Protect data in copiers and multifunction devices

Overview

Use the information below to help you make appropriate and informed risk-based decisions for handling information contained on office, unit, or departmental copiers and multifunction office devices.

Purchase or lease new equipment

When beginning the search for new equipment, engage and work closely with IU Purchasing. They have negotiated contracts with vendors to ensure the university receives the best prices on equipment, as well as additional protection for data processed by the machine, whether by keeping the cache encrypted, securely deleting the cache periodically, or (ideally) not keeping a cache at all.

If you have specific questions about purchasing this type of equipment, contact IU Purchasing.

Maintain and protect existing equipment

If your existing copier or multifunction device does not yet need to be replaced, you have several options for maintaining and protecting its data. UISO recommends you carefully evaluate the options and choose one commensurate with your perceived risk.

Determine whether your equipment retains digital data

Before you do anything else, determine whether your equipment is actually retaining digital copies on a hard drive. To do this, you may want to contact your sales/leasing vendor, review the manufacturer's website, or consult IU Purchasing.

Inquire about a replacement

Contact either IU Purchasing or your vendor directly to inquire about replacement equipment. All equipment contracts are different, and you may be able to replace your equipment at no cost to you.

Purchase add-on equipment and/or software

Some vendors or manufacturers sell add-ons for their equipment that either regularly destroy or encrypt the cache copies stored on the equipment's hard drive. This option may be viable if you have a large, expensive piece of equipment that can't be replaced at this time.

Note:
It has been speculated that several manufacturers have contributed to the media frenzy on this subject in an attempt to sell these add-ons. Though discussing options with a vendor is not discouraged, you should consult with IU Purchasing before making any final purchasing decisions.

Harden the device and develop departmental cleanup policies

Your best option may be to keep your current equipment and attempt to secure the data within the devices as you go. UISO recommends you take the following steps:

  • Review all the functionality of the device, decide how it is to be used (or receive that information from others), and harden the configurations. Disable every service and feature except those identified as required on an everyday basis, and apply the same restriction to how accessible the machine is via the network. Revisit the requirements of the device as often as necessary, because offices are often organic environments with changing needs.
  • Determine if your make and model of equipment offers a "disable" option with respect to maintaining digital cache copies. If so, disable that option.
  • If you can't disable the option to maintain digital cache copies, determine whether your equipment allows periodic deletion of this data. Automatic deletion at specific intervals is preferable, but manual deletion will suffice.
  • If your equipment only allows for manual deletion, determine which person in your office will be responsible for this task. Copiers and related devices have not traditionally been considered IT equipment, so an office manager or other administrative personnel may oversee your equipment.
  • If a department head wants to learn more before assigning staff hours to this task, see:

Dispose of, transfer, or retire old equipment

Since it has become public knowledge that copiers and multifunction office devices may contain sensitive personal information, you must handle their disposal carefully. IU has the following existing resources related to the disposal of hard drives and the secure removal of data, and you should apply the same standards to this type of equipment:

Learn more

For more, see Auditing and Securing Multifunction Devices from the SANS Institute Information Security Reading Room.

This is document bglz in the Knowledge Base.
Last modified on 2023-02-15 12:56:55.