Kyocera ECOSYS M2540dw Kyocera Fleet Services KFS Security White Paper - Page 24

Identification and Authentication, Task Restriction, Regulatory Compliance

KYOCERA Fleet Services Security White Paper

Password Settings
When a user account is initially created in KFS Manager, KFS Manager sends a notification to that user via email. The email contains an automatically generated User ID, a temporary password and a link to the service URL. The temporary password is valid for 7 days. When the user first logs in with the User ID, he/she will be prompted to change the password. When the user changes the password, the URL (previously sent to the user) will no longer be valid. This stringent security setting prevents the password from being stolen.

Identification and Authentication
When accessing KFS, a user must log in with their registered User ID and password; an unauthorized user cannot access KFS. Access information is recorded and logged, and is thus available for auditing.
The following login security features are supported:
• Account Lockout Policy
To protect KFS against password cracking attacks, if a user fails to log in on three consecutive attempts, the account is locked. The account will automatically unlock after 30 minutes.
• Auto-Logout Policy
To prevent unauthorized operation of KFS when a user fails to log out (the account is idle), that user is automatically logged out after 30 minutes.
• Password Policy
To prevent simple passwords from being set by users, and to guard against unauthorized access by a third party, a user must employ a strong password. Specifically, the password length must be at least eight (8) characters, and the password must include one or more numbers (0-9), upper case letters, lower case letters and special symbols. A password that does not meet the KFS Password Policy is prohibited.
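
The Account Lockout Policy and Password Policy above, modeled as an added example; this is not Kyocera's code and not part of the white paper. The three-attempt limit, the 30-minute unlock and the password rules come from the text; the function and class names, the in-memory state, ASCII letter classes, and treating any non-alphanumeric, non-whitespace character as a "special symbol" are assumptions.

```python
import re
from datetime import datetime, timedelta

# Values taken from the white paper text; everything else is assumed.
MAX_FAILURES = 3                  # "three consecutive attempts"
LOCKOUT = timedelta(minutes=30)   # account unlocks automatically after this
MIN_LENGTH = 8
REQUIRED_CLASSES = {              # symbol definition is an assumption
    "digit": r"[0-9]", "upper": r"[A-Z]",
    "lower": r"[a-z]", "symbol": r"[^A-Za-z0-9\s]",
}

def policy_violations(password):
    """Return the rules the password fails (empty list = compliant)."""
    missing = [name for name, pat in REQUIRED_CLASSES.items()
               if not re.search(pat, password)]
    if len(password) < MIN_LENGTH:
        missing.insert(0, "length")
    return missing

class LockoutTracker:
    """Hypothetical per-account tracker for consecutive failed logins."""
    def __init__(self):
        self.failures = {}       # user_id -> consecutive failure count
        self.locked_until = {}   # user_id -> datetime the lock expires

    def is_locked(self, user_id, now):
        until = self.locked_until.get(user_id)
        if until is not None and now >= until:
            # Lock expired: clear it and start counting from zero again.
            del self.locked_until[user_id]
            self.failures[user_id] = 0
            return False
        return until is not None

    def attempt(self, user_id, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(user_id, now):
            return "locked"      # even a correct password is refused
        if password_ok:
            self.failures[user_id] = 0   # success breaks the consecutive run
            return "ok"
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= MAX_FAILURES:
            self.locked_until[user_id] = now + LOCKOUT
        return "failed"
```

The cases worth checking against any real implementation are the ones the prose leaves implicit: whether a successful login resets the failure count, and whether a correct password is refused during the lock window.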

Task Restriction
Tasks are performed by a service provider through KFS Manager, some of which require prior customer approval. Specifically, Panel Screenshot and Data Capture cannot take place without customer approval. A confirmation request displays on the device panel, which must be accepted in order to execute the operation.
Note: Tasks and related data are encrypted using HTTPS protocol. KFS Manager can also terminate a task by sending a stop command to KFS Device through a secure XMPP communication channel.

Regulatory Compliance
HIPAA regulations include security standards for the protection of electronic health information. KFS is compliant with these standards, as KFS does not collect, store or transmit patient information. In addition…
• Access to KFS is strictly controlled by the User ID and Access Code linked to the user’s group
• Users must log in with a registered User ID
• A strong Password Policy is in place, so unauthorized users cannot access KFS
• Access to the KFS system is recorded and available for auditing
• KFS communication data is encrypted
• KFS components are mutually authenticated
In short, KFS sends device information in a secure manner for the purpose of device management or maintenance only and, again, does not transmit or identify any individual or group.
Important: KYOCERA Document Solutions Inc. does not believe that KFS will impact other federal laws related to privacy and confidential information, because KFS does not collect, store or transmit information