The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) has released for free download “Risk Management for Replication Devices” (NISTIR 8023) as guidance for protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on printers, scanners, copiers, and other replication devices.
As has been noted in this newsletter before, these office machines may store documents, images, and other information that must be removed before they are sold or traded, to prevent exposing sensitive information to whoever subsequently takes possession of them.
The NIST publication identifies risks in three general categories:
- General threats and vulnerabilities. Examples include manufacturer default passwords that could be used to gain unauthorized access to information, unencrypted data transmission or storage, and outdated or unpatched operating systems.
- Network connectivity threats and vulnerabilities. Examples include open ports or protocols, unencrypted wireless connectivity, or access to other organizational assets through unprotected hop/relay points provided by the device.
- Nonvolatile storage threats and vulnerabilities. Examples include failure to sanitize the devices before they are repurposed, unencrypted storage of information, or access to the device by third parties who could download data from memory while performing device maintenance.
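As an added illustration (not part of the NIST publication or of this newsletter), the following script screens an inventory of replication devices against the three risk categories listed above and reports findings per category. The inventory record format, field names and the sample devices are constructed for this example; they are not a schema defined by NIST.

```python
"""Risk screen for replication devices, organised by the three NISTIR 8023
risk categories (general, network connectivity, nonvolatile storage).
The record layout and sample devices are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed watch-list of management services that transmit credentials or
# data in the clear; tune to the organisation's own baseline.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "snmpv1", "snmpv2c"}


@dataclass
class ReplicationDevice:
    name: str
    default_password_changed: bool
    transport_encrypted: bool
    storage_encrypted: bool
    firmware_current: bool
    exposed_services: set[str] = field(default_factory=set)
    wireless_encrypted: bool = True
    forwards_traffic: bool = False        # device can act as a hop/relay into the LAN
    sanitization_plan: bool = False       # documented wipe before repurpose/disposal
    vendor_maintenance_access: bool = False  # third party can service the unit on site


def assess(dev: ReplicationDevice) -> dict[str, list[str]]:
    """Return findings keyed by NISTIR 8023 category for one device."""
    general, network, storage = [], [], []

    # General threats and vulnerabilities
    if not dev.default_password_changed:
        general.append("manufacturer default password still in use")
    if not dev.transport_encrypted:
        general.append("data transmitted without encryption")
    if not dev.firmware_current:
        general.append("outdated or unpatched operating system/firmware")

    # Network connectivity threats and vulnerabilities
    cleartext = sorted(dev.exposed_services & CLEARTEXT_SERVICES)
    if cleartext:
        network.append("cleartext services exposed: " + ", ".join(cleartext))
    if not dev.wireless_encrypted:
        network.append("unencrypted wireless connectivity")
    if dev.forwards_traffic:
        network.append("device can relay traffic to other organisational assets")

    # Nonvolatile storage threats and vulnerabilities
    if not dev.storage_encrypted:
        storage.append("nonvolatile storage is unencrypted")
    if not dev.sanitization_plan:
        storage.append("no sanitization procedure before repurpose or disposal")
    if dev.vendor_maintenance_access and not dev.storage_encrypted:
        storage.append("third-party maintenance could read data from memory")

    return {"general": general, "network": network, "storage": storage}


def rank_by_risk(devices: list[ReplicationDevice]) -> list[tuple[str, int]]:
    """Order devices by total finding count, highest first."""
    totals = [(d.name, sum(len(v) for v in assess(d).values())) for d in devices]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


# Constructed sample inventory: one neglected lobby copier, one hardened unit.
SAMPLE_DEVICES = [
    ReplicationDevice("mfp-lobby", default_password_changed=False,
                      transport_encrypted=False, storage_encrypted=False,
                      firmware_current=False, exposed_services={"telnet", "https"},
                      wireless_encrypted=False, forwards_traffic=True,
                      sanitization_plan=False, vendor_maintenance_access=True),
    ReplicationDevice("mfp-finance", default_password_changed=True,
                      transport_encrypted=True, storage_encrypted=True,
                      firmware_current=True, exposed_services={"https", "ipps"},
                      sanitization_plan=True, vendor_maintenance_access=True),
]

if __name__ == "__main__":
    for name, total in rank_by_risk(SAMPLE_DEVICES):
        print(f"{name}: {total} finding(s)")
        for category, items in assess(next(d for d in SAMPLE_DEVICES if d.name == name)).items():
            for item in items:
                print(f"  [{category}] {item}")
```

The script only reads inventory records the organisation already holds; it performs no probing of the devices themselves. The category totals are a convenient way to prioritise which devices to bring into the countermeasure process first.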
The publication provides a series of countermeasures that can be implemented in the context of the system development life cycle to prevent and/or mitigate the impact of these risks. The system development life cycle has six key areas of focus: initiation, development/acquisition, implementation, operation/maintenance, disposal, and service contracts/lease agreements.
Of particular value in this publication are a security risk assessment template in table and flowchart format and a number of questions for assessing your organization’s use of copiers and scanners.