Saturday, January 27, 2018

Printers and Copy Machines are Information Systems

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2. 

Contractors depend heavily on reproducing, printing, or otherwise providing hard copy documents as contract deliverables or work products. Printers, copiers, and fax machines now have memory storage and are more information systems by nature than just “copy machines”. The NISPOM has been updated to address how to use and categorize equipment with storage capability.

Question:
Does the equipment used for classified reproduction have any sort of memory capability? If yes, the equipment may require accreditation as an Information System (IS).

Answer: 
The concern is that unless a copier with storage capability is treated as an Information System classified information residing in the storage could be at risk if improperly disposed of. According to the Self-Inspection Handbook for NISP Contractors, any reproduction device that has memory storage may have to be accredited as an Information System.
In many classified environments, hundreds of thousands of pages of reports are printed to meet contractual requirements in the printer's lifetime. Test data, program presentations, critical design reviews, statements of work, period of performance reports, are but a few sensitive documents subject to reproduction. These days, date is commanded to be sent from the drive of one classified computer to the printer, copy machine, or fax machine only to be stored on their drive. Over the years, this information can collate into quite a voluminous library of intimate programmatic details. The good news is that it is protected inside of a classified environment and many facility security officers understand very well how to protect classified information systems.

However, for the uninitiated, a little more training may be required. The understanding that a printer is simply an intellectually dumb machine passively making copies is what the Defense Security Services is attempting to impact. Some are familiar with tales of investigative journalists procuring recycled copy machines and printers only to access the hard drives. Years of sensitive government and personal information were surprisingly revealed as a demonstration of just how foolish it was to recycle these machines without destroying for wiping the hard drives.

Any machine that processes classified information and has storage or memory capability should be considered an information system and therefore accredited prior to use. The accredited system and components will now come under more scrutiny and accountability to prevent improper disposition.


Validation:
Inspect and inventory all printers, copiers, fax machines and other office equipment that process classified and sensitive information.
Review accredited IS against the inventory of office equipment and ensure qualifying systems and components are included in the accreditation.
Develop a plan that identifies and demonstrate future disposition of items no longer required (destruction, recycling, etc.)

Ensure cleared employees understand the information system requirements through training and briefings.

For more security ideas, training, and books, visit www.redbikepublishing.com

Post a Comment