Ricoh Mp C3001 Instruction Manual
Page 30 of 93 Copyright (c) 2011 RICOH COMPANY, LTD. All rights reserved.

Terms: Definitions

Users for stored and received documents: A list of the normal users who are authorised to read and delete received fax documents.

Folder transmission: A function that sends documents from the MFP via networks to a shared folder in an SMB Server by using SMB protocol or that sends documents to a shared folder in an FTP Server by using FTP protocol. The following documents can be delivered to folders: scanned documents using Scanner Function and Fax Function, and scanned and stored documents using Scanner Function and Fax Function. IPSec protects the communication for realising this function.

Destination folder: Destination information for the folder transmission function. The destination folder includes the path information to the destination server, the folder in the server, and identification and authentication information for user access. The destination folder is registered and managed by the MFP administrator.

E-mail transmission: A function to send documents by e-mail from the MFP via networks to the SMTP Server. The documents that can be delivered using this function include: scanned documents using Scanner Function, and scanned and stored document data using Scanner Function. S/MIME protects the communication for realising this function.

S/MIME user information: This information is required for e-mail transmission using S/MIME. Also, this information consists of e-mail address, user certificate, and encryption setting (S/MIME setting). Uniquely provided for each e-mail address, the S/MIME user information is registered and managed by the MFP administrator.

LAN Fax: One of Fax Functions. A function that transmits fax data and stores the documents using the fax driver on client computer. Sometimes referred to as PC FAX.

@Remote: General term for remote diagnosis maintenance services for the TOE. Also called @Remote Service.

Maintenance centre: The facility where the centre server of @Remote is located.

Repair Request Notification: A function for users to request a repair to the maintenance centre via RC Gate from the TOE. The TOE displays the Repair Request Notification screen on the Operation Panel if paper jams frequently occur, or if the door or cover of the TOE is left open for a certain period of time while jammed paper is not removed.
2 Conformance Claim

This section describes Conformance Claim.

2.1 CC Conformance Claim

The CC conformance claim of this ST and TOE is as follows:

- CC version for which this ST and TOE claim conformance
  Part 1: Introduction and general model July 2009 Version 3.1 Revision 3 Final (Japanese translation ver.1.0 Final) CCMB-2009-07-001
  Part 2: Security functional components July 2009 Version 3.1 Revision 3 Final (Japanese translation ver.1.0 Final) CCMB-2009-07-002
  Part 3: Security assurance components July 2009 Version 3.1 Revision 3 Final (Japanese translation ver.1.0 Final) CCMB-2009-07-003
- Functional requirements: Part 2 extended
- Assurance requirements: Part 3 conformance

2.2 PP Claims

The PP to which this ST and TOE are demonstrably conformant is:

PP Name/Identification: 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A
Version: 1.0, dated June 2009

Notes: The PP name which is published in Common Criteria Portal is IEEE Standard for a Protection Profile in Operational Environment A (IEEE Std 2600.1-2009).

2.3 Package Claims

The SAR package which this ST and TOE conform to is EAL3+ALC_FLR.2.

The selected SFR Packages from the PP are:

2600.1-PRT conformant
2600.1-SCN conformant
2600.1-CPY conformant
2600.1-FAX conformant
2600.1-DSR conformant
2600.1-SMI conformant

2.4 Conformance Claim Rationale

2.4.1 Consistency Claim with TOE Type in PP

The product type targeted by the PP is Hardcopy devices (hereafter, HCDs). The HCDs consist of the scanner device and print device, and have an interface to connect to a telephone line. The HCDs combine these devices and are equipped with one or more of Copy Function, Scanner Function, Printer Function or Fax Function. The Document Server Function is also available when a non-volatile memory medium, such as a hard disk drive, is installed as additional equipment.

The MFP is the type of this TOE. The MFP has the devices the HCDs have, and is equipped with the functions that HCDs are equipped with, including the additional equipment. Therefore, this TOE type is consistent with the TOE type in the PP.

2.4.2 Consistency Claim with Security Problems and Security Objectives in PP

Defining all security problems in the PP, P.STORAGE_ENCRYPTION and P.RCGATE.COMM.PROTECT were augmented to the security problem definitions in chapter 3. Defining all security objectives in the PP, O.STORAGE.ENCRYPTED and O.RCGATE.COMM.PROTECT were augmented to the security objectives in chapter 4. Described below is the rationale for these augmented security problems and security objectives that conform to the PP.

Although the PP is written in English, the security problem definitions in chapter 3 and security objectives in chapter 4 are translated from English into Japanese. If the literal translation of the PP was thought to be difficult for readers to understand the PP in Japanese, the translation was made comprehensible. This, however, does not mean that its description deviates from the requirements of the PP conformance. Also, the description is neither increased nor decreased.
Augmentation of P.STORAGE_ENCRYPTION and O.STORAGE.ENCRYPTED

P.STORAGE_ENCRYPTION and O.STORAGE.ENCRYPTED encrypt data on HDD and satisfy both other organisational security policies in the PP and security objectives of the TOE. Therefore, P.STORAGE_ENCRYPTION and O.STORAGE.ENCRYPTED were augmented but still conform to the PP.

Augmentation of P.RCGATE.COMM.PROTECT and O.RCGATE.COMM.PROTECT

P.RCGATE.COMM.PROTECT and O.RCGATE.COMM.PROTECT refer to security problems and security objectives respectively, both of which are concerned with communications between the TOE and RC Gate. These communications are not assumed in the PP, so that they are independent from the PP. Neither transmission nor reception of the protected assets defined in the PP takes place in the communication between the TOE and RC Gate. Also, the protected assets are not operated from the RC Gate. For these reasons, these communications do not affect any security problems and security objectives defined in the PP. Therefore, P.RCGATE.COMM.PROTECT and O.RCGATE.COMM.PROTECT were augmented, yet still conform to the PP.
For those points mentioned above, the security problems and security objectives in this ST are consistent with those in the PP.

2.4.3 Consistency Claim with Security Requirements in PP

The SFRs for this TOE consist of the Common Security Functional Requirements, 2600.1-PRT, 2600.1-SCN, 2600.1-CPY, 2600.1-FAX, 2600.1-DSR, and 2600.1-SMI.

The Common Security Functional Requirements are the indispensable SFR specified by the PP. 2600.1-PRT, 2600.1-SCN, 2600.1-CPY, 2600.1-FAX, 2600.1-DSR, and 2600.1-SMI are selected from the SFR Package specified by the PP.

2600.1-NVS is not selected because this TOE does not have any non-volatile memory medium that is detachable.

Although the security requirements of this ST were partly augmented and instantiated over the security requirements of the PP, they are still consistent with the PP. Described below are the parts augmented and instantiated with the reasons for their consistency with the PP.

Augmentation of FAU_STG.1, FAU_STG.4, FAU_SAR.1, and FAU_SAR.2

FAU_STG.1, FAU_STG.4, FAU_SAR.1, and FAU_SAR.2 are augmented according to PP APPLICATION NOTE 7 in order for the TOE to maintain and manage the audit logs.

Augmentation of FIA_AFL.1, FIA_UAU.7, and FIA_SOS.1

For the Basic Authentication function of the TOE, FIA_AFL.1, FIA_UAU.7, and FIA_SOS.1 are augmented according to PP APPLICATION NOTE 36.

Refinement of FIA_UAU.1(a), FIA_UAU.1(b), FIA_UID.1(a), FIA_UID.1(b), and FIA_SOS.1

For authentication of normal users of this TOE, Basic Authentication conducted by the TOE and authentication conducted by the external authentication server can be used. According to PP APPLICATION NOTE 35, the authentications of users are assumed to be executed by the TOE or external IT devices. For this reason, both Basic Authentication and External Authentication comply with the PP.
The refinement of FIA_UAU.1(a), FIA_UAU.1(b), FIA_UID.1(a), FIA_UID.1(b), and FIA_SOS.1 is to identify these authentication methods; it is not to change the security requirements specified by the PP.

Augmentation and Refinement of FIA_UAU.2 and FIA_UID.2

Since the identification and authentication method for RC Gate differs from the identification and authentication methods for normal users or administrator, FIA_UAU.2 and FIA_UID.2 are augmented according to PP APPLICATION NOTE 37 and PP APPLICATION NOTE 41, aside from FIA_UAU.1(a), FIA_UAU.1(b), FIA_UID.1(a) and FIA_UID.1(b).

The refinement of FIA_UAU.2 and FIA_UID.2 is to identify the identification and authentication method for normal users or administrator and the identification and authentication method for RC Gate; it is not to change the security requirements specified by the PP.
Ownership of Received Fax Documents

For the ownership of the received fax documents, the TOE has the characteristic that the ownership of the document is assigned to the intended user. This is according to PP APPLICATION NOTE 93.

Augmentation of FCS_CKM.1 and FCS_COP.1

This TOE claims O.STORAGE.ENCRYPTED as the security objectives for the data protection applied to non-volatile memory media that are neither allowed to be attached nor removed by the administrator. To fulfil this claim, additional changes were augmented to the functional requirements FCS_CKM.1 and FCS_COP.1 and to the functional requirements interdependent with FCS_CKM.1 and FCS_COP.1; however, these changes still satisfy the functional requirements demanded in the PP.

Augmentation of information protected by FTP_ITC.1

FTP_ITC.1 was changed in this TOE. This change only augmented communication with RC Gate via LAN on the information protected by FTP_ITC.1 that the PP requires; it is to restrict the requirements in the PP. Therefore, this satisfies the functional requirements demanded in the PP.

Augmentation of restricted forwarding of data to external interface (FPT_FDI_EXP)

This TOE, in accordance with the PP, extends the functional requirement Part 2 due to the addition of the restricted forwarding of data to external interfaces (FPT_FDI_EXP).

Consistency Rationale of FDP_ACF.1(a)

While FDP_ACF.1.1(a) and FDP_ACF.1.2(a) in the PP require the access control SFP to the document data that is defined for each SFR package in the PP, this ST requires the access control SFP to the document data that is defined for each document data attribute, which is the security attribute for objects. This is not a deviation from the PP but an instantiation of the PP.
Although FDP_ACF.1.3(a) in the PP has no additional rules on access control of document data and user jobs, this ST allows the MFP administrator to delete document data and user jobs. The TOE allows the MFP administrator to delete document data and user jobs on behalf of normal users who are privileged to delete them, in case normal users cannot exercise such privileges for some reason. This does not deviate from the access control SFP defined in the PP.

Although FDP_ACF.1.4(a) in the PP has no additional rules on access control of document data and user jobs, this ST does not allow the supervisor and RC Gate to operate document data and user jobs. Supervisor and RC Gate are not identified in the PP and are the special users for this TOE. This indicates that the PP does not allow users to operate the TOE, unless they are identified as the users of document data and user jobs.

Therefore, FDP_ACF.1(a) in this ST satisfies FDP_ACF.1(a) in the PP.

Additional Rules on FDP_ACF.1.3(b)

While FDP_ACF.1.3(b) in the PP allows users with administrator privileges to operate the TOE functions, this ST allows them to operate Fax Reception Function only, which is part of the TOE functions.
The TOE allows the MFP administrator to delete document data and user jobs (document access control SFP, FDP_ACC.1(a) and FDP_ACF.1(a)), and as a result, the TSF restrictively allows the MFP administrator to access the TOE functions. Therefore, the requirements described in FDP_ACF.1.3(b) in the PP are satisfied at the same time.

The fax reception process, which is accessed when receiving from a telephone line, is regarded as a user with administrator privileges. Therefore, FDP_ACF.1.3(b) in this ST satisfies FDP_ACF.1.3(b) in the PP.
3 Security Problem Definitions

This section describes Threats, Organisational Security Policies and Assumptions.

3.1 Threats

Defined and described below are the assumed threats related to the use and environment of this TOE. The threats defined in this section are unauthorised persons with knowledge of published information about the TOE operations and such attackers are capable of Basic attack potential.

T.DOC.DIS Document disclosure
Documents under the TOE management may be disclosed to persons without a login user name, or to persons with a login user name but without an access permission to the document.

T.DOC.ALT Document alteration
Documents under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the document.

T.FUNC.ALT User job alteration
User jobs under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the user job.

T.PROT.ALT Alteration of TSF protected data
TSF Protected Data under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Protected Data.

T.CONF.DIS Disclosure of TSF confidential data
TSF Confidential Data under the TOE management may be disclosed to persons without a login user name, or to persons with a login user name but without an access permission to the TSF Confidential Data.

T.CONF.ALT Alteration of TSF confidential data
TSF Confidential Data under the TOE management may be altered by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.
3.2 Organisational Security Policies

The following organisational security policies are taken:

P.USER.AUTHORIZATION User identification and authentication
Only users with operation permission of the TOE shall be authorised to use the TOE.

P.SOFTWARE.VERIFICATION Software verification
Procedures shall exist to self-verify executable code in the TSF.

P.AUDIT.LOGGING Management of audit log records
The TOE shall create and maintain a log of TOE use and security-relevant events. The audit log shall be protected from unauthorised disclosure or alteration, and shall be reviewed by authorised persons.

P.INTERFACE.MANAGEMENT Management of external interfaces
To prevent unauthorised use of the external interfaces of the TOE, operation of those interfaces shall be controlled by the TOE and its IT environment.

P.STORAGE.ENCRYPTION Encryption of storage devices
The data stored on the HDD inside the TOE shall be encrypted.

P.RCGATE.COMM.PROTECT Protection of communication with RC Gate
As for communication with RC Gate, the TOE shall protect the communication data between itself and RC Gate.

3.3 Assumptions

The assumptions related to this TOE usage environment are identified and described.

A.ACCESS.MANAGED Access management
According to the guidance document, the TOE is placed in a restricted or monitored area that provides protection from physical access by unauthorised persons.

A.USER.TRAINING User training
The responsible manager of MFP trains users according to the guidance document and users are aware of the security policies and procedures of their organisation and are competent to follow those policies and procedures.
A.ADMIN.TRAINING Administrator training
Administrators are aware of the security policies and procedures of their organisation, are competent to correctly configure and operate the TOE in accordance with the guidance document following those policies and procedures.

A.ADMIN.TRUST Trusted administrator
The responsible manager of MFP selects administrators who do not use their privileged access rights for malicious purposes according to the guidance document.
4 Security Objectives

This section describes Security Objectives for TOE, Security Objectives of Operational Environment and Security Objectives Rationale.

4.1 Security Objectives for TOE

This section describes the security objectives for the TOE.

O.DOC.NO_DIS Protection of document disclosure
The TOE shall protect documents from unauthorised disclosure by persons without a login user name, or by persons with a login user name but without an access permission to the document.

O.DOC.NO_ALT Protection of document alteration
The TOE shall protect documents from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the document.

O.FUNC.NO_ALT Protection of user job alteration
The TOE shall protect user jobs from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the job.

O.PROT.NO_ALT Protection of TSF protected data alteration
The TOE shall protect TSF Protected Data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Protected Data.

O.CONF.NO_DIS Protection of TSF confidential data disclosure
The TOE shall protect TSF Confidential Data from unauthorised disclosure by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.

O.CONF.NO_ALT Protection of TSF confidential data alteration
The TOE shall protect TSF Confidential Data from unauthorised alteration by persons without a login user name, or by persons with a login user name but without an access permission to the TSF Confidential Data.