Ricoh Mp C3001 Instruction Manual

							    Page 20 of 93 
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved. 
1.4.3.2. Indirect User 
Responsible manager of MFP 
The responsible manager of MFP is a person who is responsible for selection of the TOE administrators in 
the organisation where the TOE is used. 
Customer engineer 
The customer engineer is a person who belongs to the organisation which maintains TOE operation. The 
customer engineer is in charge of installation, setup, and maintenance of the TOE.  
						

							    Page 21 of 93 
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved. 
1.4.4  Logical Boundary of TOE 
The Basic Functions and Security Functions are described as follows: 
 
 
Figure 3 : Logical Scope of the TOE 
1.4.4.1. Basic Functions 
The overview of the Basic Functions is described as follows: 
Copy Function 
The Copy Function is to scan paper documents and copy scanned image data from the Operation Panel. 
Magnification and other editorial jobs can be applied to the copy image. It can also be stored on the HDD as 
a Document Server document.    
						

							    Page 22 of 93 
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved. 
Printer Function 
The Printer Function of TOE is to print or store the documents the TOE receives from the printer driver 
installed on the client computer. It also allows users to print and delete the stored documents from the 
Operation Panel or a Web browser. 
-  Receiving documents from the printer driver installed on the client computer. 
The TOE receives documents from the printer driver installed on the client computer. Printing 
methods for documents is selected by users from the printer driver. The printing methods include 
direct print, Document Server storage, locked print, stored print, hold print, and sample print. 
For direct print, documents received by the TOE will be printed. The documents will not be stored 
in the TOE. 
For Document Server storage, the received documents will be stored on the HDD as Document 
Server documents. 
For locked print, stored print, hold print, and sample print, the received documents will be stored 
on the HDD as printer documents. A dedicated password, which is used for locked print, is not 
subject to this evaluation. 
-  Operating from the Operation Panel 
The TOE can print or delete printer documents according to the operations by users from the 
Operation Panel. 
-  Operating from a Web browser 
The TOE can print or delete printer documents according to the operations by users from a Web 
browser. 
-  Deleting printer documents by the TOE 
The deletion of printer documents by the TOE differs depending on printing methods. If locked 
print, hold print, or sample print is specified, the TOE deletes printer documents when printing is 
complete. If stored print is specified, the TOE does not delete printer documents even when 
printing is complete. 
According to the guidance document, users first install the specified printer driver on their own client 
computers, and then use this function. 
Scanner Function 
The Scanner Function is to scan paper documents by using the Operation Panel. The scanned documents will 
be sent to folders or by e-mail. The documents to be sent to folders or by e-mail will be stored in the TOE, so 
that they can be transmitted afterwards. The documents stored in the TOE are called scanner documents. 
Scanner documents can be sent to folders or by e-mail, or deleted from the Operation Panel or a Web 
browser. 
Folder transmission can be applied only to the destination folders in a server that the MFP administrator 
pre-registers in the TOE and with which secure communication can be ensured. E-mail transmission is 
possible only with the mail server and e-mail addresses that the MFP administrator pre-registers in the TOE 
and with which secure communication can be ensured.  
						

							    Page 23 of 93 
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved. 
Fax Function 
The Fax Function is to send paper documents and documents received from the fax driver installed on the 
client computer to external faxes (Fax Transmission Function). Also, this function can be used to receive 
documents from external faxes (Fax Reception Function). 
Documents to be sent by fax can be stored in the TOE. Those documents stored in the TOE for fax 
transmission are called fax documents. Fax documents can be sent by fax, and they also can be printed, 
deleted, and sent to folders. 
The documents received by fax can be stored in the TOE, printed, deleted from the TOE, and downloaded to 
the client computer. 
-  Fax Transmission Function 
A function to send paper documents, documents in the client computer, and fax documents to 
external faxes over a telephone line. 
Paper documents will be scanned and sent by fax using the Operation Panel. The documents in the 
client computer are sent by fax from the fax driver installed on the client computer. Fax documents 
are sent by fax from the Operation Panel or a Web browser. Documents can be sent by fax only to 
the telephone numbers that are pre-registered in the TOE. 
-  Fax Data Storage Function 
A function to temporarily store paper documents or documents in the client computer for fax 
transmission in the TOE. Those documents stored in the TOE are called fax documents. Paper 
documents will be scanned and stored using the Operation Panel. The documents in the client 
computer are sent to and stored in the TOE by operating the fax driver installed on the client 
computer. 
-  Operation Function for Fax Documents 
A function to print or delete fax documents. This function can be used from the Operation Panel or 
a Web browser. 
-  Folder Transmission Function of Fax Data 
A function to send fax documents to folders by using the Operation Panel. 
The MFP administrator must pre-register the destination server that provides secure 
communication with the TOE. Users select the destination server from the servers that the MFP 
administrator pre-registers, and send data to the folder. 
-  Fax Reception Function 
A function to receive documents from external faxes via the telephone line and store the received 
documents in the TOE. Those stored documents in the TOE are called received fax documents. 
-  Operation Function for Received Fax Documents 
A function to operate the received fax documents from the Operation Panel or a Web browser. 
Documents can be printed and deleted using the Operation Panel, while they can be printed, deleted 
and downloaded from a Web browser. 
According to the guidance document, users first install the specified fax driver on their own client computers, 
and then use this function.  
						

							    Page 24 of 93 
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved. 
Document Server Function 
The Document Server Function is to operate documents stored in the TOE by using the Operation Panel and 
a Web browser. 
From the Operation Panel, users can store, print and delete Document Server documents. Also, users can 
print and delete fax documents. 
From a Web browser, users can print and delete Document Server documents, fax, print, download, and 
delete fax documents. Also, users can send scanner documents to folders or by e-mail, download and delete 
them. 
Management Function 
The Management Function is to control the MFPs overall behaviour. This function can be implemented 
using the Operation panel or a Web browser. 
Maintenance Function 
The Maintenance Function is to perform maintenance service for the MFP if it is malfunctioning. When 
analysing causes of the malfunction, a customer engineer performs this function from the Operation Panel. 
The customer engineer will implement this function following the procedures that are allowed to customer 
engineers only. If the MFP administrator sets the Service Mode Lock Function to ON, the customer 
engineer cannot use this function. 
In this ST, the Service Mode Lock Function is set to ON for the target of evaluation. 
Web Function 
A function for the TOE user to remotely control the TOE from the client computer. To control the TOE 
remotely, the TOE user needs to install the designated Web browser on the client computer following the 
guidance documents and connect the client computer to the TOE via the LAN. 
@Remote Service Function 
A function for the TOE to communicate with RC Gate via networks for @Remote Service. As for the 
configuration of this TOE, this function has no access to the protected assets. 
1.4.4.2. Security Functions 
The Security Functions are described as follows: 
Audit Function 
The Audit Function is to generate the audit log of TOE use and security-relevant events (hereafter, audit 
events). Also, this function provides the recorded audit log in a legible fashion for users to audit. This 
function can be used only by the MFP administrator to view and delete the recorded audit log. To view and 
delete the audit log, the Web Function will be used.    
						

							    Page 25 of 93 
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved. 
Identification and Authentication Function 
The Identification and Authentication Function is to verify persons before they use the TOE. The persons are 
allowed to use the TOE only when confirmed as the authorised user. 
Users can use the TOE from the Operation Panel or via the network. By the network, users can use the TOE 
from a Web browser, printer/fax driver, and RC Gate. 
To use the TOE from the Operation Panel or a Web browser, a user will be required to enter his or her login 
user name and login password so that the user can be verified as a normal user, MFP administrator, or 
supervisor. 
To use the Printer or Fax Function from the printer or fax driver, a user will be required to enter his or her 
login user name and login password received from the printer or fax drivers, so that the user can be verified 
as a normal user. 
To use the @Remote Service Function from the RC Gate communication interface, it will be verified 
whether the communication request is sent from RC Gate. 
Methods to verify normal users are Basic Authentication and external server authentication. The users will be 
verified by the MFP administrator-specified procedure, whereas the MFP administrator and supervisor can 
be verified only by the Basic Authentication. 
This function includes protection functions for the authentication feedback area, where dummy characters are 
displayed if a login password is entered using the Operation Panel. In addition to this and for the Basic 
Authentication only, this function can be used to register passwords that fulfil the requirements of the 
Minimum Character No. (i.e. minimum password length) and obligatory character types the MFP 
administrator specifies, so that the lockout function can be enabled and login password quality can be 
protected. 
Document Access Control Function 
The Document Access Control Function is to authorise the operations for documents and user jobs by the 
authorised TOE users who are authenticated by Identification and Authentication Function. It allows users 
operation on the user documents and user jobs based on the privileges for the user role, or the operation 
permissions for each user. 
Use-of-Feature Restriction Function 
The Use-of-Feature Restriction Function is to authorise the operations of Copy Function, Printer Function, 
Scanner Function, Document Server Function and Fax Function by the authorised TOE users who are 
authenticated by Identification and Authentication Function. It authorises the use of functions based on the 
user role and the operation permissions for each user. 
Network Protection Function 
The Network Protection Function is to prevent information leakage through wiretapping on the LAN and 
detect data tampering. The protection function can be enabled using a Web browser to specify the URL for 
possible encrypted communication. If the Printer Function is used, the protection function can be enabled 
using the printer driver to specify encrypted communication. If the folder transmission function of Scanner 
Function is used, the protection function can be enabled through encrypted communication. If the e-mail  
						

							    Page 26 of 93 
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved. 
transmission function of Scanner Function is used, the protection function can be enabled through encrypted 
communication with communication requirements that are specified for each e-mail address. If the LAN-Fax 
Transmission Function of Fax Function is used, the protection function can be enabled using the fax driver to 
specify encrypted communication. When communicating with RC Gate, encrypted communication is used. 
Residual Data Overwrite Function 
The Residual Data Overwrite Function is to overwrite specific patterns on the HDD and disable the reusing 
of the residual data included in deleted documents, temporary documents and their fragments on the HDD. 
Stored Data Protection Function 
The Stored Data Protection Function is to encrypt the data on the HDD and protect the data so that data 
leakage can be prevented. 
Security Management Function 
The Security Management Function is to control operations for TSF data in accordance with user role 
privileges or user privileges allocated to normal users, MFP administrator, and supervisor. 
Software Verification Function 
The Software Verification Function is to verify the integrity of the executable codes of the MFP Control 
Software and FCU Control Software and to ensure that they can be trusted. 
Fax Line Separation Function 
The Fax Line Separation Function is to restrict input information from the telephone lines so that only fax 
data can be received and unauthorised intrusion from the telephone lines (same as the fax line) can be 
prevented. Also, this function can be used to prohibit transmissions of received faxes so that unauthorised 
intrusion from the telephone lines to the LAN can be prevented. 
1.4.5 Protected Assets 
Assets to be protected by the TOE are user data, TSF data, and functions. 
1.4.5.1. User Data 
The user data is classified into two types: document data and function data. Table 8 defines user data 
according to these data types. 
Table 8 : Definition of User Data 
Type Description 
Document 
data Digitised documents, deleted documents, temporary documents and their 
fragments, which are managed by the TOE. 
Function  Jobs specified by users. In this ST, a user job is referred to as a job.  
						

							    Page 27 of 93 
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved. 
data 
1.4.5.2. TSF Data 
The TSF data is classified into two types: protected data and confidential data. Table 9 defines TSF data 
according to these data types. 
Table 9 : Definition of TSF Data 
Type Description 
Protected data  This data must be protected from changes by unauthorised persons. No security 
threat will occur even this data is exposed to the public. In this ST, protected 
data, listed below, is referred to as TSF protected data. 
Login user name, Number of Attempts before Lockout, settings for Lockout 
Release Timer, lockout time, date settings (year/month/day), time settings, 
Minimum Character No., Password Complexity Setting, S/MIME user 
information, destination folder, stored and received document user, document 
user list, available function list, and user authentication procedures. 
Confidential data  This data must be protected from changes by unauthorised persons and reading by 
users without viewing permissions. In this ST, confidential data, listed below, is 
referred to as TSF confidential data. 
Login password, audit log, and HDD cryptographic key. 
1.4.5.3. Functions 
The MFP applications (Copy Function, Document Server Function, Printer Function, Scanner Function, and 
Fax Function) that are for management of the document data of user data are classified as protected assets, 
whose use is subject to restrictions. 
1.5 Glossary 
1.5.1  Glossary for This ST 
For clear understanding of this ST, Table 10 provides the definitions of specific terms. 
Table 10 : Specific Terms Related to This ST 
Terms Definitions 
MFP Control Software  A software component installed in the TOE. This component is stored in 
FlashROM and SD Card. The components that identify the TOE include 
System/Copy, Network Support, Scanner, Printer, Fax, RemoteFax, Web 
Support, Web Uapl, NetworkDocBox, animation, PCL, OptionPCLFont, 
LANG0, LANG1 and Data Erase Std.  
						

							    Page 28 of 93 
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved. 
Terms Definitions 
Login user name  An identifier assigned to each normal user, MFP administrator, and supervisor. 
The TOE identifies users by this identifier. 
Login password  A password associated with each login user name. 
Lockout  A type of behaviour to deny login of particular users. 
Auto logout  A function for automatic user logout if no access is attempted from the 
Operation Panel or Web Function before the predetermined auto logout time 
elapses. 
Auto logout time for the Operation Panel:   
Time specified by the MFP administrator within 60 to 999 seconds.   
Auto logout time for the Web Function:   
30 minutes (this cannot be changed by users). This auto logout time is also 
referred to as fixed auto logout time. 
Minimum Character No.  The minimum number of registrable password digits. 
Password Complexity 
Setting The minimum combination of the characters and symbols that can be used as 
registrable passwords. 
There are four types of characters: uppercase and lower case alphabets, digits 
and symbols. 
There are Level 1 and Level 2 Password Complexity Settings. Level 1 requires a 
password to be a combination of two or more types of characters and symbols 
specified above. Level 2 requires a password to be a combination of three or 
more types of characters and symbols specified above. 
Basic Authentication  One of the procedures for identification and authentication of TOE users who 
are authorised to use the TOE. The TOE authenticates TOE users by using the 
login user names and the login passwords registered on the TOE. 
External Authentication  One of the procedures for identification and authentication of TOE users who 
are authorised to use the TOE. The TOE authenticates TOE users by using the 
login user names and the login passwords registered on the external 
authentication server connected to the MFP via LAN. External Authentication 
implemented in the TOE includes Windows Authentication, LDAP 
Authentication, and Integration Server Authentication. Windows Authentication 
supports NTLM Authentication and Kerberos Authentication. As for this ST, the 
term External Authentication refers to Windows Authentication using 
Kerberos Authentication method. 
HDD  An abbreviation of hard disk drive. In this document, unless otherwise specified, 
HDD indicates the HDD installed on the TOE. 
User job  A sequence of operations of each TOE function (Copy Function, Document 
Server Function, Scanner Function, Printer Function and Fax Function) from 
beginning to end. A user job may be suspended or cancelled by users during 
operation. If a user job is cancelled, the job will be terminated. 
Documents  General term for paper documents and electronic documents used in the TOE. 
Document data 
attributes  Attributes of document data, such as +PRT, +SCN, +CPY, +FAXOUT, 
+FAXIN, and +DSR. 
+PRT  One of the document data attributes. Documents printed from the client 
computer, or documents stored in the TOE by locked print, hold print, and 
sample print using the client computer.  
						

							    Page 29 of 93 
Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved. 
Terms Definitions 
+SCN  One of the document data attributes. Documents sent to IT devices by e-mail or 
sent to folders, or downloaded on the client computer from the MFP. For these 
operations the Scanner Function is used. 
+CPY  One of the document data attributes. Documents copied by using Printer 
Function. 
+FAXOUT  One of the document data attributes. Documents sent by fax or to folders by 
using Fax Function. 
+FAXIN  One of the document data attributes. Documents received from the telephone 
line. Documents stored in the TOE after the reception are also included. 
+DSR  One of the document data attributes. Document stored in the TOE by using Copy 
Function, Scanner Function, Document Server Function, and Fax Data Storage 
Function. Documents stored in the TOE after being printed with Document 
Server printing or stored print from the client computer, 
Document user list  One of the security attributes of document data. 
A list of the login user names of the normal users whose access to documents is 
authorised, and it can be set for each document data. This list does not include 
the login user names of MFP administrators whose access to the document data 
is possible for administration. 
Stored documents  Documents stored in the TOE so that they can be used with Document Server 
Function, Printer Function, Scanner Function, and Fax Function. 
Stored document type  Classification of stored documents according to their purpose of use. This 
includes Document Server documents, printer documents, scanner documents, 
fax documents, and received fax documents. 
Document Server 
documents One of the stored document types. Documents stored in the TOE when 
Document Server storage is selected as the printing method for Copy Function, 
Document Server Function, and Printer Function. 
Printer documents  One of the stored document types. Documents stored in the TOE when any one 
of locked print, hold printing, and sample print is selected as the printing method 
for Printer Function. 
Scanner documents  One of the stored document types. Documents stored in the TOE using Scanner 
Function. 
Fax documents  One of the stored document types. Documents scanned and stored using Fax 
Function, and those stored using the LAN Fax. 
Received fax documents  One of the stored document types. Documents received by fax and stored. These 
documents are externally received and whose users cannot be identified. 
MFP application  A general term for each function the TOE provides: Copy Function, Document 
Server Function, Scanner Function, Printer Function, and Fax Function. 
Available function list  A list of the functions (Copy Function, Printer Function, Scanner Function, 
Document Server Function, and Fax Function) that normal users are authorised 
to access. This list is assigned as an attribute of each normal user. 
Operation Panel  Consists of a touch screen LCD and key switches. The Operation Panel is used 
by users to operate the TOE.