The IEEE p2600 working group is defining a security standard for hardcopy devices, as well as
recommendations for the security capabilities of devices when deployed in various environments,
including enterprise, high-security, small office/home office, and public spaces.
The p2600 working group has broad industry participation, including Hewlett-Packard, Lexmark,
Canon, Xerox, Sharp, Ricoh, IBM, Epson, Okidata, Equitrac, and Oce.
The p2600 standard will provide a means for credibly measuring the security capabilities of individual
manufacturers. HP is actively participating within the working group, and will Common Criteria-certify
products to the standard when complete. As of this time, HP devices support the majority of capabilities
specified in the draft documents.
The National Institute of Standards and Technology (NIST) has been tasked by U.S. legislation to
develop checklists that facilitate security configuration of devices likely to be used by the U.S. Federal
Government. NIST has asked IT equipment manufacturers to develop these security checklists for
their products. Details of the checklist program are available at http://csrc.nist.gov/checklists.
NIST will review manufacturers' checklists for relevance and correctness and publish those checklists
on a searchable NIST website.
HP considers security checklists a means to significantly improve the ease of configuring security
capabilities for imaging and printing products. A security checklist for the HP LaserJet 4345mfp is
available for public review at http://checklists.nist.gov/repository/, and is currently the only
hardcopy product checklist available from any manufacturer. HP plans to develop additional checklists
for hardcopy devices in the future.
Conclusion: look beyond Common Criteria Certification
Ultimately, individuals must look carefully at their requirements and not be swayed by manufacturer
advertising claims. Common Criteria Certification adds significant cost and development time to
products, while providing limited assurance of the product's actual capabilities and potential
vulnerabilities. Products that are not certified may actually provide more robust security capabilities than
products that are certified. NIST security checklists simplify the complex process of enabling security
functions, and better illustrate the product's capabilities.
HP's imaging and printing security framework
To simplify the presentation of security concepts, HP developed an imaging and printing security
framework with three categories of security functions:
Secure the Device
Includes elements that protect the function of the physical device, including access controls for
management and use, secure deletion of files, and physical security.
Protect Information on
Includes network communications, including media access protocols such as 802.1x and secure
management, scanning, and printing protocols.
Effectively Monitor and
Includes the capabilities to securely manage fleets of imaging and printing devices and audit
devices for compliance with security policies and regulatory requirements.
The categories within HP's imaging and printing security framework are built from traditional network
security theory, which identifies the four elements that compose a secure system: confidentiality, access
control, integrity, and non-repudiation.