Securing Multi-Function Print Devices

Multi-Function Print Device’s (MFPD) are essentially computers that contain hard-drives and memory capable of capturing images. Data is stored on the device whenever someone prints, copies, scans, or faxes. The following information can help in protecting confidential data from unauthorized access.

Acquiring New MFPDs

• Involve the agency IT staff or ITD in the procurement of MFPDs.
• Leverage the mandatory State Contract for Copiers, Multifunctional Devices & Related Services (#131).
• Acquire a data security kit with the ability to overwrite and remove data on all internal storage devices at the point of purchase or lease.

Retrofitting Existing MFPDs

For devices purchased prior to July 1, 2009, either

• Acquire a data security kit with the ability to overwrite and remove data on all internal storage devices from the vendor, or
• Accept agency responsibility for ensuring proper disposal of the internal storage devices. All data should be removed prior to transferring the device to State Surplus Property. If the data cannot be successfully removed, the agency must notify State Surplus Property so that the MFPD is submitted to an E-Waste vendor that can properly dispose of and/or destroy the equipment and all internal storage devices.

For devices leased prior to July 1, 2009

• Accept agency responsibility for ensuring the proper disposal of the data on all internal storage devices prior to returning the MFPD to the lessor.

Maintaining MFPDs

• Involve the agency IT staff or ITD when vendors and administrative professionals are configuring devices.
• Include language in maintenance agreements disallowing vendors from changing or resetting security configurations (or instructing others to do so) without first involving the agency IT staff or ITD.
• Assign responsibility to the agency IT staff for securing MFPDs based on security best practices and network standards.
  • Agencies should ensure that unnecessary communication protocols are disabled.
  • Agencies should ensure that maintenance agreements and contracts include patching and that the agency IT staff or ITD is involved in the patching process.
  • The Enterprise Architecture Operating System Critical Updates Standard states, "All PCs connected to the state network will be kept current with critical updates." This may be amended to include MFPDs in the future.
  • Where possible, agencies must comply with the Enterprise Architecture Access Control Standard which states, “For network–attached devices all default authentication credentials shall be changed.”