Ensure Strong Authentication for Multi-Function Devices
Multi-function devices should have security measures as strong as those for computers they connect to.
Plain language
Multi-function devices, like printers that also scan or fax, need the same strong security protections as the computers they connect to. If these devices are not properly secured, hackers could potentially access the network through them, leading to data leaks or other security breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systems
Section
Multifunction devices
Official control statement
Authentication measures for MFDs are the same strength as those used for workstations on networks they are connected to.
Why it matters
If MFD authentication is weaker than workstation controls, attackers can access scan shares and admin consoles to pivot, exfiltrate data and disrupt services.
Operational notes
Configure MFD logon to match workstation auth (e.g., AD/LDAP + MFA where used); disable defaults, audit access, and keep credentials/policies aligned.
Implementation tips
- The IT team should ensure that any multi-function device (MFD) on the network requires a strong password for user access. This can be done by configuring the device settings to enforce passwords that are at least eight characters long and include a mix of letters, numbers, and symbols.
- Office managers should work with their IT support to keep the software on MFDs up to date. This involves setting up automatic software updates or regularly checking the manufacturers' websites for the latest updates and manually installing them to close any security loopholes.
- System administrators need to restrict MFDs to only connect to secure, trusted networks. They can do this by configuring the network settings on each device to ensure it connects only to the company's official network, which is secured and monitored.
- Procurement teams should purchase MFDs that support advanced authentication methods. Verify with vendors that new devices can use authentication techniques such as swipe cards or fingerprint scans for high-security environments.
- HR should ensure that all staff are trained on strong password practices and the importance of securing MFD access. Conduct regular training sessions and provide easy-to-follow guides on creating and maintaining secure passwords.
Audit / evidence tips
- Ask: a report on current password policies for MFDs. The report should list the password requirements set on each device.
  Good: would show a policy that enforces complex passwords with mandatory changes every 90 days.
- Good: includes a log showing consistent updating practices.
- Ask: a list of networks MFDs are authorised to connect to. Check the list for any unauthorised networks.
  Good: would show each MFD limited to connecting only to the secured company network.
- Good: would have MFDs that support modern security measures such as biometric access.
- Good: would show regular training sessions with all relevant staff attending at least annually.
Cross-framework mappings
How ISM-0590 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.5 | ISM-0590 requires that authentication measures on multi-function devices (MFDs) are as strong as those used for workstations on the conne... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.