Office of the CIO
Queen's University-
Information Systems Security Office
- IT Security Policies
- Standards
-
Information Security Guidelines
-
Electronic Information Security Guidelines
- A1. Antivirus and Anti-Spyware
- A2. Security Updates and Patches
- A3. File Sharing and Remote Access
- A4. Secure Data Deletion and Destruction
- A5. Encryption
- A6. Physical Computer Locking
- A7. Account Passwords
- A8. Operating System Accounts
- B1. Account Hijacking
- B2. Sharing Your Personal NetID Password
- B3. Password Changes
- C1. Physical Location of Servers
- C2. Active Services and Open Ports
- C3. Backups
- C4. Firewalls
- C5. Remote Access
- C6. Physical Location of Network Devices
- D1. System Assessments
- D2. Permissions
- E1. Queen's Employee Requirements
- E2. Third-Party Requirements
- F1. Actual or Suspected Unauthorised Access
- G1. Multifunction Devices
-
Electronic Information Security Guidelines
- Education & Awareness
- Issues & Incidents
- Services
- Templates
G1. Multifunction Device (MFD) Security Hardening Guidelines
These guidelines document the security requirements for the following networked devices:
- Printers
- Scanners
- Copiers
- Faxes
- MFDs*
* An MFD is sometimes called a multifunction printer (MFP) or all-in-one (AIO) device, and typically incorporates printing, copying, scanning, and faxing capabilities. For the purposes of these guidelines, we will refer to all of the devices listed above as MFDs.
It is assumed that networked campus MFDs are likely to handle some amount of personal, confidential, and/or operationally-sensitive University information. These guidelines are required to protect that information.
The Information Systems Security Office derived this list from government and industry documents, with a particular focus on configuration issues that are unique to the computing environment at Queen's University.
Because management interfaces for MFDs vary, even within the same product line, these guidelines provide general best practices. In order to implement them, consult your MFD’s documentation or the vendor.
Installation/Configuration Guidelines
- Change the factory default password that controls device configuration. (See website page on Creating Strong Passwords for additional information.)
- Assign an IP address. (Contact your ITAdmin Rep for assistance, and be sure to specify it is for a network printer, copier or MFD.)
- If hard disk functionality is enabled, configure the device to remove spooled files, images, and other temporary data using a secure overwrite between jobs.
- Use secure communications (such as HTTPS) to access web-based device configuration pages.
- Disable all protocols other than IP printing, if they are not being utilized.
- Upgrade to patched firmware when it becomes available from the vendor.
Decommissioning Guideline
All Multifunction Devices with hard drives must have their hard drives securely erased when removed from service and when storage components are replaced. A certificate of erasure must be supplied to Strategic Procurement Services (SPS).
- Both Seaway Solutions (Xerox) and the OT Group (Canon) will follow the necessary erasure protocols and provide a certificate of erasure to SPS whenever they decommission a leased device.
- If you own a networked MFD with a hard drive that is not leased through one of the University's enterprise agreements, ITServices offers a Hard Drive Destruction and Disposal service which can assist in the proper disposal of hard drives.
Physical Location
If your device contains a hard drive, you should choose its location carefully:
- Where possible, try to locate it in an area that has little or no public access during business hours, and is locked down during non-business hours.
- If your device is in a public area (e.g. a library), it may be necessary to lock the device to prevent access to the hard drive inside it.
Additional Information
The EDUCAUSE & Internet2 Higher Education Information Security Council (HEISC) has gathered resources on this topic and developed a list of suggested steps to take when securing campus copiers, printers, or other multifunction devices:
https://wiki.internet2.edu/confluence/display/itsg2/Copier+and+MFD+Security
References
- HP LaserJet 4345 MFP Security Checklist
- HP Secure Imaging and Printing
- Canon imagerRUNNER Security Kit
- SANS Institute Gold Paper: Auditing and Securing Multifunction Devices
- Xerox Security Bulletins
Questions?
Please contact the Information Systems Security Office.