<section title="11.8. Multifunction Devices, Network Printers and Fax Machines"><subsection title="Objective"><paragraph
    title="11.8.1."


><![CDATA[<p>Multifunction devices (MFDs), network printers and fax machines are used in a secure manner.</p>]]></paragraph>
 </subsection>
<subsection title="Context"> <block title="Scope"><paragraph
    title="11.8.2."


><![CDATA[<p>This section covers information relating to MFDs, network printers and fax machines connected to either the ISDN, PSTN, HACE or other networks. Further information on MFDs communicating via network gateways can be found in&nbsp;<a title="Data import and export" href="http://nzism.gcsb.govt.nz/ism-document#Section-16876">Section 20.2 - Data Import and Export</a>.</p>]]></paragraph>
</block>
</subsection>
<subsection title="Rationale &amp; Controls"> <block title="MFD, network printer and fax machine usage policy"><paragraph
    title="11.8.3.R.01."

    tags="Communications systems,Governance,MFDs"


><![CDATA[<p>MFDs, network printers and fax machines are capable of communicating classified information and are a potential source of information security incidents. It is therefore essential that agencies develop a policy governing their use.</p>]]></paragraph>
<paragraph
    title="11.8.3.C.01."

    tags="Communications systems,Governance,MFDs"


    classification="All Classifications"
    compliance="Must"
    cid="2537"
><![CDATA[<p>Agencies MUST develop a policy governing the use of MFDs, network printers and fax machines.</p>]]></paragraph>
</block>
<block title="Sending fax messages"><paragraph
    title="11.8.4.R.01."

    tags="Communications systems,Technical"


><![CDATA[<p>Once an MFD or fax machine has been connected to cryptographic equipment and used to send a classified fax message, it can pose a risk if it is subsequently connected directly to unsecured telecommunications infrastructure or the public switched telephone network (PSTN). For example, if a fax machine fails to send a classified fax message it will continue attempting to send that message, even after it has been disconnected from the cryptographic device and connected directly to the PSTN. The fax machine could then send the classified message in the clear, causing an information security incident. Queued or retained jobs should therefore be cleared from the device before it is connected to any less protected path.</p>]]></paragraph>
<paragraph
    title="11.8.4.R.02."

    tags="Communications systems,Technical"


><![CDATA[<p>Non-encrypted communications may be exposed in transmission and, if incorrectly addressed or an incorrect recipient number is entered, may cause a data breach.</p>]]></paragraph>
<paragraph
    title="11.8.4.C.01."

    tags="Communications systems,Technical"


    classification="Top Secret, Secret, Confidential"
    compliance="Must"
    cid="2543"
><![CDATA[<p>Agencies sending classified messages MUST ensure that the message is encrypted to an appropriate level when communicated over unsecured telecommunications infrastructure or the public switched telephone network.</p>]]></paragraph>
<paragraph
    title="11.8.4.C.02."

    tags="Communications systems,Technical"


    classification="Top Secret, Confidential, Secret"
    compliance="Must"
    cid="2545"
><![CDATA[<p>Agencies MUST use one set of MFDs or fax machines for sending classified messages and a separate set for sending messages classified RESTRICTED and below.</p>]]></paragraph>
</block>
<block title="Receiving fax messages"><paragraph
    title="11.8.5.R.01."

    tags="Communications systems,Technical"


><![CDATA[<p>Whilst the communications path between MFDs and fax machines may be appropriately protected, personnel need to remain cognisant of the need-to-know of the information that is being communicated. As such it is important that fax messages are collected from the receiving MFD or fax machine as soon as possible. Furthermore, if an expected fax message is not received it may indicate that there was a problem with the original transmission or the fax message has been taken by an unauthorised person.</p>]]></paragraph>
<paragraph
    title="11.8.5.C.01."

    tags="Communications systems,Technical"


    classification="All Classifications"
    compliance="Should"
    cid="2562"
><![CDATA[<p>The sender of a fax message SHOULD make arrangements for the receiver to:</p>
<ul>
<li>collect the fax message as soon as possible after it is received; and</li>
<li>notify the sender immediately if the fax message does not arrive when expected.</li>
</ul>]]></paragraph>
</block>
<block title="Connecting MFDs to telephone networks"><paragraph
    title="11.8.6.R.01."

    tags="Communications systems,MFDs,Technical"


><![CDATA[<p>When an MFD is connected to both a computer network and a telephone network, the device can act as a bridge between the two networks. As such, the telephone network needs to be accredited to the same classification as the computer network the MFD is connected to.</p>]]></paragraph>
<paragraph
    title="11.8.6.C.01."

    tags="Communications systems,MFDs,Technical"


    classification="Top Secret, Secret, Confidential"
    compliance="Must Not"
    cid="2568"
><![CDATA[<p>Agencies MUST NOT enable a direct connection from an MFD to a telephone network unless the telephone network is accredited to at least the same classification as the computer network to which the device is connected.</p>]]></paragraph>
<paragraph
    title="11.8.6.C.02."

    tags="Communications systems,MFDs,Technical"


    classification="All Classifications"
    compliance="Should Not"
    cid="2570"
><![CDATA[<p>Agencies SHOULD NOT enable a direct connection from an MFD to a telephone network unless the telephone network is accredited to at least the same classification as the computer network to which the device is connected.</p>]]></paragraph>
</block>
<block title="Connecting MFDs to computer networks"><paragraph
    title="11.8.7.R.01."

    tags="Communications systems,MFDs,Technical"


><![CDATA[<p>As network connected MFDs are considered to be devices that reside on a computer network they need to be able to process the same classification of information that the network is capable of processing.</p>]]></paragraph>
<paragraph
    title="11.8.7.C.01."

    tags="Communications systems,MFDs,Technical"


    classification="All Classifications"
    compliance="Must"
    cid="2575"
><![CDATA[<p>Where MFDs connected to computer networks have the ability to communicate via a gateway to another network, agencies MUST ensure that:</p>
<ul>
<li>each MFD applies user identification, authentication and audit functions for all classified information communicated by that device;</li>
<li>these mechanisms are of similar strength to those specified for workstations on that network; and</li>
<li>each gateway can identify and filter the classified information in accordance with the requirements for the export of data through a gateway.</li>
</ul>]]></paragraph>
</block>
<block title="Copying documents on MFDs"><paragraph
    title="11.8.8.R.01."

    tags="Communications systems,MFDs,Technical"


><![CDATA[<p>As networked MFDs are capable of sending scanned or copied documents across a connected network, personnel need to be aware that if they scan or copy documents at a classification higher than that of the network the device is connected to they could be causing a data spill onto the connected network.</p>]]></paragraph>
<paragraph
    title="11.8.8.C.01."

    tags="Communications systems,MFDs,Technical"


    classification="All Classifications"
    compliance="Must Not"
    cid="2578"
><![CDATA[<p>Agencies MUST NOT permit MFDs connected to computer networks to be used to scan or copy classified documents above the classification of the connected network.</p>]]></paragraph>
</block>
<block title="Observing MFD and fax machine use"><paragraph
    title="11.8.9.R.01."

    tags="Communications systems,MFDs,Technical"


><![CDATA[<p>Placing MFDs and fax machines in public areas can help reduce the likelihood of any suspicious use going unnoticed.</p>]]></paragraph>
<paragraph
    title="11.8.9.C.01."

    tags="Communications systems,MFDs,Technical"


    classification="All Classifications"
    compliance="Should"
    cid="2581"
><![CDATA[<p>Agencies SHOULD ensure that MFDs and fax machines are located in areas where their use can be observed.</p>]]></paragraph>
</block>
<block title="Servicing and Maintenance"><paragraph
    title="11.8.10.R.01."

    tags="Communications systems,Technical"


><![CDATA[<p>Network printers and MFDs commonly use hard disk drives, flash memory or other reusable storage, which can retain copies of classified information. Any maintenance or servicing should be conducted under supervision or by cleared personnel.</p>]]></paragraph>
<paragraph
    title="11.8.10.R.02."

    tags="Communications systems,Technical"


><![CDATA[<p>Copiers and laser printers may use electrostatic drums as part of the reproduction and printing process. These drums can retain a “memory” of recent documents which can be recovered. Any storage devices or drums replaced during maintenance should follow the prescribed media disposal and destruction processes (See Chapter 13 – Decommissioning and Disposal).</p>]]></paragraph>
<paragraph
    title="11.8.10.R.03."

    tags="Communications systems,Technical"


><![CDATA[<p>Toner cartridges and other components may incorporate a memory chip, often used to track page counts and estimate remaining capacity. These chips have read/write capability, so they can retain data written by the device and may pose a risk to classified systems. Once the chips have been removed, the toner cartridges themselves may be disposed of through supplier recycling or other approved disposal channels.</p>]]></paragraph>
<paragraph
    title="11.8.10.C.01"

    tags="Communications systems,Technical"


    classification="Confidential, Secret, Top Secret"
    compliance="Must"
    cid="2589"
><![CDATA[<p>Any maintenance or servicing MUST be conducted under supervision or by cleared personnel.</p>]]></paragraph>
<paragraph
    title="11.8.10.C.02"

    tags="Communications systems,Technical"


    classification="Secret, Top Secret, Confidential"
    compliance="Must"
    cid="2590"
><![CDATA[<p>Any storage devices, drums or cartridges with memory chips removed during maintenance or servicing MUST be disposed of following the processes prescribed in <a title="Media and IT Equipment management, decommissioning and disposal" href="http://nzism.gcsb.govt.nz/ism-document#Chapter-14678">Chapter 13 - Media and IT Equipment Management, Decommissioning and Disposal</a>.</p>]]></paragraph>
<paragraph
    title="11.8.10.C.03"

    tags="Communications systems,Technical"


    classification="Confidential, Secret, Top Secret"
    compliance="Must"
    cid="2591"
><![CDATA[<p>Toner cartridges MUST have the memory chip removed before the cartridge is recycled or otherwise disposed of. The memory chip MUST be disposed of following the processes prescribed in <a title="Media and IT Equipment management, decommissioning and disposal" href="http://nzism.gcsb.govt.nz/ism-document#Chapter-14678">Chapter 13 - Media and IT Equipment Management, Decommissioning and Disposal</a>.</p>]]></paragraph>
<paragraph
    title="11.8.10.C.04"

    tags="Communications systems,Technical"


    classification="All Classifications"
    compliance="Should"
    cid="2592"
><![CDATA[<p>Any maintenance or servicing SHOULD be conducted under supervision or by cleared personnel.</p>]]></paragraph>
<paragraph
    title="11.8.10.C.05"

    tags="Communications systems,Technical"


    classification="All Classifications"
    compliance="Should"
    cid="2593"
><![CDATA[<p>Any storage devices, drums or cartridges with memory chips removed during maintenance or servicing SHOULD be disposed of following the processes prescribed in&nbsp;<a title="Media and IT Equipment management, decommissioning and disposal" href="http://nzism.gcsb.govt.nz/ism-document#Chapter-14678">Chapter 13 - Media and IT Equipment Management, Decommissioning and Disposal</a>.</p>]]></paragraph>
</block>
<block title="USB Devices"><paragraph
    title="11.8.11.R.01."

    tags="Communications systems,Technical"


><![CDATA[<p>MFDs may also be equipped with USB ports for maintenance and software updates. Through these ports it is possible to copy data from the device's installed storage to a USB device, or to load unverified firmware or configuration onto the device. Any use of USB capabilities must therefore be carefully managed.</p>]]></paragraph>
<paragraph
    title="11.8.11.C.01"

    tags="Communications systems,Technical"


    classification="Top Secret, Confidential, Secret"
    compliance="Must"
    cid="2596"
><![CDATA[<p>The use of any USB capability MUST be conducted under supervision or by cleared personnel.</p>]]></paragraph>
<paragraph
    title="11.8.11.C.02"

    tags="Communications systems,Technical"


    classification="All Classifications"
    compliance="Should"
    cid="2597"
><![CDATA[<p>The use of any USB capability SHOULD be conducted under supervision or by cleared personnel.</p>]]></paragraph>
</block>
<block title="Decommissioning and Disposal"><paragraph
    title="11.8.12.R.01."

    tags="Communications systems,Technical,Disposal"


><![CDATA[<p>The use of storage media and the characteristics of electrostatic drums allow the recovery of information from such devices and components. To protect the information, prescribed disposal procedures should be followed.</p>]]></paragraph>
<paragraph
    title="11.8.12.C.01"

    tags="Communications systems,Technical,Disposal"


    classification="Top Secret, Confidential, Secret"
    compliance="Must"
    cid="2604"
><![CDATA[<p>Any storage devices, drums, cartridge memory chips or other components that may contain data or copies of documents MUST be disposed of following the processes prescribed in&nbsp;<a title="Media and IT Equipment management, decommissioning and disposal" href="http://nzism.gcsb.govt.nz/ism-document#Chapter-14678">Chapter 13 - Media and IT Equipment Management, Decommissioning and Disposal</a>.</p>]]></paragraph>
<paragraph
    title="11.8.12.C.02"

    tags="Communications systems,Technical,Disposal"


    classification="All Classifications"
    compliance="Should"
    cid="2606"
><![CDATA[<p>Any storage devices, drums, cartridge memory chips or other components that may contain data or copies of documents SHOULD be disposed of following the processes prescribed in&nbsp;<a title="Media and IT Equipment management, decommissioning and disposal" href="http://nzism.gcsb.govt.nz/ism-document#Chapter-14678">Chapter 13 - Media and IT Equipment Management, Decommissioning and Disposal</a>.</p>]]></paragraph>
</block>
<block title="Logging multifunction device use"><paragraph
    title="11.8.13.R.01."

    tags="Communications systems,Event Logging"


><![CDATA[<p>Centrally logging and analysing MFD events, which may include metadata and shadow copies of documents printed, scanned or copied by users, can assist in monitoring the security posture of systems, detecting malicious behaviour, and supporting investigations following cyber security incidents. Logs should be forwarded to a central system, such as a security information and event management (SIEM) tool or a central database, that can only be accessed or modified by authorised and authenticated users, so that a compromised or reset device cannot erase its own history. Logs should be retained for a period informed by risk or regulatory requirements.</p>]]></paragraph>
<paragraph
    title="11.8.13.C.01."

    tags="Communications systems,Event Logging"


    classification="Top Secret, Secret, Confidential"
    compliance="Should"
    cid="7537"
><![CDATA[<p>Use of MFDs for printing, scanning, and copying purposes SHOULD be centrally logged.</p>]]></paragraph>
</block>
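<block title="Worked example: detection rules over centrally logged MFD events"><paragraph tags="Communications systems,Event Logging"><![CDATA[<p>The following is an added example, not NZISM text and not any vendor's code. It shows how several of the controls in this section can be expressed as detection rules run over centrally logged MFD events as 11.8.13 recommends: unauthenticated use (11.8.7), scanning or copying above the network's classification (11.8.8), use outside the hours in which the device is observed (11.8.9), USB use (11.8.11) and fax sends that leave the network (11.8.4). The key=value event format, the device-to-network accreditation table, the simplified classification ordering and the 07:00 to 19:00 observed-hours window are assumptions for illustration; the sample events are constructed.</p>

```python
"""Detection pass over MFD audit events forwarded to a central log store.

Added example: the event format, field names, device-to-network accreditation
table and observed-hours window are assumptions, not a real vendor format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Constructed sample events in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-03-04T09:12:44Z mfd-east-01 job=1021 user=jsmith action=print pages=12
2024-03-04T09:15:02Z mfd-east-01 job=1022 user=jsmith action=scan dest=email
2024-03-04T22:41:10Z mfd-east-01 job=1023 user=svc_maint action=scan dest=usb
2024-03-04T22:43:55Z mfd-east-01 job=1024 user=svc_maint action=fax dest=pstn
2024-03-04T10:20:00Z mfd-east-01 job=1025 user=- action=copy pages=3
2024-03-04T11:05:31Z mfd-east-01 job=1026 user=abrown action=scan marking=SECRET dest=email
this line is not an audit event and is skipped by the parser
"""

# Assumed: accreditation level of the network each device is connected to.
DEVICE_NETWORK_LEVEL = {"mfd-east-01": "RESTRICTED"}

# Simplified ordering of the markings used on this page (assumption).
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2,
          "SECRET": 3, "TOP_SECRET": 4}

# Assumed hours during which the device area is staffed and use is observed.
OBSERVED_HOURS = range(7, 19)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str
    job: str
    user: str
    action: str
    dest: str
    marking: str


@dataclass(frozen=True)
class Finding:
    job: str
    rule: str
    detail: str


def parse_line(line):
    """Parse one event line; return None for malformed or non-event lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    if "job" not in fields or "action" not in fields:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return Event(ts=ts.replace(tzinfo=timezone.utc), device=m.group("device"),
                 job=fields["job"], user=fields.get("user", "-"),
                 action=fields["action"], dest=fields.get("dest", ""),
                 marking=fields.get("marking", ""))


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def evaluate(events):
    """Apply the controls of this section as detection rules over events."""
    findings = []
    for e in events:
        # 11.8.7: every job must carry an identified, authenticated user.
        if e.user in ("", "-"):
            findings.append(Finding(e.job, "unauthenticated-use", e.action))
        # 11.8.11: USB use must be supervised; surface it for review.
        if e.dest == "usb":
            findings.append(Finding(e.job, "usb-capability-used", e.user))
        # 11.8.4: a fax send leaves the network; confirm the path was encrypted.
        if e.action == "fax":
            findings.append(Finding(e.job, "fax-sent", e.dest))
        # 11.8.8: scanning or copying above the connected network's level.
        net = DEVICE_NETWORK_LEVEL.get(e.device, "UNCLASSIFIED")
        too_high = (e.action in ("scan", "copy") and e.marking in LEVELS
                    and LEVELS[e.marking] > LEVELS[net])
        if too_high:
            findings.append(Finding(e.job, "classification-exceeds-network",
                                    f"{e.marking} on {net} network"))
        # 11.8.9: use outside staffed hours is unlikely to have been observed.
        if e.ts.hour not in OBSERVED_HOURS:
            findings.append(Finding(e.job, "outside-observed-hours",
                                    e.ts.isoformat()))
    return findings


def findings_by_job(findings):
    """Group rule names by job id for triage."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.job, set()).add(f.rule)
    return grouped


if __name__ == "__main__":
    for job, rules in sorted(findings_by_job(evaluate(parse_log(SAMPLE_LOG))).items()):
        print(job, sorted(rules))
```

<p>Running the module lists the flagged jobs with their rule names. In practice the rules would run in the SIEM against the forwarded events, and the "fax-sent" and "usb-capability-used" findings would be reconciled against the encryption and supervision records this section requires rather than treated as incidents on their own; the "classification-exceeds-network" rule depends on the device being able to record a marking for the job, which is an assumption of the example.</p>]]></paragraph></block>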
</subsection>
</section>
