Managing Security
RICOH uses a comprehensive print security policy rooted in Zero Trust policies to ensure data protection by design and by default.
RICOH uses industry-leading security and vulnerability-assessment tools to maintain robust security, and its policies have been built by capturing best practices from industry certification standards, including ISO 27001.
In-built security functions
RSI offers several security features to protect and manage your account:
RSI provides additional layers of security when transmitting print jobs across a network. In-transit print jobs are automatically encrypted using the AES-256 symmetric-key algorithm until they reach the device from which they can be securely released.
RSI provides tools to help you manage your passwords securely. You can set a password policy for each tenant, which includes restrictions such as a word count, character type, reuse of used passwords, number of times until account lock and expiration date of a password.
RSI includes a backup feature, allowing you to restore important information. A backup is captured regularly and the backup data is encrypted using AES-256 and stored in a secure storage location in AWS.
You can export, import and restrict account information for all users in your tenant. Sensitive data is also secured through user and group-based access, password protection and automated retention and disposition.
Logs viewed by RICOH employees do not include confidential customer information and logs are protected from tampering. Logs are stored in a location with restricted access, protecting them from unintended viewing, editing or deletion. You can view and obtain logs to monitor for unauthorised login attempts or system operations, for example:
- Login history: See the success or failure of login attempts, including dates and times, for the last 35 days.
- System operation history: Track actions like adding or deleting users and changing user privileges over the past 35 days.
- Job execution history: Review the results of applications executed by users.
All communication paths, except for email, are encrypted using HTTPS. Emails are sent using SMTP. If the recipient's email service supports TLS communication, the emails will be encrypted using TLS.
Print job security
RSI offers a secure printing function, which allows users to send confidential documents to network printers from desktops or mobile devices. On-device authentication via ID card or PIN code adds an extra layer of authentication and means only the intended user will be the one collecting the job from the output tray. RSI also supports guest printing to allow guests to print without giving them network access.
If a device error occurs and a user is logged out, RSI will automatically delete any remaining print jobs.
RSI has built-in features to support and strengthen your security, for example, printers which let you lock down ‘to/cc/bcc’ email fields, limiting scan destinations to designated domains only, such as internal ones.
Development security
RSI follows RICOH’s established security processes and routinely carries out the following measures to ensure ongoing development security.
The teams use thorough code reviews and static analysis tools to confirm code follows secure coding practices and to identify any potential security issues.
RICOH regularly checks the versions of libraries used in its software development, including assessing whether these libraries contain any known vulnerabilities. This helps ensure only up-to-date and secure libraries are used to build its services.
Supply chain security
RICOH takes steps to make sure the supply chain, including cloud services and subcontractors, maintains the necessary security standards to protect RSI's services and customer data.
RSI utilises AWS as its Infrastructure as a Service (IaaS) platform. AWS is widely recognised for its security standards. You can [learn more about AWS compliance programs and security measures](https://aws.amazon.com/compliance/programs/).
RSI has established contracts with subcontractors that align with RICOH’s information security standards.
Data encryption
RSI encrypts all data using the AES-256 symmetric-key algorithm until it reaches the device from which it can be securely released. RSI adds extra protection for highly sensitive data, for example passwords, by encrypting or hashing it more securely.
RICOH follows strict industry procedures to manage and protect encryption keys to make sure they are kept safe and do not get leaked.
| Type of data | Protection level |
| --- | --- |
| | Fully encrypted |
| Passwords | Hashed and encrypted, so the original password can't be retrieved |
| Files created during processing (otherwise known as ‘intermediate files’), for example scanned images or printed files | Fully encrypted and deleted immediately after processing |
Authentication
All RICOH’s cloud storage applications take additional measures to ensure that user data is protected at all costs, for example ensuring user credentials are never stored at the multi-function printer, while still supporting single sign-on (SSO) on the device panel.
When connecting to external services that support OAuth2.0, for example external identity providers, such as Microsoft Entra ID Single Sign-On, RSI uses tokens. RSI doesn’t store your actual account information for these services. The token lasts for 1 hour. Only the following information is stored:
- access time
- model name of MFP
- serial number of MFP
- application ID of the embedded application
- authorisation code to manage user sessions and actions on the panel
For external services that don't support OAuth2.0, RICOH does store your account information to connect to these services.
For Microsoft 365 (which supports OpenID Connect) RICOH stores your account name and email address for account synchronisation.
Access controls
RSI implements both external and internal access controls as a countermeasure against unauthorised access to users’ data.
External access controls
AWS servers that store customer data cannot be accessed directly from the internet – access goes through an endpoint within RSI.
Communication is restricted by a virtual firewall (AWS security group) to prevent unauthorised access.
RSI is a multi-tenant environment used by multiple customers, but each tenant’s data is logically separated, making it impossible to access information from other tenants.
Internal access controls
RSI uses various access control mechanisms, for example a proximity IC card, username/password or PIN code. Authentication can work at any network printer.
RSI uses AWS Identity and Access Management (IAM) to set access permissions for each account and server, ensuring that access is controlled.
RSI administrators can control or limit access to individuals or groups. Managing access requires prior approval and is governed by internal procedures.
Your responsibilities
You should perform certain steps to ensure robust security for your organisation.
Ensure proper management of tenant accounts, including registering new users, deleting users, and setting user permissions.
Each of your users is responsible for managing their own password securely. Users should set their passwords following the instructions in the registration email and not share them with others.
Be cautious with confidential information, especially if using a shared account for external service connections within your organisation.
Properly manage the RICOH device you use, including making sure the time on your device is synchronised with standard time to maintain secure encrypted communication with RSI.