Briefing ID #: 8356

URGENT: ALL SITE ADMINISTRATORS - ITS Hard Drive Vulnerabilities in Copy Machines
Category:

 

 

Audience: 

All Principals/APs, All Administrative Offices

 

 

Due Date:

n/a

Meeting Date:

n/a

 

 


The purpose of this briefing is to inform employees of possible vulnerabilities in copy machines.


  • A circulated video of a recent CBS NEWS report regarding the storing of copied and printed document images on copy/printer machine hard drives has focused attention on this potentially exploitable source of confidential data.
  • Most copier equipment now contains hard drives that, unless purposely configured correctly, will store all images permanently.
  • Anyone with access to the hard drive can view all documents that were previously copied or printed on that machine. This is particularly true once the equipment leaves District premises. These documents may include confidential student and staff information, as well as other information that is exempt from public disclosure.
  • In addition, many of these machines have wireless capabilities, which, if not secured, could be used for unauthorized access to the hard drive.
  • The District's Network Security Standards requires that copier hard drives and wireless capabilities be secured. The Standards can be found at:
  • http://pdfs.dadeschools.net/techsupport/datasecurity/Network%20Security%20Standards%202008.pdf
  • ITS is working with Procurement Management and District copier vendors to review data security procedures. All Images need to be cleared from the machines before they are removed from District offices or the machines should be configured when they are first installed so that they do not retain the images at all.
  • All contracts for purchased or leased copier must now include the requirement that some form of image securing process be included.
  • All memory must be cleared before the equipment removal, or configured so the images are deleted as soon as they are no longer needed.
  • Until a new bid is written, there will be a cost incurred for the extra security. Once a new bid exists, there will be no additional cost.
  • Copier equipment purchased or leased under the old contracts should have the hard drive cleared and certification provided by the vendor that this has been done. Alternatively, the vendor may remove the hard drive from the machine and give it to the site supervisor until such time as it can be cleaned or distroyed. This would be done if the cost of the deletion of data would be too costly or if the equipment is too old to have any other form of data retrieval performed. This requirement will incur extra charges that should be negotiated with the vendor.
  • In discussions with the four vendors with the most copiers in the District, they have all indicated a willingness to work with District staff to secure this data.
  • If the site has purchased or leased a copier, the site supervisor or designee is responsible for ensuring that one of the above data protection processes is followed. If ITS has purchased or leased the copier, ITS will be responsible for the data protection.
  • ITS will forward further information as it becomes available.

 

Contact:

Support Services ( http://selfservice.dadeschools.net )

Department:

Information Technology Services