Xerox WorkCentre 5845 User Information Download Page 31

Page: 31 / 83

Xerox Multi-Function Device Security Target



Threats. Policies, and
Assumptions

Summary

Objectives and rationale

OE.USER.AUTHORIZED
establishes responsibility of the
TOE Owner to appropriately grant
authorization

OE.USER.AUTHENTICATED
establishes alternative (remote)
means for user identification and
authentication as the basis for
authorization to use the TOE

P.SOFTWARE.VERIFICATION

Procedures will exist to
self-verify executable
code in the TSF

O.SOFTWARE.VERIFIED provides
procedures to self-verify executable
code in the TSF

P.AUDIT.LOGGING

An audit trail of TOE
use and security-
relevant events will be
created, maintained,
protected, and
reviewed.

O.AUDIT.LOGGED creates and
maintains a log of TOE use and
security-relevant events, and
prevents unauthorized disclosure
or alteration

O.AUDIT_STORAGE.PROTECTE
D protects internal audit records
from unauthorized access, deletion
and modifications

OE.AUDIT_STORAGE.PROTECT
ED protects exported audit records
from unauthorized access, deletion
and modifications

OE.AUDIT_ACCESS.AUTHORIZE
D establishes responsibility of, the
TOE Owner to provide appropriate
access to exported audit records

OE.AUDIT.REVIEWED establishes
responsibility of the TOE Owner to
ensure that audit logs are
appropriately reviewed

P.INTERFACE.MANAGEMENT

Operation of external
interfaces will be
controlled by the TOE
and its IT environment.

O.INTERFACE.MANAGED
manages the operation of external
interfaces in accordance with
security policies

OE.INTERFACE.MANAGED
establishes a protected
environment for TOE external
interfaces

Summary of Contents for WorkCentre 5845

Page 1: ...evice Security Target WorkCentre 5845 5855 5865 5875 5890 7220 7225 7830 7835 7845 7855 ColorQube 9301 9302 9303 Prepared by Xerox Corporation Computer Sciences Corporation 800 Phillips Road 7231 Park...

Page 2: ...reserved Xerox and the sphere of connectivity design are trademarks of Xerox Corporation in the United States and or other counties All copyrights referenced herein are the property of their respectiv...

Page 3: ...9 3 1 3 Operations 21 3 1 4 Channels 21 3 2 ASSUMPTIONS 22 3 3 THREATS 23 3 3 1 Threats Addressed by the TOE 23 3 3 2 Threats Addressed by the IT Environment 23 3 4 ORGANIZATIONAL SECURITY POLICIES 24...

Page 4: ...SECURITY FUNCTIONAL REQUIREMENTS 57 6 7 RATIONALE FOR SECURITY ASSURANCE REQUIREMENTS 64 6 8 RATIONALE FOR DEPENDENCIES 65 6 8 1 Security Functional Requirement Dependencies 65 6 8 2 Security Assuran...

Page 5: ...THE TOE 22 TABLE 13 THREATS TO USER DATA 23 TABLE 14 THREATS TO TSF DATA 23 TABLE 15 ORGANIZATIONAL SECURITY POLICIES 24 TABLE 16 SECURITY OBJECTIVES FOR THE TOE 25 TABLE 17 SECURITY OBJECTIVES FOR T...

Page 6: ...Xerox Multi Function Device Security Target WorkCentre 5845 5855 5865 5875 5890 7220 7225 7830 7835 7845 7855 ColorQube 9301 9302 9303 ST Version 2 0 Revision Number 2 0 Publication Date 25 November...

Page 7: ...Switched Telephone Network PSTN connections and also enables LanFax1 Xerox s Workflow Scanning Accessory is part of the TOE configuration This accessory allows documents to be scanned at the device wi...

Page 8: ...i Function Device Security Target 8 Copyright 2013 Xerox Corporation All rights reserved Figure 2 Xerox WorkCentre 7220 7225 Figure 3 Xerox WorkCentre 7830 7835 7845 7855 Figure 4 Xerox ColorQube 9301...

Page 9: ...ry image data consists of the original data submitted and additional files created during a job All partitions of the HDD used for spooling temporary files are encrypted The encryption key is created...

Page 10: ...card Kerberos and Lightweight Directory Access Protocol LDAP for network authentication 1 2 2 TOE Type The TOE is an MFD that provides copy and print document scanning and optional fax services 1 2 3...

Page 11: ...etwork Controller WorkCentre 5845 5855 5865 5875 5890 071 190 103 06400 071 193 06410 LL WorkCentre 7220 7225 071 030 103 06400 071 033 06410 LL WorkCentre 7830 7835 071 010 103 06400 071 043 06410 LL...

Page 12: ...put 1 3 2 Logical Scope of the TOE The logical scope of the TOE includes all software and firmware that are installed on the product see Table 3 The TOE logical boundary is composed of the security fu...

Page 13: ...TOE may alternatively be configured to use an external authentication store as described by section 1 3 2 3 The TOE enforces administrator defined session timeout periods for the LUI and Web UI 1 3 2...

Page 14: ..._NET_SEC The TOE supports the following secure communication protocols TLS for Web UI SFTP and TLS for document transfers to the remote file depository IPsec for communication over IPv4 and IPv6 and K...

Page 15: ...capabilities Network Authorization When configured the printer references an anauthorization server for authorization information such as role for the authenticated user Reprint Saved Jobs The Reprin...

Page 16: ...ecurity Evaluation Part 3 Security Assurance Components Version 3 1 Revision 3 CCMB 2009 07 003 This ST claims the following CC conformance Part 2 extended Part 3 conformant Evaluation Assurance Level...

Page 17: ...rity objective for the IT environment OE USER AUTHENTICATED has been added in accordance to application notes 37 42 and 43 from IEEE Std 2600 2 2009 The statement of Security Requirements contains the...

Page 18: ...ntation Identification and Authentication FIA_UAU 7 The packages shown in Table 6 from IEEE Std 2600 2 2009 have been augmented with additional including iterated SFRs from CC Part 2 Table 6 IEEE Std...

Page 19: ...TOE security policy TSP Administrators may possess special privileges that provide capabilities to override portions of the TSP This ST specifies U ADMINISTRATOR System Administrator U ADMINISTRATOR A...

Page 20: ...on TSF Protected Data or protection from both unauthorized disclosure and unauthorized alteration TSF Confidential Data The data assets have been identified and categorized in Table 9 and Table 10 bel...

Page 21: ...ch physical document input is duplicated to physical document output F FAX Faxing a function in which physical document input is converted to a telephone based document facsimile fax transmission and...

Page 22: ...ast one input channel and one output channel would be present in any HCD configuration and at least one of those channels would be either an Original Document Handler or a Hardcopy Output Handler 3 2...

Page 23: ...ts The threats and policies defined in this ST address the threats posed by these threat agents This section describes threats to assets described in section 3 1 2 Table 13 Threats to user data Threat...

Page 24: ...R AUTHORIZATION To preserve operational accountability and security Users will be authorized to use the TOE only as permitted by the TOE Owner P SOFTWARE VERIFICATION To detect corruption of the execu...

Page 25: ...Document Data from unauthorized alteration O FUNC NO_ALT The TOE shall protect User Function Data from unauthorized alteration O PROT NO_ALT The TOE shall protect TSF Protected Data from unauthorized...

Page 26: ...exported from the TOE to another trusted IT product the TOE Owner shall ensure that those records are protected from unauthorized access deletion and modifications OE AUDIT_ACCESS AUTHORIZED If audit...

Page 27: ...d have the training and competence to follow those policies and procedures OE ADMIN TRAINED The TOE Owner shall ensure that TOE Administrators are aware of the security policies and procedures of thei...

Page 28: ...olicies and assumptions T DOC DIS X X X X T DOC ALT X X X X T FUNC ALT X X X X T PROT ALT X X X X T CONF DIS X X X X T CONF ALT X X X X P USER AUTHORIZATION X X X P SOFTWARE VERIFICATION X P AUDIT LOG...

Page 29: ...OE USER AUTHENTICATED establishes alternative remote means for user identification and authentication as the basis for authorization T FUNC ALT User Function Data may be altered by unauthorized perso...

Page 30: ...stablishes responsibility of the TOE Owner to appropriately grant authorization OE USER AUTHENTICATED establishes alternative remote means for user identification and authentication as the basis for a...

Page 31: ...ewed O AUDIT LOGGED creates and maintains a log of TOE use and security relevant events and prevents unauthorized disclosure or alteration O AUDIT_STORAGE PROTECTE D protects internal audit records fr...

Page 32: ...INING Administrators are aware of and trained to follow security policies and procedures OE ADMIN TRAINED establishes responsibility of the TOE Owner to provide appropriate Administrator training A AD...

Page 33: ...capability for attackers to misuse external interfaces to violate the security of the TOE or devices that are connected to the TOE s external interfaces Therefore direct forwarding of unprocessed dat...

Page 34: ...nality as a single component that allows specifying the property to disallow direct forwarding and require that only an authorized role can allow this Since this is a function that is quite common for...

Page 35: ...Xerox Corporation All rights reserved FPT_FDI_EXP 1 1 The TSF shall provide the capability to restrict data received on assignment list of external interfaces from being forwarded without further pro...

Page 36: ...eet its security objectives e g configuration management testing and vulnerability assessment These requirements are discussed separately within the following subsections 6 1 Conventions All operation...

Page 37: ...affic to and from that destination Operations Pass network traffic Note The TOE cannot enforce the IP Filtering SFP when it is configured for IPv6 6 2 2 User Access Control SFP The Security Function P...

Page 38: ...documents U ADMINISTRATOR System Administrator Allowed D FUNC Any Attribute except CPY Modify U NORMAL U ADMINISTRATOR Denied PRT Delete U NORMAL Denied except for his her own documents U ADMINISTRAT...

Page 39: ...Hence the ST is conformant to IEEE Std 2600 2 2009 Application Note A document D DOC is owned by a User U User if that document was created or submitted to the TOE by that User The only exception are...

Page 40: ...identified in Table 23 The rest of this section contains a description of each component and any related dependencies Table 23 TOE security functional requirements Functional Component ID Functional...

Page 41: ...omponents Dependencies FPT_STM 1 Reliable time stamps FAU_GEN 1 1 The TSF shall be able to generate an audit record of the following auditable events Start up and shutdown of the audit functions All a...

Page 42: ...ole FMT_SMR 1 Minimum None required Changes to the time FPT_STM 1 Minimum None required Failure of the trusted channel functions 2 FTP_ITC 1 Minimum Non required 6 3 1 2 FAU_GEN 2 User identity associ...

Page 43: ...pendencies FDP_ITC 1 Import of user data without security attributes or FDP_ITC 2 Import of user data with security attributes or FCS_CKM 1 Cryptographic key generation FCS_CKM 4 Cryptographic key des...

Page 44: ...rate cryptographic keys in accordance with a specified cryptographic key generation algorithm the cryptographic algorithms listed in the Cryptographic Algorithm column of Table 26 and specified crypto...

Page 45: ...other components Dependencies FDP_ITC 1 Import of user data without security attributes or FDP_ITC 2 Import of user data with security attributes or FCS_CKM 1 Cryptographic key generation FCS_CKM 4 1...

Page 46: ...bjects and objects controlled under the User Access Control SFP in Table 21 and for each the indicated security attributes in Table 21 FDP_ACF 1 2 USER The TSF shall enforce the following rules to det...

Page 47: ...ed on the following additional rules none FDP_ACF 1 4 FUNC The TSF shall explicitly deny access of subjects to objects based on the none Application Note This SFR is FDP_ACF 1 b from The IEEE Std 2600...

Page 48: ...information flow based on the following rules if there are no rules with matching security attributes or if a rule explicitly denies an information flow Application Note When custom rules have not bee...

Page 49: ...ification Hierarchical to No other components Dependencies No dependencies FIA_UID 1 1 The TSF shall allow job requests to be received via printing protocols on behalf of the user to be performed befo...

Page 50: ...change_default modify delete read the security attributes all to U ADMINISTRATOR System Administrator Application Note This SFR is FMT_MSA 1 a from The IEEE Std 2600 2 PP 6 3 6 2 FMT_MSA 1 FUNC Manage...

Page 51: ...l enforce the TOE Function Access Control Policy to provide permissive default values for security attributes that are used to enforce the SFP FMT_MSA 3 2 FUNC The TSF shall allow the U ADMINISTRATOR...

Page 52: ...archical to No other components Dependencies FMT_SMF 1 Specification of Management Functions FMT_SMR 1 Security Roles FMT_MTD 1 1 KEY The TSF shall restrict the ability to modify delete create the IPs...

Page 53: ...e 802 1x Enable disable and configure IPsec Configure specify the IP address and or IP address range port and port range for remote trusted IT products presumed allowed to connect to the TOE via the n...

Page 54: ...in other SFRs 6 3 7 Class FPR Privacy There are no Class FPR security functional requirements for this Security Target 6 3 8 Class FPT Protection of the TSF 6 3 8 1 FPT_STM 1 Reliable time stamps Hie...

Page 55: ...configurable amount of time in the LUI or on the WebUI 6 3 10 Class FTP Trusted paths channels 6 3 10 1 FTP_ITC 1 Inter TSF trusted channel Hierarchical to No other components Dependencies No dependen...

Page 56: ...les This extended component as defined in IEEE 2600 2 does not provide a mechanism for specifying authorized identified roles For this reason the authorized identified role that is not included in thi...

Page 57: ...2 Security objectives ASE_REQ 2 Derived security requirements ASE_SPD 1 Security problem definition ASE_TSS 1 TOE summary specification ATE Tests ATE_COV 1 Evidence of coverage ATE_FUN 1 Functional te...

Page 58: ...AUTHORIZED O INTERFACE MANAGED O SOFTWARE VERIFIED O AUDIT LOGGED O AUDIT_STORAGE PROTECTED SFRs FAU_GEN 1 P P FAU_GEN 2 P P FAU_STG 1 P FAU_STG 4 P FCS_COP 1 S S S S S S FCS_CKM 1 S S S S S S FCS_CKM...

Page 59: ...1 MGMT1 P P P FMT_MTD 1 MGMT2 P P P FMT_MTD 1 FILTER P P P FMT_MTD 1 KEY P P P FMT_SMF 1 S S S S S S S FMT_SMR 1 S S S S S S S FPT_STM 1 S S FPT_TST 1 P FPT_FDI_EXP 1 P FTA_SSL 3 P P FTP_ITC 1 P P P...

Page 60: ...roles O DOC NO_DIS Protection of User Document Data from unauthorized disclosure FDP_RIP 1 Enforces protection by making residual data unavailable O CONF NO_DIS O PROT NO_ALT O CONF NO_ALT Protection...

Page 61: ...ication FIA_UAU 7 Supports authorization by protecting passwords FIA_UID 1 Enforces authorization by requiring user identification FIA_USB 1 Enforces authorization by distinguishing subject security a...

Page 62: ...s management of external interfaces by requiring user authentication FIA_UID 1 Enforces management of external interfaces by requiring user identification FTA_SSL 3 Enforces management of external int...

Page 63: ...f relevant events FPT_STM 1 Supports audit policies by requiring time stamps associated with events O AUDIT_STORA GE PROTECTED Logging and authorized access to audit events FAU_GEN 1 Enforces audit po...

Page 64: ...escribe Hardcopy Devices used in commercial information processing environments that require a moderate level of document security network security and security assurance The TOE environment will be e...

Page 65: ...ncies and whether the dependency was satisfied Table 31 SFR dependencies satisfied Functional Component Dependency ies Satisfied FAU_GEN 1 FPT_STM 1 Yes FAU_GEN 2 FAU_GEN 1 Yes FIA_UID 1 Yes FAU_STG 1...

Page 66: ...T_MSA 3 FUNC FMT_MSA 1 Yes FMT_MSA 1 FUNC FMT_SMR 1 Yes FMT_MTD 1 MGMT1 FMT_SMF 1 Yes FMT_SMR 1 Yes FMT_MTD 1 MGMT2 FMT_SMF 1 Yes FMT_SMR 1 Yes 3 The dependency of FDP_IFF 1 FILTER on FMT_MSA 3 is not...

Page 67: ..._FLR 3 SAR dependencies satisfied Assurance Component ID Dependencies Satisfied ADV_ARC 1 ADV_FSP 1 ADV_TDS 1 Yes hierarchically Yes ADV_FSP 2 ADV_TDS 1 Yes ADV_TDS 1 ADV_FSP 2 Yes AGD_OPE 1 ADV_FSP 1...

Page 68: ...ASE_ECD 1 None ASE_INT 1 None ASE_OBJ 2 ASE_SPD 1 Yes ASE_REQ 2 ASE_ECD 1 ASE_OBJ 2 Yes Yes ASE_SPD 1 None ASE_TSS 1 ADV_FSP 1 ASE_INT 1 ASE_REQ 1 Yes hierarchically Yes Yes hierarchically ATE_COV 1...

Page 69: ...Protection Disk Encryption TSF_FDP_UDE 7 1 1 Image Overwrite TSF_IOW FDP_RIP 1 The TOE implements an image overwrite security function using a three pass overwrite procedure consistent with U S Depar...

Page 70: ...W FPT_FDI_EXP 1 The only physical shared medium interface of the TOE is the network interface The TOE controls and restricts the data information flow from the LUI document scanner and document feeder...

Page 71: ...must authenticate by entering a username and password prior to being granted access to the LUI or the Web UI While the user is typing the password the TOE obscures each character entered Upon successf...

Page 72: ...able events The time reference is hardware based CPU clock The system administrator must set the time The audit log tracks user identification and authentication system administrator actions and failu...

Page 73: ...ol policy based on a configurable rule set The information flow control policy IPFilter SFP is defined by the system administrator through specifying a series of rules to accept deny or drop packets T...

Page 74: ...can only be canceled deleted during its execution Once completed the job is removed 7 1 10 4 Print Print jobs can be submitted remotely via printing protocols e g lpr port 9100 or from the WebUI Print...

Page 75: ...ead or deleted D DOC faxOUT Read Delete Once a job is submitted only a system administrator can delete the job before it is fully completed in the case of delayed send for example D FUNC faxOUT Delete...

Page 76: ...orporation All rights reserved loaded is compared to the expected software version number any corruption of this data will be reported The system administrator can verify the integrity of the TOE soft...

Page 77: ...cation Security measure that verifies a claimed identity Authentication data Information used to verify a claimed identity Authorization Permission granted by an entity authorized to do so to perform...

Page 78: ...ion operations that protect and defend information and information systems by ensuring their availability integrity authentication confidentiality and non repudiation This includes providing for resto...

Page 79: ...ecurity Target Private medium interface Mechanism for exchanging data that 1 use wired or wireless electronic methods over a communications medium which in conventional practice is not accessed by mul...

Page 80: ...y of the TOE TSF Protected Data Assets for which alteration by a User who is not an Administrator or the owner of the data would have an effect on the operational security of the TOE but for which dis...

Page 81: ...Host Configuration Protocol DIS Disclosure DSR Document Storage And Retrieval EAL Evaluation Assurance Level EIP Extensible Interface Platform FIPS Federal Information Processing Standard HCD Hardcopy...

Page 82: ...cation PPM Page Per Minute PP Protection Profile PRT Print PSTN Public Switched Telephone Network SCN Scan SFP Security Function Policy SFR Security Functional Requirement SMI Shared Medium Interface...

Page 83: ...neral Model B2 Common Methodology for Information Technology Security Evaluation Version 3 1 Release 3 Evaluation Methodology B3 IEEE Std 100 The Authoritative Dictionary of IEEE Standards Terms Seven...

Search results

Summary of Contents for WorkCentre 5845

Reviews:

Related manuals for WorkCentre 5845

Brands by name

Popular brands

Xerox WorkCentre 5845, User Information

Search results

Summary of Contents for WorkCentre 5845

Reviews:

Related manuals for WorkCentre 5845

Brands by name

Popular brands