August 14, 2015
GCN reported on the Federal Trade Commission’s study, “Copier Data Security: A Guide for Businesses”, which detailed 10 steps that agencies “must consider” in setting up adequate security measures, based on “common scenarios”. The first is to require user authentication, which “enables the auditing, reporting and tracking of user activity”, as well as other features.
Secondly, access ought to be restricted according to user authorisation, preventing users from accessing resources on the network “that they normally do[n’t]”. The third step is to “centrally audit all network activity”, since compliance security standards require most organisations to regularly review information system activity records. These include “audit logs, access reports and security incident tracking reports”, and the report said that “centrally building an audit trail of all copy, print, scan, email and fax activity” for every networked MFP will ensure compliance.
Fourthly, users are advised to “encrypt data” coming and going from the MFP, which requires “all data[…] to be encrypted”, while government departments must “leverage encryption technology” to meet specific security guidelines. Implementing pull printing is the fifth step, involving the printer user “authenticat[ing] at the device before documents are released”. Only documents associated with the authenticated user may be printed, and the print job “must not be stored on the device prior to printing”.
Sixthly, rules-based printing is recommended to control output by “analysing print jobs before release, based on a set of established rules, to determine how they are printed”. Examples are given of groups with “established print policies”, including the US Army Directive 2013-26 “Armywide Management of Printing and Copying Devices” and the General Services Administration’s PrintWise programme, which can enact these policies “with the implementation of rules-based printing functionality”.
The seventh step is to “enforce trusted destinations” by configuring devices to “properly prevent documents from being scanned or faxed to any destinations that may risk sensitive data exposure”. Networked MFPs configured for scan-to-email are “high risk”, as is outbound analogue faxing “without controls in place” for validating the recipient’s email address or fax number.
Eighthly, monitoring and controlling personally identifiable information (PII) is encouraged, which most US government organisations already have a policy to protect. The Department of Homeland Security has issued a “Handbook for Safeguarding Sensitive Personally Identifiable Information”, which details guidelines that all employees must follow to protect PII within and external to the organisation. Similarly, the US Navy published a “Users Guide to PII” with compliance standards and protective measures for the Navy and Marine Corps.
The report advises agencies to “leverage software to systematically enforce the PII policies they have enacted”; where no such solution is in place, “organizations must rely on employees manually following protocol, leaving no room for user error”. Standardising and integrating network scanning is the ninth point, as a “common problem” for traditional MFPs is that none of the devices share the same setup for document scanning. Typically, each MFP is “manually mapped to a network file share” and there is no standardised process for the organisation.
Unifying the setup methods into one technique gives administrators central control of network folder scanning through a single configuration. Integration support is also needed “for all of the major commercial off-the-shelf document systems” so that direct and secure scanning can take place. The final step is to secure print processes, ensuring protection of “both the physical and electronic access points on their MFPs”.
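To make the release rules above concrete, here is an added example (not from the FTC guide or GCN) of a small policy check an MFP print/scan server could run before releasing a job: it ties together pull printing (step 5), trusted destinations (step 7), PII control (step 8) and the central audit record (step 3). The trusted domains, fax number and SSN pattern are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed policy values for illustration; an agency would load its own.
TRUSTED_EMAIL_DOMAINS = {"agency.example.gov"}
TRUSTED_FAX_NUMBERS = {"+15555550100"}
# Simple PII pattern (US SSN); real deployments use broader, tuned detectors.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

@dataclass
class Job:
    kind: str                 # "print", "scan_to_email" or "fax"
    owner: str                # authenticated user who submitted the job (step 1)
    destination: str = ""     # recipient email address or fax number
    text: str = ""            # extracted document text, used for the PII check

def evaluate_job(job, released_by=""):
    """Apply the release rules; returns (allowed, list of violations)."""
    reasons = []
    # Step 5, pull printing: only the authenticated submitter may release the job.
    if job.kind == "print" and released_by != job.owner:
        reasons.append("pull-print: releasing user is not the job owner")
    # Step 7, trusted destinations: scan-to-email only to allow-listed domains.
    if job.kind == "scan_to_email":
        domain = job.destination.rpartition("@")[2].lower()
        if domain not in TRUSTED_EMAIL_DOMAINS:
            reasons.append(f"untrusted email destination: {job.destination}")
    # Step 7, outbound fax only to validated numbers.
    if job.kind == "fax" and job.destination not in TRUSTED_FAX_NUMBERS:
        reasons.append(f"unvalidated fax destination: {job.destination}")
    # Step 8, PII control: block outbound documents containing an SSN pattern.
    if job.kind in ("scan_to_email", "fax") and SSN_RE.search(job.text):
        reasons.append("PII (SSN pattern) found in outbound document")
    return (not reasons, reasons)

def audit_record(job, released_by=""):
    """Step 3: one central audit-trail entry per job decision."""
    allowed, reasons = evaluate_job(job, released_by)
    return {"user": job.owner, "activity": job.kind, "destination": job.destination,
            "allowed": allowed, "reasons": reasons}

if __name__ == "__main__":
    # Constructed sample jobs: a valid and an invalid pull-print release,
    # an in-policy scan and a scan that is both off-domain and carries PII.
    for job, who in [
        (Job("print", "alice"), "alice"),
        (Job("print", "alice"), "bob"),
        (Job("scan_to_email", "alice", "clerk@agency.example.gov", "Routine memo"), "alice"),
        (Job("scan_to_email", "alice", "x@mail.example.com", "SSN 123-45-6789"), "alice"),
    ]:
        print(audit_record(job, who))
```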
The report points out that the costs in terms of penalties and settlements of failing to safeguard sensitive information are growing, while there are already too many “touch points that create risk” when sharing information. For the most part, these involve technologies that organisations rely on – in particular networked MFPs with copy, print, scan, fax and email functions.