S 2.400 Secure withdrawal from operation of printers, copiers, and all-in-one devices

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

When printers, copiers, all-in-one devices, or individual components of such devices are withdrawn from operation or replaced, all security-related information must be deleted from the devices. This applies especially when the components will be disposed of or given to third parties. Examples include when the device is sold, returned after expiration of the lease, replaced by the manufacturer, or sent to a corresponding service company for repair. However, all information requiring protection must be deleted from the devices even when the devices will be reused internally or scrapped.

Depending on the type of device and what it is used for, the following security-related information may be stored on it, for example:

• "Temporarily" stored information: Digital copiers generally scan in the entire document first before printing it. Even printers store the document temporarily first. For this reason, there are storage components installed in the devices for temporary storage of the data, usually in the form of hard disks. Under certain circumstances, it may be possible to restore the documents which have been deleted from temporary storage. Some devices provide a function to delete the contents of the storage device.
• Configuration settings: On network-enabled devices in particular, the configuration settings such as the IP addresses can provide information on the network structure under some circumstances. The configuration settings should therefore be deleted or reset to the factory default settings. Many devices provide the corresponding functions for this purpose.
• Passwords: Many devices are equipped with password-based or token-based authentication procedures, but on some they are only available for administration access. However, there are also some devices on which authentication can be enabled for all user access. All passwords should be reset to the factory default settings.
• Certificates: Some devices offer the ability to integrate a certificate-based authentication procedure, for example via IEEE 802.1X. All certificates should be reset to the factory default settings.
• Further residual information: Under certain circumstances, the consumable materials such as the toner drums can be used to obtain information on the documents printed with it. If a higher protection level is required, then a risk assessment should be performed to decide whether used consumables need to be destroyed.

Before withdrawing devices from operation or handing them over to third parties, the data on the internal storage device must be deleted. If the hard disk can be removed, then it is recommended to erase the hard disk separately. After the data on the storage device have been deleted, it must be checked to see if deletion was also successful.

The deletion procedure depends greatly on the type and use of the particular device.

If information particularly critical to security is stored on the device and it cannot be guaranteed with sufficient security that the data really were deleted, then it may be necessary to physically destroy the storage device or make it unusable.

Review questions:

• Is all information on printers, copiers and all-in-one devices deleted securely before disposal, return or replacement?
• Is a check performed to see if the storage contents of printers, copiers and all-in-one devices were actually deleted before disposal?