Printer Configuration Requirements

1. Storage (non-volatile) and removable devices

1.1. Departments must:

  • 1.1.1 Enable hard disk encryption; and
  • 1.1.2 Store removable storage devices in approved containers when not in use.

2. Device and network settings

2.1. Departments must:

  • 2.1.1 Configure all printers to default to black-and-white printing, with automatic resetting to black-and-white printing following a colour print job;
  • 2.1.2 Change the default administrator password. For guidance on creating a secure password, refer to Password Guidance;
  • 2.1.3 Use approved network protocols and ciphers. Refer to the Canadian Centre for Cyber Security (CCCS) Guidance on Securely Configuring Network Protocols (ITSP.40.062);
  • 2.1.4 Disable protocols that are not required;
  • 2.1.5 Disable Simple Network Management Protocol (SNMP) version 1 and version 2 protocols;
  • 2.1.6 Disable Universal Serial Bus (USB) ports by default (only enable USB ports when required);
  • 2.1.7 Enable auditing;
  • 2.1.8 Enable Transport Layer Security (TLS) 1.2 or TLS 1.3 using CCCS-approved cryptography. Refer to the CCCS Guidance on Securely Configuring Network Protocols (ITSP.40.062);
  • 2.1.9 Enable Hypertext Transfer Protocol Secure (HTTPS) or Secure Shell (SSH) Protocol; and
  • 2.1.10 Enable SNMP version 3.

3. Usage and device maintenance

3.1. Departments must:

  • 3.1.1 Ensure appropriate baseline security configurations by consulting with their departmental information technology (IT) security when printers are installed, updated, or decommissioned;
  • 3.1.2 Ensure updates are applied by following departmental patch management processes in accordance with the Patch Management Guidance;
    • 3.1.2.1 Use official patches provided by the vendor.
  • 3.1.3 Prioritize the use of patching via remote methods, such as printer management software [Footnote 1];
  • 3.1.4 Apply an update or patch using a removable storage device, such as a USB drive, if remote updates are not possible. USB ports must be enabled for the update and disabled after the update has been successfully applied; and
  • 3.1.5 Ensure that all physical devices that are to be connected to the multi-function device are approved government assets or are verified vendor devices (laptops, USB drives, removable disks).

4. Communication and networking

4.1. Departments must:

  • 4.1.1 Employ TLS 1.2 or TLS 1.3 for all communication between multi-function devices and other devices, such as scanning to a laptop or emailing a scanned item, to ensure that emails and their contents are not sent in plain text;
  • 4.1.2 Use end-to-end encryption for all communication to and from the multi-function device, especially when using cloud or other managed services;
  • 4.1.3 Ensure that jobs are not being submitted directly to the multi-function device, but are instead submitted to printer management software;
  • 4.1.4 Disable wireless printing to local printers from managed devices by default and only enable wireless printing when required;
  • 4.1.5 Ensure the print spooler service is disabled on all operating systems where printing functions are not required;
  • 4.1.6 Disable the service set identifier (SSID) or device name broadcasting on multi-function devices that are connected to publicly accessible networks;
  • 4.1.7 Ensure that approved cryptographic algorithms are used based on the highest classification of information that is being sent to the multi-function device; and
  • 4.1.8 Disable external or non-Government of Canada network access to the multi-function device.

5. Destruction and sanitization

5.1. Departments must ensure that:

6. Media and storage devices (hard drives, solid state)

6.1. Departments must ensure that:

  • 6.1.1 Designated departmental security officials have measures in place so that information is securely handled, and multi-function devices are properly disposed of;
  • 6.1.2 Non-encrypted media is overwritten using Secure Erase [Footnote 2] at least once. If the media device was manufactured before 2001 or is smaller than 15 GB, the overwriting routine should be applied three times. Refer to IT Media Sanitization (ITSP.40.006);
  • 6.1.3 All external markings, such as department names, Government of Canada identification, dates, or any other information are removed from the device; and
  • 6.1.4 All toner, ink, paper, and other removable parts are removed before disposal.
