Konica-minolta BIZHUB 920 User Manual

Multi functional printer (digital copier) bizhub 920 / bizhub PRO 920 Security Target Version : 6 June 10, 2005 Konica Minolta Bus

2．TOE Description 2.1. TOE Type The TOE is software product with the digital MFP that is installed the network function. 2.2. Terminology No. T

Public telephone line networkInternetMailserverClient PC FirewallOfficeFTPserverInternal networkExternal networkbizhub PRO 920bizhub PRO 920 contro

- Administrator Administrator enrolled at the organization that bizhub PRO 920 series is installed, carries out the operation and management of biz

2.5. TOE Structure Figure 2.2 shows the structure of this TOE. Scanning functionFTP functionOperation panelHDD１Network cardbizhub PRO 920 main u

to FTP, scan to PC (SMB), HDD storage, HDD readout, document data deletion functions) and basic function (scanning, printing, deletion, BOX storage

User BOXClient PCFTP serverMail serverInput OutputPaper documentPaper document bizhub PRO 920 Readout function of document dataPC-shared folderHDD1

The basic functions shown in Figure 2.3 are described below. (1) Scanning function By request from the operation panel by a general user, the info

(8) SMB function The document data gotten by the scanning function, which is stored temporarily into the HDD1 temporary storage or DRAM temporary s

2.8 Function not provided by the TOE The TOE does not prevent the deletion of document data, because the user owns its original data in his/he

3. TOE Security Environment 3.1. Assumptions ASM.PLACE Installation condition for the TOE The TOE shall be installed in the area where only the

Document Revision History Version Description Approved by Checked by Created by 1 - Initial version 01/21/2005 Masaru Ushio01/21/2005 Kazuo Y

4. Security Objectives Policies 4.1. Security Objectives Policies for the TOE O.IA Identification and authentication when using The TOE identif

OE.ADMIN Personal condition for the administrator The responsible person shall select a person as the administrator who does not carry out an ille

5. IT Security Requirements 5.1. TOE Security Requirements 5.1.1. TOE Security Functional Requirements FIA_UID.2 User identification before an

FIA_UAU.2 User authentication before any action Hierarchical to: FIA_UAU.1 FIA_UAU.2.1 The TSF shall require each user to be successfully authe

FIA_UAU.7 Protected authentication feedback Hierarchical to: No other components. FIA_UAU.7.1 The TSF shall provide only [assignment: list of fe

FIA_AFL.1 Authentication failure handling Hierarchical to: No other components. FIA_AFL.1.1 The TSF shall detect when [assignment: number] unsu

FIA_SOS.1[1] Verification of secrets Hierarchical to: No other components. FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets

FIA_SOS.1[2] Verification of secrets Hierarchical to: No other components. FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets

FDP_ACC.1[1] Subset access control Hierarchical to: No other components. FDP_ACC.1.1 The TSF shall enforce the [assignment: access control SFP]

FDP_ACC.1[2] Subset access control Hierarchical to: No other components. FDP_ACC.1.1 The TSF shall enforce the [assignment: access control SFP]

Table of Contents 1. ST Introduction ...7 1.1. ST Identification ...

FDP_ACF.1[1] Security attribute based access control Hierarchical to: No other components. FDP_ACF.1.1 The TSF shall enforce the [assignment: ac

- None FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that

FDP_ACF.1[2] Security attribute based access control Hierarchical to: No other components. FDP_ACF.1.1 The TSF shall enforce the [assignment: acc

FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explici

FAU_GEN.1 Audit data generation Hierarchical to: No other components. FAU_GEN.1.1 The TSF shall be able to generate an audit record of the foll

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subje

FAU_STG.1 Protected audit trail storage Hierarchical to: No other components. FAU_STG.1.1 The TSF shall protect the stored audit records from u

FAU_STG.4 Prevention of audit data loss Hierarchical to: FAU_STG.3 FAU_STG.4.1 The TSF shall [selection: ‘ignore auditable events’, ‘prevent au

FAU_SAR.1 Audit review Hierarchical to: No other components. FAU_SAR.1.1 The TSF shall provide [assignment: authorised users] with the capabilit

FAU_SAR.2 Restricted audit review Hierarchical to: No other components. FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit r

5.1.2. TOE Security Assurance Requirements...56 5.2. Security Functional

FMT_MTD.1[1] Management of TSF data Hierarchical to: No other components. FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_

FMT_MTD.1[2] Management of TSF data Hierarchical to: No other components. FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_

FMT_MTD.1[3] Management of TSF data Hierarchical to: No other components. FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_

FMT_MTD.1[4] Management of TSF data Hierarchical to: No other components. FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_

FMT_MTD.1[5] Management of TSF data Hierarchical to: No other components. FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_

FMT_MSA.1 Management of security attributes Hierarchical to: No other components. FMT_MSA.1.1 The TSF shall enforce the [assignment: access con

FMT_MSA.3 Static attribute initialisation Hierarchical to: No other components. FMT_MSA.3.1 The TSF shall enforce the [assignment: access contr

FMT_SMR.1 Security roles Hierarchical to: No other components. FMT_SMR.1.1 The TSF shall maintain the roles [assignment: the authorised identifi

FMT_MOF.1 Management of security functions behaviour Hierarchical to: No other components. FMT_MOF.1.1 The TSF shall restrict the ability to [s

FMT_SMF.1 Specification of management functions Hierarchical to: No other components. FMT_SMF.1.1 The TSF shall be capable of performing the fo

List of Figures Figure 2.1 Operating Environment of bizhub PRO 920 Series…..………………………………...11 Figure 2.2 TOE Structure...

Required function Required management Management item FDP_SOS.1 Management of the scale used for the validation of secret for IT environment Ther

Required function Required management Management item FMT_MTD.1[4] Management of the group that has a role that may affect TSF data with each oth

FPT_RVM.1 Non-bypassability of the TSP Hierarchical to: No other components. FPT_RVM.1.1 The TSF shall ensure that TSP enforcement functions ar

This ST newly creates and uses the TOE security functional requirements (FDP_MTD.1 Management of administrator data and FDP_SOS.1 Verification of s

FPT_STM.1 Reliable time stamps Hierarchical to: No other components. FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its

FDP_SOS.1 Verification of secrets of IT environment FDP_SOS.1 Verification of secrets of IT environment requires the TSF to verify that secrets

5.1.2. TOE Security Assurance Requirements This TOE asserts EAL3 that is a sufficient level as quality assurance for commercial office products. T

5.2. Security Functional Requirements for the IT environment FIA_UID.2[E] User identification before any action Hierarchical to: FIA_UID.1 FＩＡ

FIA_UAU.2[E] User authentication before any action Hierarchical to：FIA_UAU.1 FIA_UAU.2.1[E] The TSF shall require each user to be successfully

5.3. Security Function Strength The following three password mechanisms are targeted for the claim of TOE function strength, and the subsequence s

List of Tables Table 2.1 Correspondence between User Functions and Basic Functions...15 Table 5.1 Auditable E

6. TOE Summary Specification 6.1. TOE Security Function 6.1.1. Identification and Authentication Function The identification and authentication

changed in IA_PASS. IA.ADM_AUTH identificates that he/she is the administrator by the indication of interface for the identification and authentica

Administrator ： Administrator password, User BOX password General user who owns User BOX ： User BOX password of his/her own User BOX For the pa

- Reading out and printing of document data In case of unsuccessful identification and authentication, the interface for the identification and aut

6.1.4. Management Support Function The management function provides the following a group of security functions. Function title Specification of

(year/month/day/hour/minute/second) of events occurrence, operational subjective identification, and the result of events. It is displayed in a for

6.3. Assurance Measures The developer shall develop according to the assurance requirements and the development rules regulated by the developmen

Distribution and operation ADO_DEL.1 bizhub 920/bizhub PRO 920 Distribution Regulations (Japanese) bizhub 920/bizhub PRO 920 Installation Manual (J

ADO_IGS.1 bizhub 920/bizhub PRO 920 Introduction and Operation Regulations (Japanese) bizhub 920/bizhub PRO 920 Installation Manual (Japanese) bizh

Guidance document AGD_ADM.1 bizhub 920/bizhub PRO 920 Installation Manual (Japanese) bizhub 920/bizhub PRO 920 User’s Guide Copier (Japanese) bi

1. ST Introduction 1.1. ST Identification 1.1.1. ST Identification and Management Title： Multi functional printer (digital copier) bizhub 920 /

AGD_USR.1 bizhub 920/bizhub PRO 920 User’s Guide Copier (Japanese) bizhub 920/bizhub PRO 920 User’s Guide POD Administrator’s Reference (Japanese)

AVA_MSU.1 bizhub 920/bizhub PRO 920 Installation and Operation Regulations (Japanese) bizhub 920/bizhub PRO 920 Installation Manual (Japanese) bizh

7. PP Claim There is no applicable PP in this ST. Copyright© 2005 KONICA MINOLTA BUSINESS TECHNOLOGIES, INC., All Rights Reserved 72

8. Rationale 8.1. Security Objectives Policies Rationale Table 8.1 shows the correspondence relation of the security objectives policy to the thr

The following shows the rationale for Table 8.1. T.HDDACCESS：Unauthorized access to the HDD TSF changes and manages the HDD lock password of HDD1

ASM.PLACE：Installation condition for the TOE In OE.PLACE, TOE is installed in the area where only the product-related person can operate, therefo

8.2. Security Requirements Rationale 8.2.1. Security Functional Requirements Rationale 8.2.1.1. Reason for the adoption of security functional r

Table 8.2 Correspondence between Security Objectives Policies and IT Security Functional Requirements Security objectives policy I

FMT_MSA.1 ✔ FMT_MSA.3 ✔ FMT_SMR.1 ✔ ✔ ✔ ✔ FMT_MOF.1 ✔ ✔ ✔ ✔ ✔ FPT_RVM.1 ✔ ✔ ✔ ✔ ✔ FMT_SMF.1 ✔ ✔ ✔ ✔ FPT_STM.1 ✔ FDP_MTD.

targeted User BOX is maintained in FMT_SMR.1. Their functions are not bypassed with FPT_ RVM.1 and the state of operating are effectively ready i

Note）The following references are used for Japanese version. - Common Criteria for Information Technology Security Evaluation Part 1：Introduction

RVM.1 and the state of operating effectively is ready in FMT_MOF.1. Therefore, O.CE can be realized by the correspondent security functional requir

are successfully identified and authenticated. It prevents the HDD1 and HDD2 from the unauthorized access. Therefore, OE.HDD can be realized by t

9 FDP_ACC.1[2] None FDP_ACF.1 11 10 FDP_ACF.1[1] None FDP_ACC.1 FMT_MSA.3 8 11 FMT_MSA.3 is fulfilled with dependent relationship of FDP_A

27 FPT_RVM.1 None None 28 FPT_STM.1 None None 29 FDP_MTD.1 None FMT_SMR.1 FMT_SMF.1 26 25 30 FIA_UID.2[E] FIA_UID.1 None 31 FIA

22 FMT_MSA.1 FPT_RVM.1 FMT_MOF.1 23 FMT_MSA.3 FPT_RVM.1 FMT_MOF.1 24 FMT_MOF.1 FPT_RVM.1 25 FMT_SMF.1 None FMT_MOF.1 26 FMT_SMR.1 None F

assumed. And it assumes to be operated under the adequate security condition in terms of the physical and human. Therefore, in “5.3. Security Str

8.3. TOE Summary Specification Rationale 8.3.1. Conformity of Security Functional Requirements to TOE Summary Specification Table 8.4 shows the

FMT_MTD.1[2] ✔ FMT_MTD.1[3] ✔ FMT_MTD.1[4] ✔ FMT_MTD.1[5] ✔ FMT_MSA.1 ✔ FMT_MSA.3 ✔ FMT_MOF.1

FIA_SOS.1[1] For the registration and the change of User BOX password, whether the password is within the coverage of permitted value along the p

FDP_ACF.1[2] MNG.ADM creates the User BOX according to Access control policy 2. Therefore, FDP_ACF.1[2] is realized by implementing MNG.ADM. FAU_G

- Common Criteria CCIMB Interpretations-0407 - Common Criteria Addendum-0407 - ISO/IEC 15408, Information Technology – Security techniques – Eval

FMT_MTD.1[3] In MNG.ADM, the change of use BOX password is permitted and executed by only the administrator. Therefore, FMT_MTD.1[3] is realized

FMT_SMR.1 The maintenance of role is realized by realizing the registration of User BOX identifier and User BOX password, and the change of CE,