ESDC Clean Desk Guidelines: Securing your work environment

Read in conjunction with the Best Security Measures and the Enhanced Security Guidelines

  • 1.  Overview

    A strong, sustained security culture requires that all employees adopt best practices as part of their day-to-day activities to protect the information and assets entrusted to them regardless of their location of work. One of these best practices includes continuously applying the "Clean Desk" principle to prevent the unauthorized disclosure of sensitive information and the loss of departmental assets.

  • 2.  Purpose

    The Clean Desk Guidelines provide a quick reference to clarify responsibilities and help employees ensure that departmental sensitive information, documents and assets are properly stored and safeguarded when employees are away from their workstation or remote work environment. Following these guidelines will help reduce the risk of security incidents involving departmental information and assets and will help sustain a strong security culture at ESDC. The guidelines are also meant to assist in increasing employees' security awareness on protecting sensitive information and departmental assets both in the office and remotely.

    The guidelines are divided up by work environment to ensure that all different work environments are described and that employees are adequately informed on how to be security smart and compliant in the environment they work from.

  • 3.  Scope

    These Guidelines apply to all employees (including indeterminate, determinate, casuals, contractors, and students) who:

    • Use space in Employment and Social Development Canada (ESDC) locations (e.g. General office spaces, Service Canada Centers and Processing/Call Centers);
    • Handle departmental information; and
    • Work with departmental assets (in any work location either in the office or remotely).
  • 4.  Considerations

    These Guidelines are evergreen and reflect the work reality of ESDC employees and the behaviors they are required to adopt to ensure that maximum efforts are made to keep ESDC's information and assets secure in all work environments:

    • Assigned Office (e.g. Duty to Accommodate): Working from an assigned desk, on the premises of ESDC locations, including Service Canada Centers.
    • Unassigned Office (Shared Seating): Working on the premises of ESDC locations from an office space that was reserved for a specific period of time.
    • Mobile Office: Working in a public space that is not normally used for work, such as when an employee is working on public transit, in an airport, a hotel room, or a café. Mobile work always requires, at a minimum, the approval of your manager.
    • Home Office: Includes both telework (flexible work arrangement in the Directive on Telework issued by TBS) and remote work (work arrangement whereby the employer has requested the employee to carry out some or all of their work duties away from the designated workplace).

    These Guidelines should be followed along with the requirements of the Enhanced Clean Desk Guidelines and the security measures highlighted in the Information Categorization Tool.

  • 5.  Guidelines

    ESDC employees are able to request various work locations. Regardless of the environment, maintaining the security of ESDC's information and assets is paramount and additional measures may be required for those working remotely.

    There are four (4) work locations outlined in these guidelines. Please refer to the one that represents the environment you work in.

    • 5.1  If you are working in an assigned workstation within an ESDC Office location, you must:
      • Prevent mess build up on your desk. Keeping a clean desk helps ensure that nothing sensitive is accidentally left exposed.
      • Secure all Protected A and B information in security approved locking or locker in accordance with the Information Categorization Tool (Protected documents must never be left unsecured at your workstation even when stepping away from your desk for short periods of time).
      • Secure all Protected C and Classified information (Confidential, Secret, Top Secret) in appropriate RCMP approved cabinets in accordance with the ESDC Information Categorization Tool.
      • Be conscious of those working around you and make sure your sensitive information is secure (these could be colleagues without a need-to-know).
      • Ensure that ESDC assets (laptops, tablets, approved USB encrypted drive and computers) are secured and locked in a locker when not in use and at the end of the day (and when away from the desk for an extended period of time). If not possible, the employee must use an approved security cable (whenever possible) to secure the device – even at its docking station.
      • Secure information on your computer (every time you step away from your workstation) by using "Ctrl+Alt+Del, then Enter" or "Windows/Option key+L".
      • Secure your personal valuables to prevent theft. Keep office and cabinet keys on you or locked away at all times.
      • Keep your workstation and surroundings (whiteboard, etc.) clear of any visible sensitive information including, but not limited to: User IDs or passwords, lock combinations and combinations for safes, contracts or financial information, personal/Protected client data, employee information or records, alarm codes. Remember that user IDs, passwords or lock combinations should never be written on "sticky notes" and posted on your computer or under your keyboard.
      • Shred sensitive documents using the RCMP approved shredders (based on the classification of the document following the Information Categorization Tool) or place sensitive waste in secure and approved disposal containers.
      • Use the PIN to Print functionality when printing sensitive documents (mandatory). Ensure that sensitive printed and faxed documents are never left on printers or fax machines.
      • Let your colleagues know about your absence (using an Occupant Away Card) when leaving for an extended period of time.
      • When using boardrooms, erase all whiteboards/smartboards, remove all flip chart pages containing sensitive information and make sure to Log Off from boardroom computers after the meeting. You must also not take pictures of whiteboard/smartboard meeting notes or any sensitive information with a personal or work mobile phone.
    • 5.2  If you are working in an UNASSIGNED workstation (shared seating) within an ESDC Office location, you must:

      Follow the guidelines as indicated above in an ASSIGNED workstation and also:

      • Ensure that ESDC assets (laptop or tablet) and other departmental portable electronic devices are secured at all times by locking them into a locker or with an approved security cable, whenever possible, when away from the desk.
      • Remove everything, including all personal belongings, from the workstation at the end of the day and ensure you follow the Information Categorization Tool for proper transport, handling and storage of departmental information if you are leaving with paper documents.
    • 5.3  If you are working REMOTELY from home or teleworking in Canada, you must:
      • Complete a Remote Work / Telework Security Attestation Form (ADM5019) (PDF, 113 KB) and send the completed form electronically to your Manager or fill it directly in PeopleSoft.
      • Complete the Loan of Departmental Equipment form (ADM 3004) (PDF, 96 KB) to identify all departmental assets, including listing the asset numbers, that are to be used at your remote location. This includes all departmental equipment and assets that have been borrowed from the department (monitors, laptops, etc.). Send the completed form to your manager for approval.
      • Apply the best security measures while working remotely.
      • Be conscious of those working around you and make sure your sensitive information is secure (these could be visitors, or family or friends).
      • Work Protected A and B information electronically rather than with paper documents. It is strictly forbidden to print Protected work documents at a remote location.
        • If printing of documents at your remote work or telework location is required as an essential part of your duties and the circumstances are such that there are no other alternatives, your manager will need to request an approval from the Chief Security Officer.
      • If you are working with Protected B paper documents, they must be stored into approved lockable cabinets as outlined in the ESDC Information Categorization Tool. Speak to your manager.
      • If you need to shred any Protected paper information in accordance with the Information Categorization Tool, you must bring the documents into an ESDC office (or make the necessary arrangements with your manager) using the proper containers to transport the documents.
      • Use ESDC's Sensitive Document Collaboration Service (SDCS) when working with highly sensitive information (Protected C, Confidential or Secret).
      • Contact Branch/Regional SDCS Coordinators for access.
      • Obtain the Chief Security Officer and your ADM approval when bringing or storing highly sensitive paper documents (Protected C, Confidential or Secret) to your remote work location. Top Secret documents may not be used to work remotely.
      • Secure all Protected C and Classified information (Confidential, Secret, Top Secret) in appropriate RCMP approved cabinets or containers in accordance with the ESDC Information Categorization Tool.
        • Seek your manager's approval to acquire an approved RCMP cabinet or container.
        • Shred sensitive documents using the RCMP approved shredders (based on the classification of the document) or place sensitive waste in secure and approved disposal containers; Classified documents must be destroyed in accordance with the Information Categorization Guide.
      • Ensure that any ESDC equipment under your control is stored securely at all times. If possible, choose an enclosed, lockable, designated room to perform work-related activities. Store departmental portable electronic devices (e.g. cellphone, approved USB encrypted drive, tablets, etc.) in locked cabinets when not in use, when possible.
      • Ensure that appropriate door locking mechanisms and window hardware for all access points in your home/remote location are in good working order.
      • Do not allow family members or other unauthorized individuals to use your work devices.
      • Secure information on your computer (every time you step away) by locking your workstation using "Ctrl+Alt+Del, then Enter" or "Windows/Option key+L".
      • Ensure that passwords/access codes are not displayed or shared with any other occupants and/or visitors to the remote work or telework location. Remember that user IDs, passwords or lock combinations should never be written on "sticky notes" and posted on your computer or under your keyboard.
      • At the end of the workday, if using VPN, remain connected via VPN and "Log off" your workstation; or, if using AppGate, choose "Log Off" to end your AppGate session.
    • 5.4  If you are working from a MOBILE location (Coffee Lounge, hotel, airport, etc.), you must:
      • Secure your ESDC equipment and never leave your laptop or any electronic device unattended.
      • Solely work on unclassified information. Working with Protected information (A and above) is forbidden in an open space work environment (this applies to both electronic and paper documents).
      • Beware of shoulder surfing. When possible, hide your screen from individuals nearby to ensure protection of Departmental information.
      • Whenever possible, connect to the network from a secured WIFI connection.
      • Once ready to disconnect, make sure to Sign Out from your VPN connection or AppGate session.
  • 6.  Foreign Teleworking

    The decision to allow Foreign Telework is at the discretion of the Executive Workforce Management Committee (EXWMC) after considering the risks. The review process includes a consultation with Security, Labour Relations and Occupational Health and Safety in the overall assessment of the request.

    All foreign telework agreements must be pre-approved prior to the travel date and start of any telework activities. Employees and managers must follow the Foreign Telework Procedure.

  • 7.  Compliance

    Corporate Security is currently reviewing ESDC's mechanisms to ensure compliance with these guidelines in a remote working, teleworking or mobile working environment.

    Compliance with these guidelines in an assigned work environment is verified through security inspections after core working hours when employees are away from the workplace.

    In accordance with the ESDC Code of Practice, Managers are also responsible for:

    • Ensuring their employees apply sound security practices, including the Clean Desk Guidelines.
    • Reporting the loss or theft of ESDC information or assets using the Security incident reporting process.
  • 8.  Useful Reference Material

    The following reference material can be used to help you protect ESDC information and assets:

  • 9.  Exempted Work Areas

    Given the operational environment and the nature of the work for some ESDC Programs, application of these Guidelines may not be possible in certain areas due to the large quantity of sensitive information processed on a daily basis. Some examples include:

    • Operations Centres
    • Production Areas
    • Processing Centres (Passports)
    • Mail Rooms
    • File Rooms with workstations

    As the Clean Desk Guidelines are not operationally feasible in these areas, Minimum Security Requirements (Section 10) are required to ensure the protection of sensitive information.

    As part of the oversight role, the Chief Security Officer (CSO) must assess the type of information and security measures in place in areas requesting exemptions to the Guidelines to ensure these meet the Minimum Security Requirements and approve the security measures in place in these areas.

    A Request for Exemption to the Clean Desk Guidelines (PDF, 495 KB) must be completed and sent to the exempt location's Regional Security Office, which will review and validate the information and forward the request to the CSO.

    The CSO will then review the request for exemption and approve or refuse (with comments) a location as being exempt from the application of the Clean Desk Guidelines.

  • 10.  Minimum Security Requirement for Exempted Work Areas

    At a minimum, the following security requirements must be in place in all areas exempt from the Clean Desk Guidelines:

    • Access Card control systems and restricted access; and
    • Intrusion Alarm System monitored during silent hours.