
Ricoh Mp C3001 Instruction Manual


    							    Page 40 of 93 
    Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved. 
    O.USER.AUTHORIZED  User identification and authentication 
    The TOE shall require identification and authentication of users and shall ensure that 
    users are authorised in accordance with security policies before allowing them to use the 
    TOE. 
    O.INTERFACE.MANAGED   Management of external interfaces by TOE 
    The TOE shall manage the operation of external interfaces in accordance with the 
    security policies. 
    O.SOFTWARE.VERIFIED Software verification 
    The TOE shall provide procedures to self-verify executable code in the TSF. 
    O.AUDIT.LOGGED    Management of audit log records 
    The TOE shall create and maintain a log of TOE use and security-relevant events in the 
    MFP and prevent its unauthorised disclosure or alteration. 
    O.STORAGE.ENCRYPTED Encryption of storage devices 
    The TOE shall ensure that the data is encrypted first and then stored on the HDD. 
    O.RCGATE.COMM.PROTECT  Protection of communication with RC Gate 
    The TOE shall conceal the communication data on the communication path between 
    itself and RC Gate, and detect any tampering with those communication data. 
    4.2  Security Objectives of Operational Environment 
    This section describes the security objectives of the operational environment. 
    4.2.1 IT Environment 
    OE.AUDIT_STORAGE.PROTECTED   Audit log protection in trusted IT products 
    If audit logs are exported to a trusted IT product, the responsible manager of MFP shall 
    ensure that those logs are protected from unauthorised access, deletion and 
    modifications. 
    OE.AUDIT_ACCESS.AUTHORIZED    Audit log access control in trusted IT products 
    If audit logs are exported to a trusted IT product, the responsible manager of MFP shall 
    ensure that those logs can be accessed in order to detect potential security violations, 
    and only by authorised persons.  
    						
    OE.INTERFACE.MANAGED    Management of external interfaces in IT environment 
    The IT environment shall take a countermeasure for the prevention of unmanaged 
    access to TOE external interfaces. 
    4.2.2 Non-IT Environment 
    OE.PHYSICAL.MANAGED Physical management 
    According to the guidance document, the TOE shall be placed in a secure or monitored 
    area that provides protection from physical access to the TOE by unauthorised persons. 
    OE.USER.AUTHORIZED  Assignment of user authority 
    The responsible manager of MFP shall give users the authority to use the TOE in 
    accordance with the security policies and procedures of their organisation. 
    OE.USER.TRAINED    User training 
    The responsible manager of MFP shall train users according to the guidance document 
    and ensure that users are aware of the security policies and procedures of their 
    organisation and have the competence to follow those policies and procedures. 
    OE.ADMIN.TRAINED Administrator training 
    The responsible manager of MFP shall ensure that administrators are aware of the 
    security policies and procedures of their organisation; have the training, competence, 
    and time to follow the guidance document; and correctly configure and operate the TOE 
    according to those policies and procedures. 
    OE.ADMIN.TRUSTED Trusted administrator 
    The responsible manager of MFP shall select administrators who will not use their 
    privileged access rights for malicious purposes according to the guidance document. 
    OE.AUDIT.REVIEWED Log audit 
    The responsible manager of MFP shall ensure that audit logs are reviewed at appropriate 
    intervals according to the guidance document for detecting security violations or 
    unusual patterns of activity. 
      
    						
    4.3  Security Objectives Rationale 
    This section describes the rationale for security objectives. The security objectives are for upholding the 
    assumptions, countering the threats, and enforcing the organisational security policies that are defined. 
    4.3.1  Correspondence Table of Security Objectives 
    Table 11 describes the correspondence between the assumptions, threats and organisational security policies, 
    and each security objective. 
    Table 11 : Rationale for Security Objectives 
    Threat / policy / assumption    Security objectives marked X
    T.DOC.DIS                       O.DOC.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
    T.DOC.ALT                       O.DOC.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
    T.FUNC.ALT                      O.FUNC.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
    T.PROT.ALT                      O.PROT.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
    T.CONF.DIS                      O.CONF.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
    T.CONF.ALT                      O.CONF.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED
    P.USER.AUTHORIZATION            O.USER.AUTHORIZED, OE.USER.AUTHORIZED
    P.SOFTWARE.VERIFICATION         O.SOFTWARE.VERIFIED
    P.AUDIT.LOGGING                 O.AUDIT.LOGGED, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED
    P.INTERFACE.MANAGEMENT          O.INTERFACE.MANAGED, OE.INTERFACE.MANAGED
    P.STORAGE.ENCRYPTION            O.STORAGE.ENCRYPTED
    P.RCGATE.COMM.PROTECT           O.RCGATE.COMM.PROTECT
    A.ACCESS.MANAGED                OE.PHYSICAL.MANAGED
    A.ADMIN.TRAINING                OE.ADMIN.TRAINED
    A.ADMIN.TRUST                   OE.ADMIN.TRUSTED
    A.USER.TRAINING                 OE.USER.TRAINED
      
    						
    4.3.2  Security Objectives Descriptions 
    The following describes the rationale for each security objective being appropriate to satisfy the threats, 
    assumptions and organisational security policies. 
    T.DOC.DIS 
    T.DOC.DIS is countered by O.DOC.NO_DIS, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. 
    By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users 
    who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE 
    requires identification and authentication of users, and users are authorised in accordance with the security 
    policies before being allowed to use the TOE. By O.DOC.NO_DIS, the TOE protects the documents from 
    unauthorised disclosure by persons without a login user name, or by persons with a login user name but 
    without an access permission to those documents. 
    T.DOC.DIS is countered by these objectives. 
    T.DOC.ALT 
    T.DOC.ALT is countered by O.DOC.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. 
    By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users 
    who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE 
    requires identification and authentication of users, and users are authorised in accordance with the security 
    policies before being allowed to use the TOE. By O.DOC.NO_ALT, the TOE protects the documents from 
    unauthorised alteration by persons without a login user name, or by persons with a login user name but 
    without an access permission to the document. 
    T.DOC.ALT is countered by these objectives. 
    T.FUNC.ALT 
    T.FUNC.ALT is countered by O.FUNC.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. 
    By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users 
    who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE 
    requires identification and authentication of users, and users are authorised in accordance with the security 
    policies before being allowed to use the TOE. By O.FUNC.NO_ALT, the TOE protects the user jobs from 
    unauthorised alteration by persons without a login user name, or by persons with a login user name but 
    without an access permission to the user job. 
    T.FUNC.ALT is countered by these objectives. 
    T.PROT.ALT 
    T.PROT.ALT is countered by O.PROT.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. 
    By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users 
    who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE 
    requires identification and authentication of users, and users are authorised in accordance with the security 
    policies before being allowed to use the TOE. By O.PROT.NO_ALT, the TOE protects the TSF protected
    data from unauthorised alteration by persons without a login user name, or by persons with a login user name 
    but without an access permission to the TSF protected data. 
    T.PROT.ALT is countered by these objectives. 
    T.CONF.DIS 
    T.CONF.DIS is countered by O.CONF.NO_DIS, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. 
    By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users 
    who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE 
    requires identification and authentication of users, and users are authorised in accordance with the security 
    policies before being allowed to use the TOE. By O.CONF.NO_DIS, the TOE protects the TSF confidential 
    data from unauthorised disclosure by persons without a login user name, or by persons with a login user 
    name but without an access permission to the TSF confidential data. 
    T.CONF.DIS is countered by these objectives. 
    T.CONF.ALT 
    T.CONF.ALT is countered by O.CONF.NO_ALT, O.USER.AUTHORIZED and OE.USER.AUTHORIZED. 
    By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users 
    who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE 
    requires identification and authentication of users, and users are authorised in accordance with the security 
    policies before being allowed to use the TOE. By O.CONF.NO_ALT, the TOE protects the TSF confidential 
    data from unauthorised alteration by persons without a login user name, or by persons with a login user name 
    but without an access permission to the TSF confidential data. 
    T.CONF.ALT is countered by these objectives. 
    P.USER.AUTHORIZATION 
    P.USER.AUTHORIZATION is enforced by O.USER.AUTHORIZED and OE.USER.AUTHORIZED. 
    By OE.USER.AUTHORIZED, the responsible manager of MFP gives the authority to use the TOE to users 
    who follow the security policies and procedures of their organisation. By O.USER.AUTHORIZED, the TOE 
    requires identification and authentication of users, and users are authorised in accordance with the security 
    policies before being allowed to use the TOE. 
    P.USER.AUTHORIZATION is enforced by these objectives. 
    P.SOFTWARE.VERIFICATION
    P.SOFTWARE.VERIFICATION is enforced by O.SOFTWARE.VERIFIED. 
    By O.SOFTWARE.VERIFIED, the TOE provides measures for self-verifying the executable code of the 
    TSF. 
    P.SOFTWARE.VERIFICATION is enforced by this objective.  
    						
    P.AUDIT.LOGGING
    P.AUDIT.LOGGING is enforced by O.AUDIT.LOGGED, OE.AUDIT.REVIEWED, 
    OE.AUDIT_STORAGE.PROTECTED and OE.AUDIT_ACCESS.AUTHORIZED. 
    By O.AUDIT.LOGGED, the TOE creates and maintains a log of TOE use and security-relevant events in the 
    MFP and prevents its unauthorised disclosure or alteration.   
    By OE.AUDIT.REVIEWED, the responsible manager of MFP reviews audit logs at appropriate intervals for 
    security violations or unusual patterns of activity according to the guidance document. 
    By OE.AUDIT_STORAGE.PROTECTED, if audit records are exported from the TOE to another trusted IT 
    product, the responsible manager of MFP protects those records from unauthorised access, deletion and 
    alteration. By OE.AUDIT_ACCESS.AUTHORIZED, the responsible manager of MFP ensures that those 
    records can be accessed in order to detect potential security violations, and only by authorised persons. 
    P.AUDIT.LOGGING is enforced by these objectives. 
    P.INTERFACE.MANAGEMENT 
    P.INTERFACE.MANAGEMENT is enforced by O.INTERFACE.MANAGED and OE.INTERFACE.MANAGED. 
    By O.INTERFACE.MANAGED, the TOE manages the operation of the external interfaces in accordance 
    with the security policies. By OE.INTERFACE.MANAGED, the TOE constructs the IT environment that 
    prevents unmanaged access to TOE external interfaces. 
    P.INTERFACE.MANAGEMENT is enforced by these objectives. 
    P.STORAGE.ENCRYPTION 
    P.STORAGE.ENCRYPTION is enforced by O.STORAGE.ENCRYPTED. 
    By O.STORAGE.ENCRYPTED, the TOE shall encrypt the data to be written on the HDD, and the data written on
    the HDD shall be those encrypted data.
    P.STORAGE.ENCRYPTION is enforced by this objective. 
    P.RCGATE.COMM.PROTECT 
    P.RCGATE.COMM.PROTECT is enforced by O.RCGATE.COMM.PROTECT. 
    By O.RCGATE.COMM.PROTECT, the TOE shall conceal the communication data on the communication 
    path between itself and RC Gate, and detect any tampering with those communication data. 
    P.RCGATE.COMM.PROTECT is enforced by this objective. 
    A.ACCESS.MANAGED 
    A.ACCESS.MANAGED is upheld by OE.PHYSICAL.MANAGED. 
    By OE.PHYSICAL.MANAGED, the TOE is located in a restricted or monitored environment according to 
    the guidance documents and is protected from the physical access by the unauthorised persons. 
    A.ACCESS.MANAGED is upheld by this objective. 
    A.ADMIN.TRAINING 
    A.ADMIN.TRAINING is upheld by OE.ADMIN.TRAINED.
    By OE.ADMIN.TRAINED, the responsible manager of MFP ensures that the administrators are aware of the 
    security policies and procedures of their organisation. For this, the administrators have the training, 
    competence, and time to follow the guidance documents, and correctly configure and operate the TOE in 
    accordance with those policies and procedures. 
    A.ADMIN.TRAINING is upheld by this objective. 
    A.ADMIN.TRUST 
    A.ADMIN.TRUST is upheld by OE.ADMIN.TRUSTED. 
    By OE.ADMIN.TRUSTED, the responsible manager of MFP selects, in accordance with the guidance documents,
    administrators who will not abuse their privileges.
    A.ADMIN.TRUST is upheld by this objective. 
    A.USER.TRAINING 
    A.USER.TRAINING is upheld by OE.USER.TRAINED. 
    By OE.USER.TRAINED, the responsible manager of MFP instructs the users in accordance with the 
    guidance documents to make them aware of the security policies and procedures of their organisation, and 
    the users follow those policies and procedures. 
    A.USER.TRAINING is upheld by this objective.
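
The correspondence in Table 11 and section 4.3.2 can be checked mechanically. The following is an added example, not part of the Security Target: it encodes the rationale as stated above and checks that every threat, policy and assumption is addressed, that no objective is left untraced, and that assumptions are upheld only by operational environment (OE.) objectives. The function names are illustrative.

```python
# Added example (not from the Security Target): section 4.3.2 as data.
UA = ["O.USER.AUTHORIZED", "OE.USER.AUTHORIZED"]
RATIONALE = {
    "T.DOC.DIS": ["O.DOC.NO_DIS"] + UA,
    "T.DOC.ALT": ["O.DOC.NO_ALT"] + UA,
    "T.FUNC.ALT": ["O.FUNC.NO_ALT"] + UA,
    "T.PROT.ALT": ["O.PROT.NO_ALT"] + UA,
    "T.CONF.DIS": ["O.CONF.NO_DIS"] + UA,
    "T.CONF.ALT": ["O.CONF.NO_ALT"] + UA,
    "P.USER.AUTHORIZATION": list(UA),
    "P.SOFTWARE.VERIFICATION": ["O.SOFTWARE.VERIFIED"],
    "P.AUDIT.LOGGING": ["O.AUDIT.LOGGED", "OE.AUDIT_STORAGE.PROTECTED",
                        "OE.AUDIT_ACCESS.AUTHORIZED", "OE.AUDIT.REVIEWED"],
    "P.INTERFACE.MANAGEMENT": ["O.INTERFACE.MANAGED", "OE.INTERFACE.MANAGED"],
    "P.STORAGE.ENCRYPTION": ["O.STORAGE.ENCRYPTED"],
    "P.RCGATE.COMM.PROTECT": ["O.RCGATE.COMM.PROTECT"],
    "A.ACCESS.MANAGED": ["OE.PHYSICAL.MANAGED"],
    "A.ADMIN.TRAINING": ["OE.ADMIN.TRAINED"],
    "A.ADMIN.TRUST": ["OE.ADMIN.TRUSTED"],
    "A.USER.TRAINING": ["OE.USER.TRAINED"],
}

# The 21 column headings of Table 11, i.e. every security objective.
OBJECTIVES = [
    "O.DOC.NO_DIS", "O.DOC.NO_ALT", "O.FUNC.NO_ALT", "O.PROT.NO_ALT",
    "O.CONF.NO_DIS", "O.CONF.NO_ALT", "O.USER.AUTHORIZED",
    "OE.USER.AUTHORIZED", "O.SOFTWARE.VERIFIED", "O.AUDIT.LOGGED",
    "OE.AUDIT_STORAGE.PROTECTED", "OE.AUDIT_ACCESS.AUTHORIZED",
    "OE.AUDIT.REVIEWED", "O.INTERFACE.MANAGED", "OE.PHYSICAL.MANAGED",
    "OE.INTERFACE.MANAGED", "O.STORAGE.ENCRYPTED", "O.RCGATE.COMM.PROTECT",
    "OE.ADMIN.TRAINED", "OE.ADMIN.TRUSTED", "OE.USER.TRAINED",
]


def check_rationale(rationale, objectives):
    """Return a list of traceability findings; an empty list means consistent."""
    findings, used = [], set()
    for item, objs in rationale.items():
        if not objs:
            findings.append(f"{item}: not addressed by any objective")
        for obj in objs:
            used.add(obj)
            if obj not in objectives:
                findings.append(f"{item}: unknown objective {obj}")
            # Assumptions describe the environment, so only OE.* may uphold them.
            if item.startswith("A.") and not obj.startswith("OE."):
                findings.append(f"{item}: upheld by TOE objective {obj}")
    findings += [f"{o}: traces to nothing" for o in objectives if o not in used]
    return findings


def depends_on(objective, rationale=RATIONALE):
    """Threats, policies and assumptions whose rationale relies on objective."""
    return sorted(i for i, objs in rationale.items() if objective in objs)


def relies_on_environment(rationale=RATIONALE):
    """Items that hold only if the operator meets at least one OE.* objective."""
    return sorted(i for i, objs in rationale.items()
                  if any(o.startswith("OE.") for o in objs))
```

`depends_on("OE.USER.AUTHORIZED")` lists the rows that lose part of their rationale if user authority is not assigned as the objective requires; `relies_on_environment()` shows how much of the rationale rests on the operator rather than on the TOE.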
      
    						
    5  Extended Components Definition 
    This section describes Extended Components Definition. 
    5.1  Restricted forwarding of data to external interfaces (FPT_FDI_EXP) 
    Family behaviour 
    This family defines requirements for the TSF to restrict direct forwarding of information from one external 
    interface to another external interface. 
     
    Many products receive information on specific external interfaces and are intended to transform and process 
    this information before it is transmitted on another external interface. However, some products may provide 
    the capability for attackers to misuse external interfaces to violate the security of the TOE or devices that are 
    connected to the TOE's external interfaces. Therefore, direct forwarding of unprocessed data between
    different external interfaces is forbidden unless explicitly allowed by an authorized administrative role. The 
    family FPT_FDI_EXP has been defined to specify this kind of functionality. 
     
    Component levelling: 
    FPT_FDI_EXP: Restricted forwarding of data to external interfaces    1
     
    FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces provides for the functionality to require 
    TSF controlled processing of data received over defined external interfaces before these data are sent out on 
    another external interface. Direct forwarding of data from one external interface to another one requires 
    explicit allowance by an authorized administrative role. 
     
    Management: FPT_FDI_EXP.1 
    The following actions could be considered for the management functions in FMT: 
    a)  Definition of the role(s) that are allowed to perform the management activities 
    b)  Management of the conditions under which direct forwarding can be allowed by an administrative role 
    c)  Revocation of such an allowance 
     
    Audit: FPT_FDI_EXP.1 
    There are no auditable events foreseen. 
     
    Rationale: 
    Quite often, a TOE is supposed to perform specific checks and process data received on one external 
    interface before such (processed) data are allowed to be transferred to another external interface. Examples
    are firewall systems but also other systems that require a specific work flow for the incoming data before it 
    can be transferred. Direct forwarding of such data (i.e., without processing the data first) between different 
    external interfaces is therefore a function that—if allowed at all—can only be allowed by an authorized role. 
     
    It has been viewed as useful to have this functionality as a single component that allows specifying the 
    property to disallow direct forwarding and require that only an authorized role can allow this. Since this is a 
    function that is quite common for a number of products, it has been viewed as useful to define an extended 
    component. 
     
    The Common Criteria defines attribute-based control of user data flow in its FDP class. However, in this 
    Protection Profile, the authors needed to express the control of both user data and TSF data flow using 
    administrative control instead of attribute-based control. It was found that using FDP_IFF and FDP_IFC for 
    this purpose resulted in SFRs that were either too implementation-specific for a Protection Profile or too 
    unwieldy for refinement in a Security Target. Therefore, the authors decided to define an extended 
    component to address this functionality. 
     
    This extended component protects both user data and TSF data, and it could therefore be placed in either the 
    FDP or the FPT class. Since its purpose is to protect the TOE from misuse, the authors believed that it was 
    most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class, 
    and this led the authors to define a new family with just one member. 
    FPT_FDI_EXP.1  Restricted forwarding of data to external interfaces 
    Hierarchical to:  No other components 
    Dependencies:  FMT_SMF.1 Specification of Management Functions 
    FMT_SMR.1 Security roles 
    FPT_FDI_EXP.1.1  The TSF shall provide the capability to restrict data received on [assignment: the 
    Operation Panel, LAN, telephone line] from being forwarded without further 
    processing by the TSF to [assignment: the LAN and telephone line].  
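
The decision logic that FPT_FDI_EXP.1 describes, together with management actions a) to c), can be modelled in a few lines. This is an added example and not code from the TOE or the Security Target: the interface names come from the assignments above, while the role names and the class and method names are assumptions.

```python
from dataclasses import dataclass, field

# Interfaces from the assignments in FPT_FDI_EXP.1.1 on this page.
SOURCES = {"Operation Panel", "LAN", "telephone line"}
DESTINATIONS = {"LAN", "telephone line"}


@dataclass
class ForwardingPolicy:
    """Toy model of FPT_FDI_EXP.1; the role names are assumptions."""
    admin_roles: set                               # management action a)
    allowances: set = field(default_factory=set)   # (source, destination)

    def _check(self, role, src, dst):
        if role not in self.admin_roles:
            raise PermissionError(f"role {role!r} may not manage forwarding")
        if src not in SOURCES or dst not in DESTINATIONS:
            raise ValueError(f"{src!r} -> {dst!r} is outside the assignment")

    def allow_direct(self, role, src, dst):        # management action b)
        self._check(role, src, dst)
        self.allowances.add((src, dst))

    def revoke(self, role, src, dst):              # management action c)
        self._check(role, src, dst)
        self.allowances.discard((src, dst))

    def may_forward(self, src, dst, processed_by_tsf):
        """Decide whether data received on src may be sent out on dst."""
        if src not in SOURCES or dst not in DESTINATIONS:
            return False        # unknown interface: deny by default
        if processed_by_tsf:
            return True         # normal path: the TSF handled the data first
        return (src, dst) in self.allowances


def walk_through():
    """Return the decisions for a constructed sequence of events."""
    policy = ForwardingPolicy(admin_roles={"administrator"})
    path = ("telephone line", "LAN")
    results = [policy.may_forward(*path, processed_by_tsf=False)]
    try:
        policy.allow_direct("normal user", *path)
        results.append("allowed")
    except PermissionError:
        results.append("refused")
    policy.allow_direct("administrator", *path)
    results.append(policy.may_forward(*path, processed_by_tsf=False))
    policy.revoke("administrator", *path)
    results.append(policy.may_forward(*path, processed_by_tsf=False))
    return results
```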
    						
    6 Security Requirements 
    This section describes Security Functional Requirements, Security Assurance Requirements and Security 
    Requirements Rationale. 
    6.1  Security Functional Requirements 
    This section describes the TOE security functional requirements for fulfilling the security objectives defined 
    in section 4.1. The security functional requirements are quoted from the requirements defined in CC Part 2.
    The security functional requirements that are not defined in CC Part 2 are quoted from the extended security
    functional requirements defined in the PP (IEEE Standard for a Protection Profile in Operational 
    Environment A (IEEE Std 2600.1-2009)). 
    The part with assignment and selection defined in the [CC] is identified with [bold face and brackets]. 
    The part with refinement is identified with (refinement:). 
    6.1.1  Class FAU: Security audit 
    FAU_GEN.1 Audit data generation 
    Hierarchical to:    No other components. 
    Dependencies:  FPT_STM.1 Reliable time stamps 
    FAU_GEN.1.1  The TSF shall be able to generate an audit record of the following auditable events: 
    a) Start-up and shutdown of the audit functions; 
    b) All auditable events for the [selection: not specified] level of audit; and 
    c) [assignment: auditable events of the TOE shown in Table 12]. 
    FAU_GEN.1.2  The TSF shall record within each audit record at least the following information: 
    a) Date and time of the event, type of event, subject identity (if applicable), and the outcome 
    (success or failure) of the event; and 
    b) For each audit event type, based on the auditable event definitions of the functional 
    components included in the PP/ST, [assignment: types of job for FDP_ACF.1(a), all login 
    user names that attempted the user identification for FIA_UID.1, communication 
    direction of Web Function, communication IP address of the communication used for 
    Web Function and folder transmission, recipient's e-mail address used for e-mail
    transmission, and communication direction of communication with RC Gate]. 
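
A reviewer of exported audit logs can test each record against FAU_GEN.1.2. The following is an added example, not the TOE's code or log format: the record layout, field names, event-type names and the direction values are assumptions made for illustration, and the sample records are constructed.

```python
import ipaddress
from datetime import datetime

# Field and event-type names are assumptions; the page does not show the
# TOE's log format.
COMMON = ("timestamp", "event_type", "outcome")      # FAU_GEN.1.2 a)
EXTRA = {                                            # FAU_GEN.1.2 b)
    "job": ("job_type",),
    "login": ("login_user_name",),
    "web_function": ("direction", "ip_address"),
    "folder_transmission": ("ip_address",),
    "email_transmission": ("recipient_email",),
    "rc_gate_communication": ("direction",),
}


def validate_record(rec):
    """Return the FAU_GEN.1.2 problems found in one audit record (a dict)."""
    required = COMMON + EXTRA.get(rec.get("event_type"), ())
    problems = [f"missing {key}" for key in required if not rec.get(key)]
    if rec.get("timestamp"):
        try:
            datetime.fromisoformat(rec["timestamp"])
        except ValueError:
            problems.append("timestamp is not a date and time")
    if rec.get("outcome") and rec["outcome"] not in ("success", "failure"):
        problems.append("outcome is neither success nor failure")
    if rec.get("direction") and rec["direction"] not in ("inbound", "outbound"):
        problems.append("direction is neither inbound nor outbound")
    if rec.get("ip_address"):
        try:
            ipaddress.ip_address(rec["ip_address"])
        except ValueError:
            problems.append("ip_address is not an IP address")
    return problems


# Constructed sample records (not real TOE output).
SAMPLES = [
    # Failed login: no subject identity applies, but the attempted login
    # user name must still be recorded.
    {"timestamp": "2011-06-01T09:15:02", "event_type": "login",
     "outcome": "failure", "login_user_name": "jsmith"},
    {"timestamp": "2011-06-01T09:15:09", "event_type": "login",
     "outcome": "failure"},
    {"timestamp": "2011-06-01T09:20:41", "event_type": "web_function",
     "outcome": "success", "subject": "admin1",
     "direction": "inbound", "ip_address": "192.0.2.10"},
    {"timestamp": "2011-06-01T09:21:00", "event_type": "web_function",
     "outcome": "ok", "direction": "inbound"},
]


def review(records):
    """Map the index of each non-conforming record to its problems."""
    report = {}
    for index, rec in enumerate(records):
        problems = validate_record(rec)
        if problems:
            report[index] = problems
    return report
```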
    Table 12 shows the action (CC rules) recommended by the CC as auditable for each functional requirement 
    and the corresponding auditable events of the TOE. 
    Table 12 : List of Auditable Events 
    Functional Requirements    Actions Which Should Be Auditable    Auditable Events
    FDP_ACF.1(a)  a) Minimal: Successful requests to  Original:  
    						