Clear Desk and Clear Screen Policy
The clear desk and clear screen policy requirement (HITRUST CSF v11 01.h) means you must prevent sensitive information from being exposed in physical work areas or on unattended devices. Put papers and removable media away in secured storage, and require screens to lock when a workstation is left unattended. (HITRUST CSF v11 Control Reference)
Key takeaways:
- You need both a written policy and operational enforcement (locked storage, auto-lock screens, and user behavior).
- Auditors look for technical settings (screen lock) plus spot-check evidence that desks, printers, and shared areas stay clear.
- Scope includes offices, clinics, remote work, shared workstations, and any area where sensitive information could be viewed or removed.
A “clear desk and clear screen policy” is one of those requirements that looks simple, then fails in practice because it crosses three domains: physical security, endpoint configuration, and daily staff behavior. HITRUST CSF v11 01.h requires you to adopt both policies and make them real: sensitive business information must be locked away, and computer screens must be locked when workstations are unattended. (HITRUST CSF v11 Control Reference)
For a Compliance Officer, CCO, or GRC lead, the goal is operational clarity: what “sensitive business information” means in your environment, which areas and roles are high-risk, what configurations you must enforce centrally, and what evidence you can produce on demand. A good program is not a poster on a wall; it’s a mix of enforceable standards (MDM/GPO screen lock settings), secure storage (lockable cabinets, badge-controlled rooms), and lightweight verification (walkthroughs, manager attestations, and exception handling).
This page translates the requirement into an implementable checklist with artifacts that stand up in a HITRUST-aligned assessment and reduces the most common failure modes: unclear scope, weak enforcement for remote work, and “policy-only” compliance.
Regulatory text
Requirement (verbatim): “A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. Sensitive business information shall be locked away, and computer screens shall be locked when workstations are unattended.” (HITRUST CSF v11 Control Reference)
Operator meaning: You must (1) define rules for how paper and removable media are handled in work areas, (2) define rules for keeping screens from displaying sensitive information when unattended, and (3) implement controls so sensitive information is actually secured and screens are actually locked. (HITRUST CSF v11 Control Reference)
Plain-English interpretation (what the requirement is really asking)
A clear desk policy prevents “casual exposure” and “easy removal” of sensitive information. That includes papers left on desks, documents abandoned on printers, and removable storage media (USB drives, external disks, backup media) left unsecured. A clear screen policy prevents shoulder-surfing and opportunistic access by requiring users to lock their workstation when stepping away and by enforcing automatic locking.
In audits, this control is assessed as a blend of:
- Policy and communication: staff know the rules and can repeat them.
- Physical safeguards: lockable storage and secure disposal exist where needed.
- Technical safeguards: endpoint settings enforce screen lock behavior.
- Verification: you can show the control is followed and exceptions are managed.
Who it applies to (entity and operational context)
Entity scope: All organizations implementing HITRUST CSF controls, across all business units and sites. (HITRUST CSF v11 Control Reference)
Operational scope (where it must work):
- Corporate offices, clinics, call centers, and any facility where sensitive information is handled.
- Shared workstations (nursing stations, front desks, reception, lab intake, warehouse terminals).
- Remote and hybrid work locations where staff handle sensitive information at home or in co-working spaces.
- Third-party locations where your staff operate on-site, and internal areas where third-party staff may have access.
People scope (who must follow it):
- All workforce members (employees, contractors, temps) who access sensitive business information.
- High-risk roles: clinical operations, revenue cycle/billing, customer support, IT admins, HR, legal, finance.
What you actually need to do (step-by-step)
1) Define “sensitive business information” for this policy
Write a short scoping statement that aligns to how your organization classifies information. Keep it practical:
- Examples: patient records, claim data, customer lists, HR files, incident reports, credentials, security diagrams, contracts, financial reports.
- Include physical and digital forms: printed emails, screenshots, handwritten notes with identifiers, removable media.
Deliverable: Clear Desk & Clear Screen Policy with explicit in-scope data examples. (HITRUST CSF v11 Control Reference)
2) Set clear desk rules people can follow without debate
Minimum rules to include:
- End-of-day standard: desks and shared surfaces must be cleared of sensitive papers; store in locked drawers/cabinets or secure rooms.
- “Step away” standard: if you leave a workspace where paper is visible to others, secure it (cover sheet, lock drawer, or take it with you).
- Printer and fax hygiene: no sensitive documents left in output trays; use secure print if available; retrieve immediately.
- Removable media handling: store removable media in locked storage when not in use; label and track if your environment requires it; never leave it unattended.
Operational add-ons that reduce real-world friction:
- Provide lockable storage where you expect compliance.
- Put shred bins (or other approved secure disposal) near printers and high-volume areas.
Deliverable: Work area standards (one-page quick reference) plus facility readiness checklist (storage, shredding, printer placement).
3) Set clear screen rules and make them enforceable
Your policy should require:
- Manual lock: users lock screens when leaving a workstation unattended.
- Auto-lock: devices automatically lock after inactivity.
Then enforce with IT configuration:
- Use your endpoint management tooling (GPO/MDM) to require password-protected screen lock and inactivity timeout across laptops, desktops, and shared workstations where feasible.
- For shared workstations, design a workflow that supports frequent lock/unlock (badge tap, SSO, fast user switching) so users do not bypass the control.
Deliverable: Endpoint configuration standard mapped to clear screen requirements, plus screenshots/exports showing settings are deployed. (HITRUST CSF v11 Control Reference)
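An added audit helper (not part of the HITRUST text or any vendor tool) for the "screenshots/exports showing settings are deployed" deliverable: run on a managed Windows endpoint, it reads the registry values that a GPO or MDM screen-lock policy writes and records whether they meet an assumed internal standard of a password-protected lock after at most 15 minutes (900 seconds) of inactivity. The threshold and the CSV output path are assumptions; the registry locations are the ones the built-in Windows policies use.

```powershell
# Added audit helper (not from HITRUST or any vendor): reads the registry values
# that a GPO/MDM screen-lock policy writes on a Windows endpoint and reports
# whether they satisfy an assumed internal standard of a password-protected
# lock after no more than 15 minutes (900 s) of inactivity.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means the policy is not deployed
}

function Test-ClearScreenSettings {
    param([int]$MaxTimeoutSeconds = 900)   # assumed standard; adjust to your policy

    # Machine-wide setting behind "Interactive logon: Machine inactivity limit"
    $machineLimit = Get-PolicyValue `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

    # Per-user GPO screen-saver settings (enabled, password-protected, timeout)
    $userPath  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ssActive  = Get-PolicyValue $userPath 'ScreenSaveActive'
    $ssSecure  = Get-PolicyValue $userPath 'ScreenSaverIsSecure'
    $ssTimeout = Get-PolicyValue $userPath 'ScreenSaveTimeOut'

    $machineOk = ($null -ne $machineLimit) -and ($machineLimit -gt 0) -and
                 ($machineLimit -le $MaxTimeoutSeconds)
    $userOk    = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and
                 ($null -ne $ssTimeout) -and ([int]$ssTimeout -le $MaxTimeoutSeconds)

    # Either mechanism locks an unattended session; record both for the evidence file
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        UserName               = $env:USERNAME
        MachineInactivitySecs  = $machineLimit
        ScreenSaverEnforced    = $ssActive
        ScreenSaverSecure      = $ssSecure
        ScreenSaverTimeoutSecs = $ssTimeout
        Compliant              = ($machineOk -or $userOk)
        CheckedAt              = (Get-Date).ToString('s')
    }
}

# Run on the endpoint and append the result to a CSV kept as assessment evidence
# (output path is an assumption; point it at your evidence share)
Test-ClearScreenSettings | Export-Csv -Path "$env:TEMP\clear-screen-evidence.csv" -Append -NoTypeInformation
```

A row with Compliant = False on a device that the MDM/GPO report lists as in scope is exactly the kind of gap to open a ticket for before an assessor finds it.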
4) Cover remote work explicitly (this is where many programs fail)
Add remote-specific rules:
- No sensitive paper left visible at home; store in a locked drawer/cabinet.
- Avoid printing sensitive data at home unless authorized and disposal is secure.
- Lock screen whenever stepping away, even at home.
- Prevent family/roommates/visitors from viewing screens; use privacy filters where risk warrants.
Deliverable: Remote work addendum to the policy and remote workforce acknowledgment.
5) Train, then reinforce with lightweight monitoring
Training does not need to be long. It must be memorable and tied to actual work patterns:
- Short training module plus manager talking points for teams with heavy paper use.
- Visual reminders in printer areas and shared workstations.
- A cadence of walkthrough spot-checks by site leads or department managers.
Deliverable: Training completion records, spot-check logs, and remediation follow-ups.
6) Implement exceptions and compensating controls
You will have edge cases: active patient charts, manufacturing floor runbooks, large-format printing, emergency operations. Handle them explicitly:
- Require a documented exception with owner, rationale, scope, compensating control, and review cadence.
- Compensating controls can include restricted-access rooms, visitor escort rules, or privacy screens.
Deliverable: Exception register and approved exception memos.
Required evidence and artifacts to retain
Auditors usually want proof across policy, technical enforcement, and operations. Keep:
- Approved Clear Desk and Clear Screen Policy and revision history. (HITRUST CSF v11 Control Reference)
- Workforce acknowledgments (new hire + periodic re-acknowledgment where your program requires it).
- Endpoint configuration evidence (GPO/MDM settings, device compliance reports, screenshots/exports).
- Physical security evidence: photos of lockable storage, shred bins, secure printer configurations, badge access to secure rooms.
- Training records and role-based materials for high-risk teams.
- Spot-check/audit logs: date, area checked, findings, corrective actions, closure evidence.
- Exception register with compensating controls and approvals.
Tip for speed: in Daydream, teams often centralize these artifacts in a single control record so your assessor sees policy + configs + monitoring in one place instead of scattered folders.
Common exam/audit questions and hangups
Expect these questions and prepare crisp evidence:
- “Show me the policy and where it states screens must lock when unattended.” (HITRUST CSF v11 Control Reference)
- “How do you enforce screen lock across endpoints? Is it configurable per device type?”
- “How do you handle shared workstations and clinical areas where staff step away frequently?”
- “What about printers, faxes, and intake desks? Who checks those areas?”
- “How do remote workers comply with clear desk expectations?”
- “Show me exceptions and compensating controls for areas that can’t comply fully.”
Hangup to avoid: saying “it’s in the policy” without showing technical enforcement and monitoring. HITRUST assessors tend to look for both.
Frequent implementation mistakes (and how to avoid them)
- Policy-only compliance
  - Fix: pair policy with MDM/GPO enforcement and recurring spot checks.
- Ignoring printers and shared spaces
  - Fix: make printer areas a named control location, add secure print where feasible, and assign local ownership (office manager, unit lead).
- No lockable storage where paper exists
  - Fix: do a quick facilities readiness pass before rolling out strict rules; otherwise you train people into noncompliance.
- Shared workstation workarounds
  - Fix: design for fast re-authentication so staff don’t disable locking. If lock settings are relaxed for workflow reasons, document the compensating controls.
- Remote work not addressed
  - Fix: include remote rules and require acknowledgment; treat home printing and paper storage as controlled activities.
Enforcement context and risk implications
Even without a specific public enforcement case to cite here, the risk is straightforward: exposed paper and unattended screens are a common cause of privacy incidents, credential compromise, and unauthorized disclosure. Operationally, failures show up as walk-through findings, complaint-driven investigations, and incident tickets after someone spots sensitive data in a shared space. The control reduces both probability (less exposure opportunity) and impact (less data visible or removable).
Practical 30/60/90-day execution plan
First 30 days: establish the control baseline
- Publish/refresh the clear desk and clear screen policy with concrete examples of sensitive information. (HITRUST CSF v11 Control Reference)
- Identify high-risk areas (printers, reception, nursing stations, HR/finance) and assign owners.
- Confirm lockable storage and secure disposal exist where needed; open facilities tickets for gaps.
- Set or validate endpoint screen-lock standards in MDM/GPO; document current state and gaps.
Days 31–60: implement enforcement and prove coverage
- Roll out enforced screen lock settings to managed devices; document deployment evidence.
- Implement secure print or procedural controls in high-risk printer areas.
- Run targeted training for teams that handle paper daily.
- Start spot-checks with a simple checklist and corrective action tracking.
Days 61–90: harden, measure, and operationalize
- Address repeat spot-check findings with manager escalation and process fixes.
- Formalize exception handling and compensating controls for problem areas.
- Add the control to internal audit or compliance monitoring routines.
- Consolidate evidence into a single assessment-ready package (policy, configs, training, spot checks, exceptions). Daydream is typically where teams standardize this evidence set to reduce scramble during assessment.
Frequently Asked Questions
Does “clear desk” mean no paper is allowed on desks during the workday?
No. It means sensitive papers can’t be left exposed when not actively in use, and must be secured when a workspace is unattended or at end of day. Your policy should define what “secured” means in each area. (HITRUST CSF v11 Control Reference)
What counts as “unattended” for clear screen purposes?
Treat “unattended” as any time the user is not in a position to prevent someone else from viewing or using the session. Write it plainly: if you step away, lock the screen. (HITRUST CSF v11 Control Reference)
Do we need automatic screen lock if employees are trained to lock manually?
The requirement states screens shall be locked when workstations are unattended; training alone is hard to prove and easy to bypass. Most programs meet this by enforcing auto-lock and still training manual lock for immediate step-away scenarios. (HITRUST CSF v11 Control Reference)
How do we handle shared workstations where frequent locking slows down operations?
Keep the lock requirement, then make re-authentication fast (SSO, badge tap, fast user switching) and restrict the area physically. If you must tune timeouts for workflow, document the rationale and compensating controls as an exception.
Are removable media controls really part of “clear desk”?
Yes. The text explicitly includes “removable storage media,” so your policy should cover secure storage, not leaving drives unattended, and handling rules for high-risk data. (HITRUST CSF v11 Control Reference)
What evidence is most persuasive in an assessment?
A signed policy, enforced endpoint settings, and recurring spot-check results with documented fixes are usually the fastest way to show the control operates as written. (HITRUST CSF v11 Control Reference)