|
Briefing ID
#: 8356
URGENT: ALL
SITE ADMINISTRATORS - ITS Hard Drive Vulnerabilities in Copy
Machines
Category:
|
|
|
|
|
Audience: |
All Principals/APs, All
Administrative Offices |
|
|
|
|
Due
Date: |
n/a |
|
Meeting
Date: |
n/a |
|
|
|
The purpose of
this briefing is to inform employees of possible vulnerabilities in copy
machines.
- A circulated video of a
recent CBS NEWS report regarding the storing of copied and printed
document images on copy/printer machine hard drives has focused
attention on this potentially exploitable source of confidential data.
- Most copier equipment now
contains hard drives that, unless purposely configured correctly, will
store all images permanently.
- Anyone with access to the
hard drive can view all documents that were previously copied or printed
on that machine. This is particularly true once the equipment leaves
District premises. These documents may include confidential student and
staff information, as well as other information that is exempt from
public disclosure.
- In addition, many of these
machines have wireless capabilities, which, if not secured, could be
used for unauthorized access to the hard drive.
- The District's Network
Security Standards requires that copier hard drives and wireless
capabilities be secured. The Standards can be found at:
- https://pdfs.dadeschools.net/techsupport/datasecurity/Network%20Security%20Standards%202008.pdf
- ITS is working with
Procurement Management and District copier vendors to review data
security procedures. All Images need to be cleared from the machines
before they are removed from District offices or the machines should be
configured when they are first installed so that they do not retain the
images at all.
- All contracts for purchased
or leased copier must now include the requirement that some form of
image securing process be included.
- All memory must be cleared
before the equipment removal, or configured so the images are deleted as
soon as they are no longer needed.
- Until a new bid is written,
there will be a cost incurred for the extra security. Once a new bid
exists, there will be no additional cost.
- Copier equipment purchased
or leased under the old contracts should have the hard drive cleared and
certification provided by the vendor that this has been done.
Alternatively, the vendor may remove the hard drive from the machine and
give it to the site supervisor until such time as it can be cleaned or
distroyed. This would be done if the cost of the deletion of data would
be too costly or if the equipment is too old to have any other form of
data retrieval performed. This requirement will incur extra charges that
should be negotiated with the vendor.
- In discussions with the four
vendors with the most copiers in the District, they have all indicated a
willingness to work with District staff to secure this data.
- If the site has purchased or
leased a copier, the site supervisor or designee is responsible for
ensuring that one of the above data protection processes is followed. If
ITS has purchased or leased the copier, ITS will be responsible for the
data protection.
- ITS will forward further
information as it becomes available.
|
Contact: |
Support Services (
https://selfservice.dadeschools.net )
|
|
Department: |
Information Technology
Services |
|