Printer Configuration Requirements
1. Storage (non-volatile) and removable devices
1.1. Departments must:
- 1.1.1 Enable hard disk encryption; and
- 1.1.2 Store removable storage devices in approved containers when not in use.
2. Device and network settings
2.1. Departments must:
- 2.1.1 Configure all printers to default to black-and-white printing, with automatic resetting to black-and-white printing following a colour print job;
- 2.1.2 Change the default administrator password. For guidance on creating a secure password, refer to Password Guidance;
- 2.1.3 Use approved network protocols and ciphers. Refer to the Canadian Centre for Cyber Security (CCCS) Guidance on Securely Configuring Network Protocols (ITSP.40.062);
- 2.1.4 Disable protocols that are not required;
- 2.1.5 Disable Simple Network Management Protocol (SNMP) version 1 and version 2 protocols;
- 2.1.6 Disable Universal Serial Bus (USB) ports by default (only enable USB ports when required);
- 2.1.7 Enable auditing;
- 2.1.8 Enable Transport Layer Security (TLS) 1.2 or TLS 1.3 using CCCS-approved cryptography. Refer to the CCCS Guidance on Securely Configuring Network Protocols (ITSP.40.062);
- 2.1.9 Enable Hypertext Transfer Protocol Secure (HTTPS) or Secure Shell (SSH) Protocol; and
- 2.1.10 Enable SNMP version 3.
3. Usage and device maintenance
3.1. Departments must:
- 3.1.1 Ensure appropriate baseline security configurations by consulting with their departmental information technology (IT) security when printers are installed, updated, or decommissioned;
- 3.1.2 Ensure updates are applied by following departmental patch management processes in accordance with the Patch Management Guidance;
  - 3.1.2.1 Use official patches provided by the vendor.
- 3.1.3 Prioritize the use of patching via remote methods, such as printer management software (Footnote 1);
- 3.1.4 Apply an update or patch using a removable storage device, such as a USB drive, if remote updates are not possible. USB ports must be enabled for the update and disabled after the update has been successfully applied; and
- 3.1.5 Ensure that all physical devices that are to be connected to the multi-function device are approved government assets or are verified vendor devices (laptops, USB drives, removable disks).
4. Communication and networking
4.1. Departments must:
- 4.1.1 Employ TLS 1.2 or TLS 1.3 for all communication between multi-function devices and other devices, such as scanning to a laptop or emailing a scanned item, to ensure that emails and their contents are not sent in plain text;
- 4.1.2 Use end-to-end encryption for all communication to and from the multi-function device, especially when using cloud or other managed services;
- 4.1.3 Ensure that jobs are not being submitted directly to the multi-function device, but are instead submitted to printer management software;
- 4.1.4 Disable wireless printing to local printers from managed devices by default and only enable wireless printing when required;
- 4.1.5 Ensure the print spooler service is disabled on all operating systems where printing functions are not required;
- 4.1.6 Disable the service set identifier (SSID) or device name broadcasting on multi-function devices that are connected to publicly accessible networks;
- 4.1.7 Ensure that approved cryptographic algorithms are used based on the highest classification of information that is being sent to the multi-function device; and
- 4.1.8 Disable external or non-Government of Canada network access to the multi-function device.
5. Destruction and sanitization
5.1. Departments must ensure that:
- 5.1.1 All media and devices that will be destroyed are sanitized first in accordance with IT Media Sanitization (ITSP.40.006).
6. Media and storage devices (hard drives, solid state)
6.1. Departments must ensure that:
- 6.1.1 Designated departmental security officials have measures in place so that information is securely handled, and multi-function devices are properly disposed of;
- 6.1.2 Non-encrypted media is overwritten using Secure Erase (Footnote 2) at least once. If the media device was manufactured before 2001 or is smaller than 15 GB, the overwriting routine should be applied three times. Refer to IT Media Sanitization (ITSP.40.006);
- 6.1.3 All external markings, such as department names, Government of Canada identification, dates, or any other information, are removed from the device; and
- 6.1.4 All toner, ink, paper, and other removable parts are removed before disposal.