An IS auditor who is reviewing incident reports discovers that, in one instance, an important
document left on an employee’s desk was removed and put in the garbage by the outsourced
cleaning staff. Which of the following should the IS auditor recommend to management?

A. Stricter controls should be implemented by both the organization and the cleaning agency.
B. No action is required since such incidents have not occurred in the past.
C. A clear desk policy should be implemented and strictly enforced in the organization.
D. A sound backup policy for all important office documents should be implemented.
Explanation:
An employee leaving an important document on a desk and the cleaning staff removing it may have
a serious impact on the business. Therefore, the IS auditor should recommend that stricter controls
be implemented by both the organization and the outsourced cleaning agency. That such incidents
have not occurred in the past does not reduce the seriousness of their impact. Implementing and
monitoring a clear desk policy addresses only one part of the issue: it covers the employee's behavior
but not the cleaning agency's. Appropriate confidentiality agreements with the cleaning agency, along
with ensuring that the cleaning staff has been educated on the dos and don'ts of the cleaning process,
are also controls that should be implemented. The risk here is not a loss of the data, but disclosure
of the data to unauthorized parties. A backup policy restores availability; it does not address the
issue of unauthorized disclosure of information.