Multi-functional device (MFD) policy: Networked printer/copier/fax


Introduction

The integration and innovation of copier/scanner/fax technology has created a breed of devices: multifunctional devices (MFDs). Certain features associated with these devices pose a serious infrastructure and information security risk. As with all other information resources, MFDs must be managed in a secure manner to assure protection against unauthorized access, disclosure, modification or destruction, whether accidental or deliberate, as well as to assure the availability, integrity, utility, authenticity, and confidentiality of information.

Explanation

Purpose

The purpose of the Texas Tech University MFD hardening policy document is to describe the requirements for network attachment and operations for maintaining the security integrity of the device.

Audience

The Texas Tech University MFD hardening policy applies to all individuals who are responsible for the installation of MFDs for research and business purposes, the operations of existing information resources, including but not limited to custodians of IRs, and individuals charged with information resource security.

Device hardening policy

Network and physical access
Operational standards
  • The custodian account shall have a good, strong password. (https://www.depts.ttu.edu/infotech/security/docs/password.php)
  • The administrator password must be changed initially and each time a key staff change occurs. To ensure business continuity, device managers should keep a maintenance log of activities. (https://www.depts.ttu.edu/infotech/security/docs/admin_special_access.php)
  • Many devices allow local staff to manage the equipment remotely, using network access. If the device includes this feature, all settings must be reviewed and set to ensure that only authorized individuals have access.
  • Any default passwords must be changed. (https://www.depts.ttu.edu/infotech/security/docs/password.php)
  • Before purchase, the procuring department will ensure that the device can be upgraded and patched if security vulnerabilities are found.
  • The custodian must make certain that vendors provide such updates in a timely manner.
  • Scanning to email, a common feature for MFDs, must be limited to a small group of accountable users. In all cases, sending information via email must conform to all other TTU acceptable use and security requirements. (https://www.depts.ttu.edu/infotech/security/docs/acceptable_use.php)
  • FTP, TFTP, and Telnet may not be used. (https://www.depts.ttu.edu/infotech/security/docs/unauthorized_software.php)
  • All services and features not being used must be disabled.
  • The device must have embedded security on the fax system that will ensure that the fax lines and network connections are kept separate.
  • Any data stored in the device memory or disk drives must be electronically shredded or overwritten upon completion of the task. The MFD may not be used for long-term storage of images or data.