S 4.303 Use of network-enabled document scanners

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Using a document scanner, analogue information can be digitised to copy, archive, or edit a paper document on an IT system, for example. Instead of installing a local scanner on every workstation PC, it is usually more economical, especially when such devices are not used very often, to provide one or more central scanners for use. To select suitable security measures, you must differentiate between scan PCs and network-enabled document scanners.

A scan PC is a standard PC which is generally linked to a LAN and connected to a local scanner. Scan PCs are often operated in rooms similar to those where network printers are operated and can be used by a number of users whenever needed. In addition, the software needed to process the scanned information, for example OCR or image editor programs, is installed on the scan PC.

Network-enabled document scanners ("office scanners") are compact devices used to read in paper documents and similar items easily, which can then be transmitted to the users over a LAN for further processing, for example via email. This function is often integrated into fax machines as well. The range of functions provided by network-enabled document scanners is usually much smaller than that offered on scan PCs. In general, only simple paper documents in standard formats can be read in, and editing directly on the device is normally not possible.

Scan PC

If a standard PC is used for scanning, then the recommendations from the applicable client modules in Layer 3 of the IT Grundschutz Catalogues must be implemented.

Scan PCs can be operated in a live network, in a test network, or as a stand-alone system without a network connection. They should be configured so that the users need to provide authentication. The scanned data can be transferred to the workstation PCs over the network or using portable data media.

The analogue documents to be scanned (paper, transparencies, etc.) should not be left unattended on the device. The digital scan results should also be deleted from all universally accessible directories after transmission to the desired target system, for example the workstation PC of the corresponding user.

Network-enabled document scanner

Documents can be scanned with these compact devices without requiring a connection to a PC. In this case, the documents are converted to image files and stored in common file formats.

To edit the documents after scanning, the devices must send the scanned documents to other IT systems in the network. The following transmission and storage methods are supported as a rule:

• File services on network drives.
  
  The scanned documents are transmitted directly to a file server using a network protocol. In general, NFS and SMB shares or transmission using FTP are supported. It must be ensured that the group of people with access to the destination directory with the scanned data is kept as small as possible. If a higher protection level is required, then it may be necessary under certain circumstances to only allow the user who scanned the information access to the scan results. Not all scanners allow you to store the files created in user-specific areas of the server. If only a universally accessible directory can be selected for storage, then the documents must be deleted as quickly as possible from this public directory. The users must be informed accordingly. In addition, the files in this directory should be deleted automatically once per day. The users must be informed of the time these files will be deleted, and the time of deletion should be selected so that no users will be working with the scanners at that time.
• Scan-to-Mail:
  
  In this case, the user can specify an email address or a user ID with an assigned email address when scanning. The file created is then sent to this email address over a predefined SMTP server. Since confidential information could leave the network anonymously, it must be ensured that no external email addresses can be entered. It is better to configure the SMTP server so that no emails can be sent to external email addresses by the network-enabled document scanners.
• Scan-to-Print:
  
  In this case, the document is sent directly to a printer, i.e. the scanner-printer combination is used as a digital copier. If both devices are located in separate rooms, then there is a risk of the documents being taken from the printer without authorisation during scanning. For this reason, the systems should be configured in this case so that the pages are only printed out after all pages of the particular document have been completely scanned. Otherwise too much time could pass under some circumstances between the time the first page is scanned and the time the document is picked up at the printer.
• Scan-to-Fax:
  
  The scan-to-fax method allows you to send scanned documents directly via fax. In this case, a fax number is specified when scanning. The document created is then sent using an integrated modem or the scanner establishes a connection to a fax server over the LAN.
  
  When using scanners equipped with built-in fax, modem, or remote data transmission interfaces, special security precautions must be taken so that unwanted communication connections to external networks cannot be established over these interfaces. Corresponding recommendations are described in safeguard S 5.146 Network separation when using all-in-one devices.
  
  If possible, a central fax server should act as an interface between the scanners and the telephone network. In this case, the safeguard recommendations listed in module 5.6 Fax servers in particular should be implemented.

If the components used support encryption, then communication connections should be encrypted whenever possible to prevent someone from eavesdropping and obtaining the information transmitted. Instructions on how to protect transmissions can be found in safeguard S 4.300 Information security for printers, copiers, and all-in-one devices, as well as in other safeguards.

Scanners should also be protected against attacks from the network. To accomplish this, implementation of the general ideas in safeguard S 4.301 Restrictions on access to printers, copiers, and all-in-one devices should be taken into account.

After scanning, no hidden data should remain on the system. The documents should be deleted automatically, if possible, from the storage device used in the scanner when the scanning procedure is complete. If this is not possible, then the users must be informed that they need to manually delete the documents from the document storage device of the scanner after use so that subsequent users cannot read the information scanned. Corresponding security precautions must also be implemented for the other storage areas used in conjunction with the scanning procedure, for example for the network drives used for this purpose.

Review questions:

• Are only authorised persons able to access the digitised documents?
• Is it ensured that the information scanned will be securely transmitted to the workstation PC?
• Will all storage areas on the scanners be deleted after use?