Multi-Function Copier/Printer Devices
A Multi-Function Device (MFD) is a device that provides centralized printing, scanning, copying, and faxing functionality; CSU, Chico has a number of these devices in offices around campus. MFDs are both network- and Internet-connected, so in many ways they function in a similar fashion to a computer. For this reason, and because they are multipurpose devices, it's vital that they are appropriately configured and managed to protect the information that passes through them.
It's easy to forget that these devices are much more powerful than the photocopier they most closely resemble, and their very multi-functionality creates a number of potential security risks. Without appropriate security configuration on the device, information may be inadvertently moved across the network or stored in plain text--which offers no protection against hacking and other unauthorized access. If Level 1 or Level 2 data passes through the device, the way that data is handled must comply with the same campus security standards as are applicable to computers that handle protected data. These standards are based on FERPA, HIPAA, CSU Information Security Policies, and CSUC Procedures.
Any individual who handles sensitive data is required to understand and comply with requirements for protecting it. This is covered in the confidentiality agreement you signed when you first became associated with CSU, Chico.
Additionally, Work Area Administrators (department heads) are required to:
- Understand the security risks inherent in the use of MFDs
- Train users in the appropriate use of MFDs
- Ensure that appropriate security procedures for handling sensitive data are followed
- Promptly report any suspected security incidents.
Potential Security Risks for MFDs
- Printing, scanning, copying, and faxing functions, without proper security configuration, may result in sensitive information being transmitted, or stored on the hard drive, in unencrypted (plain text) form. Processing Level 1 or Level 2 data on an unsecured MFD can leave it vulnerable to hacking and identity theft.
- An MFD has many functions that allow it to be easily used in various business environments. If these services are not secured, they can be exploited by hackers to launch a denial-of-service attack, install malware, or gain unauthorized access to the data on the MFD.
- When the MFD is serviced, traded, transferred or retired, the internal hard drive must be wiped, removed or destroyed following the CSU, Chico Procedure for Transfer and Disposal of Media. If documents and data remain on the MFD, they can fall into the wrong hands, which could have serious legal repercussions for the University.
Minimizing the Risk
- Consider the availability of security options such as encryption or hard drive overwriting before purchasing.
- Any areas that process Level 1 or Level 2 data should purchase an MFD with encryption capability.
- Devices configured for Level 1 or Level 2 data must conform to CSU and CSU, Chico Security Standards and Procedures.
- Area Administrators should use the Multi-Function Device Checklist for Area Administrators.
- Area Administrators should post a sign above each MFD that indicates either "This MFD is approved for Level 1 or Level 2 data" or "This MFD is not approved for processing Level 1 or Level 2 data."
- For MFDs that process Level 1 or Level 2 data, the Desktop Support Specialist should complete the MFD Hardening Checklist and have it verified by the Area Administrator.