Approved Date – 02/22/2021
Published Date – 02/22/2021
Reviewed Date – 03/13/2023
Specify the requirements for keeping a clean workspace where the District of Columbia Government (“District”) sensitive and confidential data (e.g., employee’s details, clients, vendors, and intellectual property data) is secured.
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Office (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District’s government agencies under the authority of the District’s Mayor. This document can be found at https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This Policy also applies to any provider and third-party entity with access to the District’s information, systems, networks, and applications.
4.1. All users are required to secure all sensitive District data in their workspace after the workday or when they are expected to be away from their workspace for an extended period. This includes both electronic and physical hardcopy information.
4.2. IT systems such as computer workstations/phones/laptops must be locked (quiesced, logged out, or shut down) when unattended for an extended period and at the end of the workday. Portable devices like laptops, phones, and tablets must be stored in a way to minimize the risk of physical removal.
4.3. Mass storage devices such as CD, DVD, USB drives, or external hard drives must be treated as sensitive material and locked away when not in use.
4.4. Printed materials must be immediately removed from printers or fax machines. Printing physical copies should be reserved for moments of absolute necessity. Documents should be viewed, shared, and managed electronically whenever possible.
4.5. All sensitive documents and restricted information must be placed in the designated shredder bins for destruction or placed in the locked confidential disposal bins.
4.6. File cabinets and drawers containing sensitive information must be kept closed and locked when unattended and not in use.
4.7. Passwords must not be written down or stored anywhere physically. Please refer to the password policy for further guidance.
4.8. Keys and physical access cards must not be left unattended. All users are required to secure all sensitive District data in their workspace after the workday or when they are expected to be away from their workspace for an extended period. This includes both electronic and physical hardcopy information.
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
The definition of the terms used in this document can be found in the Policy Definitions website.