A bit late on this topic, but a couple points not previously covered...

While the concerns about email and fax are valid, they really do not
add substantially to risks that are not already present in most
businesses unless existing fax machines and email systems (and Internet
connectivity) are already very heavily policed.

One concern that I have is the ability of employees to use these
systems as de facto imaging systems, creating scanned TIFF or PDF
documents that are then maintained in a file system or on a local hard
drive, circumventing any officially sanctioned EDMS or imaging system.
This adds considerable load to networked file servers and risk if local
PC drives are not backed up.

Another issue most folks are not aware of is that most new copiers are,
in effect, imaging scanners, and retain a copy of everything that has
been copied on a hard drive inside the device until the hard drive
reaches a factory-set storage limit. At that point, the oldest images
are deleted, but many low-use devices could have many months of images
stored in the copier. This may also be true for MFDs (multi-function
devices) that serve as network printers. They may spool print jobs on
the hard drive as they queue up. It is very important, then, that you
have an understanding with your copier / MFD vendor about the manner in
which MFD hard drives are to be handled upon replacement. We mandate
that the vendors physically destroy the hard drives or otherwise cause
stored files to be completely and irretrievably deleted from the
device.

Some vendors provide the ability to set a "retention period" for files
stored locally on the device, but this appears to be fairly pricey
added-on functionality in many cases.

Patrick Cunningham, CRM
--- Mike Marsh wrote:
> I believe that multi-functional copiers (combined photo-copier and scanner,
> linked to e-mail and fax functionality) may create business and records
> management risks.
>
> For example: Ability to send images of paper documents, to multiple
> (internal and external) e-mail addresses and faxes, directly from the
> scanner or copier (with very little audit trail, except about date & time
> sent). Open access, and proximity to insecure filing cabinets, increase
> risk of intruders copying and sending your confidential stuff to external
> addresses. Ability to add and send a 'cover note' (which might contain
> additional business information) to an e-fax or e-mail, without retaining a
> copy. Free access to the entire company e-mail address, fax & phone book,
> via the copier memory. As per computers, images of confidential documents
> retained on the hard disk memory; retrievable even after 'deletion'.
>
> There may be other risks I haven't discovered yet? Controls, for example
> restricting access via user pin number; and implementing good RM & business
> house rules. Has anyone else any experience or advice to share?
>
> Cheers! Mike Marsh.