It's no secret that we believe data and information security issues are important. Monique Phalen writes about security issues frequently from a network management perspective – read them here.
I've written about copier security issues as well:
- Data Breaches and Your Digital Copier Hard Drive – What You Need to Do
- Copier and Printer Security: Running From the Wolf
I'm sure some of you are thinking some variation of “is it really that much of an issue?”
Well, in a word, yes.
Businesses run on information and documents. Your information needs to be kept secure.
Even the government recognizes the security risks posed by digital copiers and printers. NIST's (National Institute of Standards and Technology) Computer Security Division provided guidance for Federal agencies in NISTIR 8023 – Risk Management for Replication Devices.
Once you wade through the stilted government writing, the recommendations are excellent.
How much risk does your printer and copier fleet pose to your business? Ask yourself these questions to find out.
The publication (which is free) includes a table with all of these questions and a number value for each that you can add up for a risk value. The link is included at the end of this post.
Without further ado, the questions.
Planning/Secure Configuration
- Is the device included within a system security plan with applicable controls implemented?
- Does the device or its control software have any relevant security certifications (e.g., Common Criteria)?
- Does the vendor/manufacturer provide information on a secure configuration for the device?
- If a secure configuration is available, has it been implemented on the device?
Third Parties
- Is the device leased by the organization?
- If leased, does the lease agreement stipulate federal ownership of storage devices internal to the device? (Obviously, this is specific to Federal government.)
- Is the device under a service contract?
- If under a service contract, does the service contract stipulate that hard disk drives (HDD) and solid state/nonvolatile storage must be removed before the device can leave organizational control?
- If under service contract, does the service contract stipulate that service technicians are not permitted to remove information stored within the device in any form?
- If under service contract, does the service contract stipulate that only Original Equipment Manufacturer (OEM) or OEM-approved replacement parts should be used?
- If not under service contract, are policies and procedures in place regarding media sanitization/removal of storage media requirements before the device or storage media can leave organizational control?
Device Storage
- Does the device have a hard disk drive (HDD) or solid state/nonvolatile storage media?
- Is the device storage media easily physically accessible (i.e., no disassembly/tools needed)?
- Can stored information be logically accessed / viewed (either at the device console or via web access)?
- Is the device storage media encrypted using approved encryption standards (i.e., FIPS 140 validation or Common Criteria certification)? FIPS is Federal Information Processing Standards. There is a draft FIPS 140-3, though FIPS 140-2 looks to be the final official document. I don't recommend reading either unless you're EXTREMELY interested in security standards.
- Are the device configuration settings encrypted using approved encryption standards (i.e., FIPS 140 validation or Common Criteria certification)?
- Does the device provide image overwrite capabilities?
- If available, is image overwrite capability enabled? (N/A if not available)
- If available, is immediate data overwrite capability enabled?
- Does the device dump memory of replicated documents/images/objects on reboot?
Network
- Is the device connected to a network?
- Is network communication encrypted using organization-approved network protocols (e.g., IPSec, SSL/TLS, WPA2)?
- Is privileged access from a network encrypted using organization-approved standards (i.e., FIPS 140 validation or Common Criteria certification)?
- Does the device prevent communications to unknown/unwanted addresses? (whitelist/blacklist)
- Does the device prevent communications from unknown/unwanted addresses? (whitelist/blacklist)
- Is the device protected by a firewall?
- Does the device allow remote configuration?
- Does the device allow call-home features?
- Does the device allow remote monitoring?
- Is the device connected via wireless (e.g., Bluetooth, 802.11)?
- Is the wireless identifier broadcasting disabled?
- Does the device allow external access by vendor technicians (for troubleshooting, updates, etc.)?
- Does the device or vendor require external access?
- Does the device have unused, open ports?
- Can the device be patched/updated?
- Must the device be patched by the manufacturer's technicians?
- Can the print server be securely configured?
- Can the print server be patched/updated?
- Must the print server be patched/updated by manufacturer's technicians?
- Is the device included in the organization's patch management program to keep software and firmware up-to-date?
- Is the device scanned for vulnerabilities with the organizationally required frequency?
Physical Security
- Is physical access to the device controlled (e.g., in a locked room)?
- Is physical access to internal device storage media controlled (e.g., using locks)?
- Are materials (e.g., paper, ink, filament) secured within the device?
- Does the device use sensitive or potentially hazardous materials or components (e.g., metal powder, laser, battery)?
- Are the sensitive or potentially hazardous materials or components secured within the device?
Access Control
- Is logical access to the device storage controlled (e.g., using passwords, PINs, user accounts or roles, etc.)?
- Is access to the device settings (configuration) controlled (e.g., using passwords, PINs, etc.)?
- Have all vendor default passwords been changed?
- If available, is privileged access (physical and logical) to the device limited to designated trained and knowledgeable staff?
- Is in-person user verification required to complete a job (i.e., push/pull printing)?
- Does the device provide functionality for controlling authentication and account management in accordance with organizational policy (e.g., password strength requirements, password changes, lockout procedures)?
- Does the device allow identification and authentication synchronization with domain credentials?
- Are logged-in users automatically logged off after a specified amount of time?
Monitoring
- Is usage of the device monitored?
- Does the device notify (e.g., send email) administrators of errors or potential incidents (e.g., multiple account lockouts)?
- Is audit/logging available and enabled on the device?
- Does the device automatically detect and mitigate DoS attacks?
- Does the device enforce time-out of queued jobs?
- Is the device temperature monitored and controlled with automatic shutoff in case of overheating?
I encourage you to think these questions through. If you're concerned about the information risk posed by your copiers, contact your copier dealer for more information.
As President and founder of AIS, I am passionate about growing our business and serving our customers. I'm proud that we are considered one of the fastest-growing companies in America. We have been named by Office Dealer magazine as the elite dealer of the year and, most recently, by ENX Magazine as an elite dealer for 2023. Our partnership with Kyocera is strong, and we have been an elite dealer for them. We're also an authorized dealer of Xerox in their Document Technology Partner Program. Before founding AIS, I was President of Toshiba Business Solutions. I enjoy staying active, both physically and professionally. Charitable endeavors include The Elizabeth Glaser Pediatric AIDS Foundation, Safe House, Christian Children’s Fund, and other faith-based charities.