By Larry Kovnat, Senior Manager of Product Security, Xerox Global Product Delivery Group

I’m always stunned when I see another statistic confirming the poor deployment of security policies in many organizations. A recent Harris Interactive survey commissioned by Xerox and McAfee reveals that more than half (54 percent) of employees say they don’t always follow their company’s IT security policies (33 percent) or aren’t even aware of the policies (21 percent). Although the survey didn’t drill down this deep, I wonder which organizations, out of the 21 percent, don’t have security policies to begin with. And to take it a step further, far too many have general information security policies but don’t have specific policies for proper usage and configuration of single-function and multifunction printers.

So if your company is one of those that is lacking in printer and MFP policy development or enforcement, here are some points to get you started:

  • Establish guidelines for use of scanning, email and fax capabilities – keep the emphasis on the data, make sure employees know the difference between confidential and non-confidential information either through markings or by category, and make sure they understand that it is their responsibility to protect confidential information.
  • Enable authentication – set up MFPs to require users to log in before using features, so that actions can be tracked.
  • Enable encryption – this should be transparent to employees; set up the machines to use encryption so that it is automatic and can’t be bypassed.
  • Utilize secure printing – educate employees to use secure printing for confidential jobs.
  • Define approved configuration sets – document the device settings desired in your environment to provide the necessary level of security, and continuously verify that the settings are correctly configured.
  • Continuously monitor for security events/incidents – regularly check the audit log to spot suspicious usage patterns.
  • Develop incident response guidelines – proactively define and document the procedures that will be followed if a security event occurs.
  • Establish guidelines for secure decommissioning/disposal – spell out the approvals and the procedures (disk overwrite, return to factory defaults, etc.) that must be followed when a machine is moved to a new location, or returned.
  • Don’t forget about new capabilities such as cloud printing – the same controls of authentication and auditing apply here as well.

Xerox has been working on printer and MFP security for well over a decade.  Our equipment designs are informed by considerations of operational policy and compliance.  Please visit www.xerox.com/security for more information about the security built into our technology and services.

———

Follow @XeroxOffice for the latest security updates during McAfee FOCUS12 Security Conference October 22-24, 2012.

For more information about the Xerox and McAfee partnership visit http://www.xerox.com/mcafeepartnership.