Product Security Guidance

Xerox Product Security Frequently Asked Questions

Q. How may I acquire security patches for my Xerox product?
A. Depending on which Xerox product requires a patch, you may be able to download security patches from the Xerox web site at www.xerox.com/security. For other Xerox products, the security patch will be made available as part of a new release version of system software. In the US, contact the Xerox Customer and Technical Support Center at (800) 821-2797 for questions regarding patch support. Outside the US, contact your local Xerox Support Center.

Q. How does Xerox discover and fix security problems?
A. In addition to our own extensive internal testing, Xerox regularly monitors vulnerability clearinghouses and resources such as US-CERT, CVE, Sun Microsystems, and Microsoft Security Bulletins for various software and operating system vulnerabilities, and bugtraq for open source vulnerabilities. Xerox also runs a robust internal security testing program that involves vulnerability analysis and penetration testing to provide fully tested patches. The Xerox Vulnerability Management and Disclosure Policy is available from the Xerox Security web site.

Q. How does Xerox deploy patches for security vulnerabilities and how quickly does that happen?
A. Depending on the severity of the vulnerability, the size of the patch, and the product, the patch may be deployed separately or take the form of a new release of software for that product. Xerox developers follow a formal security development life cycle that manages security problems through identification, analysis, prioritization, coding, and testing. In all cases, Xerox strives to provide patches as expediently as possible, based on the nature, origin and severity of the vulnerability.

Q. How can someone learn more about the security features of a Xerox product?
A. Visit the www.xerox.com web site and go to the specific Xerox product page for product documentation concerning security for that Xerox product. If this does not provide the required information, contact your Xerox Sales Representative.

Q. Which Xerox products are Common Criteria certified?
A. A complete list of the Xerox products that have achieved Common Criteria Certification and a list of additional Xerox products that are currently under evaluation for Common Criteria Certification are available on the Common Criteria Certified Products page.

Q. What is Xerox doing to protect customer data?
A. Xerox is committed to protecting customer information. Xerox has developed a Disk Overwrite feature which repeatedly writes data patterns over job information on the device's hard drive. Many Xerox devices use encryption to protect customer data at rest on internal hard disks and during transmission to and from the device. The Secure Print feature enables the user to hold a job until they enter a password at the device to release the job. A Removable Hard Drive kit is available as an option for a number of Xerox products that allows data to be locked away when needed.

Q. How secure is the FAX feature on Xerox Products?
A. The FAX feature on the Xerox production products is frequently controlled by a third party system and the scanned images are passed through the Xerox device to be stored and forwarded by the third party system. The internal FAX feature of office Multi-Function Devices is designed to isolate the FAX subsystem and telephone interface from any network interface.

Q. Can network ports and services be disabled on Xerox devices?
A. Yes. Unnecessary ports and services can be shut off to prevent unauthorized or malicious access. On smaller desktop devices, these options can be adjusted through their control panel or PC-based configuration software. On production devices, tools are provided to set security levels and disable specific ports and services.

Q. Can I contact Xerox with my product security questions?
A. Yes. It is recommended you first review the available information about specific products at the www.xerox.com web site where you can find a wealth of documents and whitepapers about Xerox products. If your question is not answered there, in the US, contact the Xerox Customer and Technical Support Center. Outside the US, contact your local Xerox Support Center. If you still need more information you may submit specific questions through the Contact Information link on the www.xerox.com/security web site.

Q. How does Xerox help me protect my data when in motion across my network? Can the network communication channels be encrypted to and from Xerox devices?
A. Yes. The Secure Sockets Layer (SSL) protocol is used for secure job submission and job status reporting. The IPsec protocol may be used to protect network channels including DNS, DHCP, FTP, IPP, lpr, and Port 9100 printing. Xerox Office products use SNMPv3 for encrypted device management. Xerox Production devices support Secure Shell (ssh) for secure administrative access and secure FTP.

Q. What is Xerox's policy on helping customers attain regulatory compliance for things such as Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI-DSS), and Health Insurance Portability and Accountability Act (HIPAA)?
A. Xerox is proactive in providing features on its products that help customers comply with these types of regulation. Specific information about regulatory compliance is available on the www.xerox.com/security web site in the form of Articles and Whitepapers.