3-54 Secure Configurations Policy - Printers
About CMU's "Protecting CMU-owned printers and other similar networked devices from cyber-security threats policy"
This policy outlines procedures for ensuring that CMU-owned printers and similar networked devices are protected against data breaches and other cyber threats.
NOTE ABOUT PDF VERSION: The PDF is the official text of the policy. If there are any incongruities between the text of the HTML version and the text within the PDF file, the PDF will be considered accurate and overriding.
- Effective date of this revision: July 1, 2018
- Contact for more information: Office of Information Technology
BACKGROUND
CMU’s networked printers can contain sensitive data regarding our students, employees, research, and other University matters, and if misconfigured and unsecured, can allow unauthorized access to CMU’s computer network. It is critical that these devices be protected from cyber-security threats, including, but not limited to, attack, unauthorized access, neglect, vulnerability exploit, and compromise. This policy requires basic security controls be implemented as secure configurations on all University networked printers (wired and wireless). This policy is intended to apply to networked printers and other similar networked devices (like multi-function devices that print, scan, and copy, etc.) owned or leased by CMU, even if not specifically called “printers.”
DEFINITIONS
A. Controls are protections or safeguards implemented to protect data. Controls can be administrative, physical, and technical in nature, simple or complicated, and are often implemented in combinations or layers to protect data from simultaneous and ongoing threats.
POLICY
All University networked printers must be secured against cyber-security threats via implementation and maintenance of a set of basic controls defined and managed by the Office of Information Technology (OIT). Controls must be commensurate to the risks and requirements of the data accessed, processed, or stored on the printer. Printers unable to meet these basic controls must be otherwise protected with compensating controls or removed from network access.
PROCEDURE
OIT has designed the guidance below to describe the basic security controls that meet the requirements of this policy, as well as to indicate where additional security controls are required. Additional security controls (including security settings) appropriate to specific printers are detailed in the OIT Knowledge Base (“KB”).
Networked Printer Basic Security Controls:
- Remove from direct-internet access, except where intended
- Secure from anonymous and unauthenticated access
- Change all default, vendor-supplied passwords prior to use
- Disable all default and non-needed services and protocols
- Register the printers to specific, CMU-community individuals for asset tracking and support/response
- Where feasible, configure printer settings to protect (encrypt) or completely delete stored data no longer required or no longer being used. If the printer is supported by a 3rd party or vendor, ensure stored data destruction is part of the service agreement or contract.
OIT may require more or different security controls for printers in highly controlled areas - for instance, on printers with access to or printing restricted data. These additional controls may be specified in applicable regulations or data use agreements and may include restricted physical access and continuous departmental-user oversight or supervision, and immediate removal or securing of printed materials.
RELATED POLICIES AND OTHER RESOURCES
- Responsible Use of Computing Policy
- Data Stewardship Policy
- Information Security Policy
- Information Security FAQ
AMENDMENTS AND ADDITIONS
The CIO may approve exceptions to this policy. All amendments and additions to this policy will be drafted by a committee convened by the CIO and will be reviewed and approved by the Provost and the President. Changes in this policy will be appropriately publicized.
Central Michigan University reserves the right to make exceptions to, modify or eliminate this policy and/or its content. This document supersedes all previous policies, procedures or guidelines relative to this subject.