PURPOSE:
This Secure Desk Policy outlines the standards and procedures for maintaining secure and organized workspaces at all Idaho College of Osteopathic Medicine (ICOM) facilities. The purpose of this policy is to support the Physical Security Policy by minimizing the risk of unauthorized access to sensitive information, protecting valuable assets, and fostering a secure and professional working environment.
SCOPE:
This policy applies to all employees, faculty, staff, students (where applicable, e.g., in administrative or research roles), contractors, and any other individuals who utilize workspaces within ICOM-owned, leased, or operated facilities. This policy covers all physical workspaces, including but not limited to offices, desks, workstations, laboratories, classrooms (when used for administrative tasks or storage of sensitive materials), and common areas.
DEFINITIONS:
- Institutional Data: Refers to all data and information created, received, maintained, or transmitted by ICOM in support of its mission and operations, as further defined in the Data Classification Policy.
- Restricted Data: Data classified as requiring the highest level of protection due to legal, contractual, or regulatory requirements.
- Confidential Data: Data classified as requiring a high level of protection because unauthorized disclosure, alteration, or destruction could cause significant risk or harm to ICOM or its affiliates.
- Sensitive Information: Encompasses both Restricted and Confidential Data, as well as any other information that, if exposed, could negatively impact ICOM, its students, faculty, staff, or affiliates.
POLICY:
End of Workday Requirement: All employees, faculty, staff, and applicable students are expected to secure any sensitive information at the end of each workday or whenever leaving their workspace unattended for an extended period (typically, more than 5 minutes).
Sensitive Information: All documents, media, and devices containing sensitive Institutional Data (as defined in the Data Classification Policy) must be properly secured when a workspace is unattended. This includes, but is not limited to:
- Paper Documents: Documents containing Restricted or Confidential data (e.g., student records, financial information, personnel files, patient information if applicable) must be filed away in locked drawers, cabinets, or offices. Documents in offices need to be kept out of plain sight.
- Electronic Media: Laptops, tablets, smartphones, USB drives, external hard drives, etc. containing sensitive data must be locked away in drawers, cabinets, secured storage containers, or in a secured office. Laptops or other computers should be logged out at night or when left unattended for an extended period.
- Whiteboards and Visual Displays: Whiteboards, flip charts, or other visual displays containing sensitive information should be erased or covered when the workspace is unattended.
Non-Sensitive Information: While the primary focus is on sensitive data, all workspaces should be kept tidy and free of unnecessary clutter to promote a professional environment and reduce the risk of accidental loss or unauthorized viewing of any Institutional Records.
Disposal of Information: All documents and media containing Institutional Records that are no longer needed and have met their retention period according to the Data Retention and Destruction Policy must be disposed of securely. This includes:
- Paper Documents: Shredding using a cross-cut shredder.
- Electronic Media: Securely erasing or physically destroying according to the Data Retention and Destruction Policy.
Common Areas: Individuals utilizing common areas such as shared workspaces, meeting rooms, and break rooms are responsible for ensuring these areas are left clean and free of any sensitive materials or confidential information when they are finished using them.
Visitors: Employees and faculty hosting visitors are responsible for ensuring that any sensitive information within the visitor's view is secured during the visit and that the visitor is not left unattended in areas containing sensitive materials.
ENFORCEMENT:
Failure to comply with this Secure Desk Policy may result in reminders from supervisors, and repeated or significant violations may be subject to disciplinary action as outlined in other ICOM policies.
RESPONSIBILITIES:
- All Employees, Faculty, Staff, and Applicable Students: Responsible for adhering to the requirements of this Secure Desk Policy and maintaining a clean and secure workspace.
- Supervisors and Department Heads: Responsible for promoting awareness of this policy within their departments and ensuring compliance.
- Campus Security and Facilities Management: May periodically conduct visual checks to ensure general compliance with this policy and report any significant or repeated violations to the appropriate department heads.
- Information Technology Office: Responsible for providing guidance on identifying sensitive information and best practices for securing workspaces.
POLICY REVIEW AND UPDATES:
This Secure Desk Policy will be reviewed and updated at least annually, or as needed to reflect changes in ICOM’s physical environment, security needs, or best practices. The Chief Information Officer is responsible for coordinating policy reviews and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 07/08/2025
Last Reviewed: 07/08/2025
Review Requirement: Annual