Ricoh Aficio MP 2852SP Manual
  1. Manuals
  2. Brands
  3. Ricoh Manuals
  4. All in One Printer
  5. Aficio MP 2852SP
  6. Manual

Ricoh Aficio MP 2852SP Manual

Security target
Hide thumbs
Table of Contents

Advertisement

Quick Links

Portions of Aficio MP 2352/2852/3352 series Security Target are reprinted
with written permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey
08855, from IEEE 2600.1, Protection Profile for Hardcopy Devices,
Operational Environment A, Copyright © 2009 IEEE. All rights reserved.
This document is a translation of the evaluated and certified security target
written in Japanese.
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
Aficio MP 2352/2852/3352 series
Security Target
Author : RICOH COMPANY, LTD.
Date
: 2011-12-19
Version : 1.00

Advertisement

Table of Contents
loading

Related Manuals for Ricoh Aficio MP 2852SP

Summary of Contents for Ricoh Aficio MP 2852SP

  • Page 1 08855, from IEEE 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A, Copyright © 2009 IEEE. All rights reserved. This document is a translation of the evaluated and certified security target written in Japanese. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 2: Revision History

    Page 1 of 91 Revision History Version Date Author Detail 1.00 2011-12-19 RICOH COMPANY, LTD. Publication version. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 3: Table Of Contents

    Consistency Claim with TOE Type in PP..............30 2.4.2 Consistency Claim with Security Problems and Security Objectives in PP ..30 2.4.3 Consistency Claim with Security Requirements in PP .......... 31 Security Problem Definitions ....................34 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 4 Tracing ........................67 6.3.2 Justification of Traceability..................69 6.3.3 Dependency Analysis ....................75 6.3.4 Security Assurance Requirements Rationale............77 TOE Summary Specification .....................78 Audit Function ......................78 Identification and Authentication Function ...............80 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 5 Document Access Control Function ................82 Use-of-Feature Restriction Function ................84 Network Protection Function ..................85 Residual Data Overwrite Function................85 Stored Data Protection Function................86 Security Management Function .................86 Software Verification Function...................91 7.10 Fax Line Separation Function..................91 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 6 Table 32 : Results of Dependency Analysis of TOE Security Functional Requirements ......75 Table 33 : List of Audit Events........................78 Table 34 : List of Audit Log Items ........................79 Table 35 : Unlocking Administrators for Each User Role ................81 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 7 Table 38 : List of Cryptographic Operations for Stored Data Protection ............86 Table 39 : Management of TSF Data......................87 Table 40 : List of Static Initialisation for Security Attributes of Document Access Control SFP ....90 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 8: St Introduction

    Enhance Option Type 3352" must be installed on the MFP if the versions of Scanner and Printer are not displayed. TOE Versions Software System/Copy 1.04 Network Support 10.65 01.01.00 RemoteFax 01.00.00 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 9: Toe Overview

    This TOE is an MFP, which is an IT device that inputs, stores, and outputs documents. 1.3.2 TOE Usage The operational environment of the TOE is illustrated below and the usage of the TOE is outlined in this section. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 10: Figure 1 : Example Of Toe Environment

    Print, fax, network transmission, and deletion of the stored documents. Also, the TOE receives information via telephone lines and can store it as a document. Network used in the TOE environment. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 11 RC Gate via network interface is not implemented in the TOE. The RC Gate products include Remote Communication Gate A, Remote Communication Gate Type BN1, and Remote Communication Gate Type BM1. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 12: Major Security Features Of Toe

    The physical boundary of the TOE is the MFP, which consists of the following hardware components (shown in Figure 2): Operation Panel Unit, Engine Unit, Fax Controller Unit, Controller Board, HDD, Ic Hdd, Network Unit, USB Port, SD Card Slot, and SD Card. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 13: Figure 2 : Hardware Configuration Of The Toe

    NVRAM A non-volatile memory medium in which TSF data for configuring MFP operations is stored. Ic Key A security chip that has the functions of random number generation, cryptographic key generation Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 14 GWFCU3.5-1(WW), which is one of the components that constitute the TOE, is the identifier of the Fax Controller Unit. The HDD is a hard disk drive that is a non-volatile memory medium. It stores documents, login user names and login passwords of normal users. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 15: Guidance Documents

    D120-7523 - MP 2352/MP 2852/MP 3352 MP 2352/MP 2852/MP 3352 Aficio MP 2352/MP 2852/MP 3352 Operating Instructions Troubleshooting D120-7533 - Quick Reference Copy Guide D120-7517 - Quick Reference Printer Guide D595-7305 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 16: Table 3 : Guidance For English Version-2

    Manuals and Safety Information for This Machine D120-7500 - Notes on Hard Disk Data Encryption D120-7549 - Manuals for Users MP 2352SP/MP 2852/MP 2852SP/MP 3352/MP 3352SP Aficio MP 2352SP/MP 2852/MP 2852SP/MP 3352/MP 3352SP Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 17: Table 4 : Guidance For English Version-3

    - MP 2352SP/MP 2852/MP 2852SP/MP 3352/MP 3352SP MP 2352SP/MP 2852/MP 2852SP/MP 3352/MP 3352SP Aficio MP 2352SP/MP 2852/MP 2852SP/MP 3352/MP 3352SP Manuals and Safety Information for This Machine D120-7502 - Notes on Hard Disk Data Encryption D120-7550 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 18: Definition Of Users

    The administrator means the user registered for TOE management. According to its roles, the administrator can be classified as the supervisor and the MFP administrator. Up to four MFP administrators can be registered and selectively authorised to perform user management, machine management, network Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 19: Indirect User

    Customer engineer The customer engineer is a person who belongs to the organisation which maintains TOE operation. The customer engineer is in charge of installation, setup, and maintenance of the TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 20: Logical Boundary Of Toe

    The Copy Function is to scan paper documents and copy scanned image data from the Operation Panel. Magnification and other editorial jobs can be applied to the copy image. It can also be stored on the HDD as a Document Server document. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 21 TOE and with which secure communication can be ensured. E-mail transmission is possible only with the mail server and e-mail addresses that the MFP administrator pre-registers in the TOE and with which secure communication can be ensured. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 22 Documents can be printed and deleted using the Operation Panel, while they can be printed, deleted and downloaded from a Web browser. According to the guidance document, users first install the specified fax driver on their own client computers, and then use this function. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 23: Security Functions

    Also, this function provides the recorded audit log in a legible fashion for users to audit. This function can be used only by the MFP administrator to view and delete the recorded audit log. To view and delete the audit log, the Web Function will be used. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 24 If the Printer Function is used, the protection function can be enabled using the printer driver to specify encrypted communication. If the folder transmission function of Scanner Function is used, the protection function can be enabled through encrypted communication. If the e-mail Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 25: Protected Assets

    Digitised documents, deleted documents, temporary documents and their fragments, which are managed by the TOE. Function data Jobs specified by users. In this ST, a "user job" is referred to as a "job". Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 26: Tsf Data

    Login user name An identifier assigned to each normal user, MFP administrator, and supervisor. The TOE identifies users by this identifier. Login password A password associated with each login user name. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 27 One of the document data attributes. Documents sent to IT devices by e-mail or sent to folders, or downloaded on the client computer from the MFP. For these operations the Scanner Function is used. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 28 Consists of a touch screen LCD and key switches. The Operation Panel is used by users to operate the TOE. Users for stored and A list of the normal users who are authorised to read and delete received fax received documents documents. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 29 The TOE displays the Repair Request Notification screen on the Operation Panel if paper jams frequently occur, or if the door or cover of the TOE is left open for a certain period of time while jammed paper is not removed. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 30: Conformance Claim

    Package Claims The SAR package which this ST and TOE conform to is EAL3+ALC_FLR.2. The selected SFR Packages from the PP are: 2600.1-PRT conformant 2600.1-SCN conformant 2600.1-CPY conformant 2600.1-FAX conformant 2600.1-DSR conformant Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 31: Conformance Claim Rationale

    TOE and RC Gate. Also, the protected assets are not operated from the RC Gate. For these reasons, these communications do not affect any security problems and security objectives defined in the PP. Therefore, P.RCGATE.COMM.PROTECT and O.RCGATE.COMM.PROTECT were augmented, yet still conform to the PP. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 32: Consistency Claim With Security Requirements In Pp

    The refinement of FIA_UAU.2 and FIA_UID.2 is to identify the identification and authentication method for normal users or administrator and the identification and authentication method for RC Gate; it is not to change the security requirements specified by the PP. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 33 While FDP_ACF.1.3(b) in the PP allows users with administrator privileges to operate the TOE functions, this ST allows them to operate Fax Reception Function only, which is part of the TOE functions. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 34 The fax reception process, which is accessed when receiving from a telephone line, is regarded as a user with administrator privileges. Therefore, FDP_ACF.1.3(b) in this ST satisfies FDP_ACF.1.3(b) in the PP. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 35: Security Problem Definitions

    TSF Confidential Data under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 36: Organisational Security Policies

    The responsible manager of MFP trains users according to the guidance document and users are aware of the security policies and procedures of their organisation and are competent to follow those policies and procedures. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 37 A.ADMIN.TRUST Trusted administrator The responsible manager of MFP selects administrators who do not use their privileged access rights for malicious purposes according to the guidance document. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 38: Security Objectives

    The TOE shall protect TSF Confidential Data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 39: Security Objectives Of Operational Environment

    If audit logs are exported to a trusted IT product, the responsible manager of MFP shall ensure that those logs can be accessed in order to detect potential security violations, and only by authorised persons. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 40: Non-It Environment

    Log audit The responsible manager of MFP shall ensure that audit logs are reviewed at appropriate intervals according to the guidance document for detecting security violations or unusual patterns of activity. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 41: Security Objectives Rationale

    Table 10 describes the correspondence between the assumptions, threats and organisational security policies, and each security objective. Table 10 : Rationale for Security Objectives T.DOC.DIS T.DOC.ALT T.FUNC.ALT T.PROT.ALT T.CONF.DIS T.CONF.ALT P.USER.AUTHORIZATION P.SOFTWARE.VERIFICATION P.AUDIT.LOGGING P.INTERFACE.MANAGEMENT P.STORAGE.ENCRYPTION P.RCGATE.COMM.PROTECT A.ACCESS.MANAGED A.ADMIN.TRAINING A.ADMIN.TRUST A.USER.TRAINING Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 42: Security Objectives Descriptions

    TOE. By O.PROT.NO_ALT, the TOE protects the TSF protected Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 43 P.USER.AUTHORIZATION is enforced by these objectives. P. SOFTWARE.VERIFICATION P.SOFTWARE.VERIFICATION is enforced by O.SOFTWARE.VERIFIED. By O.SOFTWARE.VERIFIED, the TOE provides measures for self-verifying the executable code of the TSF. P.SOFTWARE.VERIFICATION is enforced by this objective. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 44 By OE.PHYSICAL.MANAGED, the TOE is located in a restricted or monitored environment according to the guidance documents and is protected from the physical access by the unauthorised persons. A.ACCESS.MANAGED is upheld by this objective. A.ADMIN.TRAINING A.ADMIN.TRAINING is upheld by OE.ADMIN.TRAINED. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 45 By OE.USER.TRAINED, the responsible manager of MFP instructs the users in accordance with the guidance documents to make them aware of the security policies and procedures of their organisation, and the users follow those policies and procedures. OE.USER.TRAINED is upheld by this objective. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 46: Extended Components Definition

    Quite often, a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 47 The TSF shall provide the capability to restrict data received on [assignment: the Operation Panel, LAN, telephone line] from being forwarded without further processing by the TSF to [assignment: the LAN and telephone line]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 48: Security Requirements

    RC Gate]. Table 11 shows the action (CC rules) recommended by the CC as auditable for each functional requirement and the corresponding auditable events of the TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 49: Table 11 : List Of Auditable Events

    Minimal: Unsuccessful use of the b) Basic: Success and failure of authentication mechanism; login operation b) Basic: All use of the authentication mechanism; c) Detailed: All TSF mediated actions performed before authentication of the user. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 50 Minimal: Settings of Year-Month-Day and b) Detailed: providing a timestamp. Hour-Minute FTA_SSL.3 a) Minimal: Termination of an a) Minimal: Termination of interactive session by the session session by auto logout. locking mechanism. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 51 The TSF shall provide the audit records in a manner suitable for the user to interpret the information. FAU_SAR.2 Restricted audit review Hierarchical to: No other components. Dependencies: FAU_SAR.1 Audit review Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 52: Class Fcs: Cryptographic Support

    Table 13 : List of Cryptographic Operation Key Type Standard Cryptographic Cryptographic Cryptographic Operation Algorithm Key Size FIPS197 256 bits - Encryption when writing the data cryptographic on HDD - Decryption when reading the data from HDD Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 53: Class Fdp: User Data Protection

    - RC Gate process Object - MFP application Operation - Execute FDP_ACF.1(a) Security attribute based access control Hierarchical to: No other components. Dependencies: FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 54: Table 16 : Subjects, Objects And Security Attributes (A)

    Document +FAXOUT Read Normal user Not allowed. However, it is allowed for data process normal user process that created the document data. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 55: Table 18 : Additional Rules To Control Operations On Document Data And User Jobs (A)

    Objects Document Data Operations Subjects Rules to control Operations Attributes Document +PRT Delete Allows. data administrator process Document +FAXIN Delete Allows. data administrator process Document +DSR Delete Allows. data administrator process Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 56: Table 19 : Subjects, Objects And Security Attributes (B)

    FDP_ACF.1.3(b) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules that the Fax Reception Function operated using administrator permission is surely permitted]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 57: Class Fia: Identification And Authentication

    MFP administrator or the TOE's restart. MFP administrator The lockout for the MFP administrator is released by the lockout time set by the MFP administrator, release operation by a supervisor or the TOE's restart. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 58: Table 23 : List Of Security Attributes For Each User That Shall Be Maintained

    Passwords that are composed of a combination of characters based on the password complexity setting specified by the MFP administrator can be registered. The MFP administrator specifies either Level 1 or Level 2 for password complexity setting. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 59 Help from a Web browser, system status, counter and information of inquiries, execution of fax reception, and repair request notification] on behalf of the user to be performed before the user is identified (refinement: identification with Basic Authentication). Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 60: Table 24 : Rules For Initial Association Of Attributes

    - Available function list Supervisor Supervisor process - User role MFP administrator MFP administrator process - Login user name of MFP administrator - User role RC Gate RC Gate process - User role Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 61: Class Fmt: Security Management

    Query Supervisor Document data attribute No operation permitted None Document user list [when document data attributes are No operation permitted None (+PRT), (+SCN), (+CPY), and (+FAXOUT)] Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 62: Table 26 : User Roles For Security Attributes (B)

    Available function list Query, MFP administrator modify Query Applicable normal user (however, query is not allowed in case of External Authentication) Function type No operation permitted None User role No operation permitted None Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 63: Table 27 : Authorised Identified Roles Allowed To Override Default Values

    FMT_MTD.1 Management of TSF data Hierarchical to: No other components. Dependencies: FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 64: Table 28 : List Of Tsf Data

    S/MIME user information (however, operation of query on user certificate is not allowed in case of External Authentication) Newly create, modify, query, MFP administrator Destination information for delete folder transmission Query Normal user Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 65: Table 29 : List Of Specification Of Management Functions

    Query and modification of document user list by the normal user who stored the document Query and modification of available function list by MFP administrator Query of own available function list by normal user when the Basic Authentication is used Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 66: Class Fpt: Protection Of The Tsf

    The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the audit log data file]]. FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the stored TSF executable code]]. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 67: Class Fta: Toe Access

    The evaluation assurance level of this TOE is EAL3+ALC_FLR.2. Table 31 lists the assurance components of the TOE. ALC_FLR.2 was added to the set of components defined in evaluation assurance level 3 (EAL3). Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 68: Security Requirements Rationale

    Table 32 shows the relationship between the TOE security functional requirements and TOE security objectives. Table 32 shows that each TOE security functional requirement fulfils at least one TOE security objective. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 69: Table 31 : Relationship Between Security Objectives And Functional Requirements

    Table 32 : Relationship between Security Objectives and Functional Requirements FAU_GEN.1 FAU_GEN.2 FAU_STG.1 FAU_STG.4 FAU_SAR.1 FAU_SAR.2 FCS_CKM.1 FCS_COP.1 FDP_ACC.1(a) FDP_ACC.1(b) FDP_ACF.1(a) FDP_ACF.1(b) FDP_RIP.1 FIA_AFL.1 FIA_ATD.1 FIA_SOS.1 FIA_UAU.1(a) FIA_UAU.1(b) FIA_UAU.2 FIA_UAU.7 FIA_UID.1(a) FIA_UID.1(b) FIA_UID.2 FIA_USB.1 FPT_FDI_EXP.1 FMT_MSA.1(a) FMT_MSA.1(b) FMT_MSA.3(a) Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 70: Justification Of Traceability

    FMT_MSA.1(a) specifies the available operations (newly create, query, modify and delete) on the login user name, and available operations (query and modify) on the document user list, and a specified user Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 71 Deletion is the only modification operation on this TOE's user jobs. (2) Use trusted channels for sending or receiving user jobs. The user jobs sent and received by the TOE via the LAN are protected by FTP_ITC.1. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 72 The TSF confidential data sent and received by the TOE via the LAN are protected by FTP_ITC.1. By satisfying FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 and FTP_ITC.1, which are the security functional requirements for these countermeasures, O.CONF.NO_DIS is fulfilled. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 73 FDP_ACC.1(b) and FDP_ACF.1(b) allow the applicable normal user to use the MFP application according to the operation permission granted to the successfully identified and authenticated normal user. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 74 (2) Automatically terminate the connection to the Operation Panel and LAN interface. FTA_SSL.3 terminates the session after no operation is performed from the Operation Panel or LAN interface for certain period. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 75 O.STORAGE.ENCRYPTED Encryption of storage devices O.STORAGE.ENCRYPTED is the security objective to ensure the data to be written into the HDD is encrypted. To fulfil this security objective, it is required to implement the following countermeasures. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 76: Dependency Analysis

    FPT_STM.1 FPT_STM.1 None FAU_GEN.2 FAU_GEN.1 FAU_GEN.1 None FIA_UID.1 FIA_UID.1 FAU_STG.1 FAU_GEN.1 FAU_GEN.1 None FAU_STG.4 FAU_STG.1 FAU_STG.1 None FAU_SAR.1 FAU_GEN.1 FAU_GEN.1 None FAU_SAR.2 FAU_SAR.1 FAU_SAR.1 None FCS_CKM.1 [FCS_CKM.2 or FCS_COP.1 FCS_CKM.4 FCS_COP.1] Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 77 [FDP_ACC.1(b) FDP_ACC.1(b) None or FDP_IFC.1] FMT_SMR.1 FMT_SMR.1 FMT_SMF.1 FMT_SMF.1 FMT_MSA.3(a) FMT_MSA.1(a) FMT_MSA.1(a) None FMT_SMR.1 FMT_SMR.1 FMT_MSA.3(b) FMT_MSA.1(b) FMT_MSA.1(b) None FMT_SMR.1 FMT_SMR.1 FMT_MTD.1 FMT_SMR.1 FMT_SMR.1 None FMT_SMF.1 FMT_SMF.1 FMT_SMF.1 None None None Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 78: Security Assurance Requirements Rationale

    TOE operation according to flow reporting procedure (ALC_FLR.2). Based on the terms and costs of the evaluation, the evaluation assurance level of EAL3+ALC_FLR.2 is appropriate for this TOE. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 79: Toe Summary Specification

    Success and failure of login operations (except login operations from RC Gate) Success and failure of login operations from RC Gate communication interface Table 30 Record of Management Function Date settings (year/month/day), time settings (hour/minute) Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 80: Table 34 : List Of Audit Log Items

    - Web Function communication - Folder transmission - Printing via networks - LAN Fax via networks - Communication with RC Gate Communicating e-mail Communicating e-mail address for - E-mail transmission address e-mail transmission Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 81: Identification And Authentication Function

    When the sent login user name and login password are identified and authenticated, the user is allowed to use the TOE according to the identified user role. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 82: Table 35 : Unlocking Administrators For Each User Role

    "unlocking administrator" shown in Table 37 and specified for each user role releases the lockout. Table 37 : Unlocking Administrators for Each User Role User Roles (Locked out Users) Unlocking Administrators Normal user MFP administrator Supervisor MFP administrator MFP administrator Supervisor Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 83: Document Access Control Function

    The TOE controls user operations for document data and user jobs in accordance with (1) access control rule on document data and (2) access control rule on user jobs. (1) Access control rule on document data Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 84 Operation Scanner Function Scanner documents Folder transmission Panel Delete Fax transmission Operation Folder transmission Fax Function Fax transmission documents Panel Print Delete Operation Print Fax Function Fax reception documents Panel Delete Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 85: Use-Of-Feature Restriction Function

    The Use-of-Feature Restriction Function is to authorise TOE users to use Copy Function, Printer Function, Scanner Function, Document Server Function and Fax Function in accordance with the roles of the identified and authenticated TOE users and user privileges set for each user. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 86: Network Protection Function

    For sequential overwriting, the TOE constantly monitors the information on a residual data area, and overwrites the area if any existing residual data is discovered. If the user deletes document data, the TOE Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 87: Stored Data Protection Function

    Function, and 3) set appropriate default values to security attributes, all of which accord with user role privileges or user privileges that are assigned to normal users, MFP administrator, or supervisor. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 88 Web browser modify user who stored the documents Query, MFP administrator modify Query Operation Panel, Available function list (Query is Web browser Applicable normal unavailable for user External Authentication) Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 89 Query, Audit log Web browser MFP administrator delete HDD cryptographic key Operation panel Newly create MFP administrator Newly create, Operation Panel, modify, S/MIME user information MFP administrator Web browser query, delete Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 90 FMT_MSA.3(a) and FMT_MSA.3(b) The TOE sets default values for objects according to the rules described in Table 43 when those objects are generated. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.
  • Page 91 For Document Server Function, values to Function) identify Document Server Function. For Printer Function, values to identify Printer Function. For Scanner Function, values to identify Scanner Function. For Fax Function, values to identify Fax Function. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

  • Page 92: Software Verification Function

    Since the TOE is set to prohibit forwarding of received fax data during installation, received fax data will not be forwarded. Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

This manual is also suitable for:

Aficio mp 2852Aficio mp 2352spAficio mp 2352 seriesAficio mp 3352 seriesAficio mp 3352sp

Table of Contents