Ricoh Mp C3001 Instruction Manual
Page 70 of 93 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

Table 32 : Relationship between Security Objectives and Functional Requirements

Each functional requirement is listed with the security objectives it is traced to. The matrix has one column per security objective (O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.USER.AUTHORIZED, O.INTERFACE.MANAGED, O.SOFTWARE.VERIFIED, O.AUDIT.LOGGED, O.STORAGE.ENCRYPTED, O.RCGATE.COMM.PROTECT) and an "X" at each intersection given below.

FAU_GEN.1 : O.AUDIT.LOGGED
FAU_GEN.2 : O.AUDIT.LOGGED
FAU_STG.1 : O.AUDIT.LOGGED
FAU_STG.4 : O.AUDIT.LOGGED
FAU_SAR.1 : O.AUDIT.LOGGED
FAU_SAR.2 : O.AUDIT.LOGGED
FCS_CKM.1 : O.STORAGE.ENCRYPTED
FCS_COP.1 : O.STORAGE.ENCRYPTED
FDP_ACC.1(a) : O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT
FDP_ACC.1(b) : O.USER.AUTHORIZED
FDP_ACF.1(a) : O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT
FDP_ACF.1(b) : O.USER.AUTHORIZED
FDP_RIP.1 : O.DOC.NO_DIS, O.DOC.NO_ALT
FIA_AFL.1 : O.USER.AUTHORIZED
FIA_ATD.1 : O.USER.AUTHORIZED
FIA_SOS.1 : O.USER.AUTHORIZED
FIA_UAU.1(a) : O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_UAU.1(b) : O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_UAU.2 : O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_UAU.7 : O.USER.AUTHORIZED
FIA_UID.1(a) : O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_UID.1(b) : O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_UID.2 : O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FIA_USB.1 : O.USER.AUTHORIZED
FPT_FDI_EXP.1 : O.INTERFACE.MANAGED
FMT_MSA.1(a) : O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT
FMT_MSA.1(b) : O.USER.AUTHORIZED
FMT_MSA.3(a) : O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT
FMT_MSA.3(b) : O.USER.AUTHORIZED
FMT_MTD.1 : O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.STORAGE.ENCRYPTED
FMT_SMF.1 : O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.STORAGE.ENCRYPTED
FMT_SMR.1 : O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.STORAGE.ENCRYPTED
FPT_STM.1 : O.AUDIT.LOGGED
FPT_TST.1 : O.SOFTWARE.VERIFIED
FTA_SSL.3 : O.USER.AUTHORIZED, O.INTERFACE.MANAGED
FTP_ITC.1 : O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.RCGATE.COMM.PROTECT

6.3.2 Justification of Traceability

This section describes how each TOE security objective is fulfilled by the TOE security functional requirements traced to it.

O.DOC.NO_DIS Protection of document disclosure

O.DOC.NO_DIS is the security objective to prevent documents from unauthorised disclosure by persons without a login user name, or by persons with a login user name but without access permission to the document. To fulfil this security objective, the following countermeasures are required.

(1) Specify and implement access control to the document data. FDP_ACC.1(a) and FDP_ACF.1(a) allow only the following persons to view document data, according to the document data attributes: the normal user who generated the document data, or a normal user who is registered on the document user list of the document data. The MFP administrator, supervisor and RC Gate are not allowed to view document data.

(2) Prevent reading of deleted documents, temporary documents and their fragments. FDP_RIP.1 prevents deleted documents, temporary documents and their fragments from being read.

(3) Use trusted channels for sending or receiving document data. Document data sent and received by the TOE via the LAN are protected by FTP_ITC.1.

(4) Management of the security attributes. FMT_MSA.1(a) specifies the available operations (newly create, query, modify and delete) on the login user name and the available operations (query and modify) on the document user list, and restricts each operation to specified users. FMT_MSA.3(a) ensures that restrictive values are set for the security attributes of document data (the object) when document data are generated.

By satisfying FDP_ACC.1(a), FDP_ACF.1(a), FDP_RIP.1, FTP_ITC.1, FMT_MSA.1(a) and FMT_MSA.3(a), which are the security functional requirements for these countermeasures, O.DOC.NO_DIS is fulfilled.

O.DOC.NO_ALT Protection of document alteration

O.DOC.NO_ALT is the security objective to prevent documents from unauthorised alteration by persons without a login user name, or by persons with a login user name but without access permission to the document. To fulfil this security objective, the following countermeasures are required.

(1) Specify and implement access control to document data. FDP_ACC.1(a) and FDP_ACF.1(a) allow the following persons to delete document data (there is no editing operation on document data), according to the document data attributes: the normal user who generated the document data, a normal user who is registered in the document user list of the document data, and the MFP administrator. The supervisor and RC Gate are not allowed to delete document data.

(2) Prevent deletion of deleted documents, temporary documents and their fragments. FDP_RIP.1 prevents deleted documents, temporary documents and their fragments from being used.

(3) Use trusted channels for sending or receiving document data. Document data sent and received by the TOE via the LAN interface are protected by FTP_ITC.1.

(4) Management of the security attributes. FMT_MSA.1(a) specifies the available operations (newly create, query, modify and delete) on the login user name and the available operations (query and modify) on the document user list, and restricts each operation to specified users.
FMT_MSA.3(a) ensures that restrictive values are set for the security attributes of document data (the object) when document data are generated.

By satisfying FDP_ACC.1(a), FDP_ACF.1(a), FDP_RIP.1, FTP_ITC.1, FMT_MSA.1(a) and FMT_MSA.3(a), which are the security functional requirements for these countermeasures, O.DOC.NO_ALT is fulfilled.

O.FUNC.NO_ALT Protection of user job alteration

O.FUNC.NO_ALT is the security objective to prevent user jobs from unauthorised alteration by persons without a login user name, or by persons with a login user name but without access permission to the user job. To fulfil this security objective, the following countermeasures are required.

(1) Specify and implement access control to user jobs. FDP_ACC.1(a) and FDP_ACF.1(a) allow the MFP administrator, and the normal user who has permission to delete the applicable user job, to delete user jobs. The supervisor and RC Gate are not allowed to delete user jobs. Deletion is the only modification operation on this TOE's user jobs.

(2) Use trusted channels for sending or receiving user jobs. User jobs sent and received by the TOE via the LAN are protected by FTP_ITC.1.

(3) Management of the security attributes. FMT_MSA.1(a) restricts each available operation (newly create, query, modify and delete) on the login user name to specified users only. FMT_MSA.3(a) sets restrictive values for the security attributes of user jobs (the object) when user jobs are generated.

By satisfying FDP_ACC.1(a), FDP_ACF.1(a), FTP_ITC.1, FMT_MSA.1(a) and FMT_MSA.3(a), which are the security functional requirements for these countermeasures, O.FUNC.NO_ALT is fulfilled.

O.PROT.NO_ALT Protection of TSF protected data alteration

O.PROT.NO_ALT is the security objective to allow only users who can maintain security to alter the TSF protected data. To fulfil this security objective, the following countermeasures are required.

(1) Management of the TSF protected data. By FMT_MTD.1, only the MFP administrator is allowed to manage the date, time, S/MIME user information, destination folder, and users for stored and received documents.

(2) Specification of the Management Functions. FMT_SMF.1 provides the Management Functions required for the Security Functions.

(3) Specification of the roles. FMT_SMR.1 maintains the users who hold the privileges.

(4) Use trusted channels for sending or receiving the TSF protected data. TSF protected data sent and received by the TOE via the LAN are protected by FTP_ITC.1.

By satisfying FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 and FTP_ITC.1, which are the security functional requirements for these countermeasures, O.PROT.NO_ALT is fulfilled.

O.CONF.NO_DIS Protection of TSF confidential data disclosure

O.CONF.NO_DIS is the security objective to allow only users who can maintain security to disclose the TSF confidential data. To fulfil this security objective, the following countermeasures are required.

(1) Management of the TSF confidential data. FMT_MTD.1 allows the MFP administrator and the applicable normal user to operate the login password of that normal user. The supervisor is allowed to operate the login password of the supervisor. The supervisor and the applicable MFP administrator are allowed to operate the login password of that administrator. Only the MFP administrator is allowed to operate the audit log and the HDD cryptographic key.

(2) Specification of the Management Functions. FMT_SMF.1 provides the Management Functions required for the Security Functions.

(3) Specification of the roles. FMT_SMR.1 maintains the users who hold the privileges.

(4) Use trusted channels for sending or receiving TSF confidential data. TSF confidential data sent and received by the TOE via the LAN are protected by FTP_ITC.1.

By satisfying FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 and FTP_ITC.1, which are the security functional requirements for these countermeasures, O.CONF.NO_DIS is fulfilled.
O.CONF.NO_ALT Protection of TSF confidential data alteration

O.CONF.NO_ALT is the security objective to allow only users who can maintain security to alter the TSF confidential data. To fulfil this security objective, the following countermeasures are required.

(1) Management of the TSF confidential data. FMT_MTD.1 allows the MFP administrator and the applicable normal user to operate the login password of that normal user. The supervisor is allowed to operate the login password of the supervisor. The supervisor and the applicable MFP administrator are allowed to operate the login password of that administrator. Only the MFP administrator is allowed to operate the audit log and to newly create an HDD cryptographic key.

(2) Specification of the Management Functions. FMT_SMF.1 provides the Management Functions required for the Security Functions.

(3) Specification of the roles. FMT_SMR.1 maintains the users who hold the privileges.

(4) Use trusted channels for sending or receiving TSF confidential data. TSF confidential data sent and received by the TOE via the LAN are protected by FTP_ITC.1.

By satisfying FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 and FTP_ITC.1, which are the security functional requirements for these countermeasures, O.CONF.NO_ALT is fulfilled.

O.USER.AUTHORIZED User identification and authentication

O.USER.AUTHORIZED is the security objective to restrict users in accordance with the security policies, so that only valid users can use the TOE functions. Authentication failure handling and verification of secrets are the security policies for password authentication when the TOE is accessed from the Operation Panel or from a Web browser on a client computer, when documents are printed from the client computer, and when documents are faxed by LAN fax from the client computer. To fulfil this security objective, the following countermeasures are required.

(1) Identify and authenticate users prior to TOE use. FIA_UID.1(a) and FIA_UAU.1(a) identify and authenticate, by the Basic Authentication, the persons who attempt to use the TOE from the Operation Panel or from a client computer on the network. FIA_UID.1(b) and FIA_UAU.1(b) identify and authenticate the persons who attempt to use the TOE from the Operation Panel or from a client computer on the network by the Basic Authentication if the person is the MFP administrator or supervisor, and by the External Authentication if the person is a normal user. FIA_UID.2 identifies the person who attempts to use the TOE from the interface for RC Gate communication, and FIA_UAU.2 authenticates RC Gate.

(2) Allow the successfully identified and authenticated user to use the TOE. FIA_ATD.1 and FIA_USB.1 manage the access procedures to the protected assets for users who are defined in advance, and associate successfully identified and authenticated users with those access procedures. FDP_ACC.1(b) and FDP_ACF.1(b) allow the applicable normal user to use the MFP applications according to the operation permissions granted to that successfully identified and authenticated normal user.

(3) Make the login password difficult to decode. FIA_UAU.7 displays dummy characters as authentication feedback on the Operation Panel, which prevents disclosure of the login password. FIA_SOS.1 accepts only passwords that satisfy the minimum number of characters and the character combination specified for the Basic Authentication by the MFP administrator, which makes passwords difficult to guess. For the External Authentication, this depends on the settings for the External Authentication. FIA_AFL.1 denies access to the TOE for a certain period to a user who has failed the Basic Authentication a certain number of times. For the External Authentication, this depends on the settings for the External Authentication.

(4) Terminate login automatically. FTA_SSL.3 automatically logs the user out of the Operation Panel or Web browser when no operation has been performed from the Operation Panel or Web browser for a certain period and the auto logout time elapses. It also ends the document data reception session once reception of document data from the printer driver or fax driver completes. The TOE terminates the session with RC Gate after the communication with RC Gate completes.

(5) Management of the security attributes. According to FMT_MSA.1(b), the login user name and the available function list of a normal user are managed by the MFP administrator, and users are not allowed to operate the function type. FMT_MSA.3(b) sets a permissive default value for the available function list and a restrictive default value for the function type.

By satisfying FDP_ACC.1(b), FDP_ACF.1(b), FIA_UID.1(a), FIA_UID.1(b), FIA_UID.2, FIA_UAU.1(a), FIA_UAU.1(b), FIA_UAU.2, FIA_ATD.1, FIA_USB.1, FIA_UAU.7, FIA_AFL.1, FIA_SOS.1, FTA_SSL.3, FMT_MSA.1(b) and FMT_MSA.3(b), which are the security functional requirements for these countermeasures, O.USER.AUTHORIZED is fulfilled.

The function for 2600.1-SMI (F.SMI), the SFR Package selected from the PP, is used in conjunction with the function whose access control is enforced by FDP_ACC.1(b) and FDP_ACF.1(b). Therefore, the access control for F.SMI is covered by the access control of FDP_ACC.1(b) and FDP_ACF.1(b), and is fulfilled.

O.INTERFACE.MANAGED Management of external interfaces by TOE

O.INTERFACE.MANAGED is the security objective to ensure that the TOE manages the operation of the external interfaces according to the security policy. To fulfil this security objective, the following countermeasures are required.

(1) Identify and authenticate users prior to use of the Operation Panel and LAN interface. FIA_UID.1(a) and FIA_UID.1(b) identify the persons who attempt to use the TOE from the Operation Panel or from a client computer on the network, and FIA_UAU.1(a) and FIA_UAU.1(b) authenticate the identified users. FIA_UID.2 identifies the persons who attempt to use the TOE from the interface for RC Gate communication, and FIA_UAU.2 authenticates them.

(2) Automatically terminate the connection to the Operation Panel and LAN interface. FTA_SSL.3 terminates the session when no operation has been performed from the Operation Panel or LAN interface for a certain period.
(3) Restrict forwarding of data to external interfaces. FPT_FDI_EXP.1 prevents data received from the Operation Panel, LAN interface and telephone line from being transmitted via the LAN or telephone line without further processing by the TSF.

By satisfying FIA_UID.1(a), FIA_UID.1(b), FIA_UAU.1(a), FIA_UAU.1(b), FIA_UID.2, FIA_UAU.2, FTA_SSL.3 and FPT_FDI_EXP.1, which are the security functional requirements for these countermeasures, O.INTERFACE.MANAGED is fulfilled.

O.SOFTWARE.VERIFIED Software verification

O.SOFTWARE.VERIFIED is the security objective to ensure that the MFP Control Software and FCU Control Software are verified. To fulfil this security objective, the following countermeasure is required.

(1) Self-check. FPT_TST.1 checks at start-up that the MFP Control Software and FCU Control Software are verified software.

By satisfying FPT_TST.1, which is the security functional requirement for this countermeasure, O.SOFTWARE.VERIFIED is fulfilled.

O.AUDIT.LOGGED Management of audit log records

O.AUDIT.LOGGED is the security objective to record the audit log required to detect security intrusions, and to allow the MFP administrator to view the audit log. To fulfil this security objective, the following countermeasures are required.

(1) Record the audit log. FAU_GEN.1 and FAU_GEN.2 record the auditable events together with identification information on what caused each event.

(2) Protect the audit log. FAU_STG.1 protects the audit logs from alteration, and FAU_STG.4 deletes the audit logs with the oldest time stamps and records the new audit logs when auditable events occur while the audit log files are full.

(3) Provide the Audit Function. FAU_SAR.1 allows the MFP administrator to read audit logs in a format suitable for auditing. FAU_SAR.2 prohibits persons other than the MFP administrator from reading the audit logs.

(4) Provide a reliable time of occurrence for each event. FPT_STM.1 provides a trusted time stamp, so that a reliable record of the time at which each event occurred is recorded in the audit log.

By satisfying FAU_GEN.1, FAU_GEN.2, FAU_STG.1, FAU_STG.4, FAU_SAR.1, FAU_SAR.2 and FPT_STM.1, which are the security functional requirements for these countermeasures, O.AUDIT.LOGGED is fulfilled.

O.STORAGE.ENCRYPTED Encryption of storage devices

O.STORAGE.ENCRYPTED is the security objective to ensure that data written to the HDD are encrypted. To fulfil this security objective, the following countermeasures are required.

(1) Generate appropriate cryptographic keys. FCS_CKM.1 generates the cryptographic key for encryption.

(2) Perform cryptographic operations. FCS_COP.1 encrypts data to be stored in the HDD and decrypts data read from the HDD.

(3) Manage the TSF data. FMT_MTD.1 allows the MFP administrator to manage the cryptographic keys.

(4) Specification of the Management Functions. FMT_SMF.1 provides the Management Functions required for the Security Functions.

(5) Specification of the roles. FMT_SMR.1 maintains the users who hold the privileges.

By satisfying FCS_CKM.1, FCS_COP.1, FMT_MTD.1, FMT_SMF.1 and FMT_SMR.1, which are the security functional requirements for these countermeasures, O.STORAGE.ENCRYPTED is fulfilled.

O.RCGATE.COMM.PROTECT Protection of communication with RC Gate

O.RCGATE.COMM.PROTECT is the security objective to ensure that communication data between the TOE and RC Gate are concealed, and that any tampering on the communication path is detected. To fulfil this security objective, the following countermeasure is required.

(1) Use a trusted channel for the communication with RC Gate. FTP_ITC.1 allows the TOE to establish communication with RC Gate that protects the data from tampering and disclosure.

By satisfying FTP_ITC.1, which is the security functional requirement for this countermeasure, O.RCGATE.COMM.PROTECT is fulfilled.

6.3.3 Dependency Analysis

Table 33 shows the result of the dependency analysis in this ST for the TOE security functional requirements.
Table 33 : Results of Dependency Analysis of TOE Security Functional Requirements

Columns: TOE Security Functional Requirement | Claimed Dependencies | Dependencies Satisfied in ST | Dependencies Not Satisfied in ST

FAU_GEN.1 | FPT_STM.1 | FPT_STM.1 | None
FAU_GEN.2 | FAU_GEN.1, FIA_UID.1 | FAU_GEN.1, FIA_UID.1 | None
FAU_STG.1 | FAU_GEN.1 | FAU_GEN.1 | None
FAU_STG.4 | FAU_STG.1 | FAU_STG.1 | None
FAU_SAR.1 | FAU_GEN.1 | FAU_GEN.1 | None
FAU_SAR.2 | FAU_SAR.1 | FAU_SAR.1 | None
FCS_CKM.1 | [FCS_CKM.2 or FCS_COP.1], FCS_CKM.4 | FCS_COP.1 | FCS_CKM.4
FCS_COP.1 | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4 | FCS_CKM.1 | FCS_CKM.4
FDP_ACC.1(a) | FDP_ACF.1(a) | FDP_ACF.1(a) | None
FDP_ACC.1(b) | FDP_ACF.1(b) | FDP_ACF.1(b) | None
FDP_ACF.1(a) | FDP_ACC.1(a), FMT_MSA.3(a) | FDP_ACC.1(a), FMT_MSA.3(a) | None
FDP_ACF.1(b) | FDP_ACC.1(b), FMT_MSA.3(b) | FDP_ACC.1(b), FMT_MSA.3(b) | None
FDP_RIP.1 | None | None | None
FIA_AFL.1 | FIA_UAU.1(a) | FIA_UAU.1(a) | None
FIA_ATD.1 | None | None | None
FIA_SOS.1 | None | None | None
FIA_UAU.1(a) | FIA_UID.1(a) | FIA_UID.1(a) | None
FIA_UAU.1(b) | FIA_UID.1(b) | FIA_UID.1(b) | None
FIA_UAU.2 | FIA_UID.1 | FIA_UID.2 | None
FIA_UAU.7 | FIA_UAU.1 | FIA_UAU.1 | None
FIA_UID.1(a) | None | None | None
FIA_UID.1(b) | None | None | None
FIA_UID.2 | None | None | None
FIA_USB.1 | FIA_ATD.1 | FIA_ATD.1 | None
FPT_FDI_EXP.1 | FMT_SMF.1, FMT_SMR.1 | FMT_SMF.1, FMT_SMR.1 | None
FMT_MSA.1(a) | [FDP_ACC.1(a) or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1 | FDP_ACC.1(a), FMT_SMR.1, FMT_SMF.1 | None
FMT_MSA.1(b) | [FDP_ACC.1(b) or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1 | FDP_ACC.1(b), FMT_SMR.1, FMT_SMF.1 | None
FMT_MSA.3(a) | FMT_MSA.1(a), FMT_SMR.1 | FMT_MSA.1(a), FMT_SMR.1 | None
FMT_MSA.3(b) | FMT_MSA.1(b), FMT_SMR.1 | FMT_MSA.1(b), FMT_SMR.1 | None
FMT_MTD.1 | FMT_SMR.1, FMT_SMF.1 | FMT_SMR.1, FMT_SMF.1 | None
FMT_SMF.1 | None | None | None
FMT_SMR.1 | FIA_UID.1 | FIA_UID.1 | None
FPT_STM.1 | None | None | None
FPT_TST.1 | None | None | None
FTA_SSL.3 | None | None | None
FTP_ITC.1 | None | None | None

The following explains the rationale for acceptability in all cases where a dependency is not satisfied.

Rationale for Removing Dependencies on FCS_CKM.4

Once the MFP administrator generates the cryptographic key used for the HDD encryption of this TOE at the start of TOE operation, that key is used continuously for the HDD and is never deleted. Therefore, cryptographic key destruction by the standard method is unnecessary.

6.3.4 Security Assurance Requirements Rationale

This TOE is software for the MFP, which is a commercially available product. The MFP is assumed to be used in a general office, and this TOE does not assume attackers capable of attacks of moderate or greater level. Architectural design (ADV_TDS.2) is adequate to show the validity of commercially available products. A high attack potential is required for attacks that circumvent or tamper with the TSF, which are not covered in this evaluation. The vulnerability analysis (AVA_VAN.2) is therefore adequate for general needs. However, protecting the secrecy of relevant information is required to make security attacks more difficult, and it is important to ensure a secure development environment; development security (ALC_DVS.1) is therefore also important. To operate the TOE securely on a continuing basis, it is important to appropriately remediate flaws discovered after the start of TOE operation according to the flaw reporting procedure (ALC_FLR.2). Based on the terms and costs of the evaluation, the evaluation assurance level of EAL3+ALC_FLR.2 is appropriate for this TOE.
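The dependency analysis of Table 33, together with the rule that every unsatisfied dependency needs a written rationale such as the one given for FCS_CKM.4, carried out programmatically as an added example that is not part of the Ricoh Security Target. The claimed dependencies are transcribed from Table 33; the hierarchical relations (FIA_UID.2 to FIA_UID.1, FIA_UAU.2 to FIA_UAU.1) are CC Part 2 facts used to resolve the FIA_UAU.2 row; the JUSTIFIED set and all function names are this example's own.

```python
"""Dependency analysis for this ST's SFR set, in the manner of Table 33.
Added example, not part of the Ricoh Security Target. CLAIMED is transcribed
from Table 33; HIERARCHICAL records CC Part 2 hierarchy used by this SFR set;
JUSTIFIED is the dependency the ST argues away in its written rationale."""
import re
from typing import Dict, List, Set, Tuple, Union

Dep = Union[str, Tuple[str, ...]]  # one component, or "[A or B]" alternatives

CLAIMED: Dict[str, List[Dep]] = {
    "FAU_GEN.1": ["FPT_STM.1"], "FAU_GEN.2": ["FAU_GEN.1", "FIA_UID.1"],
    "FAU_STG.1": ["FAU_GEN.1"], "FAU_STG.4": ["FAU_STG.1"],
    "FAU_SAR.1": ["FAU_GEN.1"], "FAU_SAR.2": ["FAU_SAR.1"],
    "FCS_CKM.1": [("FCS_CKM.2", "FCS_COP.1"), "FCS_CKM.4"],
    "FCS_COP.1": [("FDP_ITC.1", "FDP_ITC.2", "FCS_CKM.1"), "FCS_CKM.4"],
    "FDP_ACC.1(a)": ["FDP_ACF.1(a)"], "FDP_ACC.1(b)": ["FDP_ACF.1(b)"],
    "FDP_ACF.1(a)": ["FDP_ACC.1(a)", "FMT_MSA.3(a)"],
    "FDP_ACF.1(b)": ["FDP_ACC.1(b)", "FMT_MSA.3(b)"],
    "FDP_RIP.1": [], "FIA_AFL.1": ["FIA_UAU.1(a)"], "FIA_ATD.1": [],
    "FIA_SOS.1": [], "FIA_UAU.1(a)": ["FIA_UID.1(a)"],
    "FIA_UAU.1(b)": ["FIA_UID.1(b)"], "FIA_UAU.2": ["FIA_UID.1"],
    "FIA_UAU.7": ["FIA_UAU.1"], "FIA_UID.1(a)": [], "FIA_UID.1(b)": [],
    "FIA_UID.2": [], "FIA_USB.1": ["FIA_ATD.1"],
    "FPT_FDI_EXP.1": ["FMT_SMF.1", "FMT_SMR.1"],
    "FMT_MSA.1(a)": [("FDP_ACC.1(a)", "FDP_IFC.1"), "FMT_SMR.1", "FMT_SMF.1"],
    "FMT_MSA.1(b)": [("FDP_ACC.1(b)", "FDP_IFC.1"), "FMT_SMR.1", "FMT_SMF.1"],
    "FMT_MSA.3(a)": ["FMT_MSA.1(a)", "FMT_SMR.1"],
    "FMT_MSA.3(b)": ["FMT_MSA.1(b)", "FMT_SMR.1"],
    "FMT_MTD.1": ["FMT_SMR.1", "FMT_SMF.1"], "FMT_SMF.1": [],
    "FMT_SMR.1": ["FIA_UID.1"], "FPT_STM.1": [], "FPT_TST.1": [],
    "FTA_SSL.3": [], "FTP_ITC.1": [],
}
HIERARCHICAL = {"FIA_UID.2": "FIA_UID.1", "FIA_UAU.2": "FIA_UAU.1"}
JUSTIFIED: Set[str] = {"FCS_CKM.4"}  # see "Rationale for Removing Dependencies"


def base(component: str) -> str:
    """Strip an iteration suffix: 'FDP_ACC.1(a)' -> 'FDP_ACC.1'."""
    return re.sub(r"\([a-z]\)$", "", component)


def satisfies(candidate: str, dep: str) -> bool:
    """True if SFR `candidate` satisfies a dependency on `dep`: an exact match,
    any iteration of a base-level dependency, or a hierarchical component."""
    if candidate == dep:
        return True
    if "(" in dep:  # the dependency names a specific iteration
        return False
    cand_base = base(candidate)
    return cand_base == dep or HIERARCHICAL.get(cand_base) == dep


def analyse(claimed: Dict[str, List[Dep]]) -> List[Tuple[str, str]]:
    """Return (sfr, dependency) pairs that no SFR in `claimed` satisfies.
    For "[A or B]" alternatives one satisfied branch suffices."""
    missing = []
    for sfr, deps in claimed.items():
        for dep in deps:
            branches = dep if isinstance(dep, tuple) else (dep,)
            if not any(satisfies(c, b) for b in branches for c in claimed):
                missing.append((sfr, " or ".join(branches)))
    return missing


def unjustified(claimed: Dict[str, List[Dep]]) -> List[Tuple[str, str]]:
    """Unsatisfied dependencies with no written rationale; must be empty
    for the ST to be internally consistent."""
    return [(s, d) for s, d in analyse(claimed) if d not in JUSTIFIED]
```

Running analyse(CLAIMED) reproduces the two FCS_CKM.4 entries of Table 33 and nothing else, and unjustified(CLAIMED) is empty because the ST supplies the FCS_CKM.4 rationale; dropping an SFR from CLAIMED shows which rows would then need a new rationale.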