Much like any technology in the workplace, copiers and multifunction office devices have evolved to include many new features, such as the ability to not only copy, but also to scan, fax and email documents. However, there is a potential security issue surrounding data retention on these devices—specifically, that some models retain a cached digital "copy" on a hard drive of some or all documents printed, scanned, or processed by the machine.
Note: Multifunction device may refer to, but is not limited to: photocopiers, scanners, and fax machines.
Purchasing/Leasing New Equipment
The university's Managed Copier Program leases multifunction devices/copiers to units through a strategic supplier contract. Xerox Corporation is the current strategic supplier. The program eliminates the need to purchase equipment, except in rare circumstances. Contact U-M Procurement Services for more information about the Managed Copier Program.
If you are in the middle of a product's life, you have several options for minimizing risks associated with data retention. First, determine whether your equipment is retaining digital copies on a hard drive, then evaluate the options based on the perceived risk:
- Inquire about a replacement. Contact Procurement Services to inquire about replacement equipment.
- Purchase add-on equipment and/or software. Several vendors and/or manufacturers produce add-ons to their equipment for additional purchase that either regularly destroy or encrypt the cache copies that are stored on the equipment's hard drive. If you have a large, expensive piece of equipment that is inappropriate to replace at this time, this option may be viable.
- Harden the device and develop departmental clean-up policies. Your best option may be to keep your current equipment and attempt to secure the data within the devices. In this case, here are the necessary steps to take:
- Disable every service and feature except those identified as required on an everyday basis, including how accessible the machine is via the network. Revisit the requirements of the device as often as necessary, as offices are often organic environments with changing needs.
- For devices connected to a network, disable Internet access and use private IP addresses (i.e., RFC 1918).
- Change the administrator password from its default value. All Konica devices share the same default password, which opens the device up to anyone with this knowledge. Once the password has been changed, be sure to share it with your repair technician.
- Ensure the Konica technician enables the secure deletion setting for each image/copy processed.
Disposing of, Transferring, or Retiring Old Equipment
Once a machine has reached the end of its lifecycle, its disposal must be handled carefully. If the machine is destined for another department, be sure to reset the NVRAM. If you use the Managed Copier Program, work with them on disposing old equipment. If you have not used the Managed Copier Program, contact Property Disposition for information.
External Resources for Managing Copiers and Multifunction Devices
- SANS Institute InfoSec Reading Room: Auditing and Securing Multifunction Devices
- The University of Texas at Austin: Multifunction Device Hardening Checklist
- Information Security Guide: Eight Steps to Secure Your Copier or Multi-Function Device (MFD)