ÌÇÐÄVlog¹Ù·½

Multi-Function Devices (MFD) & Internet of Things (IoT) Devices — Minimum Security Standards

Last Updated 2023-02-06

Modern printers, copiers, scanners and fax machines generally utilize digital storage and communications capabilities that can present security vulnerabilities when not properly configured and actively managed. These devices are commonly referred to as Multi-Function Devices (MFD).

Internet-of-Things (IoT) devices are any object or device that sends and receives data automatically through the internet. This can include tags, sensors, and devices that interact with people and share information from machine to machine.

Please refer to the Implementation Guides for assistance with implementing the minimum security standard for your device.

Key

Item	Description
	Implementation required
	Implementation recommended
	Recurring task

When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.

The standards listed below are adapted from a subset of the Center for Internet Security's (CIS) Controls, which are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The subset of CIS Controls were chosen based on their applicability to the University of Hawaiʻi.

Quick Reference

• 1.0 - Patching
• 2.0 - Firewall Configuration
• 3.0 - Password Security
• 4.0 - Data Management
• 5.0 - Encryption
• 6.0 - Asset Management
• 7.0 - Data Inventory
• 14.0 - Secure Access
• 15.0 - Secure Configuration
• 16.0 - Event Logging
• 17.0 - Network Security
• 18.0 - Access Control
• 19.0 - Account Management
• 20.0 - Vulnerability Scanning

#	Standards		Institutional Data Category
1.0	Patching	Recurring Task	Public	Restricted	Sensitive	Regulated
1.1	Enable automatic firmware and software updates if possible.
1.2	Install standard firmware and software security patches on a monthly basis for MFDs and IoT devices.
2.0	Firewall Configuration	Recurring Task	Public	Restricted	Sensitive	Regulated
2.1	Configure and manage a network-based firewall with a default deny all policy. Only the minimum number of services should be allowed through the firewall.
3.0	Password Security	Recurring Task	Public	Restricted	Sensitive	Regulated
3.1	Ensure that all university owned MFDs & IoT devices have strong and unique password protected individual logins for all local and remote accounts.
3.2	Ensure that all administrative web application interfaces used to manage MFDs or IoT devices have strong and unique password protected logins for administrative accounts.
4.0	Data Management	Recurring Task	Public	Restricted	Sensitive	Regulated
4.1	Utilize the University's records management process for .
4.2	Securely dispose of Institutional Data following our Disposal Guidelines.
5.0	Encryption	Recurring Task	Public	Restricted	Sensitive	Regulated
5.1	Ensure that data is encrypted with a secure encryption algorithm while in transit.
5.2	Ensure that files containing Sensitive and Regulated data are encrypted or stored in an encrypted file container such as Veracrypt.
6.0	Asset Management	Recurring Task	Public	Restricted	Sensitive	Regulated
6.2	Maintain an updated inventory of all software and hardware assets.
6.3	Ensure that hardware and software assets are fully supported by their vendors.
6.4	Review asset lists on a monthly basis. Remove or replace unauthorized and end-of-life assets if possible.
7.0	Data Inventory	Recurring Task	Public	Restricted	Sensitive	Regulated
7.1	Complete the annual Personal Information Survey (PIS).
14.0	Secure Access	Recurring Task	Public	Restricted	Sensitive	Regulated
14.1	Access applications and manage software over a secure encrypted connection (SSH, HTTPS, etc.).
14.2	Limit access to devices by authorized IPs if possible.
15.0	Secure Configuration	Recurring Task	Public	Restricted	Sensitive	Regulated
15.1	Ensure that MFDs and IoT devices are configured following industry security best practices. Refer to the MSS Implementation Guides for specific configuration recommendations
15.2	Uninstall or disable unnecessary and unused services.
16.0	Event Logging	Recurring Task	Public	Restricted	Sensitive	Regulated
16.1	Enable logging of system, security, and application events.
16.2	Retain logs for at least 90 days. Adequate log storage must be accounted for.
16.3	Review audit logs on a weekly basis.
17.0	Network Security	Recurring Task	Public	Restricted	Sensitive	Regulated
17.1	Utilize network segmentation to address least privilege by isolating MFDs & IoT devices from critical services.
17.2	Maintain network architecture diagrams.
17.3	Utilize Wi-Fi Protected Access 2 (WPA2) with AES-128 or greater and a strong password for wireless networks.
18.0	Access Control	Recurring Task	Public	Restricted	Sensitive	Regulated
18.1	Maintain an updated access control list of user roles, accounts and permissions for local/remote file systems, databases, and applications.
18.2	Grant access and apply access privileges to systems and services on a need to know basis.
18.3	Revoke privileges to systems and services upon employee termination, rights revocation, or role change.
19.0	Account Management	Recurring Task	Public	Restricted	Sensitive	Regulated
19.1	Restrict administrator privileges to individually dedicated administrator accounts.
19.2	Remove dormant accounts (45 days of inactivity).
19.3	Disable default system and software accounts or make them unusable.
19.4	Review account privileges and permissions quarterly.
20.0	Vulnerability Scanning	Recurring Task	Public	Restricted	Sensitive	Regulated
20.1	ÌÇÐÄVlog¹Ù·½ Vulnerability Scan Site Perform vulnerability scans using ScanÌÇÐÄVlog¹Ù·½ on a monthly basis.
20.2	Remediate all High and Critical severity vulnerabilities within 7 days.