Ricoh Mp 3351 User Guide
Page 21 of 81 Copyright (c) 2010 RICOH COMPANY, LTD. All Rights Reserved.

permission, and changing the Print Settings is also permitted. Table 2 shows the relationship between the operations authorised by the permissions to process document data and the operations possible on the document data.

Table 2: Correspondence between operations authorised by permissions to process document data and operations possible on document data

Operation permissions                  Operations possible on document data
(permissions to process document data) Reading document data | Deleting document data
Read-only                              v                     |
Edit                                   v                     |
Edit/delete                            v                     | v
Full control                           v                     | v
v: possible, blank: impossible

The operation permissions for each document can be specified for each general user.

Stored Data Protection Function
The Stored Data Protection Function protects document data stored on the HDD from leakage by making it difficult to understand unless the document data is accessed and read in the normal way.

Network Communication Data Protection Function
This function protects document data and print data in transit on the network from unauthorised access. The communication protocol used to protect the communication data differs according to the method by which the document or print data is sent. The network administrator decides which communication protocol to apply based on the environment in which the TOE operates and the intended usage of the TOE. The sending methods and their corresponding communication protocols are:
1. Download document data using the Web Service Function from a client computer (SSL protocol)
2. Print or fax from a client computer (SSL protocol)
3. Deliver document data to an FTP server or SMB server from the TOE (IPSec protocol)
4. Send document data attached to e-mail to a client computer from the TOE (S/MIME)
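As an added illustration (not Ricoh's code and not part of the ST), the following Python models the Table 2 permission-to-operation mapping together with the document data ACL management rules given under the Security Management Function, and the file administrator's delete right stated by O.DOC_ACC in 4.1. The ACL data structure, the function names, and the idea that the owner is also registered as a document file user are assumptions about how the TOE represents these.

```python
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    READ_ONLY = "read-only"
    EDIT = "edit"
    EDIT_DELETE = "edit/delete"
    FULL_CONTROL = "full control"


# Table 2: the operations on document data that each permission authorises.
# (Edit additionally permits changing print settings, which Table 2 omits.)
OPERATIONS_ALLOWED = {
    Permission.READ_ONLY: {"read"},
    Permission.EDIT: {"read"},
    Permission.EDIT_DELETE: {"read", "delete"},
    Permission.FULL_CONTROL: {"read", "delete"},
}


@dataclass
class DocumentAcl:
    """Assumed shape of a document data ACL: the document file owner plus the
    registered document file users and the permission each of them holds."""
    owner: str
    users: dict = field(default_factory=dict)  # general user ID -> Permission


def may_operate(acl, user_id, operation, is_file_admin=False):
    """Decide whether user_id may 'read' or 'delete' the document data."""
    if operation == "delete" and is_file_admin:
        return True  # O.DOC_ACC: the file administrator may delete stored documents
    perm = acl.users.get(user_id)
    if perm is None:
        return False  # not registered as a document file user: no access at all
    return operation in OPERATIONS_ALLOWED[perm]


def may_modify_acl(acl, user_id, change, is_file_admin=False):
    """Decide who may change the ACL (Security Management Function, item 1).
    change is 'change_owner', 'add_user', 'delete_user' or 'change_permission'."""
    if change == "change_owner":
        return is_file_admin  # only file administrators may change the owner
    return (is_file_admin or user_id == acl.owner
            or acl.users.get(user_id) == Permission.FULL_CONTROL)


def store_document(owner, default_acl):
    """A newly stored document's ACL starts as a copy of the document data default ACL."""
    return DocumentAcl(owner=owner, users=dict(default_acl))
```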
Security Management Function
This function allows administrators, supervisors, and general users who have been successfully authenticated by the Identification and Authentication Function described above to perform the following security management operations according to their user role.

1. Management of document data ACL
Allows only specified users to modify the document data ACL. Modifying the document data ACL includes changing document file owners, registering new document file users in the document data ACL, deleting document file users previously registered in the document data ACL, and changing the operation permissions specified for the document data. Only file administrators can change document file owners. File administrators, document file owners, and document file users with full control permission can perform the other operations. When document data is stored, its document data ACL is set to the document data default ACL.

2. Management of administrator information
Allows specified users to register and delete administrators, to add and delete administrator roles, and to change administrator IDs and passwords. Only administrators are allowed to register another administrator or add an administrator role to another administrator. Such administrators can also delete an administrator or an administrator role, and change an administrator's ID. Administrators and supervisors can change administrator passwords. An administrator is permitted to add an administrator role to another administrator only if the first administrator is already assigned that administrator role, and an administrator is permitted to delete one of his/her own administrator roles only if at least one other administrator is assigned that administrator role.
Since administrators are required to have at least one administrator role, one or more of their roles must be given to a new administrator when they register another administrator. If administrators delete all of their own administrator roles, their administrator information is automatically deleted.

3. Management of general user information
Allows only users with specified user roles to newly create, change, and delete general user information. The relationship between user roles and authorised operations is:
- User administrators can newly create, change, and delete general user information.
- General users can change their own general user information registered in the Address Book, with the exception of their user IDs.

4. Management of supervisor information
Supervisors can change their supervisor ID and password.

5. Management of machine control data
Each administrator is allowed to configure the items of machine control data that correspond to their administrator role (machine administrator, user administrator, or file administrator).
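The administrator-role constraints of item 2 above, modelled as an added Python example (not Ricoh's code and not part of the ST): only administrators register or grant roles, a role can be granted only by an administrator who holds it, an administrator may drop one of his/her own roles only if another administrator holds it, and an administrator left with no roles is deleted. The registry class, its method names, and the bootstrap administrator are assumptions.

```python
ADMIN_ROLES = {"machine administrator", "user administrator", "file administrator"}


class AdminRegistry:
    """Assumed model of administrator information: each administrator ID maps to
    the set of administrator roles currently assigned to it."""

    def __init__(self, first_admin, roles=ADMIN_ROLES):
        # Constructed bootstrap state: one administrator holding the given roles.
        self.admins = {first_admin: set(roles)}

    def holders(self, role):
        """All administrators currently assigned the given role."""
        return {a for a, roles in self.admins.items() if role in roles}

    def _require_admin(self, who):
        if who not in self.admins:
            raise PermissionError(f"{who!r} is not an administrator")

    def register(self, actor, new_admin, roles):
        """Only an administrator may register another, and the new administrator
        must receive at least one role that the registering administrator holds."""
        self._require_admin(actor)
        roles = set(roles)
        if not roles:
            raise ValueError("an administrator needs at least one administrator role")
        if not roles <= self.admins[actor]:
            raise PermissionError(f"{actor!r} can only give roles he/she holds")
        self.admins[new_admin] = roles

    def add_role(self, actor, target, role):
        """An administrator may add a role to another only if already assigned it."""
        self._require_admin(actor)
        self._require_admin(target)
        if role not in self.admins[actor]:
            raise PermissionError(f"{actor!r} does not hold {role!r} and cannot grant it")
        self.admins[target].add(role)

    def delete_role(self, actor, target, role):
        """Deleting one's own role requires at least one other holder of that role
        (the ST states this check only for an administrator's own roles). An
        administrator left with no roles has his/her information deleted."""
        self._require_admin(actor)
        self._require_admin(target)
        if actor == target and len(self.holders(role)) < 2:
            raise PermissionError(f"{role!r} would be left with no administrator")
        self.admins[target].discard(role)
        if not self.admins[target]:
            del self.admins[target]
```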
Service Mode Lock Function
The Maintenance Function is used by CEs who receive a request from the machine administrator to perform maintenance on the TOE from the Operation Panel. The Service Mode Lock Function prevents the Maintenance Function from being used. In this evaluation, the Service Mode Lock Function is set to On.

Telephone Line Intrusion Protection Function
This function is for devices equipped with a Fax Unit. It restricts communication over a telephone line to the TOE so that the TOE receives only permitted data.

MFP Control Software Verification Function
This function verifies the integrity of the MFP Control Software by checking the integrity of the executable code installed in the FlashROM.

1.4.5 Protected Assets
This section describes the protected assets of this TOE (document data and print data).

1.4.5.1 Document Data
Document data is imported from outside the TOE by various methods, and can be either stored in the TOE or output by it. Document data stored in the TOE can be deleted.

Importing Document Data
Document data can be imported by the following two methods:
1. From a scanner: document data is created from the scanned image of a paper original that is imported to the TOE.
2. From the network or from a device connected to the USB Port: document data is created from print data received through the network or the USB Port, which is then converted to a format that the TOE can handle.

Storing Document Data
Document data stored inside the TOE is stored in the D-BOX. The D-BOX protects the document data from unauthorised access and leakage.

Outputting Document Data
Document data can be output by the following five methods:
1. Sent by e-mail to a client computer (to the e-mail address).
2. Sent to an SMB or FTP server.
3. Downloaded by a client computer.
4. Printed out.
5. Sent as a fax.
When output using methods 1 to 3, document data is protected from leakage, and tampered data can be detected.

1.4.5.2 Print Data
Print data is data in which a print or fax image is written. It is generated from document files on a client computer by the printer or fax driver installed on the client computer when the files are printed or faxed, respectively. Print data is imported to the TOE via the internal network or the USB Port. When passing from a client computer to the TOE through the internal network, print data is protected from leakage, and tampered data can be detected.
2 Conformance Claims
This section describes the conformance claims.

2.1 CC Conformance Claim
The CC conformance claim of this ST and TOE is as follows:
- CC version for which this ST claims conformance:
  Part 1: Introduction and general model, September 2006, Version 3.1 Revision 1 (Japanese translation ver.1.2), CCMB-2006-09-002
  Part 2: Security functional components, September 2007, Version 3.1 Revision 2 (Japanese translation ver.2.0), CCMB-2007-09-002
  Part 3: Security assurance components, September 2007, Version 3.1 Revision 2 (Japanese translation ver.2.0), CCMB-2007-09-003
- Functional requirements: Part 2 conformance
- Assurance requirements: Part 3 conformance

2.2 PP Claims, Package Claims
This ST and TOE do not conform to any PPs. This ST claims conformance to the following package:
Package: EAL3 conformant

2.3 Conformance Rationale
Since this ST does not claim conformance to any PP, there is no rationale for PP conformance.
3 Security Problem Definitions
This section provides details of the threats, organisational security policies, and assumptions.

3.1 Threats
Defined and described below are the assumed threats related to the use and environment of this TOE. The threats defined in this section are attacks by unauthorised persons who have knowledge of published information about TOE operations and are capable of potential security attacks.

T.ILLEGAL_USE (Abuse of TOE)
Attackers may read or delete document data by gaining unauthorised access to the TOE through the device's interfaces (the Operation Panel, network interface, USB Port, or SD card interface).

T.UNAUTH_ACCESS (Access violation to protected assets stored in TOE)
Authorised TOE users may breach the limits of authorised usage and access document data through the external TOE interfaces (the Operation Panel, network interface, or USB Port) that are provided for them.

T.ABUSE_SEC_MNG (Abuse of Security Management Function)
Persons not authorised to use the Security Management Functions may abuse them.

T.SALVAGE (Salvaging memory)
Attackers may remove the HDD from the TOE and disclose document data.

T.TRANSIT (Interception and tampering on communication path)
Attackers may illegally obtain, leak, or tamper with document data or print data sent or received by the TOE via the internal network.

T.FAX_LINE (Intrusion from telephone line)
Attackers may gain access to the TOE through telephone lines.

3.2 Organisational Security Policies
The following security policy is assumed for organisations that demand integrity of the software installed in their IT products.
P.SOFTWARE (Software integrity checking)
Measures shall be provided for verifying the integrity of the MFP Control Software, which is installed in the FlashROM of the TOE.

3.3 Assumptions
Defined and described below are the assumptions related to the use and environment of this TOE.

A.ADMIN (Assumption for administrators)
Administrators shall have sufficient knowledge to operate the TOE securely in the roles assigned to them and shall instruct general users to operate the TOE securely also. Additionally, administrators shall not abuse their permissions maliciously.

A.SUPERVISOR (Assumption for supervisor)
Supervisors shall have sufficient knowledge to operate the TOE securely in the roles assigned to them, and shall not abuse their permissions maliciously.

A.NETWORK (Assumption for network connections)
When the network to which the TOE is connected (the internal network) is connected to an external network such as the Internet, the internal network shall be protected from the external network.
4 Security Objectives
This section describes the security objectives of the TOE, the security objectives of the operational environment, and their rationale.

4.1 Security Objectives for TOE
The following define the security objectives of the TOE.

O.AUDIT (Audit)
The TOE shall record Security Function-related events in an audit log and provide the machine administrator with a function for reading the audit logs, allowing the machine administrator to detect whether or not a security intrusion has occurred.

O.I&A (Identification and authentication)
The TOE shall perform identification and authentication of users prior to their use of the TOE Security Functions, and allow successfully authenticated users to use the functions for which they have permission.

O.DOC_ACC (Access control to protected assets)
The TOE shall ensure that general users have access to document data according to their permissions to process document data. The TOE shall also allow the file administrator to delete document data stored in the D-BOX.

O.MANAGE (Security management)
The TOE shall allow only specified users to manage its Security Functions, TSF data, and security attributes. Such users are required to maintain the TOE security.

O.MEM.PROTECT (Prevention of disclosure of data stored in memory)
The TOE shall convert the format of the document data stored on the HDD into a format that is difficult to decode.

O.NET.PROTECT (Protection of network communication data)
The TOE shall protect document data and print data travelling over the communication network from interception, and detect any tampering.

O.GENUINE (Protection of integrity of MFP Control Software)
The TOE shall provide TOE users with a function that verifies the integrity of the MFP Control Software, which is installed in the FlashROM.
O.LINE_PROTECT (Prevention of intrusion from telephone line)
The TOE shall prevent unauthorised access to the TOE from a telephone line connected to the Fax Unit.

4.2 Security Objectives of Operational Environment
The following describes the security objectives of the operational environment.

OE.ADMIN (Trusted administrators)
The responsible manager of the MFP shall select trusted persons as administrators and instruct them on their administrator roles. Once instructed, administrators shall in turn instruct general users, familiarising them with the compliance rules for secure TOE operation as defined in the administrator guidance for the TOE.

OE.SUPERVISOR (Trusted supervisor)
The responsible manager of the MFP shall select trusted persons as supervisors and instruct them on the role of supervisor.

OE.NETWORK (Network environment for TOE connection)
If the internal network to which the TOE is connected is connected to an external network such as the Internet, the organisation that manages operation of the internal network shall close any unnecessary ports between the external and internal networks (e.g. by employing a firewall).

4.3 Security Objectives Rationale
This section describes the rationale for the security objectives. If all security objectives are fulfilled as explained in the following, the security problems defined in 3. Security Problem Definitions are solved: all threats are countered, all organisational security policies are enforced, and all assumptions are upheld.

4.3.1 Tracing
This section describes, with Table 3, the correspondence between the previously described 3.1 Threats, 3.2 Organisational Security Policies and 3.3 Assumptions, and either 4.1 Security Objectives for TOE or 4.2 Security Objectives of Operational Environment. A v in the table indicates that the element of the TOE Security Environment is satisfied by the security objective.
Table 3 demonstrates that each security objective corresponds to at least one threat, organisational security policy, or assumption. As indicated by the shaded region in Table 3, assumptions are not upheld by TOE security objectives.
Table 3: Relationship between security environment and security objectives
TOE security environment (columns, left to right): A.ADMIN, A.SUPERVISOR, A.NETWORK, T.ILLEGAL_USE, T.UNAUTH_ACCESS, T.ABUSE_SEC_MNG, T.SALVAGE, T.TRANSIT, T.FAX_LINE, P.SOFTWARE
Security objectives (rows), with one v for each element of the TOE security environment that the objective satisfies:
O.AUDIT         v v v v v
O.I&A           v v v
O.DOC_ACC       v
O.MANAGE        v
O.MEM.PROTECT   v
O.NET.PROTECT   v
O.GENUINE       v
O.LINE_PROTECT  v
OE.ADMIN        v
OE.SUPERVISOR   v
OE.NETWORK      v

4.3.2 Tracing Justification
The following is the rationale for each security objective being appropriate to satisfy 3.1 Threats, 3.2 Organisational Security Policies and 3.3 Assumptions.

A.ADMIN (Assumptions for administrators)
As specified by A.ADMIN, administrators shall have sufficient knowledge to operate the TOE securely in the roles assigned to them and instruct general users to operate the TOE securely also. Additionally, administrators are unlikely to abuse their permissions. As specified by OE.ADMIN, the responsible manager of the MFP shall select trusted persons as administrators and instruct them on their administrator roles. Once instructed, administrators shall in turn instruct general users, familiarising them with the compliance rules for secure TOE operation as defined in the administrator guidance for the TOE. Therefore, A.ADMIN is upheld.

A.SUPERVISOR (Assumptions for supervisors)
As specified by A.SUPERVISOR, supervisors shall have sufficient knowledge to operate the TOE securely in the roles assigned to them, and are unlikely to abuse their permissions. As specified by OE.SUPERVISOR, the responsible manager of the MFP shall select trusted persons as supervisors and instruct them on the role of supervisor. Therefore, A.SUPERVISOR is upheld.