CRP-C0178-01 Certification Report Koji Nishigaki, Chairman Information-technology Promotion Agency, Japan Target of Evaluation Application date/ID 2008-02-21 (ITC-8196) Certification No. C0178 Sponsor TOSHIBA TEC CORPORATION Name of TOE [Japanese]e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 System Software [English] System Software for e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 Version of TOE V2.0 PP Conformance None Conformed Claim EAL3 Developer TOSHIBA TEC CORPORATION Evaluation Facility Electronic Commerce Security Technology Laboratory Inc. Evaluation Center This is to report that the evaluation result for the above TOE is certified as follows. 2008-08-12 Hideji Suzuki, Technical Manager Information Security Certification Office IT Security Center Evaluation Criteria, etc.: This TOE is evaluated in accordance with the following criteria prescribed in the "IT Security Evaluation and Certification Scheme". - Common Criteria for Information Technology Security Evaluation Version 2.3 (ISO/IEC 15408:2005) - Common Methodology for Information Technology Security Evaluation Version 2.3 (ISO/IEC 18045:2005) Evaluation Result: Pass "[Japanese]e-STUDIO520/600/720/850,e-STUDIO523/603/723/853 System Software V2.0, [English] System Software for e-STUDIO520/600/720/850,e-STUDIO523/603/723/853 V2.0" has been evaluated CRP-C0178-01 in accordance with the provision of the "IT Security Certification Procedure" by Information-technology Promotion Agency, Japan, and has met the specified assurance requirements. CRP-C0178-01 Notice: This document is the English translation version of the Certification Report published by the Certification Body of Japan Information Technology Security Evaluation and Certification Scheme. CRP-C0178-01 Table of Contents 1. Executive Summary ............................................................................... 1 1.1 Introduction ..................................................................................... 1 1.2 Evaluated Product ............................................................................ 1 1.2.1 Name of Product ......................................................................... 1 1.2.2 Product Overview ........................................................................ 1 1.2.3 Scope of TOE and Overview of Operation....................................... 1 1.2.4 TOE Functionality ....................................................................... 2 1.3 Conduct of Evaluation....................................................................... 5 1.4 Certificate of Evaluation .................................................................... 6 1.5 Overview of Report ............................................................................ 6 1.5.1 PP Conformance.......................................................................... 6 1.5.2 EAL ........................................................................................... 6 1.5.3 SOF ........................................................................................... 6 1.5.4 Security Functions ...................................................................... 6 1.5.5 Threat ........................................................................................ 7 1.5.6 Organisational Security Policy ..................................................... 7 1.5.7 Configuration Requirements ........................................................ 7 1.5.8 Assumptions for Operational Environment .................................... 7 1.5.9 Documents Attached to Product ................................................... 7 2. Conduct and Results of Evaluation by Evaluation Facility......................... 9 2.1 Evaluation Methods .......................................................................... 9 2.2 Overview of Evaluation Conducted ..................................................... 9 2.3 Product Testing ................................................................................ 9 2.3.1 Developer Testing........................................................................ 9 2.3.2 Evaluator Testing...................................................................... 11 2.4 Evaluation Result ........................................................................... 12 3. Conduct of Certification ....................................................................... 13 4. Conclusion.......................................................................................... 14 4.1 Certification Result ......................................................................... 14 4.2 Recommendations ........................................................................... 14 5. Glossary ............................................................................................. 15 6. Bibliography ....................................................................................... 16 CRP-C0178-01 1 1. Executive Summary 1.1 Introduction This Certification Report describes the content of certification result in relation to IT Security Evaluation of "[Japanese]e-STUDIO520/600/720/850,e-STUDIO523/6 03/723/853 System Software V2.0, [English] System Software for e-STUDIO520/60 0/720/850,e-STUDIO523/603/723/853 V2.0" (hereinafter referred to as "the TOE") conducted by Electronic Commerce Security Technology Laboratory Inc. Evaluatio n Center (hereinafter referred to as "Evaluation Facility"), and it reports to the sponsor, TOSHIBA TEC CORPORATION. The reader of the Certification Report is advised to read the corresponding ST and manuals (please refer to "1.5.9 Documents Attached to Product" for further details) attached to the TOE together with this report. The assumed environment, corresponding security objectives, security functional and assurance requirements needed for its implementation and their summary specifications are specifically described in ST. The operational conditions and functional specifications are also described in the document attached to the TOE. Note that the Certification Report presents the certification result based on assurance requirements conformed to the TOE, and does not certify individual IT product itself. Note: In this Certification Report, IT Security Evaluation Criteria and IT Security Evaluation Method prescribed by IT Security Evaluation and Certification Scheme are named CC and CEM, respectively. 1.2 Evaluated Product 1.2.1 Name of Product The target product by this Certificate is as follows: Name of Product: [Japanese] e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 System Software [English] System Software for e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 Version: V2.0 Developer: TOSHIBA TEC CORPORATION 1.2.2 Product Overview This product is the system software of the digital multi function device "e-STUDIO520/600/720/850, e-STUDIO523/603/723/853" (hereafter referred to collectively as the "MFP") manufactured by TOSHIBA TEC CORPORATION. The system software provides general functions as a MFP as well as the function of data overwrite and permanently erase on the user document data deleted from the e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 HDD. The function of data overwrite and permanently erase includes the function to collectively and completely delete all user document data from the HDD before the HDD is disposed or replaced. This function also prevents unauthorized restore of data. 1.2.3 Scope of TOE and Overview of Operation CRP-C0178-01 2 The TOE is the control software of MFP. Figure 1-2 depicts the relation to each part of MFP. As shown in Figure 1-1 below, MFP is used as a terminal to send/receive data to/from facsimiles, a terminal to send Email to Email servers, and a remote printer for remote PCs in network environments as well as they are installed in general offices as a standalone copier. Figure 1-1 Typical operating environment of the TOE The MFP is a digital copier which inputs, processes, and outputs user documents. Its output processes are copy, print, scan, and fax reception and fax transmission. After each process completes, user document data is deleted by the file delete function provided by the operation system, except for the cases when the MFP user stores his/her user document data stored in temporally area(*) in the HDD. User document data stored in temporally area in the HDD are managed by each MFP user based on importance and confidentiality of the user document data and deleted using the operation system's file delete function as necessary. *Caution) In this report, "e-Filing Box" and a shared folder are called temporally area in the HDD. 1.2.4 TOE Functionality The TOE has normal mode where MFP users operate these models in ordinary cases, and self-diagnostic mode where service engineers perform maintenance services. 1.2.4.1 Normal Mode Figure 1-2 shows the configuration of the MFP in normal mode. LAN Mail server PC PSTN FAX Internet CRP-C0178-01 3 Figure 1-2 Product Configuration in Normal Mode This section describes the functionality of the TOE. 1) Process of GP-1060 Installation Information This process checks whether or not the GP-1060 is installed. In order to make the MFP users aware that the Data Delete Function is available, the TOE name and TOE version are displayed on the LCD display of the control panel. 2) Copy process This process scans user document data using the scanner and writes the scanned data in the HDD work area. Then, this process reads the user document data in the work area and performs both or either of the following processes, "Outputs the user document data to the printer" and "Saves the user document data in the HDD temporary area specified by the MFP user" 3) Print process This process receives user document data from PC or reads a USB, and writes the data in the HDD work area. Then, this process reads the user document data in the work area and performs both or either of the following processes, "Outputs the user document data to the printer" and "Saves the user document data in the HDD temporary area specified by the MFP user. 4) Scan process This process scans user document data using the scanner and performs both or either of the following processes, "Saves the user document data in the HDD temporary area specified by the MFP user" and "Sends Email to a destination specified by the MFP user". 5) Fax transmission process This process scans user document data using the scanner and writes the scanned data in the HDD work area. Then, this process reads the user document data in the work area and sends the data TOE Storage for assets to be protected PSTN (FAX) GP-1060 Scanner e-STUDIO General Functions (Job Management) Data Erasing Function Printer LAN Line (PC) Initialization Processing (System Administration) Control Panel Display Overwrite Processing Registration of Overwrite Processing Copying Scanning Printing FAX Transmissi on FAX Reception Processing for e-Filing Box/ Processing GP-1060 installation information OS (VxWorks 5.5) User document data deleted HDD USB CRP-C0178-01 4 to facsimile(s). The data can also be saved in the HDD temporary area specified by the MFP user 6) Fax reception process This process receives user document data from a facsimile and writes the data in the HDD work area. Then, this process reads the user document data in the work area and performs both or either of the following processes, "Outputs the user document data to the printer" and "Saves the user document data in the HDD temporary area specified by the MFP user". 7) HDD temporary Data delete process This process deletes user document data saved in the HDD temporary area by operating the control panel or PC. 8) Data Overwrite allocation process (Security Function) - During each process of the MFP General Functions described above, this process allocates an area in the dustbox where user document data in the work area, deleted by the operation system's file delete function, is to be stored. - When user document data is saved in and deleted from an e-Filing Box or a shared folder in the HDD during Process (7) described above, this process allocates an area in the dustbox where the user document data, deleted by the operation system's file delete function, is to be stored. 9) Data Overwrite process (Security Function) User document data has been allocated in the dustbox and if any, overwrite the areas where the user document data has been allocated. While this process is being executed, the message "ERASING DATA" is displayed on the control panel. The MFP users must make sure that user document data has been permanently erased from the HDD by checking that the "ERASING DATA" message on the LCD display, if displayed on the control panel, has disappeared properly. The MFP users check the message on the LCD display when collecting printout from the MFP and confirm the area was overwritten. 1.2.4.2 Self-diagnostic Mode Figure 1-3 shows the configuration of the MFP in self-diagnostic mode. CRP-C0178-01 5 Figure 1-3 Product Configuration in Self-diagnostic Mode This section describes the functionality of the TOE. 1) Process of GP-1060 Installation Information This process checks whether or not the GP-1060 is installed. In order to make the MFP users aware that the Data Delete Function is available, the TOE name and TOE version are displayed on the LCD display of the control panel. 2) Forcible Data Overwrite process (Security Function) When HDD is disposed or replaced, this process overwrites all HDD areas where user document data are saved in the HDD temporary area. The service engineer operates forcible Data Overwrite function upon request from the MFP administrator. 1.3 Conduct of Evaluation Based on the IT Security Evaluation/Certification Program operated by the Certification Body, TOE functionality and its assurance requirements are being evaluated by evaluation facility in accordance with those publicized documents such as "IT Security Evaluation and Certification Scheme"[2], "IT Security Certification Procedure"[3] and "Evaluation Facility Approval Procedure"[4]. Scope of the evaluation is as follow. - Security design of the TOE shall be adequate; - Security functions of the TOE shall be satisfied with security functional requirements described in the security design; - This TOE shall be developed in accordance with the basic security design; - Above mentioned three items shall be evaluated in accordance with the CC Part 3 and CEM. More specific, the evaluation facility examined " GP-1060 Data Erasing Function Initialization Processing (System Administration) Control Panel Display Forcible Data Overwrite Processing GP-1060 installation information OS (VxWorks 5.5) e-Filing Box HDD Shared Folder TOE Storage for assets to be protected CRP-C0178-01 6 e-STUDIO520/600/720/850,e-STUDIO523/603/723/853 System Software Security Target " as the basis design of security functions for the TOE (hereinafter referred to as "the ST")[1], the evaluation deliverables in relation to development of the TOE and the development, manufacturing and shipping sites of the TOE. The evaluation facility evaluated if the TOE is satisfied both Annex B of CC Part 1 (either of [5], [8] or [11]) and Functional Requirements of CC Part 2 (either of [6], [9] or [12]) and also evaluated if the development, manufacturing and shipping environments for the TOE is also satisfied with Assurance Requirements of CC Part 3 (either of [7], [10] or [13]) as its rationale. Such evaluation procedure and its result are presented in "e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 System Software V2.0, System Software for e-STUDIO520/600/720/850,e-STUDIO523/603/723/853 V2.0 Evaluation Technical Report" (hereinafter referred to as "the Evaluation Technical Report") [17]. Further, evaluation methodology should comply with the CEM (either of [14], [15] or [16]). 1.4 Certification The Certification Body verifies the Evaluation Technical Report and Observation Report prepared by the evaluation facility and evaluation evidence materials, and confirmed that the TOE evaluation is conducted in accordance with the prescribed procedure. Certification review is also prepared for those concerns found in the certification process. Evaluation is completed with the Evaluation Technical Report dated 2008-07 submitted by the evaluation facility and those problems pointed out by the Certification Body are fully resolved and confirmed that the TOE evaluation is appropriately conducted in accordance with CC and CEM. The Certification Body prepared this Certification Report based on the Evaluation Technical Report submitted by the evaluation facility and concluded fully certification activities. 1.5 Overview of Report 1.5.1 PP Conformance There is no PP to be conformed. 1.5.2 EAL Evaluation Assurance Level of TOE defined by this ST is EAL3 conformance. 1.5.3 SOF This ST claims "SOF-basic" as its minimum strength of function. Although this TOE is utilized by being installed at generic offices and it is assumed that attackers' attack capabilities are low. For this reason, the appropriate minimum SOF is SOF-basic. 1.5.4 Security Functions Security functions of the TOE are as follow. SF.TEMPDATA_OVERWRITE - In normal mode, register an area in the dustbox where user document data, deleted from the HDD, is to be stored. - Completely overwrite the registered areas in the dustbox where the user document CRP-C0178-01 7 data, deleted from the HDD, is stored. Deleting is executed, according to DoD5220.22-M.(0x00Fill+0xFF Fill+ random number and Fill + verification) SF.STOREDATA_OVERWRITE - In self-diagnostic mode, collectively and completely overwrite all areas of the HDD. Deleting is executed, according to DoD5220.22-M.(0x00Fill+0xFF Fill+ random number and Fill+ verification) 1.5.5 Threat This TOE assumes such threats presented in Table 1-1 and provides functions for countermeasure to them. Table 1-1 Assumed Threats Identifier Threat T.TEMPDATA_ACCESS By using commercially available tools and by means of reverse engineering of the areas where residual user document data remains, a malicious MFP user or non-privileged user may attempt to recover or decode user document data, deleted from the HDD of the MFP by the operation system's file delete function. T.STOREDATA_ACCESS Using commercially available tools, a malicious MFP user or non-privileged user may attempt to recover or decode the areas in the HDD of the MFP where user document data, all of which were deleted by the operation system's file delete function, still remain. 1.5.6 Organisational Security Policy There are no organizational security policies required for using the TOE. 1.5.7 Configuration Requirements This TOE is the System Software installed on the TOSHIBA TEC CORPORATION 's digital copier. This operating environment of the TOE is indicated below. - Installing on e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 with GP-1060. - For Printer Driver, e-STUDIO850 Series Printer Driver Version 4.4.63.0 is utilized. - For Fax Driver, e-STUDIO850 Series N/W-Fax Driver Version 2.1.8 is utilized. - For Browser, InternetExplorer ver6.0 sp1 or Firefox ver2.0.0.14 is utilized. - For Mailer, AL-MaiL32 Version1.13 or Thunderbird ver2.0.0.14 is utilized. - For WIA Scan Driver Application, Windows FAX and Scan Version 6.0 are utilized. 1.5.8 Assumptions for Operational Environment No assumptions required in environment using this TOE presents. 1.5.9 Documents Attached to Product Documents attached to the TOE (Japanese Version) are listed below. - e-STUDIO600/720/850 Quick Start Guide, OMJ070096A0 01 CRP-C0178-01 8 - Data Overwrite Kit(Operator's Manual in six languages), OME050034C0 03 - Operator's Manual , OMJ040119F0 06 - Operator's Manual, OMJ040121E0 05 - GD-1170 Operator's Manual, OMJ050013C0 03 - Printing Guide, OMJ050004F06 03 - Filing Box Guide, OMJ07010700 00 - TopAccess Guide, OMJ07010400 00 - Network Management Guide, OMJ050010C0 03 - Network Fax Guide, OMJ07010000 03 - Scan Guide, OMJ07011000 00 Documents attached to the TOE (English Version) are listed below. - e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 Quick Start Guide, OME070095A0 02 - Data Overwrite Kit (Operator's Manuals in six languages), OMM050045C0 03 - Operator's Manual for Basic Function (North America), OME040117C0 07 - Operator's Manual for Basic Function (Europe), OME040118G0 07 - Operator's Manual for Basic Function (Asia), OME050093E0 05 - User Functions Guide, OME040120E0 05 - GD-1170 Operator's Manual for Facsimile Function, OME050083B0 02 - Printing Guide, OME050003E0 05 - e-Filing Guide, OME07010600 00 - TopAccess Guide, OME07010300 00 - Network Administration Guide, OME050009B0 02 - Network Fax Guide, OME070097000 00 - Scanning Guide, OME07010900 00 CRP-C0178-01 9 2. Conduct and Results of Evaluation by Evaluation Facility 2.1 Evaluation Methods Evaluation was conducted by using the evaluation methods prescribed in CEM in accordance with the assurance requirements in CC Part 3. Details for evaluation activities are report in the Evaluation Technical Report. It described the description of overview of the TOE, and the contents and verdict evaluated by each work unit prescribed in CEM. 2.2 Overview of Evaluation Conducted The history of evaluation conducted was present in the Evaluation Technical Report as follows. Evaluation has started on 2008-02 and concluded by completion the Evaluation Technical Report dated 2008-07. The evaluation facility received a full set of evaluation deliverables necessary for evaluation provided by developer, and examined the evidences in relation to a series of evaluation conducted. Additionally, the evaluation facility directly visited the development and manufacturing sites on 2005-10,2005-11 and 2006-01 and examined procedural status conducted in relation to each work unit for configuration management, delivery and operation and lifecycle by investigating records and staff hearing. Further, the evaluation facility executed sampling check of conducted testing by developer and evaluator testing by using developer testing environment at developer site on 2008-05. Concerns found in evaluation activities for each work unit were all issued as Observation Report and were reported to developer. These concerns were reviewed by developer and all problems were solved eventually. As for concerns indicated during evaluation process by the Certification Body, the certification review was sent to the evaluation facility. These were reflected to evaluation after investigation conducted by the evaluation facility and the developer. 2.3 Product Testing Overview of developer testing evaluated by evaluator and evaluator testing conducted by evaluator are as follows. 2.3.1 Developer Testing 1) Developer Test Environment Test configuration performed by the developer is showed in the Table 2-1. CRP-C0178-01 10 Table 2-1: Developer test configuration TOE Version Item Japanese English ROM T390SY0J329 T390SY0U329, T390SY0E329 System Software VTR58.900 VTR58.900 TOE V2.0 UI data frame V0310.000 0 V0310.000 0 Equipments Specification Digital Multi Function Peripheral (MFP) e-STUDIO850 Option of MFP GP-1060 PC for the tests OptiPlex GX100(DELL), OPTIPLEX 350(DELL) Mail server SuperMicro 5013C-MT Model P4SCT+ Circuit board for debug, Serial cable Circuit board for serial communications connecting with logic circuit board of digital multifunction peripheral 6LA70328000 PWB-F-SERIAL-IF-360 and DSUB9 pin serial cross cable FAX e-STUDIO350 with SuperG3 FAX telephone exchange emulator EXCEL7000 Equipments Specification WIA Scan Driver Application Windows FAX and Scan Version 6.0 (included in Windows Vista) Mailer AL-MaiL32 Version1.13 Web Browser Microsoft Internet Explorer Version 6.0 Service Pack 1 Printer Driver e-STUDIO850 Series Printer Driver Version 4.4.63.0 Fax Driver e-STUDIO850 Serires N/W-Fax Driver Version 2.1.8 2) Outlining of Developer Testing Outlining of the testing performed by the developer is as follow. a. Test configuration Developer testing was performed at the same TOE testing environment with the TOE configuration identified in ST. b. Testing Approach For the testing, following approach was used. (1) Operation from Operation Panel + Monitoring of Programming Status Confirming Key inputting operation on Operation Panel and Content of Display, attaching special Hardware(JIG) to print board inside Product which CRP-C0178-01 11 is communicated in RS232C(Serial Communication) is connected to PC. Only Developer can construct it, and it provides various functions for an analyze and it is possible to monitor the programming status. File making into HDD, and File transforming, Overwriting Operation can be confirmed. (2) Operation from Remote PC + Monitoring of Programming Status Confirming operation from WEB Browser on Remote PC, or the result of receiving FAX or E-mail. Additionally, attaching special Hardware(JIG) to print board inside Product which is communicated in RS232C(Serial Communication) is connected to PC. Only Developer can construct it, and it provides various functions for an analyze and it is possible to monitor the programming status. File making into HDD, and File transforming, Overwriting Operation can be confirmed. c. Scope of Testing Performed Testing is performed about 105 items by the developer. A coverage analysis was performed and verified that the security functions and external interfaces described in the functional specification have been all tested. A depth analysis was performed and verified that the subsystems and subsystem interfaces described in the high-level design have been all thoroughly tested. d. Result The developer testing results provide evidence that the expected test results match the actual test results. The evaluator confirmed the legitimacy of the developer testing approach and tested items, and consistencies between the testing approaches described in the test plan and the actual test results. 2.3.2 Evaluator Testing 1) Evaluator Test Environment The evaluator used the same test configuration as the test configuration used by the developer, plus an additional tool for penetration testing against the developer test configuration. - Thunderbird 2.0.0.14 as for Mailer - Firefox 2.0.0.14 as for Web Browser - Nmap 4.65.0.0 as for Tool utilizing in penetration test 2) Outlining of Evaluator Testing Outlining of testing performed by the evaluator is as follow. a. Test configuration Evaluator testing was performed at the same TOE testing environment with the TOE configuration identified in ST. b. Testing Approach The same testing approaches as those of the developer testing were used. c. Scope of Testing Performed CRP-C0178-01 12 The evaluator performed a total of 31 test items, 6 test items uniquely devised by the evaluator and 25 test items by sampling the developer testing. The test items performed by the evaluator took the following into account. (1) Covering all scenarios including the test items of the developer testing. (2) Including one more tests in the test items for each interface at least. The penetration testing comprised 4 tests to confirm that there were no publicly-known vulnerabilities that the developer was not considering existed. d. Result The evaluator successfully completed all the tests and observed the behavior of the TOE security functions. The evaluator confirmed that the actual test results match the expected test results, and that there are no obvious exploitable vulnerabilities in the TOE. 2.4 Evaluation Result The evaluator had the conclusion that the TOE satisfies all work units prescribed in CEM by submitting the Evaluation Technical Report. CRP-C0178-01 13 3. Conduct of Certification The following certification was conducted based on each materials submitted by evaluation facility during evaluation process. 1. Contents pointed out in the Observation Report shall be adequate. 2. Contents pointed out in the Observation Report shall properly be reflected. 3. Evidential materials submitted were sampled, its contents were examined, and related work units shall be evaluated as presented in the Evaluation Technical Report. 4. Rationale of evaluation verdict by the evaluator presented in the Evaluation Technical Report shall be adequate. 5. The Evaluator's evaluation methodology presented in the Evaluation Technical Report shall conform to the CEM. Concerns found in certification process were prepared as certification review, which were sent to evaluation facility. The Certification Body confirmed such concerns pointed out in Observation Report and certification review were solved in the ST and the Evaluation Technical Report. CRP-C0178-01 14 4. Conclusion 4.1 Certification Result The Certification Body verified the Evaluation Technical Report, the Observation Report and the related evaluation evidential materials submitted and confirmed that all evaluator action elements required in CC Part 3 are conducted appropriately to the TOE. The Certification Body verified the TOE is satisfied the EAL3 assurance requirements prescribed in CC Part 3. 4.2 Recommendations None CRP-C0178-01 15 5. Glossary The abbreviations used in this report are listed below. CC: Common Criteria for Information Technology Security Evaluation CEM: Common Methodology for Information Technology Security Evaluation EAL: Evaluation Assurance Level PP: Protection Profile SOF: Strength of Function ST: Security Target TOE: Target of Evaluation TSF: TOE Security Functions The glossaries used in this report are listed below. MFP (Multi Function Peripherals): Digital copier: A single multi-functional peripheral device which integrates several functions such as copy, print, and fax. e-STUDIO: MFPs where the TOE is installed, i.e., e-STUDIO520/600/720/850, e-STUDIO523/603/723/853. HDD: Hard Disk Drive User document data: e-STUDIO user's document data digitized utilizing the e-STUDIO General Functions. Note that data received by the e-STUDIO using its fax function is not user document data of the e-STUDIO users but the data of a person who has sent it. e-Filing Box, Shared folder: A temporary area where the e-STUDIO users stores and refers their user document data. The e-STUDIO users delete user document data stored themselves. Such user document data is automatically deleted from an area after a specified effective period expires and this data is no longer recognized as assets to be protected. GP-1060: A product installed in the e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 to enable the Data Overwrite Function, a security function of the System Software Users: Users who utilize the e-STUDIO General Functions Administrators: Administrators make each setting of the e-STUDIO General Functions (including copy, network, and fax settings) and ask service engineers to execute the forcible Data Overwrite function to the HDD. Service Engineers: Service engineers perform service maintenance operations such as installation of the e-STUDIO (including installation of the GP-1060). CRP-C0178-01 16 6. Bibliography [1] e-STUDIO520/600/720/850,e-STUDIO523/603/723/853 System Software Security Target Version 3.3 (22 July,2008) TOSHIBA TEC CORPORATION [2] IT Security Evaluation and Certification Scheme, May 2007, Information-technology Promotion Agency, Japan CCS-01 [3] IT Security Certification Procedure, May 2007, Information-technology Promotion Agency, Japan CCM-02 [4] Evaluation Facility Approval Procedure, May 2007, Information-technology Promotion Agency, Japan CCM-03 [5] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.3 August 2005 CCMB-2005-08-001 [6] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements Version 2.3 August 2005 CCMB-2005-08-002 [7] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements Version 2.3 August 2005 CCMB-2005-08-003 [8] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Version 2.3 August 2005 CCMB-2005-08-001 (Translation Version 1.0 December 2005) [9] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements Version 2.3 August 2005 CCMB-2005-08-002 (Translation Version 1.0 December 2005) [10] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements Version 2.3 August 2005 CCMB-2005-08-003 (Translation Version 1.0 December 2005) [11] ISO/IEC 15408-1:2005 - Information Technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model [12] ISO/IEC 15408-2:2005 - Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements [13] ISO/IEC 15408-3:2005 - Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements [14] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology Version 2.3 August 2005 CCMB-2005-08-004 [15] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology Version 2.3 August 2005 CCMB-2005-08-004 (Translation Version 1.0 December 2005) [16] ISO/IEC 18045:2005 Information technology - Security techniques - Methodology for IT security evaluation [17] e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 System Software V2.0, CRP-C0178-01 17 System Software for e-STUDIO520/600/720/850,e-STUDIO523/603/723/853 V2.0 Evaluation Technical Report Version 1.1, July 24, 2008, Electronic Commerce Security Technology Laboratory Inc. Evaluation Center 1/2 Issue Date: 2012-08-17 Document No.: SRP-C0178-01 This is to report that surveillance has been conducted on the following Target of Evaluation (hereinafter referred to as “TOE”), based on IT Security Certification Procedure (CCM-02) 8.1. It is recommended to use as a reference along with the Certification Report. TOE: Certification No. C0178 Sponsor TOSHIBA TEC CORPORATION Name of the TOE [Japanese] e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 System Software [English] System Software for e-STUDIO520/600/720/850, e-STUDIO523/603/723/853 Version of the TOE V2.0 PP Conformance None Assurance Package EAL3 Developer TOSHIBA TEC CORPORATION Evaluation Facility Electronic Commerce Security Technology Laboratory Inc. Evaluation Center Surveillance Number: JISEC-SV12-001 Report on Surveillance Conducted:  Surveillance Result In regard to this surveillance, it is confirmed by the Evaluation Facility that consumers are able to safely use the TOE; therefore, it is concluded that the certification of this TOE is maintained.  Surveillance Summary As for the contents of the following “Announcement”, which was released by the developer regarding this TOE, surveillance has been conducted from 2012-04 to 2012-07 in order to determine whether it is appropriate to maintain its certification. http://www.toshibatec.co.jp/page.jsp?id=2330 Surveillance Report 2/2 According to the “Announcement”, there is a possibility that the administrator page of the web-based management utility “TopAccess” site could be accessed without passwords by using the released vulnerability. As a result of surveillance, it was verified in the previous evaluation under the responsibility of the Evaluation Facility that the access to the administrator page of “TopAccess” does not affect the security functions of the TOE. The details are described as follows; From the administrator page of “TopAccess”, it is possible to change the time and date of MFP clock as well as the expiration date for storing user document data, etc. The previous evaluation did not examine whether it is possible to change those by using the released vulnerability when accessing the administrator page of “TopAccess”. Although the TOE has a function to automatically delete the stored user document data after passing the expiration date, it specifies that the residual data after being deleted is no longer recognized as an asset to be protected. As with other functions which can be used from the administrator page of “TopAccess”, it is reported that the previous evaluation by the Evaluation Facility verified there was no effect on the security functions of the Target of Evaluation. Translation notes: English information can be found at: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1239