer the matter to the appropriate official/supervisor for
corrective action.
(2) Work with the CPO to develop, coordinate, and implement privacy-related
activities and response procedures to be followed in the event of a breach
of PII.
(2) Work with the ISC on all reported incidents for the Mission Area.
(1) Ensure proper application and monitoring of the Clean Desk Policy as it
relates to information security, PII and sensitive information.
(3) Ensure timely reporting of all actual and/or suspected breaches of PII to ISC.
(1) Assure employees are educated regarding the Clean Desk Policy.
(2) Assist employees with barriers in implementing the Clean Desk Policy.
(3) Monitor areas under their supervision for compliance with the Clean Desk
Policy.
(4) Report actual and/or suspected breaches of PII to the ISC within 1 hour of
discovery.
(5) Assist employees in identifying the need for secure storage and obtaining
identified storage as required to carry out duties related to handling sensitive
data.
(6) Ensure employees properly dispose of documents that are no longer required
in accordance with Agency Records Management policies and procedures.
(1) Protect all PII and CUI utilized in their daily activities by complying with all
Federal laws and USDA policies and procedures.
(2) Ensure compliance with the Clean Desk Policy and/or identify specific
barriers to compliance.
(4) Ensure the security and privacy of the data utilized in their daily activities
and the data to which the employee has access.
(5) Properly dispose of documents that are no longer required in accordance with
Agency Records Management policies and procedures.
(6) Report all actual or suspected breaches of PII to the employee's supervisor
and the ISC within 1 hour of discovery.
a. Loss/Stolen/Website/System defacement/exposure
b. Paper Documents, Electronic/Portable Media (Laptop, USB Drives, CDs)
8. RECORDS MANAGEMENT
Federal records created by this Directive must be maintained in accordance with the
established General Records Schedule (GRS) and/or the AMS/APHIS records schedules.
Consult your records liaison for details on the disposition of specific records. If
employees are named in an active litigation hold, Freedom of Information Act (FOIA)
request, and/or other action, those records, regardless of media, must be preserved and
maintained in their native format until otherwise notified by your Agency Records
Officer and/or the Office of General Counsel.
9. INQUIRIES AND ADDITIONAL INFORMATION
a. General inquiries concerning this Directive may be directed to the Cyber Security
Services Directorate via email to [email protected].
d. Persons with disabilities who require alternative means for communication of this
policy (Braille, large print, audiotape, etc.), should contact the United States
Department of Agriculture’s TARGET Center at (202) 720-2600 (voice and TDD)
for assistance.
e. This Directive can be accessed online via the AMS/APHIS Issuance Web page(s).
/s/
Sergio McKenzie
MRP Assistant Chief Information Officer