 

Two IEEE Protection Profiles for Multi-Function Printers Evaluated by atsec information security

2010-09-21

Austin, TX/Munich, Germany – Two Protection Profiles (PPs) defining agreed security functional and security assurance requirements for multi-function printers in different environments have been evaluated by atsec on behalf of the IEEE.

Each PP makes different assumptions about attack potential and threat scenarios. Each includes unique base functionality and further SFR packages that specify additional requirements when the printer implements mechanisms covered by the packages. For example, a supplementary package of SFRs for non-volatile storage is defined: if the device under evaluation includes non-volatile storage, then the Security Target (ST) must include the package for non-volatile storage.

PP 2600.1 was evaluated under the NIAP’s CCEVS scheme and is listed as a US Government approved profile on the NIAP website. The IEEE Standard for a Protection Profile in Operational Environment A is aimed at “hardcopy devices in a restrictive commercial information processing environment in which a relatively high level of document security, operational accountability, and information assurance are required. Typical information processed in this environment is trade secret, mission critical, or subject to legal and regulatory considerations such as for privacy or governance. This environment is not intended to support life-critical or national security applications”.

PP 2600.2 was evaluated under the BSI scheme and is available from the BSI website. The IEEE Standard for a Protection Profile in Operational Environment B is aimed at “hardcopy devices in a commercial information processing environment in which a moderate level of document security, network security, and security assurance are required. Typically, the day-to-day proprietary and nonproprietary information needed to operate an enterprise will be handled by this environment”.

Helmut Kurth, atsec’s Chief Scientific Officer and co-editor of ISO/IEC TR 15446 “A guide for the production of Protection Profiles and Security Targets”, who advised the IEEE in the development of the Protection Profiles, said: “The IEEE-developed family of Protection Profiles represents another example of an industry consortium harmonizing the security functionality for a specific class of products (in this case multi-function printer devices) and specifying those functions in the form of a Common Criteria protection profile. It was also the first time the package concept defined in the Common Criteria has been used extensively to cover the different types of function that can be offered. The smart card industry has shown that protection profiles developed by industry consortiums get a much wider acceptance than those just developed by governments and it also shows that industry sees the benefit of harmonizing the requirements for security functionality and assurance measures using the Common Criteria as a basis.”

The PPs are available as IEEE standards free of charge from the IEEE at http://standards.ieee.org/getieee/2600.

The IEEE coordinated development of the PPs with a group of industry sponsors from the multi-function device industry including Canon, Fuji Xerox, Hewlett-Packard, InfoPrint Solutions, Konica Minolta, Kyocera Mita, Lexmark, Océ, Oki Printing Solutions, Ricoh, Samsung, Sharp, Toshiba TEC Corporation, and Xerox. PPs developed by such industry collaborations provide a useful and meaningful standard for industry accepted security functionality and assurance levels.

Companion standards, IEEE 2600.3™-2009 Standard Protection Profile for Hardcopy Devices in IEEE Std 2600™-2008 Operational Environment C and IEEE 2600.4™-2010 Standard Protection Profile for Hardcopy Devices in IEEE Std 2600™-2008 Operational Environment D, are available from the IEEE Shop.

With Common Criteria evaluation laboratories accredited under three national schemes (the U.S. National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), and the Swedish CC scheme Sveriges Certifieringsorgan för IT-säkerhet (CSEC) operated by FMV), atsec was well positioned to evaluate the PPs for both NIAP and BSI.

About atsec information security
atsec information security (www.atsec.com) is an independent, standards-based information technology security services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec was founded in Munich, Germany in 2000 and has extensive international operations with offices in the U.S., Germany, Sweden, and China. atsec's services include formal laboratory testing and evaluation, independent testing and evaluation, and information security consultancy.

(c) 2012 atsec information security