If your unit has or uses equipment that copies, scans or otherwise reproduces images, you should be aware of the following security risks:
- The University copies, prints and scans thousands of documents each day. These documents may contain information that is sensitive, confidential and/or protected under FERPA, HIPAA or other laws governing data and records confidentiality.
- Many printers, copiers and scanners in use today have hard drives that save image copies of all processed documents. If these devices are disposed of as is, the stored documents can be retrieved with many free tools.
- When internal, confidential or regulated information is obtained by unauthorized individuals, it is a security breach. A security breach can significantly impact WSU as a whole, as well as individual areas or departments. Consequences can include hefty fines from regulators, reputational damage with granting agencies and potential undermining of public trust in the University’s ability to appropriately manage sensitive information.
To ensure images from copied or scanned documents do not fall into the wrong hands, consider the following:
- Security Controls: Proper configuration of security controls on multi-function devices is critical. At a minimum, administrative access to the device should be configured with a non-default password. If the unit supports drive encryption, this should be enabled.
- Education and Awareness: Educate office personnel on the appropriate management of sensitive information and the risks associated with equipment used to copy or scan. Remember that the greatest security risk arises when equipment leaves the University. No copy and print equipment should leave University units, whether through disposal, resale or trade-in (for leased equipment), without going through Surplus Stores (see BPPM 20.76, Surplus Property) to ensure proper removal of data.
- Disposal and Resale: While University departments may transfer and sell equipment directly to other units, Surplus Stores (509-335-3089) is the only University department authorized to sell or dispose of equipment outside the University. Surplus Stores will ensure hard drives are properly wiped before equipment is resold. A similar process is used to clean computers when they are sent to Surplus. If you are trading, upgrading or replacing the equipment, contact Surplus Stores.
- Leased Equipment: In addition to Surplus Stores, Purchasing Services (509-335-3541) should be involved in trade-ins of leased equipment.
For questions or additional information, you may contact the Office of Internal Audit at firstname.lastname@example.org.