Xerox Multi-Function Device Security Target
27
Copyright
2013 Xerox Corporation. All rights reserved.
4.3.
Security Objectives for the Non-
IT Environment
This section describes the security objectives that must be fulfilled by non-IT
methods in the non-IT environment of the TOE.
Table 18: Security objectives for the non-IT environment
Objective
Definition
OE.PHYSICAL.MANAGED The TOE shall be placed in a secure or monitored area that
provides protection from unmanaged physical access to the
TOE.
OE.USER.AUTHORIZED
The TOE Owner shall grant permission to Users to be
authorized to use the TOE according to the security policies
and procedures of their organization.
OE.USER.TRAINED
The TOE Owner shall ensure that Users are aware of the
security policies and procedures of their organization, and
have the training and competence to follow those policies and
procedures.
OE.ADMIN.TRAINED
The TOE Owner shall ensure that TOE Administrators are
aware of the security policies and procedures of their
organization, have the training, competence, and time to
follow the manufacturer’s guidance and documentation, and
correctly configure and operate the TOE in accordance with
those policies and procedures.
OE.ADMIN.TRUSTED
The TOE Owner shall establish trust that TOE Administrators
will not use their privileged access rights for malicious
purposes.
OE.AUDIT.REVIEWED
The TOE Owner shall ensure that audit logs are reviewed at
appropriate intervals for security violations or unusual
patterns of activity.
4.4.
Rationale for Security
Objectives
This section demonstrates that each threat, organizational security policy,
and assumption are mitigated by at least one security objective for the TOE,
and that those security objectives counter the threats, enforce the policies,
and uphold the assumptions.
