S 2.398 User guidelines for handling printers, copiers, and all-in-one devices

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: IT Security Officer, User, Administrator

The secure use of printers, copiers, and all-in-one devices cannot be achieved through technical safeguards alone. In addition, corresponding guidelines for the administrators and users must be specified.

All security mechanisms to be implemented for printers, copiers, and all-in-one devices should be described in the administration guidelines. This document is intended for the technical personnel.

The guidelines for the users relating to the secure use of printers, copiers, and all-in-one devices should be collected in an easy-to-read instruction sheet. This instruction sheet should be hung on the wall at all locations where these devices are installed.

The following aspects must be taken into account:

• Access to the copier and printer rooms: If possible, access to the rooms with the printers and copiers should be restricted (see also S 1.32 Suitable locations for printers and copiers). It is recommended to restrict access to the employees in a given department or to the users on a given floor, for example. The users must be informed of the access restrictions and of the group of authorised personnel.
• Handling documents which have not been picked up: It is often the case that printed documents are not picked up and bad printouts are not disposed of properly. All users must be informed that they must pick up their printouts directly after printing. Documents for which the owner cannot be determined should be collected or, preferably, destroyed immediately using a shredder.
• Handling sensitive documents: Information classified as highly confidential should not be printed on printers or reproduced on copiers accessed by general users or the public. Documents which need to be kept secret (classified materials) must be protected according to the applicable regulations and instructions.
• Authentication on the device: If authentication is to be performed directly on the printer, copier, or all-in-one device (see S 4.299 Authentication for printers, copiers, and all-in-one devices), then the users must be instructed on the authentication procedure.
• Distribution of printouts: If information critical to security is often printed on network printers, then you should consider having trustworthy persons distribute the printouts to the corresponding recipients. This approach is an alternative to authentication on the device and also has the advantage that only these trusted persons need access to the corresponding printers.
• Selection a standard printer: When there is more than one printer available, the users can define a standard printer on their client that usually applies to all applications. This function is convenient for the users because that they can print on their preferred printer without having to enter any additional information. The printout can be redirected to another device by entering additional specifications.
  
  A logical (virtual) device such as a print preview program or a PDF generator should be selected as the standard printer. This offers a certain amount of protection against the accidental (and often unnoticed) printing of information, for example because the print button in an application was pressed accidentally.
• Deleting the copier storage: One advantage of digital copiers is that a document, once it has been scanned in, can be printed out any number of times. In order to make the information inaccessible to unauthorised persons, the temporary storage area used for this purpose must be erased after use. On many copiers, the user can only delete the documents manually, which means the corresponding instructions and information must be placed by the devices.

All users should familiarise themselves with the instruction sheet for the secure use of printers and copiers. For this reason, the instruction sheet should be hung on the wall in every copier and printer room.

Review questions:

• Are there user and administration guidelines for printers, copiers, and similar devices?
• Is there an instruction sheet for the secure use of printers, copiers and all-in-one devices, and are all users familiar with this instruction sheet?