FM Audit

FM Audit Data Encryption & Collection

A technical overview of all data encryption & collection in FM Audit.

Data Collected and Encryption

1.2 Data Encryption

All data packages from ECI DCA and FMAudit Onsite are encoded and obfuscated. FMAudit recommends utilizing HTTPS for communication Onsite and FMAudit Central. ECI DCA must be utilized with HTTPS to function correctly. Additionally, all sensitive settings and jobs between ECI DCA and Central are encrypted using AES256 standard symmetric encryption algorithm, using a protected shared key. This ensures end-to-end encryption, so data is protected from being read if intercepted by a third party, a competitive or otherwise non-authorized FMAudit instance.

1.3 Security Concerns

ECI DCA and FMAudit Onsite communicates with FMAudit Central by sending an encoded and obfuscated XML stream using the SOAP over HTTPS protocol. Confidential data is not collected, viewed or saved by any FMAudit application.Only printer-related data is collected and viewed. No other network data can be identified or collected by ECI DCA or FMAudit Onsite, with the exception of IP Address, MAC Address, and HostName, which could be excluded from the data submitted if the user chooses to exclude these details.

ECI DCA and FMAudit Onsite does not collect or process any personal data and the only way the system will collect this type of information is if you or your customers input them into FMAudit within a field or label such as location or customer name. ECI DCA and Onsite enables you to monitor network devices using Simple Network Management Protocol (SNMP). It exists inside the customer’s network and from there, it communicates with devices to gather operational information about the device that is made available via the device firmware and an SNMP Management Information Base (MIB). The data exposed by the device varies by manufacturer and model, but it is always technical or operational in nature and specific to the device itself. At the most basic level the data exposed by a printer MIB is documented in the IETF RFC 3805 (https:// tools.ietf.org/html/rfc3805). Additional device information may be exposed by the manufacturer through extensions and private MIBs, but the information is fundamentally technical and device-specific.

1.4 Types of Information Collected

ECI DCA and FMAudit Onsite attempts to collect the following information from networked printing devices during a network scan:

Device Attributes

IP address (can be masked)
Manufacturer
Serial number
Asset number
MAC address
Device description
Location
Miscellaneous (machine specific)

Coverage and Meters

Meter reads
Meter type
Coverage level
Monochrome or color identification

Supplies

Toner cartridge serial number
Toner cartridge supply level
Drum levels
Maintenance kit levels
Non-toner supply levels
Miscellaneous levels

Service

LCD reading
Device status
Error codes
Firmware

FMAudit Agent, explained further below, attempts to collect the following information from local devices:

Manufacturer
Asset number
Device description
Location
Serial number
Meter reads
Supply levels (vendor dependent)
Service codes (vendor dependent)
Miscellaneous (machine specific)
IP address of the machine the Agent is installed on (FMAudit Agent Host)

Network Discovery and Meter and Supply Collection (ECI DCA)

To add to the efficiency of the DCA, only when there is new or changed data from the devices will this information be sent into the FMAudit Central Server. This will ensure minimal network load and remove the frequency of any backlogs of device data submissions. Also, discovery and scanning of devices are now independent to ensure that only the IP addresses (or hostname) of devices that have been previously discovered are being scanned on the periodically set basis versus a full network scan (this is completed initially, periodically, or when determined by an admin user).

This will ensure that the speed of device data submissions is as up to date as possible. This will allow for users to be notified of troublesome devices within minutes or even seconds in many situations. ECI DCA separates device discovery from other scan types, enabling you to set custom scan intervals for retrieving meters, supplies attributes and errors. The minimum and maximum values for the scan intervals are:

Scan Function	Default	Minimum	Maximum
Discovery	30 minutes	10 minutes	720 minutes
Meters	120 minutes	10 minutes	720 minutes
Supplies	60 minutes	10 minutes	720 minutes
Errors	60 seconds	30 seconds	600 seconds
Attributes	360 minutes	10 minutes	720 minutes
Device w/out MDF	60 minutes	10 minutes	24 hours

Please note that scan intervals (meters, supplies, errors and attributes) are only available if a device has a model definition file (MDF). If this is not present, a full scan will be done on the device in question on a predefined interval.

FMAudit Central administrators can remotely manage ECI DCA that have been activated on the server as well as remotely trigger the ECI DCA to execute predefined commands such as data collection tasks, providing ECI DCA logs, running remote MIBWalks, installing HP JAMC, or updating ECI DCA and Onsite settings.

Note: ECI DCA always initiates this communication to the Central server, and not the other way around.

Note: Only when meter or supply information has updated or changed does communication occur, to reduce bandwidth usage.

Network Discovery and Meter and Supply Collection (FMAudit Onsite)

The FMAudit patented Automatic Network Discovery Settings use a mixture of algorithms to identify the network ranges where print devices may be located and then discover and communicate with the devices that are online, routing through multiple network elements such as active workstations or servers, routers, hubs, switches, and additional network hardware.

FMAudit Central administrators can remotely manage FMAudit Onsites that have been activated on the server as well as remotely trigger the Onsite to execute predefined commands such as data collection tasks, providing Onsite logs, running remote MIBWalks, installing HP JAMC, or updating Onsite settings. These are explained in further detail below:

Function	Location	Description
Tasks	Onsite Settings	Can remotely configure tasks to run on a preset schedule but can select tasks (Cache, Meters, Supplies, Service) to run immediately and collect device data on command.
MIB Walks	Onsite Settings	Can indicate certain IPv4/IPv6/Hostnames of devices and trigger the Onsite to Start the Collection of the MIB Walks immediately.
Logs (Detailed)	Onsite Settings	Can instruct the Onsite to collect the Logs (Critical, Error, Warning, Details, Debug) from a certain date.

None of these commands lead to data collection beyond the types of information collected as described above. Data exchanged between FMAudit Onsite and FMAudit Central is encrypted using strong encryption protocols that are FIPS compliant. Onsite receives secured software updates from the FMAudit Updates servers.

The Onsite communicates with Central at a predefined interval to determine if there are any queued actions which are not already executed, thus ensuring actions are executed in a timely manner.

Note: FMAudit Onsite always initiates this communication to the Central server, and not the other way around.

Network Traffic

Audits conducted by the software use an intelligent system to extract minimal information for each printer, copier or MFP. Unlike similar products that send a fixed set of queries (a superset of all possible queries) to every networked device, FMAudit Onsite only sends the relevant queries according to the fields the target device supports, with each device query being no more than a few kB of data. To further reduce the amount of network bandwidth used, FMAudit Onsite communicates with no more than 20 devices at a single time. Each IP within the configured ranges will be queried and if no response is received within the configured timeout period it will move onto the next IP address. A rule-of- thumb is that FMAudit will gather information on 65,000 devices in just under one hour.