Copier Security

Introduction


Modern copiers and printers use hard drives to facilitate advanced functionality. The default setting on these devices may lead to additional risk as sensitive information may be unknowingly stored on these devices. Security settings must be turned on or, in some cases, additional options or modules must be purchased. OIT will collect as much information as possible for securing these devices.

If your device does not have advanced security options such as disk encryption or immediately overwriting data, the hard drive must be removed and securely wiped or destroyed separately.

Best Practices


OIT recommends the following best practices for multi-function printers and copiers with disk drives:

  • Review vendor security configuration guides
  • Develop a standard configuration and review regularly
  • Enable immediate image overwrite and schedule regular off-hours overwrite (DoD 3 pass)
  • Enable encryption (minimum 128-bit AES)
  • If network-enabled, use network encryption and secure protocols such as IPSec, SSL, SNMPv3
  • Regularly review vendor security bulletins
  • Enable authentication and authorization (if possible, use network credentials)
  • Change admin password regularly
  • Enable audit log and review periodically
  • Treat network-enabled devices like any other computer on the network
  • Purchase a device which has an EAL2 Common Criteria certification

If restricted data is processed on the device, it MUST have encryption and image overwrite.

For devices which are currently in use and process restricted data but do not have the necessary security features:

  • If possible, purchase the necessary security modules and enable the features.
  • If security features cannot be purchased or enabled, replace the device as soon as is appropriate. When the device is replaced, have the hard drive removed and destroyed.
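The rules above can be applied to a device inventory as a simple audit. The following is an added example, not OIT or vendor code: the field names, the sample inventory, and the reading of "image overwrite" as immediate overwrite are assumptions made for illustration.

```python
# Added example: field names and sample inventory are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    restricted_data: bool      # device processes restricted data
    aes_bits: int              # 0 = disk encryption off or not available
    immediate_overwrite: bool
    scheduled_overwrite: bool
    snmp_version: str          # "v1", "v2c" or "v3"
    network_auth: bool
    audit_log: bool
    modules_purchasable: bool  # vendor sells the missing security option

def audit(d: Device) -> dict:
    """Return baseline findings and the action the guidance above calls for."""
    findings = []
    if d.aes_bits < 128:
        findings.append("disk encryption below 128-bit AES")
    if not d.immediate_overwrite:
        findings.append("immediate image overwrite disabled")
    if not d.scheduled_overwrite:
        findings.append("no scheduled off-hours overwrite")
    if d.snmp_version != "v3":
        findings.append(f"SNMP{d.snmp_version} in use, SNMPv3 expected")
    if not d.network_auth:
        findings.append("authentication/authorization not enabled")
    if not d.audit_log:
        findings.append("audit log disabled")
    # MUST rule: restricted data requires encryption AND image overwrite
    # (assumption: "image overwrite" is checked as immediate overwrite).
    must_ok = d.aes_bits >= 128 and d.immediate_overwrite
    if not d.restricted_data or must_ok:
        action = "remediate findings" if findings else "compliant"
    elif d.modules_purchasable:
        action = "purchase security modules and enable features"
    else:
        action = "replace device; remove and destroy hard drive"
    return {"device": d.name, "findings": findings, "action": action}

# Constructed sample inventory (hypothetical device names).
INVENTORY = [
    Device("mfp-lobby", False, 128, True, True, "v3", True, True, True),
    Device("mfp-registrar", True, 0, False, False, "v2c", False, True, True),
    Device("mfp-legacy", True, 0, False, False, "v1", False, False, False),
]
REPORT = [audit(d) for d in INVENTORY]
```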


By Vendor


Xerox

Newer Xerox devices come with security features, but these often must be turned on.
Xerox Information Security Guides: http://www.xerox.com/information-security/product/enus.html

Directions for Enabling Immediate Image Overwrite on Xerox 7665 WorkCentre:

  1. Press the [Log In / Out] button to access the Tools pathway.
  2. On the keypad enter [admin], then the current administrator password, and touch [Enter].
  3. If necessary, press [Machine Status], then touch the [Tools] tab.
  4. From Tools, select [Security Settings].
  5. Select [Image Overwrite Security], then [Immediate Overwrite].
  6. Select [Enable], then touch [Save]. The change in status will be immediately effective.
  7. Press the [Log In / Out] button to log out of the Tools pathway.

Ricoh

Ricoh security options must be purchased separately.
Guide to Ricoh security features: Ricoh Security Solutions


Canon

Canon security options must be purchased separately.
Guide to Canon security features: Canon Security Solutions


HP
  • All HP multi-function printers (MFPs) have hard drives.
  • There is a disk-wipe utility for all MFPs.
  • This utility is not installed by default and must be downloaded from HP.COM. The utility is protected by an admin account and password.
  • The utility can be configured to perform a printer disk wipe on a daily basis.
  • Some non-MFP HP printers may have hard drives. These printers will have an occupied EIO card (with resident hard drive) in the slot next to the network card. This EIO card should be physically evident when viewing the printer's external case.
  • We cannot use a third-party disk wipe utility against HP MFP hard drives without removing the drive from the card, which is likely to cause damage to the card and, possibly, the hard drive.
  • Non-MFPs with hard drives are somewhat rare and may be purchased for special purposes.
  • Non-MFPs with hard drives and network connections can be remotely disk wiped. Non-MFPs with a hard drive but without a network connection need to be handled by HP.
  • For leased HP printers, it is suggested that the agreements include a defective media retention provision that permits the lessor to keep the hard drive before releasing the printer.
  • The WebJetAdmin tool, downloadable from HP.COM, can scan a network subnet and identify HP printers (and non-HP printers if the tool has a MIB for the non-HP printer).