your information. our solutions. a secure combination ... · your security. our priority. we...

ricoh-europe.com/securitymatters Secure solutions for secure business. Your information. Our solutions. A secure combination.


Post on 16-Jul-2020


Your security. Our priority.

We appreciate that your business information is a primary asset. If sensitive details end up in the wrong hands, the risks to your profitability and image are unacceptable. As much information exists within paper or electronic documents, it is vital that this information is protected.

Our solutions are designed to effectively integrate with your existing security infrastructure, policies and procedures. These can be tailored to exactly match your needs. And naturally, all information is treated with the strictest confidence.

We have identified five key areas that you need to consider as a priority.

Document Processes & Protection

User Identification & Authorisation

Systems Configuration & Devices

Network Protection

Monitoring & Auditing


Document Processes & Protection

Throughout their entire lifecycle documents need protection. From capture, store and manage to output, distribution and even scheduled destruction, the core principles of confidentiality, integrity and accessibility are critical to the management of your information capital. We help keep documents safe and secure throughout every stage of the process – from secure scanning, document management and retention to secure printing, controlled accessibility and sharing of information.

User Identification & Authorisation

Authentication and Administration work seamlessly together so that only the right people can access the right information. By using options such as passwords, ID cards or biometric identification, unauthorised access can be denied to those who are not permitted, keeping your information capital safe and secure.

Systems Configuration & Devices

Providing a secure environment for storage of information capital and its authorised usage is a key driver in the development of our products and their operating systems. Our latest devices come equipped with proprietary software to protect data against opportunistic or targeted threats. Even at the end of a device’s life, we offer services to protect information.

Network Protection

We offer protection to ensure that information cannot be stolen, modified or falsified and then re-inserted back into your network. Our range of solutions and tools allow you to encrypt network communications, quickly disable all ports that are not used and control ‘safe’ client address lists to prevent hackers and other malicious parties from gaining access.

Monitoring & Auditing

A range of tools can help manage the security of your environment. Logs of activities such as authentication attempts and setting changes are recorded to enable auditing for security-related events. Management tools with customisable reporting can provide visibility of many actions executed on our devices. These provide a traceable record of print, copy and fax activity by device, user, workgroup or project. This allows more effective security as well as cost management.


Security Matters

Knowledge and information have a value. At Ricoh, we call it your Information Capital. It is an essential driver for all business. It gives competitive advantage. Yet your business information is subject to increasing threats in this digital age.

AN OPEN SAFE

Modern technology has opened up an area of considerable concern in data security. To give just one example, since 2002 nearly every digital copier device in the industry has been built with hard drives. These are essential for the production process and efficient operation. However, they can store a latent image of processing data as well as address data and documents intentionally stored for printing on demand.

Without effective management, they can present a possible weakness – rather like leaving an office safe open with highly sensitive data such as personal customer data, employee records, business plans and strategies inside. This could be an issue, especially when the copier eventually leaves your site.


HOW COMPANIES ARE VULNERABLE

‘95 pages of pay stubs with names, addresses and social security numbers. 300 pages of individual medical records. These are a fraction of the tens of thousands of documents downloaded from previously leased copiers’.

As highlighted by the controversial report on CBS News in April 2010, the extraction of data is not only a great deal easier than many of us may think but is also an emerging trend throughout the world which unnecessarily exposes companies to risk.

Coupled with this there are regulatory and legal requirements to protect sensitive information. However, independent research* shows that in some businesses, such data remains unprotected. Although there is a high awareness of risks to document security, just 47%^ of European business leaders are able to confirm that they have a policy in place to control the printing of customer information.

This makes companies more vulnerable to security breaches, whether accidental or intentional, through people or groups, both internal and external to the business environment.


* Coleman Parkes Research Ltd, 2009 – Ricoh Document Governance Survey

^ Average across Financial Services, Professional Services, Public Sector and Telecoms/Utilities/Media


Business Impact

There have been several well publicised examples across Europe where sensitive information such as health records, bank details and even classified government documents have been lost without any security to protect the data. Besides impacting a company’s reputation, security breaches can be costly.

In the motor racing industry, a 780 page document containing technical information about Ferrari’s F1 car was found in possession of a McLaren designer. The sport’s governing body considered the effect on Ferrari’s competitive advantage so damaging that McLaren was heavily fined and stripped of its championship points for the season.

In 2011, an employee of York City Council in England sent out sensitive information wrongly collected from a shared printer. The Council has been penalised by the Information Commissioner’s Office (ICO) for breaching the Data Protection Act.

Following an investigation the ICO found there was a lack of quality control and management supervision. As a result, the Council has had to sign an undertaking to ensure no personal data is printed when unnecessary and to introduce new quality control checks when documents are being sent out as well.


If confidential information is leaked it can impact your business via:

• Intellectual Property rights: Loss of business investment in Research and Development

• Customer Information: Personal information is protected by legislation. Fines can be imposed if regulations are not met

• Commercial Information: Commercial advantage can be lost if sensitive or confidential information is leaked

• Third-party information: Information handled through outsourcing activities. Customers can lose trust and confidence in the outsourcer and may resort to financial compensation


Thought Leadership

The issue of security is not a new trend for Ricoh. We have always taken a consistent and global approach to secure information - for ourselves as well as for our customers. In 2004, we gained ISO 27001 worldwide certification for our head office and manufacturing sites (which over the following years was extended for all our individual sites). This is a credential of trust because to us the trust of our customers is essential to forming long-term partnerships.

Our thought-leadership is clearly demonstrated right from the earliest stages of the design of our hardware and software. In fact in 2002, we were the first to receive ISO/IEC 15408 certification for a digital multifunctional product. Now our latest devices have obtained Common Criteria certification conforming to IEEE 2600.1, an international standard for IT security products.

“In 2004, we gained ISO 27001 worldwide certification for Information Security Management.”


DEFINING THE MEASURES

We have developed a portfolio to help organisations manage and protect Confidentiality, Integrity and Availability of information.

By implementing security measures, businesses can monitor office equipment and safeguard against information leaks and loss.

SAFEGUARDING YOUR INTERESTS

Our consultants also work with customers to identify solutions, services and define policies which balance security and management with the need for flexibility and efficiency.

By creating a secure infrastructure that evolves as technology advances, your business is armed with a reassuring combination of confidence and confidentiality.


Document Processes & Protection

Keeping your sensitive information secure.

• Do you have concerns that sensitive paper documents can be mislaid or not easily accessed by those who need them?

• Are your prints ever picked up by someone else by mistake?

• How do you ensure that electronic documents are not intercepted and possibly tampered with or information is not mislaid?

Given the potential risks to your information capital, it follows that from paper based to electronic, documents need protection throughout their entire lifecycle. During every stage of the document process, from capture, store and manage to output, distribution and scheduled destruction, the core principles of confidentiality, integrity and accessibility are critical.


We can provide solutions so that only the right people can access the right information. For example, paper documents can be scanned and converted to secure electronic files and stored in a central database. Here they can be protected with access control but still be easily searchable and accessible to authorised users with powerful search and retrieval tools. To further improve authenticity and integrity, digital signatures can be added to documents before users exchange them electronically. The sharing of information can be controlled by managing distribution destinations – such as the sending of scanned documents to predetermined folders, ‘scan to me’, redaction of sensitive information and secure printing.

Improved processes like these help increase efficiency as well as ensuring that your business has complete control over the management of its documents.


Secure Conversion

OBJECTIVE:

• Protect sensitive information in line with company security policies/adhere to regulations such as data protection laws

• Merging vulnerable paper documents into secure electronic workflow

• Enabling accessibility of authorised users to paper and electronic documents

RISK:

• Problem ensuring all the right people have access to documents, both paper and electronic

• Difficulty in auditing who has access to paper documents

• ISO 12.5.4 Information leakage (risk clause ISO27002)

• Unauthorised viewing or tampering of sensitive documents

• Paper documents could be mislaid in distribution or duplicate copies exist

SOLUTION:

• Our intuitive MFP displays provide simple access to workflows for document scanning and distribution

• Only authorised users can access MFP functions such as scanning, and send to destinations that can be pre-defined by an administrator

• Users can also create password protected PDFs from scanned documents - allows them to set security controls for recipient’s viewing, editing/printing

• To improve document integrity, scanned documents can be previewed on a Ricoh MFP before sending. Plus a digital signature can be added, ensuring information has not been altered since it was sent by confirming that a document scanned on the MFP is intact. Digital signatures also verify the identity of the creator

• Paper documents can be scanned and electronic documents captured to be routed directly into a Document Management System. In the DMS they can be protected with access controls but are also easily searchable and accessible to authorised users

• To help with document classification metadata can be added at Ricoh MFPs or the desktop; for fast retrieval, documents are organised into searchable and well-structured electronic formats; full or zonal Optical Character Recognition (OCR) permits indexing capability for reduced manual administration

• Encryption over SSL (Secure Sockets Layer) – uses a private key to encrypt data scanned from Ricoh MFPs to server using secure connection


Electronic Document Management

OBJECTIVE:

• To ensure data availability, confidentiality and integrity

• Information made available when needed. Seamless integration of storage and document processing with security controls

RISK:

• Documents are mislaid or inaccessible either in manual paper processes or locally stored electronic files

• Unauthorised access to documents and information

• Tampering or undetected modification of documents

SOLUTION:

We provide solutions to capture and index paper and electronic documents and route into centralised electronic storage with powerful management capabilities.

AVAILABILITY:

• Full integration with Ricoh MFPs enables easy selection and scanning directly into the appropriate business process folder

• Electronic folder structures are created for a trusted archive which stores hundreds of document types. Powerful search capabilities give fast access for finding a file or information within a file within seconds

• Company documents are centrally available and the information capital is protected so should an individual employee leave, it remains accessible

CONFIDENTIALITY:

• Safeguards information with role-based access control

• Allows assignment of granular and fully customisable security permissions. Security models can be defined for user roles, groups or individual databases

• Roles can be tightly integrated to an Active Directory/LDAP to simplify the user experience while keeping information secure. (Requires server options)

DATA INTEGRITY:

Manages changes and aids compliance by ensuring information accuracy with audit/logging trails and check-in/out version control with server options.

• Ensures data cannot be modified undetectably

• Shows which document is the latest or published version

• Prevents unauthorised overwriting or changes to documents

• Records management features enable tasks such as an automatic date expiration which allows you to set the length of time files are to be kept before they are required to be automatically destroyed in line with regulations or policies

• Browser-based access can be restricted to read only access


Assuring Integrity of Documents

OBJECTIVE:

• Provide solutions to ensure confidence that a document has not been tampered with and is as sent originally

RISK:

• Information in a file is altered after it was originally sent

• Mistakes can be made when manually Bates Stamping onto paper in this time-consuming process

SOLUTION:

• Digital Signature: To improve document authenticity and integrity, users can add a digital signature to PDF documents. A digital signature can be added to documents at a Ricoh MFP or, for electronic documents, on a desktop

• The signature gives assurance that information hasn’t been altered since sent. It also verifies the signer’s digital identity

• Digital signatures are now accepted by law in many countries

• The document version history lets recipients see when the document was signed and see when any changes were made. This history is encrypted and stored inside the PDF and can be viewed via the signatures pane

• A certificate creation tool is also available – this allows the user to create a digital certificate for digital signature via Ricoh MFPs

• If scanning original documents and applying the digital signature are both done by a Ricoh MFP at the same time, it helps prevent the scanned document being changed unintentionally before signing, or being signed by an unscrupulous person

• Bates Stamping: A widely respected and often key requirement in legal, medical and business areas

• Users can automatically apply Bates Stamps to electronic documents from their desktop to uniquely label and identify each page of a PDF

• The stamp appears as a header or footer on specified pages and can contain additional information

• Bates Stamps and Page Numbering can be applied in manual or batch mode with flexibility in location, structure and sequencing

• PDF watermarks: These can be added from a desktop even if they didn’t exist in the original - to include ISMS information security level, for example


PDF/A for File Preservation

OBJECTIVE:

• The long-term preservation of electronic documents for confidence in archiving and Document Management

• Ensure that those documents will be able to be retrieved and rendered with a consistent and predictable result in the future

RISK:

• With different tools and systems used to create, store and render files, there is a danger files are not displayed in the same way over time

• Need to electronically archive documents in a way that will ensure preservation of their contents over an extended time period

SOLUTION:

• ISO 19005-1 defines ‘a file format based on PDF, known as PDF/A, which provides a mechanism for representing electronic documents in a manner that preserves their visual appearance over time, independent of the tools and systems used for creating, storing or rendering the files’

• The standard ensures documents can be exactly reproduced for years to come

• We provide methods of scanning direct to PDF/A via Ricoh MFPs or converting different electronic file formats to PDF/A on a desktop

• PDF/A is a subset of PDF which leaves out features not suited to long-term archiving. This requires that the PDF/A documents are 100% self-contained with everything necessary for displaying the document the same every time, embedded in the file

• A PDF/A is not reliant on information from other sources such as font programmes and hyperlinks


Secure Printing

OBJECTIVE:

• Maintain confidentiality by suspending document printing until the authorised user identifies themselves at the device by authenticating

• Secure print data while in transit, during processing and while stored on the device

RISK:

• Hard copy documents uncollected by users left in output trays. Anyone passing by can browse through or remove prints left on the output tray

• Users having to rush across the office to retrieve a sensitive document

• Falls under the following Standard control clauses (ISO27002):

10.7.1 Management of removable media

10.8.1 Information exchange policies and procedures

11.3.3 Clear desk and clear screen policy

• Print data can be intercepted in transit, during process and while stored on the device

SOLUTION:

• Access to Ricoh printers and MFPs can be controlled so that users have to authenticate at the device in order to release their prints

• Ricoh has a number of different authentication methods from a simple PIN, username and password, or with an ID card - even using existing entrance access card infrastructure

• Simplest device based functionality selected in the driver; user authenticates by entering a password or PIN (Personal Identification Number) at the device control panel. Print jobs can be deleted from the server if not collected by a certain time. (Requires a hard drive)

- The password used for locked printing can be encrypted to protect against wiretapping


• For increased flexibility, alongside secure printing, other server and server-less solutions offer all the benefits of shared centralised MFPs or printers without compromising document security:

- Print jobs can be released by the authorised person from a choice of more than one device, or even any device on the network

- User manages own print queue and can delete unwanted material

- Queue automatically deleted if not collected e.g. after 24 hours

- Documents stored on the printer are encrypted so information cannot be compromised if hard drive leaves the site

• When integrated with card authentication, users simply swipe an ID card instead of remembering a password which may be disclosed to others

For a higher level of security, users may have to swipe a card, in addition to using a password before their print is released

• Mask Print information: Authenticated users can only view their own “Spool Printing” list, printer job history, and error log; other users’ information will be masked using asterisks (“****”)

- When User Authentication is not enabled, it is possible to view the list of Locked Print documents created by all users, however all filenames are displayed as asterisks (“****”)

- When User Authentication is enabled, the user cannot view any information on this list until authenticated. However, even after successfully logging in, the user can only view a list of his or her own Locked Print documents (the filenames for which are displayed as is, without asterisks)

• Print data can be encrypted while in transit using SSL

• Secure print data during processing:

- Only unique Ricoh protocols are used for the exchange of data internally within the device; this prevents illegal access to any program or data

- Each MFP function runs as an independent process preventing illegal access to networks and internal programs from an outside line

• Print data can be encrypted while it’s stored in the device using 256 bit Advanced Encryption Standard


Copy Data Security

OBJECTIVE:

• Control unauthorised copying by embedding patterns which grey the document to prevent duplication on other MFPs

RISK:

• An illegal attempt is made to copy a document

SOLUTION:

• Unauthorised Copy Control is a unique Ricoh feature. It embeds patterns and text under printed text, eliminating the risk of unauthorised copying of sensitive documents

• It consists of two functions:

Mask Type for Copying* embeds a masking pattern and message within the original printout. If copies are made on Ricoh or non-Ricoh devices the embedded message appears – the author’s name would, for example, help identify the originator

Data Security for Copying - when printing on a Ricoh MFP, if this feature is selected in the driver, all copies made of the original on a Ricoh MFP+ will be greyed out


* Some digital MFPs may not detect masking patterns

+ Requires Copy Data Security Unit. Not supported on some fax-enabled configurations. Scanner feature must be deactivated on some scan-enabled configurations. Copy reduction ratio less than 50% will be deactivated


Watermarking

OBJECTIVE:

• Add an additional layer of visible security that highlights the sensitivity of a document

RISK:

• Unclear if a distributed document is a draft or confidential – therefore may not be treated with the right level of sensitivity

SOLUTION:

• Watermarking driver setting

• Allows user to simply add a message behind the text of a document

• Words such as ‘draft’ or ‘confidential’ can be used, for example, in accordance with the security policies of the company


Archiving Print Jobs

OBJECTIVE:

• Ensure that documents produced are readable for at least one hundred years

RISK:

• Paper documents degrade and become illegible over time

SOLUTION:

• Ricoh devices meet the archiving requirement so that documents produced by these devices are readable for at least one hundred years

• Toner adhesion meets ISO 11798


Control Scan/Fax Destinations

Objective:

• Regulate access to scanning functions in order to control distribution of confidential documents

Risk:

• Non-authorised users attempt to scan or fax documents – for example, trying to send ‘leaked’ documents outside of the company to a competitor

Solution:

• Control destinations for documents that are scanned or faxed. Delivers documents directly into a document workflow from a Ricoh MFP e.g. to pre-set email addresses or folders

• Easy to use interface on the MFP decreases human error with icon-driven ‘select and go’ scanning process

• When used in conjunction with authentication methods administrators can even create workflows and predefine destinations for a user’s documents e.g.:

- ‘Scan to me’ – scanned documents are automatically forwarded via SMTP to the email address of an authenticated user. This address needs to be looked up in LDAP; the SMTP server can be configured centrally

- Files are sent as an attachment in a MIME-encoded email message

• Reporting and tracking of distribution activities provides an audit trail

• For those organisations in certain environments who must be able to provide evidence of all data processed, there is an optional feature to store and archive all documents processed on the device for audit and accountability purposes


Secure PDF Sharing

Objective:

• Ensure that only the right people can access certain information

• Protect PDF documents with password and/or permissions control for secure sharing and archiving

Risk:

• Information getting into the wrong hands

• Even documents marked with ISMS security classifications can be ignored by malicious actions or subject to human error

• There are high profile examples of documents marked highly confidential being widely circulated - even appearing in newspapers

Solution:

• We can provide software to protect sensitive information with PDF creation that works alongside any organisation’s security policies

• PDFs are encrypted while in transit using SSL

• Users can also set passwords on PDF files with 128-bit secure encryption – requiring others to know the password in order to view, edit or print them

• Users can set the security level of their PDF files directly from Ricoh MFPs or protect electronic files via their desktop with drag and drop ease

• There are two types of password:

- Open Password restricts document accessibility: the document can only be opened by supplying the password when prompted

- Permissions Password allows users to define how a document is used or modified: it provides options to control/disable printing or editing

• Digital signing of PDFs to confirm authenticity and integrity

• Users can additionally send multiple files in their original formats in an encrypted ‘PDF envelope’ from their desktops


Faxing Security

Objective:

• A range of solutions to prevent unauthorised user access or tapping of phone/fax lines

Risk:

• Unauthorised access to a corporate network via fax line

• Illegal tapping of phone lines

• Unauthorised use/abuse of fax

Solution:

• If an initial connection is established with a terminal that does not use G3 or G4 protocols, the MFP will view this as a communication failure and terminate the connection. This prevents access to internal networks via telecommunications lines and ensures that no illegal data can be introduced via these lines

• Restricted Access: Requires authorised user code - keeps device usage under firm control and deters passers-by from using it

• Can be linked to the Night Timer feature to prevent after-hours access

• Network Authentication limits access to the fax systems, increasing security by monitoring usage

• Access is restricted to users with a Windows domain controller account

• Server Authentication limits access to fax system for scan to email as well as standard faxing, IP faxing and LAN faxing

• Security PIN Code Protection. To prevent exposure of a PIN Code or Personal ID, any character after a certain position in the destination’s dial number is concealed in the display and Communications Report

• Closed Network checks the ID codes of the communicating machines. If they are not identical, communication is terminated. This prevents potentially sensitive information being transmitted, intentionally or accidentally, to the wrong location. (Requires Ricoh fax systems with closed network capacity)

• Confidential Transmission/Reception – enables user to transmit to/receive from a passcode-protected mailbox. Messages are only printed after recipient enters correct passcode – providing an enhanced level of security

• Memory Lock – retains documents from all or specific senders in the memory. When the Memory Lock ID is entered, the document prints – again this prevents documents sitting on the receive tray for anyone passing to read

• Fax to Email – a sub-address attached to a fax number allows a fax to be routed direct to recipient’s e-mail on a PC. Maintains confidentiality as only the recipient can view the message


Removal of Confidential Text

Objective:

• The blacking out/redaction of confidential text

• Removal of sensitive information prior to release or publication

• To adhere to industry regulations and Data Protection Policies

Risk:

• Documents distributed with sensitive details included

• Time-consuming searching and marking of documents by hand with chance of human error

Solution:

In business and law, a document can have certain parts ‘redacted’, involving the removal of sensitive names and details. For example, a court may order that the names of signatories of a petition be redacted to protect their identity. Typically, redaction has been performed manually; however, we offer an automated solution.

• Users can redact PDF Normal and Text Searchable PDFs at the desktop using powerful search and redact features. These automatically search documents for specified words then remove information with options to also remove any metadata associated with it

• Redaction codes or text can be placed over the removed information to indicate why the information was redacted

• The redaction workflow can also be directly selected from a Ricoh MFP display. The results are delivered as a searchable PDF file with all the specified information fully redacted

• Images as well as text can be permanently removed from PDF files through redaction


User Identification & Authorisation


Managing authorised access on every level.

• What can a business implement to prevent unauthorised system usage and control circulation of sensitive data?

• How do you control distribution destinations and manage authorised users’ access to certain functions or prevent them from changing specific settings?

On every level, control of access is the key to minimising risk. With our systems, Authentication and Administration work together in identifying users to establish and verify access rights and prevent unauthorised usage. Administrators authorise access to system functions to suit appropriate levels of rights, and to restrict users from accessing or tampering with system settings. Authentication is also used to enable functionality such as secure printing and ‘scan to me’, as well as enabling tracking and monitoring usage by individual or department.

A choice of options such as passwords, authentication cards or biometric identification methods, can be used to permit and manage access for groups or individuals. An organisation’s existing IT infrastructure can also be used for authentication management by integrating into LDAP (Lightweight Directory Access Protocol) or AD (Active Directory) and staff entry ID cards, for example, can be used to access devices.


User Authentication

Objective:

Identify users to verify permissions to perform certain operations or access specific resources:

• Prevent unauthorised system usage or changing and tampering of machine settings

• Control access of system functions

• Identify users to enable secure printing and distribution control such as ‘scan to me’

Risk:

1. Unauthorised person accessing the device

• Risk and Standard control clauses (ISO27002)

• Unauthorised user of print service – uncontrolled resource

- 6.1.4 Authorisation process for information processing facilities

- 15.1.5 Prevention of misuse of information processing facilities

2. Unauthorised distribution of documents

- E.g. incorrectly assigned owner of scanned document

- 11.5.2 User identification and authentication

3. Different access levels required to prevent inappropriate viewing/usage

Solution:

• Users identify themselves at an MFP or printer by authentication. This prevents unauthorised access, and allows monitoring and management of device usage by user level

- Administrators can control access to device functions – for example by only giving a user access to print and not copy, or only allowing copying in black and white

- Authentication also allows secure release printing and customised destinations for particular users, such as ‘scan to me’

• There are four methods for user authentication – basic and user code (verified against local databases); existing IT infrastructure can be used for authentication by integrating into LDAP (Lightweight Directory Access Protocol) or Active Directory. For increased user friendliness, and also to prevent a PIN/password being seen by others as it is entered, users can also use ID cards to authenticate (see Card Authentication)


User Authentication (continued)

Solution:

1. Windows Authentication: verifies the identity of the user by comparing login credentials (user name and password) against the Active Directory server database.

- Unlimited user accounts

- Suits multi-machine usage, organisations with large user base and ‘hot desking’, roaming profiles

2. LDAP Authentication: validates a user against the LDAP server so only those with a valid user name/password can access the global address book

- Unlimited user accounts

- Suits multi-machine usage, organisations with large user base and ‘hot desking’, roaming profiles

3. Basic Authentication: verifies a user against the name/password registered locally in the device’s Address Book to allow access.

- Gives 500 user accounts

- User name & password and alpha numeric fields, usage tracking, export/import data, static network user

- Administration roles: Access, network, machine, user, file and engineer access prevention

4. User Code Authentication: Utilises standard User Code system to authenticate the user. PIN code entered by user is compared to registered data in the address book and validated before access is permitted

• A User Code can be assigned according to desired level of access

• It enables system administrators to monitor and manage usage – generate print counter reports by function and User Code

• Both Basic Authentication and User Code Authentication can be used in Windows and non-Windows office environments

Other authentication methods:

Integration server authentication

• Integration server authentication is used when there is a need to integrate with a specific authentication system such as RADIUS server authentication


Card Authentication

Objective:

• Manage and control user access to printers or MFP functions

• Avoid information leaks by limiting access to email and fax

• Improve security by providing two forms of authentication

• Extend Public Key Infrastructure (PKI) environment

Risk:

1. Unauthorised person accessing the device

• Risk and Standard control clauses (ISO27002)

• Unauthorised user of print service – uncontrolled resource

- 6.1.4 Authorisation process for information processing facilities

- 15.1.5 Prevention of misuse of information processing facilities

2. Unauthorised distribution of documents

- E.g. incorrectly assigned owner of scanned document

- 11.5.2 User identification and authentication

3. PIN/password being forgotten or disclosed to unauthorised person

4. Different access levels required to prevent inappropriate viewing/usage

Solution:

• Use cards for authentication for user convenience, or to improve security by providing two forms of authentication: something a user has (the card), and something they know (the card’s PIN)

• User access to an MFP or printer can be permitted by using ID cards

• Documents can be released and printed securely by a swipe of an ID card

• Access to email and fax functions can be controlled, for example by providing predefined destinations according to the status of the individual, to prevent misuse/leakage of information

• Authorised access can be further controlled by setting ‘scan to’ sender details as the ID card owner to prevent spoofing of the sender

• An organisation’s existing log on and entrance access card infrastructure can be utilised for simpler IT management and easier user access

• The access log and job log function on our Device Monitoring & Management tools allow tracking of exactly who, where and when any confidential information is sent

• Use Public Key Infrastructure (PKI) to improve security. Opportunity to extend PKI by digitally signing documents during scanning, using card authentication


Administrator Authentication

Objective:

• Control permission level granted to each user to prevent unauthorised usage of stored information

• Provide authorisation rights and authentication management for administrators

• Identify and delegate management tasks to the administrators based on their username and password

• Reduce workload put on any single administrator

Risk:

• Risks and Standard control clauses (ISO27002):

- 6.1.4 Authorisation process for information processing facilities

- 15.1.5 Prevention of misuse of information processing facilities

• Excessive privileges given to any one administrator

Solution:

• Up to four administrators can share management of system settings and user access to devices for separation of duty if required. A separate Supervisor role allows setting/changing of administrator passwords. By sharing the administrative work among different administrators, MFP management workload and responsibilities can be spread evenly and according to areas of expertise

- This provides enhanced security as no one administrator is assigned with excessive privileges


Administrator Authentication (continued)

Solution:

• If Administrator Authentication is enabled, the four types of Administrator privileges are built in to the machine. These roles can be combined to suit an organisation’s requirements:

- Machine Administrator: Can configure machine settings

- Network Administrator: Network settings such as IP address and SNMP server can only be specified or changed by the Network Administrator

- File Administrator: Manages access permissions to stored files. The File Administrator can set restrictions based on passwords that allow only registered and permitted users to view and edit files stored in the document server

- User Administrator: Manages user accounts in the address book. If a user forgets their password, the User Administrator can delete it and create a new one

- Supervisor: Can delete any administrator password and specify a new one. The Supervisor cannot configure machine settings or use functions

• Document Management & Electronic Storage: Central repository secured with integrated Role-Based Access Control (RBAC)

• Assignment of individual rights, profiles and roles

• Assignment of roles to groups

• Easy user and group administration and authentication; integration and synchronisation of users/groups in external Directory Services with support for LDAP and Active Directory Services

• Browser-based access can be restricted to read-only access


User Access Control

Objective:

• Document owners can control access to their files stored on the document server

Risk:

• Documents stored within the printer/MFP’s document server can be accessed by PC users on the network

• Risks and Standard control clauses (ISO27002): Prohibiting unauthorised document circulation

Solution:

• Password-Protected Files: Document owner can provide access to files stored on the document server. Files can be password protected, restricting user access. Passwords can be set by using from four to eight digits

• Specify User Access Level: Four types are available

- 1. Read only: User can print and send stored files

- 2. Edit: In addition to the above, user can change print settings for stored files

- 3. Edit/Delete: Also gives user ability to delete stored files

- 4. Full Control: Users can utilise all aspects and control other users’ access permission

• Enhanced Password Protection: Should anyone attempt to break the password-protected code, access is automatically locked by this feature


Systems Configuration & Devices


Helping keep data and devices secure.

• How can you safeguard confidential information processed and stored on MFPs and printers?

• Are your systems and devices able to withstand potential attacks?

Providing a secure environment for the processing of information is a prime driver in the development of our products and their operating systems. That’s why you’ll find that our latest devices come equipped to protect printed and electronic data against opportunistic or targeted threats.

In fact globally, a number of our devices have achieved the Common Criteria certification which conforms to IEEE 2600.1. The latter is an international standard that defines requirement specifications for office use as well as government where a higher security level is required.

In today’s digital age, devices such as printers and MFPs throughout the industry can store latent images of processing data. There’s also address data and documents intentionally stored on the Hard Disk Drive for printing on demand. This can open up an area of considerable concern, especially when devices eventually leave your site.

The protection offered on our devices includes encryption to make intercepted data indecipherable and the ability to overwrite data to prevent it falling into the wrong hands. RAM-based security can provide an alternative to the Hard Disk Drive for some customers. We also offer services to ensure no information remains on a device at the end of its life.


Secure Printing

Objective:

• Maintain confidentiality by suspending document printing until the authorised user authenticates

• Protect data whilst being processed

Risk:

• Hard copy documents left in output trays – anyone passing by could browse through or remove

• Urgency placed on user to immediately retrieve a sensitive document

• Falls under the following Standard control clauses (ISO27002):

- 10.7.1 Management of removable media

- 10.8.1 Information exchange policies and procedures

- 11.3.3 Clear desk and clear screen policy

• Print data captured whilst in transit

Solution:

• Maintain confidentiality by releasing print only when document owner authenticates at the device. Authentication methods range from a simple PIN to user name and password or an ID card - even using existing entrance access card infrastructure

• In-built device security requires that the authorised user authenticates by entering a password or PIN (Personal Identification Number) at the device control panel

- Available through Ricoh’s advanced print drivers (requires a hard drive which may be optional, depending on model)

- Print jobs can be deleted from the server if not collected by a certain time

- The password used for locked printing can be encrypted to protect against wiretapping

• For further security and added user convenience, we offer a number of solutions that permit single sign-on with existing IT infrastructure or ability to unlock prints by swiping entrance access card for seamless IT management

• To protect data during processing the device functions run as independent processes with specific memory space allocated separately for each module. This makes it impossible to directly access the memory space of any other module. For example, incoming fax data will only be sent to those applications designated for fax operations – this arrangement prevents illegal access to networks and internal programs from an outside line

• Only unique Ricoh protocols are used for the exchange of data internally within applications - this prevents illegal access to any program or data

• Data is encrypted while in transit

• Data is encrypted while waiting for printing


Hard Disk Drive Security

Objective:

• Safeguard confidential information by providing effective management of data processed by and stored on MFPs and printers

Risk:

• Hard Disk Drives are essential for the production process and efficient operation. However they can store a latent image of processing data as well as address data and documents intentionally stored for printing on demand. Without effective management, they can present a possible weakness

• Unauthorised alteration/deletion of software, hardware, other digital resources such as downloadable fonts and images, email/fax address

Solution:

We help safeguard your confidential information in a variety of ways. Data Overwrite Security System (DOSS) protects your latent information and works together with encryption because data that’s not overwritten, such as intentionally stored documents and address books, also needs to be protected.

Data Overwrite Security System (DOSS) is supplied as standard on the latest Ricoh MFPs (and an option on printers)

• It allows you to secure the hard drive and make all confidential data unrecoverable by overwriting latent digital images after all copy, scan and print jobs

• Overwrites with random sequences of ones and noughts – can be set to occur from 1-9 times

• The random data overwrite process makes any effort to access and reconstruct print/copy files virtually impossible, preventing information from falling into the wrong hands

• A simple display panel icon provides visual feedback on the status of the overwrite process


Hard Disk Drive SecuritySOlUTION:Data Overwrite Security System (DOSS)

• Provides two methods for overwriting the data – Event Driven and Overwrite All

- Event Driven destroys copy, print and scan data immediately after every job is processed (if a job comes in while the system is overwriting the previous one, it automatically halts until the job is completed)

- Overwrite All overwrites the device’s entire hard drive, including stored documents (including setting information, e-mail/Fax address book information, counter information, etc.) - recommended if relocating or discarding a machine

• Select DOSS versions have ISO 15408 certification conforming to IEEE 2600.1 standard. This ISO is an international standard for information security that provides verification of IT security features

Data encryption: Operates in conjunction with our Data Overwrite Security System – providing a multi-layered approach to securing sensitive documents

• Encrypt valuable Information: Encrypts data, such as frequently used documents stored for print on demand for secure semi-permanent storage, so information would be inaccessible if the Hard Disk Drive got into the wrong hands. Available with new devices or as an option on older devices

• Frequently used information such as address books and administrator or user passwords can also be encrypted. Eliminates the danger of a company’s employees, customers or vendors being targets for malicious e-mails or PC virus contamination. Also protects user names/passwords used elsewhere on the network, increasing network security

• This helps keep data typically stored on an MFP or printer from being viewed, even if data/devices are removed or stolen. Locks data to prevent recovery

• Encrypts device information rather than destroying it – allows only authorised users access


Security Certification

At Ricoh, we have always taken a consistent and global approach to securing information for our customers. Our thought-leadership is clearly demonstrated right from the earliest stages of our hardware and software design for our multifunctional products (MFPs) and printers.

In fact in 2002, we were the first to receive ISO/IEC 15408 Common Criteria certification for a digital MFP device. Then in March 2010, we became the world’s first to obtain Common Criteria certification conforming to IEEE 2600.1 for MFPs for the Japan market. This certification is an international standard for IT security products for office use as well as government, where an even higher level of security is required.

Now our latest devices for Europe, the Middle East and Africa (EMEA) have also achieved this certification. This relates to our MFP products, Aficio MP2851/3351/4001/5001.

Ricoh will continue to obtain Common Criteria certification conforming to IEEE 2600.1 for its MFPs and printers and will pioneer in the development of new security features to help protect printed and electronic data against opportunistic or targeted threats.

SECURITY MATTERS

As potential attacks on your information capital increase in sophistication, securing your data environment is even more vital.

Given the importance of this, governing bodies such as the IEEE, the world’s leading professional association for the advancement of technology, are working to implement security guidelines and product standards to help govern the features of printing devices. Ricoh has a lead role in the IEEE working group which analyses the latest security vulnerabilities and prepares methods to combat them.

To date, the group has created the security standard P2600, an international benchmark for the security of MFPs and systems. This helps organisations configure their devices to optimise security specifically for the environment in which they are operating.

Common Criteria (CC) is an international standard for information security. As an international standard, the CC ensures that the security functions are implemented properly and are usable. The Common Criteria certification demonstrates that Ricoh has secure environments (processes from development, manufacturing, delivery, and installation) as a manufacturer that can provide CC-certified products.

The CC certification evaluates whether or not security functions work properly under certain conditions. IEEE 2600, however, includes a document Protection Profile: it specifies the security functions and requirements that are subject to evaluation according to the CC.


Security Features

OBJECTIVE:

• Support key security features whilst simplifying all aspects of installation, monitoring and management of Ricoh networked output systems

SOLUTION:

• Restrict User Access. Allows system administrators to control user privileges through the user management tool

• It activates a menu for review of the devices authorised for use by User Code and User Name

• A simple click accesses a menu that restricts or enables access for individual users

• Change Community Name: To address SNMP (Simple Network Management Protocol) vulnerability, the system administrator can change the Community Name from ‘Public’ to another more secure name

• If utilised, the Community Name for the software must have the identical name as the connected Ricoh output device

• Support of SNMPv3 which encrypts the community name for improved security


Network Protection

Helping keep intruders out.

• Could hackers and other malicious parties gain wireless access to your devices?

• Could data streams and passwords be intercepted?

• Have your unused network ports been left open and vulnerable?

As potential attacks on your information capital increase in sophistication, securing your data environment is even more vital. That’s why our devices have a range of security specifications that address vulnerabilities in wired and wireless communications.

For example, encryption features work to help prevent hackers and other unauthorised parties from gaining access, by ensuring data is made indecipherable if intercepted. Authorised connections to a device can also be restricted by range of IP addresses via IP filtering.

Additionally, our systems permit the administrator to disable all ports that are not being used. This, in tandem with our other security solutions, works to prevent the theft of passwords or user names and other outside threats, including destruction and falsification of data.

We continuously evaluate all our products during development. We also check for known vulnerability issues as reported by Internet security organisations such as the CERT Coordination Center. Whenever any such issues are found, we provide appropriate countermeasures.

Wireless Access Security

OBJECTIVE:

• Block intruders from tapping into wireless networks

RISK:

• Interception of data streams and passwords. Or using the wireless connection to a device as an entry point into a data network

SOLUTION:

• WPA Support (Wi-Fi Protected Access): Used in conjunction with the IEEE 802.11a/b/g Wireless LAN option, this is a security specification that addresses vulnerabilities in wireless communications

• It provides a high level of assurance that data will remain protected by allowing only authorised users access

• Authentication and encryption features block intruders with wirelessly enabled laptops from tapping into wireless networks

• It prevents the interception of data streams and passwords, and the use of the wireless connection as an entry point into the customer data network

• 802.1X Wired Authentication provides network-port based authentication for point-to-point communication between network devices and a LAN port; communication will terminate if the authentication fails


Physically Secure Ports

OBJECTIVE:

• Prevent unauthorised network access

RISK:

• Network-enabled systems are shipped to customers with all network ports open to make them easy to install. However, open, unused network ports pose a security risk of access by an unauthorised outsider via, for example, a wireless connection

SOLUTION:

• The system administrator can enable/disable IP ports to control the different network services provided by the print controller to an individual user

• To provide enhanced network security, specific protocols such as SNMP or FTP can be disabled using Web Image Monitor or Smart Device Monitor

• Eliminate outside threats including destruction/falsification of stored data, Denial of Service (DoS) attacks and viruses entering the network via an unused printer or MFP port

• This also prevents theft of user names and passwords

• Ports can be enabled or disabled individually, or protocols/ports can be closed automatically based on the network security levels set


Control IP Address Access

OBJECTIVE:

• IP filtering: authorised connections to the device can be restricted to ranges of IP addresses

RISK:

• Network is accessed by an unauthorised outsider – for example via a wireless connection

SOLUTION:

• IP (Internet Protocol) Address Filtering: Control access to the device by restricting access to specified IP address ranges. Up to five sets of ranges can be entered

• Additionally, it helps balance output volumes among multiple devices and enhances network security by limiting access to files stored in devices
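The allow-list behaviour described above can be modelled before a configuration is rolled out. The following is an added example, not Ricoh code: the class name, the start/end range format, the `findings` review and its 1024-address threshold are assumptions made for illustration; only the limit of five ranges comes from the brochure.

```python
import ipaddress

MAX_RANGES = 5  # the brochure states that up to five sets of ranges can be entered

# Address space normally treated as internal (RFC 1918 plus IPv6 unique-local).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


class AccessControlList:
    """Inclusive start-end address ranges; any source outside them is refused."""

    def __init__(self, ranges):
        ranges = list(ranges)
        if len(ranges) > MAX_RANGES:
            raise ValueError(f"at most {MAX_RANGES} ranges are supported")
        self.ranges = []
        for start, end in ranges:
            lo = ipaddress.ip_address(start)
            hi = ipaddress.ip_address(end)
            if lo.version != hi.version:
                raise ValueError(f"mixed IP versions in range {start}-{end}")
            if lo > hi:
                raise ValueError(f"range start is above range end: {start}-{end}")
            self.ranges.append((lo, hi))

    def permits(self, source):
        """Return True when the source address lies inside a configured range."""
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            return False  # unparseable source address: fail closed
        return any(lo.version == addr.version and lo <= addr <= hi
                   for lo, hi in self.ranges)

    def findings(self, max_hosts=1024):
        """Review the configuration itself: flag ranges that weaken the filter."""
        notes = []
        for lo, hi in self.ranges:
            hosts = int(hi) - int(lo) + 1
            label = f"{lo}-{hi}"
            if hosts > max_hosts:
                notes.append(f"{label}: {hosts} addresses, wider than {max_hosts}")
            if not any(lo in net and hi in net for net in INTERNAL_NETWORKS):
                notes.append(f"{label}: extends beyond internal address space")
        return notes


if __name__ == "__main__":
    # Constructed sample configuration: one office subnet and a small print-server pool.
    acl = AccessControlList([("192.168.10.0", "192.168.10.255"),
                             ("10.20.0.10", "10.20.0.20")])
    for source in ("192.168.10.57", "192.168.11.1", "10.20.0.20"):
        print(source, "allowed" if acl.permits(source) else "refused")
    print(acl.findings() or "no configuration findings")
```

Address filtering limits which hosts can reach the device but does not authenticate them, so it complements the user authentication features rather than replacing them.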


Secure Network Data: Communication Protocols

OBJECTIVE:

• Encrypt print data through SSL (Secure Sockets Layer) technology via IPP (Internet Printing Protocol) to make intercepted data indecipherable

RISK:

• Vulnerability: Interception of data or tapping machine settings using communication between PC and output device

SOLUTION:

The protection protocol differs depending on the document data and how it is communicated. We offer a range of solutions:

• Data Encryption via IPP: An effective way to achieve data security

- Print data communicated between a network PC and MFP can be encrypted using SSL technology via IPP which secures data between workstations and network printers/MFPs. This stops any attempt to tap print data; intercepted data is indecipherable

- The latest Ricoh devices use a longer key length on the SSL certificate for a secure encryption level: 1024/2048 bit SHA1 for the SSL certificate as standard

- Increasing the key length makes the data hard to analyse even if it is stolen

- Additional functionality disables SSL-v2 and SSL with encryption key length less than 128 bit

• IPsec Communication (PC-Device Communication): a suite of protocols designed to secure IP communications via authentication and encryption of each IP packet in a data stream

- Also includes protocols for cryptographic key establishment

- Prevents documents being viewed from the internal data carrier by unauthorised people and any outsider being able to connect to the MFP from outside the network

• S/MIME for scan to email: Attaches a digital signature and encrypts message contents when scanning and sending by email for data protection against wiretapping

- S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of email encapsulated in MIME

- MIME is an Internet Standard that extends the format of e-mail to support text in character sets other than US-ASCII, non-text attachments, multi-part message bodies and header information in non-ASCII character sets


Network Authentication Protocol

OBJECTIVE:

• Provide strong security for users’ passwords

RISK:

• Many internet protocols do not provide any password security

• Hackers employ programs called ‘sniffers’ to extract passwords to access networks

• Sending an unencrypted password over a network is risky and can open it to attack

SOLUTION:

• Many Ricoh devices support Kerberos authentication

• Kerberos authentication helps limit risks caused by unencrypted passwords and keeps networks more secure


Device Management

OBJECTIVE:

• Ensuring that device management is carried out in a secure environment using SNMP

RISK:

• Unauthorised users seeing the password and/or device information

SOLUTION:

• SNMP v3 Encrypted Communication: A network management standard widely used in TCP/IP environments

• Provides a method of managing network hosts such as printers, scanners, workstation or server computers

• Groups bridges and hubs together into a ‘community’ from a centrally-located computer running network management software

• Allows administrators for example to change device settings from a networked PC with encrypted communications to maintain a secure environment

• Also offers user authentication and data encryption that delivers greater security features to protect customer data and network assets

• Prevents unauthorised users from seeing either the password and/or device information

• Uses SSL to communicate with devices


Monitoring & Auditing

Helping you keep track and in control.

• Are your networked devices being used inefficiently or without permission?

• Do you need to ensure that printed documents are identifiable or can be attributed?

• Do you require accurate and comprehensive tracking for proof of compliance?

We offer a range of tools that help track, monitor and manage device activity.

This brings considerable benefits, as monitoring provides transparency of use for more effective security of printers and MFPs, as well as enhanced cost control and proof of compliance.

Security-related events such as authentication attempts and setting changes are logged to provide audit trails. A complete listing of every job executed by the device is stored in the memory. When used together with external authentication modes, it can show which device was used and by whom in tracing unauthorised transmission attempts. Customised reporting can provide easy tracking of output print, copy and fax activities by device, individual project or workgroup.

In short, our tools offer better visibility and control of user access as well as accurate and comprehensive tracking for proof of compliance, and provide access logs by users for audit purposes.


Device Log Management

OBJECTIVE: Audit All Device Activity

• Enable better control of user access and tracking of print, copy and fax activities

• Convenient customised reporting with easy tracking of all document output by user, project or even workgroup (when used with authentication)

• Accurate and comprehensive tracking for proof of compliance and access job log by users for audit purposes

RISK:

• Networked devices used inefficiently or without permission

• Printed documents cannot be identified or attributed

(Fundamental ISO27001 clause 4.3.2 Control of documents)

7.2.2. Information labelling and handling

SOLUTION:

• Monitoring & Recording via protected logs: Access logs of registered devices and configure which devices to collect logs from

• A complete listing of every job executed by the device is stored in the memory; enables accurate control of user access and tracking of copy and print information

• Monitor printing/scanning a document/receipt of fax

• When used in conjunction with user authentication modes, allows tracking of device usage by job, user, project or even workgroup. Also enables determination of which specific users may be abusing a device

• Shows which device was used and by whom in tracing unauthorised transmission

• Gives accurate and comprehensive tracking for proof of compliance and access job log by users for audit purposes

• Enables quotas and policies to be created for enhanced management of printers and MFPs for more effective security and greater cost control and sustainability


Record Security-Related Events

OBJECTIVE:

• Monitor and record, via protected logs, any security relevant events that occur within the MFP or printer

RISK:

• Undetected attempts at authenticating or changes made to security settings

SOLUTION:

• Examples of these types of events might include: successful and unsuccessful authentication attempts, changes in security relevant settings on the device, or changes in the content or state of the device’s internal security or accounting logs

Job/Access logs

Examples of events/data logged

• Login

• Logout

• Deletion of stored documents

• Log settings changed

• Log data transfer results

• Authentication lock-out

• Firmware update performed

• Change to Time/Date settings

• Authentication password changed

• Change made to Address Book contents

• The log data is encrypted before being saved to the Hard Disk Drive (HDD), which prevents any illegal acquisition or alteration of the data through unauthorised access to the HDD. In addition, the encrypted data is sent to the monitoring tool over an SSL connection

• The MFP or printer does not allow any changes to be made to the log data itself, i.e. the data can only be transferred to the monitoring tool in an unaltered, encrypted state. Therefore, the data cannot be overwritten or modified in any way, even by those with Administrator-level access rights
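Once the logs have reached the monitoring tool, the events listed above can be reviewed automatically. The following is an added example, not Ricoh code: the four-column export layout, the sample records, the thresholds and the rule names are all constructed for illustration; only the event names are taken from the list above.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp, user, event, result. The column layout is
# an assumption for this example; the event names follow the brochure's list.
SAMPLE_LOG = """\
2011-10-03T08:58:10,jsmith,Login,Succeeded
2011-10-03T09:40:02,jsmith,Logout,Succeeded
2011-10-03T22:14:31,admin,Login,Failed
2011-10-03T22:14:39,admin,Login,Failed
2011-10-03T22:14:48,admin,Login,Failed
2011-10-03T22:15:05,admin,Authentication lock-out,Succeeded
2011-10-03T23:20:44,admin,Login,Succeeded
2011-10-03T23:21:30,admin,Change to Time/Date settings,Succeeded
2011-10-03T23:22:02,admin,Log settings changed,Succeeded
2011-10-04T09:05:00,mlee,Login,Failed
2011-10-04T09:05:20,mlee,Login,Succeeded
"""

# Changes that affect the trustworthiness of the device or of the audit trail itself.
SENSITIVE_CHANGES = {
    "Log settings changed",
    "Change to Time/Date settings",
    "Firmware update performed",
    "Authentication password changed",
}
FAILURE_THRESHOLD = 3                   # failed logins per user ...
FAILURE_WINDOW = timedelta(minutes=5)   # ... within this window count as a burst
FOLLOW_UP_WINDOW = timedelta(hours=2)   # how long an account stays under suspicion


def parse(text):
    """Turn the exported text into time-ordered (timestamp, user, event, result) rows."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # skip blank lines
        ts, user, event, result = row
        rows.append((datetime.fromisoformat(ts), user, event, result))
    return sorted(rows)


def review(rows):
    """Return (timestamp, user, rule, detail) findings for an auditor to follow up."""
    findings = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    suspect_since = {}                    # user -> time of the last burst or lock-out
    for ts, user, event, result in rows:
        if event == "Login" and result == "Failed":
            window = recent_failures[user]
            window.append(ts)
            while ts - window[0] > FAILURE_WINDOW:
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD:
                detail = f"{len(window)} failures within {FAILURE_WINDOW}"
                findings.append((ts, user, "failed-login-burst", detail))
                suspect_since[user] = ts
                window.clear()  # start counting afresh after reporting
        elif event == "Authentication lock-out":
            findings.append((ts, user, "lock-out", "account locked"))
            suspect_since[user] = ts
        elif event == "Login" and result == "Succeeded":
            recent_failures[user].clear()
        elif event in SENSITIVE_CHANGES and result == "Succeeded":
            flagged = suspect_since.get(user)
            if flagged is not None and ts - flagged <= FOLLOW_UP_WINDOW:
                # A security-relevant change soon after an authentication anomaly
                # on the same account deserves priority review.
                findings.append((ts, user, "change-after-auth-anomaly", event))
            else:
                findings.append((ts, user, "sensitive-change", event))
    return findings


if __name__ == "__main__":
    for ts, user, rule, detail in review(parse(SAMPLE_LOG)):
        print(ts.isoformat(), user, rule, detail)
```

On the constructed sample, the single mistyped password from `mlee` produces no finding, while the late-evening activity on the `admin` account produces four.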


Credentials

Ricoh goes further than encouraging businesses to acquire secure devices; it also helps them to carefully examine their actual use. It does this by introducing security solutions whilst securing workflows adhering to existing company policies. Or by introducing new rules to create a secure document environment – protecting against both internal and external threats. This not only reduces the risk of potential security breaches but also maintains trust in your brand.

IEEE2600.1 IT Security

Within Ricoh, we treat Information Security as just part of “how we do things”. As evidence of our commitment, we are prominent in the international working party for IEEE2600 which is the functional security standard for print devices.

In 2002, Ricoh were the first to receive ISO/IEC 15408 certification for a digital MFP device. Then in March 2010, we became the world’s first to obtain Common Criteria certification conforming to IEEE 2600.1 for MFPs for the Japan market. This certification is an international standard for IT security products for office use as well as government, where an even higher level of security is required.

Now our latest devices for the Europe, Middle East and Africa (EMEA) market have also achieved this certification. This relates to our MFP products, Aficio MP2851/3351/4001/5001. This is in addition to certification for a number of our Data Overwrite Security System options.

Also certified: Device Management tool: Remote Communication Gate A (technology behind @Remote Office) achieved Common Criteria version 3.1, EAL3 certification in Feb 2011.

Ricoh will continue to obtain Common Criteria certification conforming to IEEE 2600.1 for its MFPs, printers and solutions; and will pioneer in the development of new security features to help protect printed and electronic data against opportunistic or targeted threats.

Device development & on-going monitoring for vulnerabilities

We continuously evaluate all our products during development. We also check for known vulnerability issues as reported by Internet security organisations such as the CERT Coordination Center. Whenever any such issues are found, we provide appropriate countermeasures.

Best Practice – Our own Information Security

We have always taken a consistent and global approach to secure information – for ourselves as well as for our customers. In 2004, we gained ISO 27001 worldwide certification for Information Security management, for our head office and manufacturing sites (which, over the following years, was extended for all our individual sites).

This standard covers all aspects of information security and Ricoh is unique in having its information security system certified to the standard across all sites.


Glossary

AD - Active Directory

CC - Common Criteria (equivalent to ISO/IEC 15408): is an international standard for information security. The CC certification evaluates whether or not security functions properly work under certain conditions

DOSS - Data Overwrite Security System

HDD – Hard Disk Drive

IEEE 2600: specifies the security functions and requirements (document Protection Profile) which are subject to evaluation according to the CC security standard

IP - Internet Protocol

IPP - Internet Printing Protocol

IPsec - Internet Protocol Security: is a protocol suite for securing Internet Protocol (IP) communications

ISMS – Information Security Management System

Kerberos authentication: computer network authentication protocol

LDAP - Lightweight Directory Access Protocol

MFP - Multifunction Product

OCR - Optical Character Recognition

PKI - Public Key Infrastructure: is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates

RADIUS - Remote Authentication Dial In User Service: is a networking protocol

RBAC - Role-Based Access Control

SMTP - Simple Mail Transfer Protocol: is an Internet standard for e-mail transmission across Internet Protocol (IP) networks

SSL - Secure Sockets Layer: is a cryptographic protocol that provides communication security over the Internet

S/MIME - Secure/Multipurpose Internet Mail Extensions: is a standard for public key encryption and signing of email encapsulated in MIME

SNMP - Simple Network Management Protocol: is an Internet-standard protocol for managing devices on IP networks

TCP - Transmission Control Protocol: is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol (IP), and therefore the entire suite is referred to as TCP/IP

WPA - Wi-Fi Protected Access


Case Studies


Security In Action

Ricoh European Headquarters: Triton Street

Ricoh has used its own workflow solutions to safeguard its information and ensure security compliance within its new open plan office in London.

Iberdrola

Iberdrola, a Fortune 500 company, is a world leader in wind energy and one of Europe’s leading energy suppliers. Iberdrola needed a reliable and effective Managed Document Solution that would grant them control of costs, safeguard information security and give the ability to control their print environment.


Security Solutions Overview

Document Processes & Protection

Capture

Store & Manage

Electronic Document Management Document Integrity PDF/A for File Preservation

Secure Conversion

Output

Secure Printing Copy Data Security Watermarking Archiving Print Jobs

Distribution

Control Scan/Fax Destinations Secure PDF Sharing Faxing Security Removal of Confidential Text

Systems Configuration & Devices

MFPs & Printers

Secure Printing Hard Disk Drive Security Security Certification

Device Management

Security Features

User Identification & Authorisation

Authentication

User Authentication Card Authentication

Authorisation

Administrator Authentication User Access Control

Network Protection

Wireless Access Security Physically Secure Ports Control IP Address Access Communication Protocols Network Authentication Protocol Device Management

Device Log Management Record Security-Related Events

Monitoring & Auditing


Ricoh_SecureCombination_Overview_v1.0 October 2011

Copyright © 2011 Ricoh Europe PLC. All rights reserved. This brochure, its contents and/or layout may not be modified and/or adapted, copied in part or in whole and/or incorporated into another works without the prior permission of Ricoh Europe PLC.