The Xerox Response … The Xerox Security Model
Product and IT Outsourcing Security
Xerox is committed to being the leader in multifunction device and printer security. As such, we also are committed to helping customers maintain a secure network environment, particularly as it relates to the use of multifunction products (MFPs) - those that print, copy, fax and scan. Since all MFPs, regardless of vendor, contain hard drives and software, they require security precautions associated with other network peripherals. We introduced the industry's first office MFP in 1995 and are in the forefront in the development of security features for these systems.
We strongly endorse the internationally recognized ISO 15408 Common Criteria for Information Technology Security Evaluation and have validated more than 50 of our office MFPs to this standard. This gives Xerox one of the industry's broadest arrays of printers and copiers certified to meet our customers' strictest security requirements. Our policy and practice is to have an entire multifunction system evaluated - not just individual features or a security kit.
Although we test extensively for security vulnerabilities in our software before we bring a product to market, we recognize that someone with intent and the requisite knowledge may, at times, find a way around security protections. We encourage people to notify us of any network security concerns, and we move immediately to provide a solution. We develop software patches for vulnerabilities and post them here. In addition, we quickly update our manufacturing process to integrate the security fixes.
We manage security throughout the product life cycle, from design to development, manufacturing, deployment and, ultimately, to disposal. Security functionality is completely integrated at the individual device level and extends seamlessly to the fleet. State-of-the-art encryption is used extensively to protect customer information, both while at rest in the device and in motion to and from the device. The authentication and authorization features are unmatched in their ability to control usage; yet, they also are easy to use. We put special emphasis on the care and handling of machines that are returned to us after lease expiration or otherwise. Disks in these devices are destroyed or completely re-mastered to remove any residual customer information before they are reused.
Ensuring the security of the systems and networks supported by ITO for our clients is paramount. Security solutions can be designed to meet the needs of a specific client and utilize a robust suite of solutions and products to meet those needs. Solutions such as application security, vulnerability management, access and identity management, encryption and user provisioning aid clients in managing their risk. Security is integrated into client solutions from the beginning of the engagement and maintained throughout the life cycle of the contract.