Threats to information security are appearing more frequently and are of greater magnitude than ever before. They can come both internally and externally and can be online or local, accidental or malicious. A company's most sensitive business information can be exposed to unauthorized use, disclosure, modification or total loss.
Threats to information security are appearing more frequently and are of greater magnitude than ever before. They can come both internally and externally and can be online or local, accidental or malicious. A company's most sensitive business information can be exposed to unauthorized use, disclosure, modification or total loss.
Companies like Xerox are working directly with customers to help them assess where information exists, how it is transferred, where it is stored, and to identify the greatest areas of risk. Since most of an organization's secure information resides in documents, document security is one such area. According to Dan Corsetti, an analyst at market research firm IDC in Framingham, Mass., document security is a pressing concern for organizations in most industries.
"With regulations around privacy, document security is one of the greatest challenges and demands on IT personnel and users in the market today," said Corsetti. "Businesses are looking for security features that allow them to trust their information systems and networks to function as required."
While the need for document security is widely recognized, many companies are unaware of a major threat — the networked hardcopy peripheral. Each time a document is copied, printed, scanned or faxed, an image is left behind on the system's hard drive(s) that's as much at risk of getting hacked as the information on their PCs. With network connectivity rates for these products increasing each year, this security threat grows exponentially.
On the flipside, health care, government, military, legal and financial sectors havestarted to catch on. Recently there has been an increase in regulations surrounding privacy — such as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley — which makes document security one of the greatest challenges and demands on IT personnel and users in the market today.
"We've recognized our need to meet document security challenges on several levels," said Dan Bierbrauer, IT Director for Constellation Energy's R.E. Ginna Nuclear Power Plant. "Business units such as finance and human resources regularly process sensitive and confidential information. In addition, we place the highest priority on our plant security responsibilities. The confidentiality of our plant's information management system cannot be compromised."
To help customers make informed decisions around the security of their IT systems, leading-edge vendors are seeking the National Information Assurance Partnership's (NIAP) Common Criteria Certification for their products. This internationally recognized standard for security claims of IT products and systems is earned from NIAP, a U.S government initiative designed to meet the security testing needs of both information technology manufacturers and users. According to NIAP, this impartial assessment, or security evaluation, includes analysis of the IT product and the testing of the product for conformance to a set of security requirements. The U.S. Department of Defense requires all IT products used within the department, all military branches, and installations such as air bases or the Pentagon, to have Common Criteria Certification.
Additionally, other federal agencies and industries — such as financial, insurance and legal — are seeking third-party assurance from NIAP. By adopting the standards that federal government agencies must meet for information security — arguably the toughest standards in existence today — organizations can be confident that they are meeting the security and privacy needs for their most sensitive information. Office devices that have received Common Criteria Certification for use in national security by the federal government can provide the highest level of security available.
In addition to watching for the Common Criteria stamp of approval, buyers can look at the machine's security features, which can be customized to meet an organization's needs. Devices with these features have been shown to effectively resist attack from intruders attempting to gain access to the information stored within the system or to gain access to the customer's network. These features include:
Embedded Fax – While firewalls prevent unauthorized access to a customer's system through the network connection, unprotected fax connections in multifunction devices can be an open back door into the network. Be sure to look for a manufacturer that can offer a Common Criteria certified product that assures complete separation of the fax telephone line and the network connection.
Image Overwrite Option – The Image Overwrite Security option electronically "shreds" information stored on the hard disk(s) of devices as part of routine job processing. The electronic erasing can be performed automatically when each print job is completed, or reset manually as needed.
During normal operation, a multifunction device temporarily stores image data on the hard drive. The image overwrite function eradicates customer data by repeatedly overwriting the disk surface with specific patterns of data. At the end of the procedure it reads a portion of the overwritten area — typically 10 percent — to make sure that only the last pattern written can be read. This ensures that no normal read process can discover the original data.
Internal Auditron – People are required to enter an authorization code to use walk-up copy features of the device. Administrators can also limit the number of copies available for each person, track usage at an account or department level, and download data to a PC to generate audit reports.
Network Authentication – Access to scan, email and fax features can be restricted by verifying network user names and passwords in network directories prior to use of these functions.
Removable Disk Drive Accessory – Administrators can physically remove hard drives from the machines, virtually eliminating the risk of unauthorized access to classified data.
Secure Print – Jobs are safely stored at the device until the owner enters a personal number to release them. This controls unauthorized viewing of documents sent to the printer.
Information security protects companies from a wide variety of threats in order to ensure business continuity, minimize business damage, and maximize return on investment and business opportunities. Knowing the possible risks of networked office equipment and understanding the security options allows customers to focus on their work rather than worry about whether their information is safe. Be sure to look for these features when shopping for new equipment to ensure your information is not susceptible to hackers. And don't forget — your current equipment may have security options of which you're not aware, so check with the manufacturer to learn about what you may already have.
Larry Kovnat is product security manager at Xerox.
