This section of the ISM provides guidance on fax machines and multifunction devices.

Using cryptographic equipment with fax machines and multifunction devices

Specific information regarding the process and procedures for sending classified fax messages using High Assurance Cryptographic Equipment can be requested from the ACSC.

Fax machine and multifunction device usage policy

As fax machines and multifunction devices (MFDs) are a potential source of cyber security incidents, it is important that organisations develop a policy governing their use.

Security Control: 0588; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS
A fax machine and MFD usage policy is developed and implemented.

Sending fax messages

Once a fax machine or MFD has been connected to cryptographic equipment and used to send a fax message, it can no longer be trusted when connected directly to unsecured telecommunications infrastructure or the PSTN. For example, if a fax machine fails to send a classified fax message, the device will continue attempting to send the fax message even if it has been disconnected from cryptographic equipment and connected directly to the PSTN. In such cases, the fax machine could send the classified fax message in the clear, causing a data spill.

Security Control: 1092; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages.

Security Control: 0241; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure or the PSTN.

Receiving fax messages

While the communications path between fax machines and MFDs may be appropriately protected, personnel should still be aware of who has a need to know of the information being communicated. It is therefore important that fax messages are collected from the receiving fax machine or MFD as soon as possible. Furthermore, if an expected fax message is not received, it may indicate that there was a problem with the original transmission or that the fax message has been taken by an unauthorised person.

Security Control: 1075; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time.

Connecting multifunction devices to networks

As networked MFDs are considered to be devices that reside on a network, they should have security controls (e.g. authentication and auditing measures) of a similar strength to other devices on the network.

Security Control: 0590; Revision: 5; Updated: Dec-19; Applicability: O, P, S, TS
Security controls for MFDs connected to a network are of a similar strength to those for other devices on the network.

Connecting multifunction devices to both networks and digital telephone systems

When an MFD is connected to both a network and a digital telephone system, the MFD can act as a bridge between the two. The digital telephone system therefore needs to operate at the same sensitivity or classification as the network.

Security Control: 0245; Revision: 5; Updated: Dec-19; Applicability: O, P, S, TS
A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected.

Copying documents on multifunction devices

As networked MFDs are capable of sending scanned or copied documents across a connected network, personnel should be aware that if they scan or copy documents at a level higher than that of the network the device is connected to, it will cause a data spill.

Security Control: 0589; Revision: 5; Updated: Dec-19; Applicability: O, P, S, TS
MFDs connected to networks are not used to copy documents above the sensitivity or classification of the connected network.

Observing fax machine and multifunction device use

Placing fax machines and MFDs in public areas can help reduce the likelihood of any suspicious use going unnoticed.

Security Control: 1036; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Fax machines and MFDs are located in areas where their use can be observed.

Further information

Further information on encryption can be found in the Guidelines for Cryptography.

Further information on MFDs communicating via network gateways can be found in the Guidelines for Gateways.