The Brown University Community has identified a need to utilize Multi-Function Network Devices (MFND) throughout the campus as a way of reducing the need of multiple devices, realizing cost savings on toner, ease of use, less impact on the environment, and efficiencies of process. MFNDs can provide great value to the university, but can also open up the risk to Brown when not configured in a secure manner. This ISG Standard sets the minimum acceptable security standards that are required for any MFND, or any similar device that has the ability to store information, in order to be attached to the Brown network. It has been developed to secure the university and its data while also providing for maximum efficiency and availability.
The ISG Security Standard found in this document applies to all MFD that are to be connected to the Brown network as well as any digital copying devices that may store information, such as copiers, printers and fax machines, whether singular or bundled in one machine, on or off-line. Henceforth, this document will refer to all such devices as MFNDs.
It is strongly recommended that all currently operating MFNDs at Brown, installed prior to the most recent update of this policy, be examined for their compliance to these standards. In some cases, this may mean they have their hard drives removed and reformatted, and a hard-drive data erase kit and new hard drive installed. Please reach out to ISG with any questions.
3.0 ISG Standards
- All MFND must have current software.
- For those devices with an OS, they should maintain current patch levels for security standards and appropriate anti-virus software.
- The firmware in use on any MFND must never be more than two revisions old.
- All unused ports, protocols, services, and features must be disabled.
- Insecure services, i.e. FTP and telnet, must be disabled.
- Access controls to the MFND should be IP filtered, MAC filtered, or through the use of network print servers.
- If remote configuration and support is to be utilized, connections must utilize secure protocols such as HTTPS (HTTP over SSL) and/or SSH. HTTPS must be no less than TLS 1.0 and must also include TLS 1.1 and TLS 1.2 with a public certificate.
- A password must be used to protect the configuration interface. This password must be changed from the factory default, and comply with the Brown University password standards and requirements for complexity, or to an agreed upon naming convention for group password.
- DHCP must be turned on for all MFNDs.
- SNMP should only be enabled if needed for management of the MFND on Brown University’s network otherwise it should be disabled.
- Regardless of whether SNMP will be used, the community string must be changed from the factory default, and comply with the Brown University password standards and requirements for complexity.
- If it is enabled, then SNMP must use version 3.
- Incoming SMTP traffic must be disabled by default. If it is to be used by a department, it must be approved by ISG. All inbound SMTP traffic must use Brown University mail relays.
- Outbound SMTP (Scan to email) should support secure mail relay compatible with Gmail. If it is not compatible with Gmail, its use must be approved by ISG and must use Brown University mail relays.
- Scanning to a file utilizing network file share must support SMB. Legacy NetBIOS protocols (i.e., TCP 135 & 139, and UDP 135, 137, & 138) are no longer supported.
- In areas that have access to sensitive Brown University data, automatic overwrite of data must be included.
- If data is to be stored, it must not be able to be read by any other device, i.e. encrypted. When encryption is used, it must deploy a state of the art encryption algorithms, including 3DES, AES, or better.
- For all new MFND or digital printing devices purchased after the effective date of this standard, a hard-drive data erase kit (or similar ability) must be included.
- All MFND permanently taken out of service at Brown University must be re-formatted to University standards and security requirements before being removed. (See Data Removal Recommendations).
- Exceptions to this ISG Security Standard can only be granted by the Director of Information Technology Security of Brown University.
- Exceptions will need to be submitted in writing, and reviewed on a yearly basis.
- All MFNDs that were installed and connected to the Brown network prior to the date this standard took effect will be exempted from only those standards that cannot be met, and may require additional security safeguards for continued use after a review by ISG.
Questions or comments to: firstname.lastname@example.org
Policy Published: April, 2009
Last Revised: November, 2016
Next Scheduled Review: November, 2018