Digital copiers a security threat
Until recently, CIOs and CSOs focused on external threats and developed strategies to address them. Now they are also aware of internal threats and are locking down IT systems even further to keep insiders and trusted vendors from taking data, compromising IT resources, or preventing them from operating properly. One area that is often overlooked is that potentially every digital copier and every digital fax machine is at risk of data leakage or data theft.
Digital copiers create and save digital versions of the documents they scan on the copier's own internal hard drive. These copiers are often leased to organizations by office supply firms, and when the copiers are returned to the leasing agency at the end of the lease period, the data stored on the hard drive goes out the door with the copier, to unknown destinations around the world. Once the copiers reach those destinations, identity thieves, terrorists or others can pull out the drives and extract sensitive and damaging information, such as identity data or intellectual property.
In order to properly address this threat, the people within the organization who are charged with information security need a thorough understanding of the technical operation of all copiers, copy systems, fax machines, fax systems and print-queuing systems involved in the business operation.
Enterprises need a comprehensive equipment inventory in order to understand the size of the risk and to properly protect their critical information and data.
When considering the lease or purchase of a copier, seriously consider technological safeguards. Many vendors offer disk overwrite or disk erase systems. These ensure that each new document copied overwrites the previous one, eliminating the threat from retained images. For a price, many copiers provide software to encrypt data being copied and stored, software to erase the drive after each copy, or an internal control to erase the drive at the end of the lease.
Every leasing contract needs to be reviewed before it is signed to ensure that, before the copier or fax is returned to the lessor, the hard drive can be removed and destroyed, or wiped clean using DoD-style erasing software provided as part of the copier's internals.
What can you do to minimize the risk? Make sure that every employee understands the risk associated with copying and faxing documents, and that they know what they need to do to guard against giving away your organization's proprietary data or employees' personal data.
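The safeguards above (overwrite the stored image, verify, and record what was done before the asset leaves the building) can be demonstrated in code. The following Python script is an added example and is not part of the article or any copier vendor's software; the asset id, the sample "scanned page" and the function names are constructed for illustration. It overwrites a file in place with random passes followed by a zero pass, verifies that a recognisable fragment of the original document no longer survives, and returns a sanitization record suitable for the equipment inventory.

```python
import os
import secrets
from dataclasses import dataclass


@dataclass
class SanitizationRecord:
    """Evidence entry for the equipment inventory (constructed structure)."""
    asset_id: str
    path: str
    size: int
    passes: int
    verified: bool


def _overwrite_in_place(path: str, pattern_fn, size: int, chunk: int = 1 << 16) -> None:
    # Open read/write without truncating so the same file extent is rewritten,
    # then fsync so the overwrite reaches the device rather than the page cache.
    with open(path, "r+b") as fh:
        written = 0
        while written < size:
            n = min(chunk, size - written)
            fh.write(pattern_fn(n))
            written += n
        fh.flush()
        os.fsync(fh.fileno())


def sanitize_file(path: str, asset_id: str, random_passes: int = 2) -> SanitizationRecord:
    """Overwrite a stored document image with random data, then zeros, and verify.

    Caveat: in-place overwrite defeats ordinary recovery on a magnetic disk, but on
    SSDs and on journaling or copy-on-write filesystems the old blocks may survive
    elsewhere, so the device's own sanitize command or physical destruction remains
    the end-of-lease control; this function demonstrates the overwrite-and-verify step.
    """
    size = os.path.getsize(path)
    passes = 0
    for _ in range(random_passes):
        _overwrite_in_place(path, secrets.token_bytes, size)
        passes += 1
    _overwrite_in_place(path, lambda n: b"\x00" * n, size)
    passes += 1
    # Verification: read the file back and confirm only the final zero pattern remains.
    with open(path, "rb") as fh:
        verified = fh.read() == b"\x00" * size
    return SanitizationRecord(asset_id, path, size, passes, verified)


def contains_fragment(path: str, fragment: bytes) -> bool:
    """Check whether a recognisable fragment of the original document is still present."""
    with open(path, "rb") as fh:
        return fragment in fh.read()


def demo() -> tuple:
    """Create a constructed 'scanned page', sanitize it, and report before/after findings."""
    import tempfile
    fragment = b"SSN 000-00-0000"  # constructed sample of sensitive content, not real data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"Scanned payroll page\n" + fragment + b"\n" * 4000)
        path = tmp.name
    try:
        before = contains_fragment(path, fragment)
        record = sanitize_file(path, asset_id="COPIER-LEASE-0001-HDD")  # placeholder id
        after = contains_fragment(path, fragment)
    finally:
        os.remove(path)
    return record, before, after


if __name__ == "__main__":
    rec, before, after = demo()
    print(f"fragment present before: {before}, after: {after}")
    print(rec)
```

The record returned by `sanitize_file` is what the inventory owner files against the leased asset; the `verified` flag is the "trust but verify" step, and a `False` value should block the return shipment until the drive is wiped again or destroyed.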
Due diligence and trust
Recently in the news there have been many stories about inadequacies in security that could have had disastrous impacts on the enterprises where they were found. At a health care firm, trusted employees were found to be using their system access privileges to obtain personal and financial information that they later used for financial gain. At a manufacturing firm, a valued employee was found selling intellectual property to a competing firm for money and a job. And at a bank in the south-west, a thief placed video cameras at ATMs to record customers' cards and the keystrokes used to enter their PINs, so that he could later compromise the accounts of a series of unsuspecting bank customers. The very tools that make our operations more productive, and that we use almost every day, can also be the source of our largest information security compromise.
In the security business we learn that trust is very important. We also learn the mantra 'trust but verify'. Trust but verify is the foundation of due diligence. Due diligence needs to become the essence and the watchword of both physical and information security programs at all enterprises in all market segments (financial, pharmaceutical, manufacturing, government, and so on), especially those that want to stay out of the press as an organization that has experienced a data breach.
Due diligence implies that oversight is always in place. That means a continuous review of security controls is used to ensure that they are applied correctly, are functioning as desired, and continue to be used appropriately day in and day out. Security does not work in a 'set it and forget it' environment. We need to be ever vigilant and prepared to adjust, adapt, and make changes, and to understand new technology wherever it can aid in the protection of mission-critical data.
As corporate or governmental IT security or business continuity experts, we need to make sure that we are ever vigilant and that we continue to communicate with our organizational leaders so that they have the information necessary to make informed choices about the protection of critical and sensitive information. Only then will we have given them the tools they need to decide whether to act now and implement adequate controls and safeguards against those risks, or to possibly pay later, in reparations and lost confidence, to the people whose data they were entrusted to protect and use and which was subsequently breached.
Security Policies are Comprehensive, Detailed and Customizable for Your Business
The IT Security Manual Template provides CIOs, CSOs, and IT Managers with all of the essential materials, as ready-to-use text, for a complete security manual. Detailed language addressing more than a dozen security topics is included in a 230-plus-page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements. The template includes sections on critical topics like:
- Risk analysis
- Staff member roles
- Physical security
- Electronic Communication (email / Smartphones)
- Blogs and Personal Web Sites
- Facility design, construction and operations
- Media and documentation
- Data and software security
- Network security
- Internet and IT contingency planning
- Outsourced services
- Waiver procedures
- Employee Termination Procedures and Forms
- Incident reporting procedures
- Access control guidelines
- PCI DSS Audit Program as a separate document
- Massachusetts Compliance Check List
- Security Compliance Check List
The Security Manual Template can be acquired as a stand-alone item (Standard) or in the Premium or Gold sets:
Security Manual Template - Standard Edition
- Business and IT Impact Questionnaire
- Threat and Vulnerability Assessment Toolkit
- Security Management Checklist
- Full Detail Policies for
- Blog and Personal Website Policy
- Mobile Device Policy
- Physical and Virtual File Server Policy
- Sensitive Information Policy
- Travel and Off-Site Meeting Policy
- HIPAA Audit Program
- GDPR Compliance Checklist to meet EU Requirements
- California Consumer Privacy Act requirements definition
- Consumer Bill of Rights
- Sarbanes Oxley Section 404 Checklist
- Security Audit Program - fully editable - Comes in MS Excel and PDF formats - Meets GDPR, ISO 28000, 27001, 27002, Sarbanes-Oxley, PCI-DSS, HIPAA, FIPS 199, and NIST SP 800-53 requirements - Over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 38 separate task groupings
- Electronic forms that can be Emailed, completed via a computer or tablet, and stored electronically including: Blog Policy Compliance, BYOD Access and Use, Company Asset Employee Control Log, Email - Employee Acknowledgment, Employee Termination Checklist, FIPS 199 Assessment Electronic Form, Internet Access Request, Internet Use Approval, Internet & Electronic Communication - Employee Acknowledgment, Mobile Device Access and Use Agreement, Employee Security Acknowledgement Release, Preliminary Security Audit Checklist, Risk Assessment, Security Access Application, Security Audit Report, Security Violation Reporting, Sensitive Information Policy Compliance Agreement, Server Registration, and Threat and Vulnerability Assessment
- eReader version of the Security Manual Template
Security Manual Template - Premium Edition
- Security Team Job Descriptions MS Word Format
- Chief Compliance Officer (CCO); Chief Security Officer (CSO); VP Strategy and Architecture; Data Protection Officer (DPO); Director e-Commerce; Database Administrator; Data Security Administrator; Manager Data Security; Manager Facilities and Equipment; Manager Network and Computing Services; Manager Network Services; Manager Training and Documentation; Manager Voice and Data Communication; Manager Wireless Systems; Identity Management Protection Analyst; Information Security Analyst; Network Security Analyst; System Administrator - Linux; System Administrator - Unix; and System Administrator - Windows
Security Manual Template - Gold Edition
- IT Job Descriptions MS Word Format - Updated to meet all mandated security requirements
- 310 Job Descriptions from the Internet and IT Job Descriptions HandiGuide in MS Word Format including all of the job descriptions in the Premium Edition. Each job description is at least 2 pages long and some of the more senior positions are up to 8 pages in length.