Hardcopy security

Most organisations make computer security a priority, but few do the same for their networked printers. A new IEEE standard aims to fix the problem.

Most organisations make computer security a priority, but few do the same for their networked printers and other hardcopy peripherals even though these devices may be vulnerable to attack. In seeking to address this situation, the IEEE Standards Association has begun work on IEEE P2600, ‘Standard for Information Technology: Hardcopy System and Device Security.’

This new standard will define security requirements for those who manufacture, create software for and use printers, copiers, multifunction devices and other hardcopy devices, as well as for the computer systems that support them. It will cover many aspects of security involved in developing, selecting, installing, configuring and using these devices.

These issues encompass authentication, authorisation and the privacy of data sent to and from devices and residing on them, as well as such areas as data integrity and device management. Additionally, the project may include checklists, guidelines and other aids for creating and implementing hardcopy security plans.

‘IEEE P2600 will help manufacturers, system administrators and users rectify the many potential security liabilities associated with hardcopy devices,’ says Don Wright, Chair of the IEEE Hardcopy Security Working Group and Director, Alliances & Standards, Lexmark International.

‘As things stand now, the communications, processing and storage elements in such devices are prone to the misdeeds of others. They can, for instance, let attackers read information sent to printers or open gateways that lead beyond firewalls and expose sensitive and confidential information.’

The IEEE 2600 working group defines hardcopy security as those measures, methods and procedures taken to guard against an attack on, theft of, espionage against or sabotage of the devices, components or systems used to print, scan, copy, transmit, receive or store documents on (or intended to be on) paper or other human-readable media.

‘Few existing standards even touch on hardcopy security, let alone address it broadly,’ says Wright. ‘In correcting this situation, the new standard will raise awareness of hardcopy security issue and help companies become more secure and come into compliance with existing laws.’

These laws include the US Health Insurance Portability and Accountability Act, which requires healthcare organisations to protect the privacy and security of confidential health information, as well as the Safeguards Rule in the US Gramm-Leach-Bliley Act, which calls on financial institutions to have comprehensive security programs that keep customer information secure and confidential. In addition, compliance with certain parts of the US Sarbanes-Oxley Act of 2002 could be adversely affected by a failure to provide adequate hardcopy security.

The standards effort will involve those from hardcopy device manufacturers and users in the commercial and government sectors. The first meeting of the IEEE Hardcopy Security Working Group will be held in early 2004.