A clean desk policy is a managerial control that requires employees to remove or secure sensitive documents, devices, and login credentials from their workstation when unattended, reducing the risk of unauthorized viewing or theft.
A clean desk policy is a rule that tells employees to clear their workstation of anything sensitive whenever they step away. Printed contracts, sticky notes with passwords, unlocked laptops, USB drives, all of it gets locked up or put away. The idea is simple: if it's not sitting out in the open, a passerby, a visitor, or a thief can't read it or grab it.
In AP Cybersecurity terms, this is a managerial control. That means it's a policy or procedure, not a piece of hardware or software. It's a close cousin of the workstation security policy described in EK 2.3.A.2, which spells out how to protect a physical workplace and often requires locking devices before walking away. A clean desk policy targets the human habit side of physical security, the stuff people leave lying around, rather than the lock on the door itself.
This term lives in Unit 2: Securing Spaces, specifically Topic 2.3 Protecting Physical Spaces. It directly supports learning objective AP Cybersecurity 2.3.A, identifying managerial controls related to physical security, and connects to EK 2.3.A.2's workstation security policy. It also ties into AP Cybersecurity 2.3.B, determining mitigation strategies for physical vulnerabilities, because leaving sensitive papers visible is exactly the kind of vulnerability a defender wants to close. The big theme here is that not every security control is technical. Some of the cheapest, most effective defenses are just rules about human behavior.
Keep studying AP Cybersecurity Unit 2
Visual cheatsheet
view galleryWorkstation Security Policy (Unit 2)
A clean desk policy is one piece of a broader workstation security policy. Where the workstation policy says 'lock your device before stepping away,' the clean desk rule says 'and clear your desk too.' They work as a pair to protect a single work area.
Managerial Control (Unit 2)
A clean desk policy is the textbook example of a managerial control: a written rule that shapes behavior. Compare it to a physical control like a door lock or a technical control like encryption. Same goal of protecting data, totally different tool.
Preventative Control (Unit 2)
Think about what the policy does to an attack. It stops the bad thing before it happens, so it's preventative. A shoulder-surfer or a sneaky visitor never gets the chance to read those contracts if the desk is already cleared.
Security Awareness Training (Unit 2)
A policy only works if people follow it, which is why EK 2.3.A.1 pairs employee awareness training with physical security. The training teaches the habit; the clean desk policy is the habit it teaches.
Expect this term in multiple-choice questions in two flavors. First, identification stems give you a scenario and ask you to name the control, like an employee leaving 'sensitive client contracts and financial statements visible on the desk' and asking which managerial control should prevent it. The answer is the clean desk policy. Second, application stems ask you to spot a correct example of implementing a clean desk policy, such as locking documents away or clearing the workspace before leaving. Your job is to recognize this as a managerial control (a rule about behavior) and not confuse it with a physical control like a lock or a technical control like a password. No released FRQ has used this term verbatim, but it fits the kind of mitigation-strategy reasoning AP Cybersecurity rewards: name the vulnerability, then match the right control to it.
A clean desk policy is a managerial control, a written rule about what people do. A physical control is actual hardware like a lock, a fence, or a bollard. Locking documents in a cabinet uses a physical control, but the rule that says you MUST lock them up is the clean desk policy. The policy is the instruction; the lock is the tool.
A clean desk policy requires employees to clear or secure sensitive documents, devices, and credentials when they leave their workstation.
It is a managerial control, meaning it's a written rule about behavior, not a piece of hardware or software.
It lives in Unit 2, Topic 2.3, and supports learning objective AP Cybersecurity 2.3.A on managerial controls for physical security.
It works as a preventative control because it stops unauthorized viewing or theft before it can happen.
It pairs with a workstation security policy and security awareness training, since the rule only works if employees actually follow it.
It's a managerial control that requires employees to remove or lock away sensitive materials like printed contracts, USB drives, and password notes whenever they step away from their desk, so no one can read or steal them.
It's a managerial control. It's a written rule that shapes how people behave, not a physical object. The lock you use to secure the documents is the physical control; the rule telling you to use it is the clean desk policy.
A workstation security policy is the broad set of rules for protecting a work area, including locking your device before walking away. A clean desk policy is the narrower piece focused on clearing sensitive papers and materials off the desk itself. The clean desk rule is part of the bigger workstation policy.
It's a preventative control. It stops an attack before it happens by making sure there's nothing sensitive left out for someone to view or grab, rather than detecting or fixing a breach after the fact.
Clearing sensitive client contracts and financial statements off your desk and locking them in a drawer before you leave the room. On the exam, scenarios where someone leaves confidential papers visible are pointing you straight at this control.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.