MFDs now combine printing, fax, scanning, email, and copy functions and include the ability to store and share large amounts of data over networks. This standard addresses the minimum configuration to meet the University's security requirements.
Adopted by the Information Security Committee - September 1, 2010
Preamble
This Standard sets the minimum acceptable security requirements for any Multi Function Devices (MFDs) attached to the Thompson Rivers University network. These devices generally include printing, scanning, faxing, and copying capabilities. Thompson Rivers University has introduced MFDs throughout the campus as a way of reducing the need for multiple devices, to realize cost savings, increase ease of use, reduce impact on the environment, and provide efficiencies of process. MFDs provide great value to the university, but have also opened TRU to additional risks of a breach of confidential information. This standard has been developed to secure university data while providing for operational efficiency and availability.
Standards
- The MFD administrative console password must be changed from the factory default, and comply with Thompson Rivers University minimum password standards.
- Remote configuration and support must use secure protocols (https and SSL) over port 443.
- An access control list for the administrative console password must be maintained by the Manager of Client Services.
- A firewall rule must be maintained that prevents ingress and egress from the campus perimeter to all MFDs.
- All local drives on the device must be encrypted.
- Scanned or faxed data must not be stored locally on the device.
- Scanned and faxed data may be stored in secure network directories and must meet the University’s Information Classification Standard.
- All MFDs should be secured in areas with restricted access.
- For any MFD that will be permanently removed from the TRU network, all storage media must be re-formatted to meet the University’s Information Classification Standard for disposal, before being removed from the University.
- Any unused ports must be disabled.
- FTP and Telnet services must be disabled.
- The SNMP community string must be changed from the factory default.
- If SNMP version 3 will not be used it must be turned off.
- Incoming SMTP traffic must be disabled by default. If it is to be used by a department, it must be approved by the Information Security Committee.
- All SMTP traffic must use TRU’s mail relays.
- Access controls to the MFD should be IP filtered, MAC filtered, or through the use of network print servers.
Exceptions
Exceptions to this Security Standard can only be granted by the CIO & Associate Vice President Information Technology Services of Thompson Rivers University.