Skip to main content

12-09-2015 - 15-104 - Performance Audit - Printer/Copier Security - Citywide

DTI should take additional steps to increase security on networked printer/copiers and other multifunction devices. DTI should also take steps to increase awareness of information technology security policies and specific risks posed by networked printer/copiers. Enhancements should be made to processes for departmental purchasing, leasing, and maintenance of printer/copiers. Going forward, printer/copiers should not be connected to the network unless accompanied by a DTI Service Now request. All devices on the network should be documented in a master list, which identifies any devices with hard drives. Procedures should be enhanced to ensure that hard drives on leased printer/copiers are properly erased before being sent back to the vendor or being replaced.

Read full report

Executive Summary

Printers and copiers are standard office equipment in all City departments. Today’s printer/copiers are sophisticated multifunction devices that can send emails, scan and save documents, and send faxes. To manage these tasks, the devices have onboard computer operating systems and hard drives, and are connected to the City’s network to process multiuser requests.

While enhancing productivity, these devices introduce risks to a networked computing environment. Documents processed by the devices are saved on the hard drive. If not programmed to erase these files, there is a risk that documents containing sensitive data can be retrieved and reprinted by an unauthorized party at a later time.

DTI has issued a procedure for securing networked printer/copiers, but awareness of the procedure has not been communicated effectively to City departments. Many Citywide printer/copiers have security features that have not been activated, increasing the risk of unauthorized use or release of confidential information. No evidence of any data breach related to printer/copiers came to our attention during the audit.

Recommendations & Benefits

By following the recommendations in this report, DTI will:

  • Enhance security of networked printer/copiers against misuse,
  • Improve management of printer/copiers with a master listing of devices,
  • Enhance consistency in purchases, leases, and maintenance contracts for printer/copiers,
  • Improve communication of IT security policies, and
  • Enhance security of networked printer/copiers and other multifunction devices.

DTI agrees with the recommendations and will work with City Departments to enhance security of Citywide printer/copiers, develop an inventory of networked printers/copiers, and to strengthen communication of IT security standards.