Reply To: Printer Management Standard

#646
ayoder
Participant

What is UNM IT’s policy when handling non-compliant printers if funds are not available to replace or implement additional security measures?

Has the information in this standard been communicated to UNM vendors? We have called vendors on the current contract to come and update device firmware and they have told us their policy is to not update firmware unless there is a functionality issue with the device. (Ricoh and Xerox specifically) Also, for security requirements related to network attached devices, are UNM print management vendors aware of what will not satisfy the standard for a UNM printer? Are they instructed to follow institutional requirements as part of the contract when quoting a device?

Is there a UNM IT offered printing service? Does it meet all the requirements of this standard? What are the costs associated with this service and where are those published? If UNM is currently offering print services for Managed Workstation customers or for use with the Banner ERP, are those systems compliant with this standard? Are OS X machines supported for the “UNM IT enterprise print server”?

Installation, Warranty and Equipment Maintenance
“Equipment Maintenance. Ensure that equipment is properly and routinely cleaned and maintained”
For leased devices is this the responsibility of the vendor?

Printer Equipment Set up and Security Section:
“Vulnerabilities. Stay current on patches for known vulnerabilities related to installed printers”
What is the scope of vulnerabilities? Firmware, Driver patches, workstation patches, server patches, etc.

Usage Section:
“Publish best practices for users of the printer”
What best practices need to be defined for the printer in terms of compliance with this standard?

Data Security Section:
“Data in Transit. Encrypt documents in transit to and from printers (print jobs and scans) to prevent eavesdropping on printer traffic”
Will best practices be published for how UNM Administration, Internal Audit, or UNM IT will determine if the printing solution implemented will satisfy compliance concerns?

“Physical security. Ensure that output trays are in monitored spaces and that only the authorized user can release sensitive documents sent to the printer”
What classifies as a “sensitive document”? Is print release being set as a requirement for all UNM owned printers? Have the data owners been notified about this requirement and addressed the concerns with printing services through the Banner ERP?

“Use additional anti-counterfeiting solutions on printers that use special paper” 
What constitutes an additional anti-counterfeiting solution? How will compliance be determined if enough additional anti-counterfeiting measures are not employed? For UNM official documents what is the minimum requirement to anti a document as genuine?

Trouble-Shooting and Technical Escalation Support Section:
“comply with Service Desk Standard for support of printers”
Where is the service desk standard?

“Ticket and track contacts made regarding printer, training or vendor support issues. Report on and use this information to improve support” 
Is there a standard report format to follow for auditing and compliance purposes?