Copyright (c) 2024 RICOH COMPANY, LTD. All rights reserved.

RICOH IM 7000/8000/9000, SAVIN IM 7000/8000/9000, LANIER IM 7000/8000/9000, nashuatec IM 7000/8000/9000, Rex Rotary IM 7000/8000/9000, Gestetner IM 7000/8000/9000 Security Target

Author: RICOH COMPANY, LTD.
Date: 2024-1-22
Version: 2.00

Portions of RICOH IM 7000/8000/9000, SAVIN IM 7000/8000/9000, LANIER IM 7000/8000/9000, nashuatec IM 7000/8000/9000, Rex Rotary IM 7000/8000/9000, Gestetner IM 7000/8000/9000 Security Target are reprinted with written permission from IEEE, 445 Hoes Lane, Piscataway, New Jersey 08855, from U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std 2600.2™-2009), Copyright © 2010 IEEE. All rights reserved.

Table of Contents

1 ST Introduction ... 6
1.1 ST Reference ... 6
1.2 TOE Reference ... 6
1.3 TOE Overview ... 12
1.3.1 TOE Type ... 12
1.3.2 TOE Usage and Major Security Functions of TOE ... 12
1.3.3 Hardware and Software Other than TOE That Is Necessary for the TOE ... 13
1.4 TOE Description ... 14
1.4.1 Physical Boundary of TOE ... 14
1.4.2 Logical Boundary of TOE ... 22
1.4.2.1 Basic Functions ... 22
1.4.2.2 Security Function ... 24
2 Conformance Claim ... 27
2.1 CC Conformance Claim ... 27
2.2 PP Claims ... 27
2.3 Package Claims ... 27
2.4 Conformance Claim Rationale ... 28
2.4.1 Consistency Claim with TOE Type in PP ... 28
2.4.2 Consistency Claim with Security Problems and Security Objectives in PP ... 28
2.4.3 Consistency Claim with Security Requirements in PP ... 29
3 Security Problem Definitions ... 31
3.1 Definition of Users ... 31
3.2 Assets ... 31
3.2.1 User Data ... 32
3.2.2 TSF Data ... 32
3.3 Threats ... 34
3.4 Organisational Security Policies ... 34
3.5 Assumptions ... 35
4 Security Objectives ... 36
4.1 Security Objectives for TOE ... 36
4.2 Security Objectives for Operational Environment ... 37
4.2.1 IT Environment ... 37
4.2.2 Non-IT Environment ... 37
4.3 Security Objectives Rationale ... 39
4.3.1 Correspondence Table of Security Objectives ... 39
4.3.2 Security Objectives Descriptions ... 40
5 Extended Components Definition ... 43
5.1 Restricted forwarding of data to external interfaces (FPT_FDI_EXP) ... 43
6 Security Requirements ... 45
6.1 Security Functional Requirements ... 48
6.1.1 Class FAU: Security audit ... 48
6.1.1.1 FAU_GEN.1 Audit data generation ... 48
6.1.1.2 FAU_GEN.2 User identity association ... 50
6.1.1.3 FAU_STG.1 Protected audit trail storage ... 50
6.1.1.4 FAU_STG.4 Prevention of audit data loss ... 50
6.1.1.5 FAU_SAR.1 Audit review ... 50
6.1.1.6 FAU_SAR.2 Restricted audit review ... 50
6.1.2 Class FDP: User data protection ... 50
6.1.2.1 FDP_ACC.1(a) Subset access control ... 50
6.1.2.2 FDP_ACC.1(b) Subset access control ... 51
6.1.2.3 FDP_ACF.1(a) Security attribute based access control ... 51
6.1.2.4 FDP_ACF.1(b) Security attribute based access control ... 54
6.1.2.5 FDP_RIP.1 Subset residual information protection ... 55
6.1.3 Class FIA: Identification and authentication ... 56
6.1.3.1 FIA_AFL.1 Authentication failure handling ... 56
6.1.3.2 FIA_ATD.1 User attribute definition ... 56
6.1.3.3 FIA_SOS.1 Verification of secrets ... 57
6.1.3.4 FIA_UAU.1 Timing of authentication ... 57
6.1.3.5 FIA_UAU.7 Protected authentication feedback ... 57
6.1.3.6 FIA_UID.1 Timing of identification ... 57
6.1.3.7 FIA_USB.1 User-subject binding ... 58
6.1.4 Class FMT: Security management ... 58
6.1.4.1 FMT_MOF.1 Management of security functions behaviour ... 58
6.1.4.2 FMT_MSA.1(a) Management of security attributes ... 58
6.1.4.3 FMT_MSA.1(b) Management of security attributes ... 59
6.1.4.4 FMT_MSA.3(a) Static attribute initialisation ... 60
6.1.4.5 FMT_MSA.3(b) Static attribute initialisation ... 60
6.1.4.6 FMT_MTD.1(a) Management of TSF data ... 61
6.1.4.7 FMT_MTD.1(b) Management of TSF data ... 61
6.1.4.8 FMT_SMF.1 Specification of Management Functions ... 62
6.1.4.9 FMT_SMR.1 Security roles ... 62
6.1.5 Class FPT: Protection of the TSF ... 63
6.1.5.1 FPT_STM.1 Reliable time stamps ... 63
6.1.5.2 FPT_TST.1 TSF testing ... 63
6.1.5.3 FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces ... 63
6.1.6 Class FTA: TOE access ... 63
6.1.6.1 FTA_SSL.3 TSF-initiated termination ... 63
6.1.7 Class FTP: Trusted path/channels ... 63
6.1.7.1 FTP_ITC.1 Inter-TSF trusted channel ... 63
6.2 Security Assurance Requirements ... 64
6.3 Security Requirements Rationale ... 65
6.3.1 Tracing ... 65
6.3.2 Justification of Traceability ... 66
6.3.3 Dependency Analysis ... 72
6.3.4 Security Assurance Requirements Rationale ... 74
7 TOE Summary Specification ... 75
7.1 Audit Function ... 75
7.2 Identification and Authentication Function ... 78
7.3 Document Access Control Function ... 80
7.4 Use-of-Feature Restriction Function ... 86
7.5 Network Protection Function ... 86
7.6 Residual Data Overwrite Function ... 87
7.7 Security Management Function ... 88
7.8 Integrity Verification Function ... 93
7.9 Fax Line Separation Function ... 94
8 Glossary ... 95

List of Figures

Figure 1: Example of TOE Environment ... 13
Figure 2: Logical Boundary of the TOE ... 22

List of Tables

Table 1: Product Name and Model Code of the Target MFP ... 7
Table 2: Product Names of the Optional Products ... 7
Table 3: Combinations of Target MFP and Optional Products ... 7
Table 4: Version and Part Number of Software and Hardware for Version E-2.00 ... 8
Table 5: Combinations to be Delivered ... 15
Table 6: Guidance Documents for [English Version-1] ... 16
Table 7: Guidance Documents for [English Version-2] ... 18
Table 8: Guidance Documents for [English Version-3] ... 20
Table 9: Package Reference ... 27
Table 10: Definition of Users ... 31
Table 11: Asset Categories ... 32
Table 12: Definitions of User Data ... 32
Table 13: TSF Data Categories ... 32
Table 14: Definitions of TSF Data ... 32
Table 15: Rationale for Security Objectives ... 39
Table 16: Terms Used in Section 6 ... 45
Table 17: List of Auditable Events ... 49
Table 18: List of Subjects, Objects, and Operations among Subjects and Objects (a) ... 51
Table 19: List of Subjects, Objects, and Operations among Subjects and Objects (b) ... 51
Table 20: Subjects, Objects and Security Attributes (a) ... 51
Table 21: Rules to Control Operations on Document Data and User Job Data (a) ... 52
Table 22: Rules to Authorise Operations on Document Data and User Job Data (a) ... 53
Table 23: Rules to Deny Operations on Document Data and User Job Data (a) ... 54
Table 24: Subjects, Objects and Security Attributes (b) ... 55
Table 25: Rule to Control Operations on MFP Applications (b) ... 55
Table 26: List of Authentication Events ... 56
Table 27: List of Actions for Authentication Failure ... 56
Table 28: User Roles for Security Attributes (a) ... 58
Table 29: User Roles for Security Attributes (b) ... 59
Table 30: Authorised Identified Roles Allowed to Overwrite Default Values ... 60
Table 31: List of TSF Data ... 61
Table 32: List of TSF Data ... 62
Table 33: List of Specification of Management Functions ... 62
Table 34: TOE Security Assurance Requirements (EAL2+ALC_FLR.2) ... 64
Table 35: Correspondence of Security Objectives and Functional Requirements ... 65
Table 36: Results of Dependency Analysis of TOE Security Functional Requirements ... 72
Table 37: List of Audit Events ... 75
Table 38: List of Audit Log Items ... 76
Table 39: Unlocking Administrators for Each User Role ... 79
Table 40: Access Control Rules for Document Data ... 81
Table 41: Normal User Operations for Document Data ... 82
Table 42: MFP Administrator Operations for Document Data ... 84
Table 43: Encrypted Communications Provided by the TOE ... 87
Table 44: Management of TSF Data ... 88
Table 45: List of Static Initialisation for Security Attributes ... 90
Table 46: Security Attributes for Each Case of Document Data Generation ... 91
Table 47: Specific Terms Related to This ST ... 95

1 ST Introduction

This section describes the ST Reference, TOE Reference, TOE Overview and TOE Description.

1.1 ST Reference

The following is the identification information of this ST.
Title: RICOH IM 7000/8000/9000, SAVIN IM 7000/8000/9000, LANIER IM 7000/8000/9000, nashuatec IM 7000/8000/9000, Rex Rotary IM 7000/8000/9000, Gestetner IM 7000/8000/9000 Security Target
Version: 2.00
Date: 2024-1-22
Author: RICOH COMPANY, LTD.

1.2 TOE Reference

The identification information of the TOE, whose TOE type is digital multifunction product (hereinafter "MFP"), is shown below.

TOE Names: RICOH IM 7000/8000/9000, SAVIN IM 7000/8000/9000, LANIER IM 7000/8000/9000, nashuatec IM 7000/8000/9000, Rex Rotary IM 7000/8000/9000, Gestetner IM 7000/8000/9000
Version: E-2.00

This TOE consists of the target MFP, with its installed software and hardware, combined with the optional products installed to configure the TOE. The target MFPs shown in Table 1 are the products for the overseas market, and are identified by product name and model code.

Table 1: Product Name and Model Code of the Target MFP

No. | Product Name | Model Code
1 | IM 7000 | D0CZ-57
2 | IM 7000 | D0CZ-68
3 | IM 7000 | D0CZ-69
4 | IM 8000 | D0D0-57
5 | IM 8000 | D0D0-68
6 | IM 8000 | D0D0-69
7 | IM 9000 | D0D1-57
8 | IM 9000 | D0D1-68
9 | IM 9000 | D0D1-69

The target optional products are shown in Table 2, and are identified by product name.

Table 2: Product Names of the Optional Products

No. | Optional Product | Product Name
1 | Fax Controller Unit | Fax Option Type M44

Table 3 shows the combinations of the target MFP and the optional product that together form the TOE. The optional Fax Controller Unit must be installed on the target MFP.

Table 3: Combinations of Target MFP and Optional Products

No. | MFP Product Name | MFP Model Code | Optional Product Name
1 | IM 7000 | D0CZ-57 | Fax Option Type M44
2 | IM 7000 | D0CZ-68 | Fax Option Type M44
3 | IM 7000 | D0CZ-69 | Fax Option Type M44
4 | IM 8000 | D0D0-57 | Fax Option Type M44
5 | IM 8000 | D0D0-68 | Fax Option Type M44
6 | IM 8000 | D0D0-69 | Fax Option Type M44
7 | IM 9000 | D0D1-57 | Fax Option Type M44
8 | IM 9000 | D0D1-68 | Fax Option Type M44
9 | IM 9000 | D0D1-69 | Fax Option Type M44

Table 4 shows the identification information (versions and part numbers) of the software and hardware installed in these MFPs. Software is identified by name, version, and part number; Keymicon, however, is identified by name and version only. Hardware is identified by name and version.

Table 4: Version and Part Number of Software and Hardware for Version E-2.00

Name of Software and Hardware for the MFP | Version | Part Number

Software:
System/Copy | 7.38.1 | D0D15540M
Network Support | 19.55.1 | D0D15552L
Web Support | 3.02 | D0D15548N
OSS Info | 6.00 | D0D15583F
Fax | 07.38.00 | D0D15544F
RemoteFax | 07.38.00 | D0D15545E
Scanner | 7.01 | D0D15547J
Web Uapl | 3.01 | D0D15549G
NetworkDocBox | 7.38 | D0D15550H
animation | 2.00 | D0D15551E
Printer | 7.38.1 | D0D15554H
RPCS | 3.24.5 | D0D15556A
Font EXP | 1.00 | D2415581
PCL | 1.02 | D0D15557D
IRIPS PS3 | 1.00 | D0D15563A
IRIPS PDF | 1.04 | D0D15560E
IRIPS Font | 1.20 | D0CN5783
GraphicData | 1.01 | D0D15565C
MovieData | 1.00 | D0D15566B
MovieData2 | 1.00 | D0D15567B
MovieData3 | 1.00 | D0D15568B
HelpData | 0.04 | D0D15569B
Data Erase Onb | 1.05 | D2625244
GWFCU3.8-25(WW) (*1) | 09.00.00 (*1) | D0CN5755J (*1)
PowerSaving Sys | F.L3.25 | D0D15543
CheetahSystem | 7.38.1 | D0D11494K
appsite | 3.05.03 | D0D11471C
bleservice | 1.02 | D0D11463B
camelsl | 2.04 | D0D11497C
cispluginble | 4.0.1 | D0D11476
cispluginkeystr | 3.03.01 | D0D11475A
cispluginnfc | 3.03.01 | D0D11474A
decolet | 3.01.00 | D0D11453B
devicemanagemen | 1.02.02 | D0D11530B
ecoinfo | 1.02 | D0D11459B
faxinfo | 1.02 | D0D11457B
helpservice | 1.03 | D0D11482C
iccd | 3.10.00 | D0D11473D
introductionset | 3.00 | D0D11478D
iwnnimelanguage | 2.8.2 | D0BQ1456A
iwnnimelanguage | 2.8.2 | D0BQ1454A
iwnnimelanguage | 2.8.2 | D0BQ1455A
iwnnimeml | 2.8.201 | D0BQ1453C
kerberos | 1.08.07 | D0D11481D
langswitcher | 1.01 | D0D11455A
mediaappappui | 1.02 | D0D11469B
mlpsmartdevicec | 4.1.5 | D0D11454B
multidevicehub | 1.00 | D0D11492
optimorurcmf | 1.1 | D0BQ1499B
programinfoserv | 1.01 | D0D11464A
remotesupport | 2.04 | D0D11498B
rsisetup | 1.0.22 | D0D11531A
simpleauth | 3.08.00 | D0D11452B
simpledirectcon | 1.22 | D0D11477A
simpleprinter | 1.03 | D0D11465C
smartcopy | 1.04 | D0D11466D
smartdocumentbo | 1.04 | D0D11532D
smartfax | 1.06 | D0D11468E
smartprtstoredj | 1.03 | D0D11470C
smartscanner | 1.04 | D0D11467D
smartscannerex | 2.10 | D0D11480B
stopwidget | 1.01 | D0D11458A
tonerstate | 1.02 | D0D11456B
traywidget | 1.02 | D0D11472B
voicecontrolser | 1.00 | D0D11496
Engine | 1.08:01 | D0CZ5127H
ADF | 01.060:02 | D3HA5260E

Hardware:
Ic Ctlr | 03 | No display
Ic Key | 01024704 | No display

(*1): Software for the Fax Controller Unit

Name of Software for the Operation Panel | Version | Part Number

Software:
Firmware | 7.38.1 | D0D11494K
Keymicon | 9.10 | No display
Application Site | 3.05.03 | D0D11471C
Bluetooth Authentication Plugin | 4.0.1 | D0D11476
BluetoothService | 1.02 | D0D11463B
Change Languages | 1.01 | D0D11455A
Cloud Settings | 1.0.22 | D0D11531A
Copy | 1.04 | D0D11466D
CSPF | 3.01.00 | D0D11453B
DeviceManagemantService | 1.02.02 | D0D11530B
Direct Connection | 1.22 | D0D11477A
Document Server | 1.04 | D0D11532D
Eco-friendly | 1.02 | D0D11459B
Fax | 1.06 | D0D11468E
Fax RX File | 1.02 | D0D11457B
GraphicData | 1.01 | D0D15565C
ICCardDispatcher | 3.10.00 | D0D11473D
Installation Settings | 3.00 | D0D11478D
iWnn IME | 2.8.201 | D0BQ1453C
iWnn IME Korean Pack | 2.8.2 | D0BQ1456A
iWnn IME Simplified Chinese Pack | 2.8.2 | D0BQ1454A
iWnn IME Traditional Chinese Pack | 2.8.2 | D0BQ1455A
KerberosService | 1.08.07 | D0D11481D
LegacyUIData | 2.00 | D0D15551E
Multi Device Hub | 1.00 | D0D11492
Print/Scan (Memory Storage Device) | 1.02 | D0D11469B
Printer | 1.03 | D0D11465C
ProgramInfoService | 1.01 | D0D11464A
Proximity Card Reader Support Plugin | 3.03.01 | D0D11475A
Quick Card Authentication Config. | 3.08.00 | D0D11452B
Quick Print Release | 1.03 | D0D11470C
Remote Panel Operation | 2.04 | D0D11497C
RemoteConnect Support | 1.1 | D0BQ1499B
RemoteSupportService | 2.04 | D0D11498B
RicohScanGUIService | 2.10 | D0D11480B
Scanner | 1.04 | D0D11467D
Smart Device Connector | 4.1.5 | D0D11454B
Standard IC Card Plugin | 3.03.01 | D0D11474A
Stop | 1.01 | D0D11458A
Supply Information | 1.02 | D0D11456B
Support Settings | 1.03 | D0D11482C
Tray/Remaining Paper | 1.02 | D0D11472B
VoiceControlService | 1.00 | D0D11496

Make clear to the sales representative that you are purchasing the MFP as a CC-certified product.

1.3 TOE Overview

This section defines the TOE Type, and the TOE Usage and Major Security Functions of the TOE.

1.3.1 TOE Type

This TOE is an MFP, which is an IT product that has Copy Function, Document Server Function, Printer Function, Scanner Function, and Fax Function.
1.3.2 TOE Usage and Major Security Functions of TOE

The TOE is an MFP that is assumed to be installed in an office and used in an environment where it is connected to a telephone line and to the LAN, as shown in Figure 1. The user uses each function (Copy Function, Document Server Function, Printer Function, Scanner Function, and Fax Function) by operating the MFP from its Operation Panel or from a client computer connected via the LAN.

Security Functions, such as Identification and Authentication, Access Control, Use-of-Feature Restriction, Residual Data Overwrite, and encrypted communication functions, are provided to prevent disclosure or alteration of assets, including document data handled by the TOE and setting information related to the Security Functions, through unauthorised access to the TOE or to communication data on the network. The TOE also provides a function to prevent unauthorised intrusion from the telephone line into the LAN. Events that occur on the TOE are recorded in the audit log, which the MFP administrator can review, and the MFP administrator can use the management functions from the Operation Panel or from a client computer. In addition, the TOE verifies the integrity of its software configuration.

The Stored Data Protection Function, which encrypts data written to the HDD, is not included in the Security Functions to be evaluated.

Figure 1: Example of TOE Environment

1.3.3 Hardware and Software Other than TOE That Is Necessary for the TOE

The following describes the components other than the TOE in the operational environment illustrated in Figure 1.

- Client computer
  - By connecting to the LAN, a computer acts as a client of the TOE, and users can remotely operate the MFP from the client computer. A Web browser is necessary to operate the various MFP settings and user data from the client computer. In order to temporarily save or store document data from the client computer, it is necessary to install the printer driver called PCL6 Driver (1.0.0.0 and later versions) provided by RICOH, which supports TLS (IPP over SSL). In addition, in order to store document data for fax transmission from the client computer, it is necessary to install the fax driver called LAN Fax Driver (11.5.0.0 and later versions) provided by RICOH, which supports TLS (IPP over SSL). A client computer that receives e-mail must have a mail client that supports S/MIME installed.
- SMB server
  - A server to which document data scanned by the Scanner Function of the TOE is sent using the SMB protocol. The communication is protected by IPsec. It is required in order to use the folder transmission function.
- FTP server
  - A server to which document data scanned by the Scanner Function of the TOE is sent using the FTP protocol. The communication is protected by IPsec. It is required in order to use the folder transmission function.
- Mail server
  - A server used when the TOE sends e-mail. The server supports the SMTP protocol. It is required in order to use the e-mail transmission of attachments function.
- syslog server
  - A server that can receive the audit log recorded by the TOE. The server uses the syslog protocol and has a TLS-enabled service installed. The audit log can also be transferred to the syslog server; if the transfer setting is enabled, this server is used as a destination of the audit log.

The TOE is connected to the LAN to use the network, and connected to the telephone line to send data to and receive data from external fax machines. In order to connect the TOE to an external network, it is necessary to set up a firewall to protect the TOE from unauthorised access from the external network.
Hardware and software other than TOE that was used in the TOE evaluation are shown below.  Client computer - OS: Windows 10 and Windows 11 - Printer driver: PCL6 Driver 1.0.0.0 - Fax driver: LAN Fax Driver 11.5.0.0 - Web browser: Microsoft Edge 107 - Mail client: Thunderbird 102.6.0  SMB server: Windows 10  FTP server: Windows 10 (IIS10) version V10.0.19041.804 Linux (Ubuntu 18.04) vsftpd 3.0.3  Mail server: Windows 10 P-Mail Server Manager version 1.91  syslog server: Linux (Ubuntu 20.04) rsyslogd 8.2001.0 1.4 TOE Description This section describes the physical boundary and the logical boundary of the TOE. 1.4.1 Physical Boundary of TOE The TOE consists of the MFP products in Table 1, optional products in Table 2, and guidance documents in Table 6, Table 7, and Table 8. Page 15 of 96 Copyright (c) 2024 RICOH COMPANY, LTD. All rights reserved. The version indicating the software of the Fax Controller Unit ((*1) in Table 4) is "F-09.00.00", and the configuration excluding the software of the Fax Controller Unit from the software and hardware version and part number configuration "E-2.00" in Table 4 is "E-2.00_NO_FAX". The target MFP product is the one equipped with hardware and software of a version listed in Table 5. The MFP product is the MFP on which the hardware and software that configure the versions shown in Table 5 (E-2.00_NO_FAX) run. "Fax Option Type M44, version F-09.00.00" must be installed on all MFPs. "Fax Option Type M44, version F-09.00.00" is a hardware board in which software is installed. A delivery company delivers the MFP and the optional product to users. Either guidance document set of [English Version-1] for North America, [English Version -2] for Europe, or [English Version-3] for Asia Pacific will be delivered. Some guidance documents are included in the MFP product, and others are delivered through the Web. Guidance documents will be delivered to users in the combinations described below. Table 5 : Combinations to be Delivered No. 
No. | MFP Product Name | MFP Model Code | MFP Version | Optional Product Name | Optional Product Version | Guidance Document | Remarks
1 | IM 7000 | D0CZ-57 | E-2.00_NO_FAX | Fax Option Type M44 | F-09.00.00 | [English Version-1] | SPDF is installed as standard
2 | IM 7000 | D0CZ-68 | E-2.00_NO_FAX | Fax Option Type M44 | F-09.00.00 | [English Version-2] | SPDF is installed as standard
3 | IM 7000 | D0CZ-69 | E-2.00_NO_FAX | Fax Option Type M44 | F-09.00.00 | [English Version-3] | SPDF is installed as standard
4 | IM 8000 | D0D0-57 | E-2.00_NO_FAX | Fax Option Type M44 | F-09.00.00 | [English Version-1] | SPDF is installed as standard
5 | IM 8000 | D0D0-68 | E-2.00_NO_FAX | Fax Option Type M44 | F-09.00.00 | [English Version-2] | SPDF is installed as standard
6 | IM 8000 | D0D0-69 | E-2.00_NO_FAX | Fax Option Type M44 | F-09.00.00 | [English Version-3] | SPDF is installed as standard
7 | IM 9000 | D0D1-57 | E-2.00_NO_FAX | Fax Option Type M44 | F-09.00.00 | [English Version-1] | SPDF is installed as standard
8 | IM 9000 | D0D1-68 | E-2.00_NO_FAX | Fax Option Type M44 | F-09.00.00 | [English Version-2] | SPDF is installed as standard
9 | IM 9000 | D0D1-69 | E-2.00_NO_FAX | Fax Option Type M44 | F-09.00.00 | [English Version-3] | SPDF is installed as standard

Table 6, Table 7, and Table 8 show guidance documents, formats, and delivery methods for each guidance document set of [English Version-1], [English Version-2], and [English Version-3].

Table 6 : Guidance Documents for [English Version-1]
No. | Part Number | Guidance Document Name | Format | Delivery Method
1 | D0CM-7062 | Safe Use of This Machine | Brochure | Included in the product
2 | D0CM-7066 | Notes for Users | Brochure | Included in the product
3 | D0CM-7068 | For Users of This Product | Brochure | Included in the product
4 | D0CM-7070 | SOFTWARE LICENSE AGREEMENT | Brochure | Included in the product
5 | D219-7457 | Notes to Users in the United States of America | Brochure | Included in the product
6 | D219-7460 | Note to users in Canada | Brochure | Included in the product
7 | D0D0-7390 | Safety Information | PDF | Through the Web
8 | D0D0-7431 | User Guide Selected Version | PDF | Through the Web
9 | D0D07450 | Security Reference | HTML | Through the Web
10 | D0D07433 | Setup | HTML | Through the Web
11 | D0D07434 | Introduction and Basic Operations | HTML | Through the Web
12 | D0D07435 | Copy | HTML | Through the Web
13 | D0D07436 | Document Server | HTML | Through the Web
14 | D0D07437 | Fax | HTML | Through the Web
15 | D0D07438 | Scan | HTML | Through the Web
16 | D0D07439 | Printer | HTML | Through the Web
17 | D0D07440 | Maintenance | HTML | Through the Web
18 | D0D07441 | Troubleshooting | HTML | Through the Web
19 | D0D07442 | Settings | HTML | Through the Web
20 | D0D07443 | Specifications | HTML | Through the Web
21 | D0D07444 | Security | HTML | Through the Web
22 | D0D07445 | Driver Installation Guide | HTML | Through the Web
23 | D0D07446 | List of Newly Added Functions (Release Notes) | HTML | Through the Web
24 | D0D07447 | Details of Newly Added Functions | HTML | Through the Web
25 | D0E3-7531 | 2023.09.28 Notes on Security Functions | PDF | Through the Web
26 | D0D0-7449 | 2023.12.15 Notes for Administrators: Using This Machine in a Network Environment Compliant with IEEE Std 2600.2™-2009 | PDF | Through the Web
27 | 83NHEO-ENZ1.31 v252 | Help | HTML | Through the Web

Guidance documents to be delivered through the Web can be downloaded from the following URL.
https://support.ricoh.com/services/device/ccmanual/IM_7000_8000_9000-re/en/Guidance_na.zip
Hash value (SHA256): 017b6d07de80017334c1c9bfe051db98d6a526a4c35b0426109ed1a5d1fe92c6

Table 7 : Guidance Documents for [English Version-2]

No. | Part Number | Guidance Document Name | Format | Delivery Method
1 | D0BK-7070 | Legal Requirements | Brochure | Included in the product
2 | D0CM-7062 | Safe Use of This Machine | Brochure | Included in the product
3 | D0CM-7064 | Notes for Users | Brochure | Included in the product
4 | D0CM-7065 | Notes for Users | Brochure | Included in the product
5 | D0CM-7068 | For Users of This Product | Brochure | Included in the product
6 | D0CM-7070 | SOFTWARE LICENSE AGREEMENT | Brochure | Included in the product
7 | D0CM-7408 | Notes for Users | Brochure | Included in the product
8 | D0D0-7198 | Notes for Users | Brochure | Included in the product
9 | D0D0-7389 | Safety Information | PDF | Through the Web
10 | D0D0-7431 | User Guide Selected Version | PDF | Through the Web
11 | D0D07450 | Security Reference | HTML | Through the Web
12 | D0D07433 | Setup | HTML | Through the Web
13 | D0D07434 | Introduction and Basic Operations | HTML | Through the Web
14 | D0D07435 | Copy | HTML | Through the Web
15 | D0D07436 | Document Server | HTML | Through the Web
16 | D0D07437 | Fax | HTML | Through the Web
17 | D0D07438 | Scan | HTML | Through the Web
18 | D0D07439 | Printer | HTML | Through the Web
19 | D0D07440 | Maintenance | HTML | Through the Web
20 | D0D07441 | Troubleshooting | HTML | Through the Web
21 | D0D07442 | Settings | HTML | Through the Web
22 | D0D07443 | Specifications | HTML | Through the Web
23 | D0D07444 | Security | HTML | Through the Web
24 | D0D07445 | Driver Installation Guide | HTML | Through the Web
25 | D0D07446 | List of Newly Added Functions (Release Notes) | HTML | Through the Web
26 | D0D07447 | Details of Newly Added Functions | HTML | Through the Web
27 | D0E3-7531 | 2023.09.28 Notes on Security Functions | PDF | Through the Web
28 | D0D0-7449 | 2023.12.15 Notes for Administrators: Using This Machine in a Network Environment Compliant with IEEE Std 2600.2™-2009 | PDF | Through the Web
29 | 83NHEO-ENZ1.31 v252 | Help | HTML | Through the Web

Guidance documents to be delivered through the Web can be downloaded from the following URL.
https://support.ricoh.com/services/device/ccmanual/IM_7000_8000_9000-re/en/Guidance_eu.zip
Hash value (SHA256): 4ec993a1aa91f291579274a39bd131520b5ed4ebe362c15267c36be05a2e3b89

Table 8 : Guidance Documents for [English Version-3]
No. | Part Number | Guidance Document Name | Format | Delivery Method
1 | D0CM-7064 | Notes for Users | Brochure | Included in the product
2 | D0CM-7068 | For Users of This Product | Brochure | Included in the product
3 | D0CM-7069 | Safe Use of This Machine | Brochure | Included in the product
4 | D0CM-7070 | SOFTWARE LICENSE AGREEMENT | Brochure | Included in the product
5 | D0D0-7391 | Safety Information | PDF | Through the Web
6 | D0D0-7431 | User Guide Selected Version | PDF | Through the Web
7 | D0D07450 | Security Reference | HTML | Through the Web
8 | D0D07433 | Setup | HTML | Through the Web
9 | D0D07434 | Introduction and Basic Operations | HTML | Through the Web
10 | D0D07435 | Copy | HTML | Through the Web
11 | D0D07436 | Document Server | HTML | Through the Web
12 | D0D07437 | Fax | HTML | Through the Web
13 | D0D07438 | Scan | HTML | Through the Web
14 | D0D07439 | Printer | HTML | Through the Web
15 | D0D07440 | Maintenance | HTML | Through the Web
16 | D0D07441 | Troubleshooting | HTML | Through the Web
17 | D0D07442 | Settings | HTML | Through the Web
18 | D0D07443 | Specifications | HTML | Through the Web
19 | D0D07444 | Security | HTML | Through the Web
20 | D0D07445 | Driver Installation Guide | HTML | Through the Web
21 | D0D07446 | List of Newly Added Functions (Release Notes) | HTML | Through the Web
22 | D0D07447 | Details of Newly Added Functions | HTML | Through the Web
23 | D0E3-7531 | 2023.09.28 Notes on Security Functions | PDF | Through the Web
24 | D0D0-7449 | 2023.12.15 Notes for Administrators: Using This Machine in a Network Environment Compliant with IEEE Std 2600.2™-2009 | PDF | Through the Web
25 | 83NHEO-ENZ1.31 v252 | Help | HTML | Through the Web

Guidance documents to be delivered through the Web can be downloaded from the following URL.
https://support.ricoh.com/services/device/ccmanual/IM_7000_8000_9000-re/en/Guidance_aa.zip
Hash value (SHA256): 6e424fbaba04a2b20492a557a4191c3bee7b8cd3b008f3c3c5eea2bd484be3eb

1.4.2 Logical Boundary of TOE

The logical boundary of the TOE is described below.

Figure 2: Logical Boundary of the TOE

1.4.2.1. Basic Functions

The overview of the Basic Functions is described as follows. The Copy Function, Printer Function, Scanner Function, Fax Function, and Document Server Function are MFP applications of the TOE, and the PP SFR Package function that each function has is shown in parentheses.

Copy Function

The Copy Function has a function to scan a paper document and then copy and print the scanned image data from the Operation Panel (F.CPY). Also, the image to be copied and printed can be stored in the TOE (F.SCN and F.DSR). The document data stored at this time can be operated as a Document Server document from the Operation Panel or Web browser by using the Document Server Function.

Printer Function

The Printer Function temporarily saves the document data received from the printer driver by specifying a print method that is handled as temporary saving in the TOE. The document data is then printed, previewed, or deleted from the Operation Panel, or deleted from the Web browser as a temporary saved document (F.PRT). When the print method is specified as stored print in the printer driver, the document data received by the TOE from the printer driver can be stored in the TOE, and the stored document data can be printed, previewed, or deleted from the Operation Panel, or can be deleted from the Web browser as a stored print document (F.DSR. F.DSR and F.PRT only for printing). When the print method is specified as Document Server storage in the printer driver, the document data can be stored in the TOE from the printer driver (F.DSR).
The document data stored at this time can be operated as a Document Server document from the Operation Panel or Web browser by using the Document Server Function.

Scanner Function

The Scanner Function has a function to scan a paper document and then send the scanned image data to the FTP server or SMB server by using folder transmission, and to the mail server by using e-mail transmission of attachments from the Operation Panel. The data can also be previewed on the Operation Panel before sending (F.SCN). The scanned image of the paper document from the Operation Panel can be stored in the TOE (F.SCN and F.DSR). The stored document data can be sent by using the folder transmission or e-mail transmission of attachments functions, previewed, or deleted as a scanned document from the Operation Panel (F.DSR). The document data stored at this time can also be operated as a scanned document from the Web browser by using the Document Server Function.

Fax Function

The Fax Function consists of the Fax Transmission Function and the Fax Reception Function. The fax compliant with the G3 standard, which uses a telephone line, is the target of evaluation.

The Fax Transmission Function has a function to send the scanned image of paper documents as document data to external fax devices from the Operation Panel. The data can also be previewed on the Operation Panel before sending (F.FAX). Also, the scanned image of paper documents from the Operation Panel can be stored in the TOE (F.SCN and F.DSR), or the document data received from the fax driver can be stored in the TOE. The stored document data can be sent by fax transmission, previewed, or deleted as a fax transmission document from the Operation Panel (F.DSR). The document data stored at this time can also be operated as a fax transmission document from the Operation Panel or Web browser by using the Document Server Function.
The Fax Reception Function has a function to receive document data from external fax devices via a telephone line (F.FAX), and then store it in the TOE (F.DSR). The stored document data can be printed, previewed, or deleted as a fax reception document from the Operation Panel, or can be downloaded, previewed, or deleted from the Web browser (F.DSR. F.DSR and F.PRT only for printing).

Document Server Function

The Document Server Function stores the scanned image of paper documents in the TOE from the Operation Panel (F.SCN and F.DSR). As a Document Server document, the stored document data is printed, previewed, or deleted from the Operation Panel, or previewed or deleted from the Web browser (F.DSR. F.DSR and F.PRT only for printing). The document data stored by other functions can also be operated (F.DSR for all. F.DSR and F.PRT only for printing). Those document data and operations are shown below.

- Document Server documents (stored by the Copy Function or Printer Function) can be printed, previewed, or deleted from the Operation Panel, or previewed or deleted from the Web browser.
- Fax transmission documents can be printed, previewed, or deleted from the Operation Panel, or can be sent by fax transmission, downloaded, previewed, or deleted from the Web browser.
- Scanned documents can be sent by using folder transmission or e-mail transmission of attachments functions, downloaded, previewed, or deleted from the Web browser.

Web Image Monitor Function

The Web Image Monitor Function is a function for the TOE user to remotely control the TOE from the Web browser. It is sometimes referred to as "WIM".

1.4.2.2. Security Function

The Security Functions are described as follows.

Audit Function

The Audit Function is to record a log that associates TOE use events and security-relevant events (hereinafter, "audit events") with user identification information as the audit log. Also, this function provides the recorded audit log in a format that can be audited.
The recorded audit log can be downloaded and deleted only by the MFP administrator. The date and time to be recorded in the audit log are derived from the system clock of the TOE. The oldest audit log is overwritten with the newest audit log when there is insufficient space in the audit log files to append the newest audit log. The TOE can transfer the audit log to the syslog server.

Identification and Authentication Function

The Identification and Authentication Function is to verify whether a person who attempts to use the TOE is an authorised user by performing identification and authentication with login user name and login password, so that the TOE can allow only the authenticated users to operate the management functions and the MFP applications. This function includes the following functionality:

- Authentication feedback area protection function that displays a login password using dummy letters when entering the login password
- Lockout function that prohibits users from logging in when the number of consecutive authentication failures reaches the threshold
- A function for protection of the quality of login passwords that registers only passwords satisfying the conditions of the minimum character number of passwords and the required character type defined in advance by the MFP administrator
- A function for automatic user logout when no operation is performed for a certain period of time from the logged-in state

Document Access Control Function

The Document Access Control Function is to authorise the operations for document data and user job data by the authorised TOE users who are authenticated by the Identification and Authentication Function. It allows the user's operation on the document data and user job data based on the privileges for the user role, or the operation permissions for each user.
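The following is an added example, written for this page and not taken from the TOE's MFP Control Software, that models the behaviour of the Audit Function and the Identification and Authentication Function described above: consecutive-failure lockout, the password quality policy (minimum character number and required character types), automatic logout after idle time, and an audit log that associates every event with the login user name and overwrites its oldest record when full. The unlock rules follow the user definitions later in this ST (the MFP administrator unlocks normal users and the supervisor; the supervisor unlocks MFP administrators). The threshold, policy numbers, log capacity, clock values and user names are constructed assumptions, not values from the TOE.

```python
"""Model of lockout, password quality, auto logout and audit logging (added example)."""
import hmac
import string
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional

# Constructed policy values; in the TOE these are TSF protected data set by the MFP administrator.
LOCKOUT_THRESHOLD = 3        # consecutive authentication failures before lockout
MIN_PASSWORD_LENGTH = 8      # minimum character number
REQUIRED_CHAR_TYPES = 2      # distinct types required among upper, lower, digit, symbol
AUTO_LOGOUT_SECONDS = 180    # idle time after which the user is logged out automatically
AUDIT_LOG_CAPACITY = 5       # constructed: when full, the oldest record is overwritten

NORMAL, MFP_ADMIN, SUPERVISOR = "normal", "mfp_admin", "supervisor"


def password_meets_policy(password: str) -> bool:
    """Quality check: length and number of distinct character types."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    types_present = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(types_present) >= REQUIRED_CHAR_TYPES


@dataclass
class Account:
    login_user_name: str
    password: str                 # kept in clear only to keep the model short
    role: str
    failures: int = 0             # consecutive authentication failures
    locked: bool = False
    last_activity: Optional[float] = None   # None means not logged in


class Tsf:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Bounded deque: appending to a full deque evicts the oldest record.
        self.audit_log: Deque[dict] = deque(maxlen=AUDIT_LOG_CAPACITY)

    def _audit(self, now: float, event: str, user: str, outcome: str) -> None:
        # Every record carries the time (from the "system clock") and the user identification.
        self.audit_log.append({"time": now, "event": event, "user": user, "outcome": outcome})

    def register(self, now: float, name: str, password: str, role: str) -> bool:
        if not password_meets_policy(password):
            self._audit(now, "register", name, "rejected: password policy")
            return False
        self.accounts[name] = Account(name, password, role)
        self._audit(now, "register", name, "success")
        return True

    def login(self, now: float, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or acct.locked:
            self._audit(now, "login", name, "failure")
            return False
        if not hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.locked = True
                self._audit(now, "lockout", name, "locked")
            else:
                self._audit(now, "login", name, "failure")
            return False
        acct.failures = 0
        acct.last_activity = now
        self._audit(now, "login", name, "success")
        return True

    def is_logged_in(self, now: float, name: str) -> bool:
        """Auto logout: a session idle for AUTO_LOGOUT_SECONDS or longer is ended."""
        acct = self.accounts[name]
        if acct.last_activity is None:
            return False
        if now - acct.last_activity >= AUTO_LOGOUT_SECONDS:
            acct.last_activity = None
            self._audit(now, "auto_logout", name, "success")
            return False
        return True

    def unlock(self, now: float, actor: str, target: str) -> bool:
        """Unlock privileges: MFP administrator -> normal users and supervisor; supervisor -> MFP administrators."""
        a, t = self.accounts[actor], self.accounts[target]
        allowed = self.is_logged_in(now, actor) and (
            (a.role == MFP_ADMIN and t.role in (NORMAL, SUPERVISOR))
            or (a.role == SUPERVISOR and t.role == MFP_ADMIN))
        if allowed:
            t.locked, t.failures = False, 0
        self._audit(now, "unlock", actor, ("success" if allowed else "denied") + " target=" + target)
        return allowed
```

Note that a failed login against a locked account is still audited but does not advance the failure counter, and that an unlock attempt is recorded under the actor's login user name whether or not it was permitted, which is what makes the log usable for accountability.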
Use-of-Feature Restriction Function

The Use-of-Feature Restriction Function is to authorise the job execution of the MFP applications by the authorised TOE users who are authenticated by the Identification and Authentication Function, based on the user role and the operation permissions for each user.

Network Protection Function

The Network Protection Function is to prevent information leakage due to network monitoring and to detect alteration of communication details by providing encrypted communication when communicating with trusted IT products. Communication with the client computer when using WIM, the printer driver, or the fax driver is encrypted by TLS, and communication with the SMB server and FTP server when using folder transmission is protected by IPsec. Also, communication with the mail server when using e-mail transmission of attachments is protected by S/MIME, and communication with the syslog server when the audit log transfer setting is enabled is encrypted by TLS.

Residual Data Overwrite Function

The Residual Data Overwrite Function is to overwrite the HDD with random numbers or specific pattern data, and so disable the reuse of the residual data included in deleted document data, temporary document data, and their fragments on the HDD.

Security Management Function

The Security Management Function is to control operations for TSF data in accordance with user privileges allocated to each user or user role privileges allocated to the normal user, MFP administrator, and supervisor. In order to enable control, this function includes a function to maintain the user role of operating the Security Management Function and associate the user role with the authorised TOE user authenticated by the Identification and Authentication Function, and a function to set appropriate default values for the security attributes.
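As an added example (not the TOE's own access control policy), the following models how the Document Access Control, Use-of-Feature Restriction and Security Management Functions described above decide on operations. The attribute names follow the TSF data defined later in this ST (user role, available function list, document data owner information, the list of users granted access permission, function type) and the role privileges in the user definitions (the owner may let other normal users read a document; access management of fax reception documents, destination folders, S/MIME user information and audit log settings belongs to the MFP administrator; changing the MFP administrator's login password belongs to the supervisor). The decision rule that only normal users run MFP applications, the sample users and the document identifiers are constructed assumptions.

```python
"""Model of document, feature and TSF-data authorisation decisions (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

NORMAL, MFP_ADMIN, SUPERVISOR = "normal user", "MFP administrator", "supervisor"


@dataclass
class User:
    login_user_name: str
    role: str                                   # user role (TSF protected data)
    available_functions: Set[str] = field(default_factory=set)  # available function list, normal users only


@dataclass
class Document:
    doc_id: str                                 # constructed identifier
    function_type: str                          # MFP application that stored it (Copy, Printer, Scanner, Fax, Document Server)
    owner: Optional[str]                        # document data owner information; None for fax reception documents
    permitted_users: List[str] = field(default_factory=list)  # list of users granted access permission
    fax_reception: bool = False                 # received via the telephone line (+DSR)


def may_use_function(user: User, function: str) -> bool:
    """Use-of-Feature Restriction: authorised by user role and per-user permissions.
    Assumption: only normal users execute MFP application jobs, limited to their available function list."""
    return user.role == NORMAL and function in user.available_functions


def may_read_document(user: User, doc: Document) -> bool:
    """Document Access Control: the owner and the users on the access permission list may view
    a document; a fax reception document has no owner, only the list set by the MFP administrator."""
    if user.role != NORMAL:
        return False
    if doc.fax_reception:
        return user.login_user_name in doc.permitted_users
    return user.login_user_name == doc.owner or user.login_user_name in doc.permitted_users


def grant_read(actor: User, doc: Document, grantee: User) -> bool:
    """The document data owner can allow other normal users to read the document.
    Not applicable to fax reception documents, whose list is managed by the MFP administrator."""
    if doc.fax_reception or actor.login_user_name != doc.owner or grantee.role != NORMAL:
        return False
    if grantee.login_user_name not in doc.permitted_users:
        doc.permitted_users.append(grantee.login_user_name)
    return True


def set_fax_reception_access(actor: User, doc: Document, names: List[str]) -> bool:
    """Access management of fax reception documents is an MFP administrator privilege."""
    if actor.role != MFP_ADMIN or not doc.fax_reception:
        return False
    doc.permitted_users = list(names)
    return True


# Security Management: which role may operate each item of TSF data.
# Constructed subset taken from the privileges stated in this ST's user and TSF data definitions.
TSF_DATA_OPERATORS = {
    "password quality settings": {MFP_ADMIN},
    "audit log settings": {MFP_ADMIN},
    "destination folder": {MFP_ADMIN},
    "S/MIME user information": {MFP_ADMIN},
    "MFP administrator login password": {SUPERVISOR},
}


def may_operate_tsf_data(user: User, item: str) -> bool:
    """Default-deny: an item that is not listed can be operated by nobody in this model."""
    return user.role in TSF_DATA_OPERATORS.get(item, set())
```

Two points worth noticing in the model: the access decision for a fax reception document is driven by a list that only the MFP administrator maintains, so the owner-grants-read path is closed for that document type, and the TSF-data table is default-deny, so adding a new setting without an entry cannot silently widen who may change it.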
Integrity Verification Function

The Integrity Verification Function is a self-test function to verify that a part of the TSF and the TSF executable code have a software configuration that maintains integrity during the MFP initial start-up.

Fax Line Separation Function

The Fax Line Separation Function is to restrict the input information from the telephone line to the LAN to only fax reception and prohibit forwarding of received faxes in order to prevent unauthorised intrusion into the LAN from the telephone line (same meaning as Fax Line in this function name).

2 Conformance Claim

This section describes Conformance Claims.

2.1 CC Conformance Claim

The CC conformance claim of this ST and TOE is as follows:

- CC version for which this ST and TOE claim conformance:
  Part 1: Introduction and general model, April 2017, Version 3.1 Revision 5, CCMB-2017-04-001
  Part 2: Security functional components, April 2017, Version 3.1 Revision 5, CCMB-2017-04-002
  Part 3: Security assurance components, April 2017, Version 3.1 Revision 5, CCMB-2017-04-003
- Functional requirements: Part 2 extended
- Assurance requirements: Part 3 conformant

2.2 PP Claims

The PP to which this ST and TOE are demonstrably conformant is:

PP Name/Identification: U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std 2600.2™-2009)
Version: 1.0
Notes: This PP conforms to "IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std 2600-2008, Operational Environment B", published in the Common Criteria Portal, and also satisfies "CCEVS Policy Letter #20".

2.3 Package Claims

The package conformance claims of this ST are described below. This ST and TOE claim conformance to the assurance package EAL2 augmented with the assurance component ALC_FLR.2. It conforms to the package names described in the Package Reference below.
Table 9 : Package Reference

Title | Package Version
2600.2-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment B | 1.0, dated March 2009
2600.2-SCN, SFR Package for Hardcopy Device Scan Functions, Operational Environment B | 1.0, dated March 2009
2600.2-CPY, SFR Package for Hardcopy Device Copy Functions, Operational Environment B | 1.0, dated March 2009
2600.2-FAX, SFR Package for Hardcopy Device Fax Functions, Operational Environment B | 1.0, dated March 2009
2600.2-DSR, SFR Package for Hardcopy Device Document Storage and Retrieval (DSR) Functions, Operational Environment B | 1.0, dated March 2009
2600.2-SMI, SFR Package for Hardcopy Device Shared-medium Interface Functions, Operational Environment B | 1.0, dated March 2009

2.4 Conformance Claim Rationale

2.4.1 Consistency Claim with TOE Type in PP

The product type targeted by the PP is the Hardcopy device (hereinafter, HCD). HCDs consist of a scanner device and a print device, and have an interface to connect a telephone line. HCDs combine these devices and provide one or more of the Printer (F.PRT), Scanner (F.SCN), Copy (F.CPY), or Fax (F.FAX) Functions. Some HCDs have a non-volatile memory medium such as a hard disk drive and the Document Server Function (F.DSR).

The type of this TOE is MFP. As an MFP, the TOE is equipped with a non-volatile memory medium, an interface for connecting a telephone line, a scanner device, and a print device, and has the Copy, Scanner, Printer, Fax, and Document Server Functions. These allow printing (F.PRT), scanning (F.SCN), copying (F.CPY), faxing (F.FAX), and saving/retrieving documents (F.DSR). It can be said that the MFP (the type of this TOE) has the characteristics of HCDs and is consistent with the TOE type of the PP.
2.4.2 Consistency Claim with Security Problems and Security Objectives in PP

Security Problem Definitions in section 3 of this ST define all security problems of the PP, and Security Objectives in section 4 of this ST define all security objectives of the PP. Described below is the rationale for why these security problems and security objectives conform to the PP.

Although the PP is written in English, Security Problem Definitions in section 3 and Security Objectives in section 4 are translated from English into Japanese. When translating into Japanese, not all of the PP translation was literal, and some expressions were made more comprehensible. This, however, does not mean that its description deviates from the requirements of PP conformance. For the points mentioned above, the security problems and security objectives in this ST are consistent with those in the PP.

2.4.3 Consistency Claim with Security Requirements in PP

The SARs of this TOE are consistent with the PP, as no augmentation or deletion has been made to the contents of the PP.

The SFRs for this TOE consist of the Common Security Functional Requirements, 2600.2-PRT, 2600.2-SCN, 2600.2-CPY, 2600.2-FAX, 2600.2-DSR, and 2600.2-SMI. The Common Security Functional Requirements are the indispensable SFRs specified by the PP. 2600.2-PRT, 2600.2-SCN, 2600.2-CPY, 2600.2-FAX, 2600.2-DSR, and 2600.2-SMI are selected from the SFR Packages specified by the PP. 2600.2-NVS is not selected because this TOE does not have any non-volatile memory medium that is detachable.

Although the security requirements of this ST were partly augmented and instantiated over the security requirements of the PP, they are still consistent with the PP. Described below are the parts augmented and instantiated, with the reasons for their consistency with the PP.
Augmentation of FAU_STG.1, FAU_STG.4, FAU_SAR.1, and FAU_SAR.2

FAU_STG.1, FAU_STG.4, FAU_SAR.1, and FAU_SAR.2 are augmented according to PP APPLICATION NOTE 7 in order for this TOE to maintain and manage the audit logs.

Augmentation of FIA_AFL.1, FIA_UAU.7, and FIA_SOS.1

For the Identification and Authentication Function, this TOE augments FIA_AFL.1, FIA_UAU.7, and FIA_SOS.1 according to PP APPLICATION NOTE 38.

Augmentation of FMT_MOF.1

This TOE satisfies the common security requirements in the PP for O.PROT.NO_ALT, and also augments FMT_MOF.1, which restricts the operation and suspension of management functions related to audit log settings to the MFP administrator. This augmentation is more restrictive than the requirements in the PP, because all TOEs that satisfy this ST also satisfy the PP without weakening other requirements. Therefore, it conforms to the PP although FMT_MOF.1 is augmented.

Consistency Claim of FAU_GEN.1

For auditable events related to FMT_SMR.1, although the audit information required in the PP is described as "Modifications to the group of users that are part of a role", it is described as "No record because there is no function for modifications to the group of users" in this TOE. This is because user roles of this TOE cannot be changed to other roles. This is not an auditable event, and it can be said that it conforms to the PP. Regarding other auditable events, this TOE covers more auditable events than those required or recommended by the PP, but these are augmented while the audit information and levels required or recommended by the PP are satisfied, so it can be said that it conforms to the PP.

Administrator Classification

In this ST, U.ADMINISTRATOR is classified into MFP administrator and supervisor.
The administrator classification is made to the extent that none of the roles deviates from the definition of U.ADMINISTRATOR in the PP as a user who is specifically allowed to manage the entire TOE or a part of it and whose actions affect the TOE security policy, so it can be said that it conforms to the PP.

Consistency Rationale of FDP_ACF.1(a)

In FDP_ACF.1(a), this ST also describes the access control rule for +CPY document data. The CPY SFR Package in the PP does not require access control, but this access control rule is more restrictive in accordance with PP APPLICATION NOTE 88, so it can be said that it conforms to the PP. Therefore, FDP_ACF.1(a) in this ST satisfies FDP_ACF.1(a) in the PP.

3 Security Problem Definitions

This section describes Users, Assets, Threats, Organisational Security Policies, and Assumptions.

3.1 Definition of Users

This section defines the users related to the TOE. The users consist of normal users and administrators, and administrators are divided into the MFP administrator and the supervisor. As described in Table 10, the users are classified according to their respective roles, and have user privileges based on the roles of normal users, MFP administrators, and a supervisor.

Table 10 : Definition of Users

Definition of Users | | Explanation
User (U.USER) | Normal user (U.NORMAL) | A user who is allowed to use the TOE. A normal user is provided with a login user name, and can use the MFP applications.
User (U.USER) | Administrator (U.ADMINISTRATOR): MFP administrator | A user who has the privilege to manage the TOE, including: operation of configuration of normal user settings; operation of setting information related to MFP device behaviour; operation of audit logs; operation of configuration of network settings; access management of fax reception documents; unlocking locked-out normal users and a supervisor.
User (U.USER) | Administrator (U.ADMINISTRATOR): Supervisor | A user who has the privilege to manage the TOE, including: changing the login password of MFP administrators; unlocking locked-out MFP administrators.

3.2 Assets

Assets to be protected by the TOE are user data, TSF data, and functions. Table 11 shows the definitions.

Table 11 : Asset Categories

Category | Definition
User data | Data for the user created by the user, that does not affect the operation of the TSF.
TSF data | Data for the TOE created by the TOE, that may affect the operation of the TSF.
Functions | The MFP applications provided by the TOE to print (F.PRT), scan (F.SCN), copy (F.CPY), fax (F.FAX), and save and retrieve documents (F.DSR) in order to operate on the user data.

3.2.1 User Data

The user data is categorised into document data and user job data. Table 12 defines the categories.

Table 12 : Definitions of User Data

Category | Definition
Document data (D.DOC) | Paper documents, digitised documents, deleted documents, temporary documents, or their fragments managed by the TOE.
User job data (D.FUNC) | Information related to the user's document or document processing job.

3.2.2 TSF Data

The TSF data is categorised into TSF protected data and TSF confidential data. Table 13 defines the categories.

Table 13 : TSF Data Categories

Category | Definition
TSF protected data (D.PROT) | This data must be protected from modification by unauthorised persons. No security threat will occur even if this data is exposed to the public.
TSF confidential data (D.CONF) | This data must be protected from modification by unauthorised persons and from reading by users without viewing permissions.

The TSF data handled by this TOE for each category are shown below.

Table 14 : Definitions of TSF Data

Category | TSF Data | Description
TSF protected data (D.PROT) | Lockout settings | Settings related to lockout policies.
TSF protected data (D.PROT) | Date/time settings | Settings related to date/time.
TSF protected data (D.PROT) | Password quality settings | Settings of the minimum character number and the combination of characters to be registered for user authentication regarding the password policy.
TSF protected data (D.PROT) | Auto Logout settings | Auto Logout settings for the Operation Panel and Auto Logout settings for the WIM.
TSF protected data (D.PROT) | S/MIME user information | Information required for e-mail transmission of attachments using S/MIME. This information consists of items set for each user (e-mail address and user certificate) and the S/MIME setting (encryption setting). This information is registered and managed by the MFP administrator.
TSF protected data (D.PROT) | Destination folder | Destination information for the folder transmission function. This includes the path information to the destination server and the folder in the server, and information including identification and authentication information for user access. This information is registered and managed by the MFP administrator.
TSF protected data (D.PROT) | Audit log settings | Settings related to the transfer of audit logs.
TSF protected data (D.PROT) | Cryptographic communication settings | Settings related to TLS and IPsec communication with clients and servers.
TSF protected data (D.PROT) | Signature verification key | A signature verification key stored in the TOE for integrity verification of the MFP Control Software by its signature.
TSF protected data (D.PROT) | Login user name | User identifier associated with any of the normal user, MFP administrator, or supervisor. The TOE identifies users by this identifier.
TSF protected data (D.PROT) | User role | Any role of normal user, MFP administrator, or supervisor who uses the TOE.
TSF protected data (D.PROT) | Document data owner information | The security attribute of the document data. The owner information of the document data (the login user name) is set. For the document data received via a telephone line (+DSR, Fax reception document), the list of login user names is set.
TSF protected data (D.PROT) | List for users who have been granted access permission for the document data | The security attribute of the document data (+DSR), excluding the document data received via a telephone line (Fax reception document). The information of the users (the login user names) who are allowed access to (viewing of) the document data is set. The document data owner can allow other normal users to read the document data.
TSF protected data (D.PROT) | User job data owner information | The security attribute of the user job data. The user job data owner information (the login user name) is set.
TSF protected data (D.PROT) | Available function list | The attribute given to normal users. The list of functions (MFP applications) that are allowed to be used is given to normal users.
TSF protected data (D.PROT) | Function type | MFP application attribute, such as Copy Function, Printer Function, Scanner Function, Fax Function, and Document Server Function.
TSF confidential data (D.CONF) | Login password | A password associated with each login user name.
TSF confidential data (D.CONF) | Audit log | Audit log data in which occurred events are recorded.

3.3 Threats

Defined and described below are the assumed threats related to the use of this TOE and its operational environment. The threat agents considered in this section are unauthorised persons with knowledge of published information about the TOE operations. Such attackers are capable of a Basic level of attack potential.

T.DOC.DIS Document data disclosure
Document data managed by the TOE may be disclosed by unauthorised persons.

T.DOC.ALT Document data alteration
Document data managed by the TOE may be altered by unauthorised persons.

T.FUNC.ALT User job data alteration
User job data managed by the TOE may be altered by unauthorised persons.
T.PROT.ALT Alteration of TSF protected data
TSF protected data managed by the TOE may be altered by unauthorised persons.

T.CONF.DIS Disclosure of TSF confidential data
TSF confidential data managed by the TOE may be disclosed by unauthorised persons.

T.CONF.ALT Alteration of TSF confidential data
TSF confidential data managed by the TOE may be altered by unauthorised persons.

3.4 Organisational Security Policies

The following organisational security policies are adopted.

P.USER.AUTHORIZATION User identification and authentication
To maintain operational accountability and security, give users the authority to use the TOE only when authorized by the TOE owner.

P.SOFTWARE.VERIFICATION Software verification
To detect corruption of the executable code in the TSF, implement procedures to self-test the executable code.

P.AUDIT.LOGGING Management of audit log records
To maintain operational accountability and security, create and maintain records that provide an audit trail of TOE use and security-relevant events, protect them from unauthorised disclosure and alteration, and make them viewable only by authorised persons.

P.INTERFACE.MANAGEMENT Management of external interfaces
To prevent unauthorised use of the external interfaces of the TOE, control the operation of those interfaces by the TOE and its IT environment.

3.5 Assumptions

The assumptions related to the TOE operational environment are identified and described below.

A.ACCESS.MANAGED Access management
The TOE is placed in a restricted or monitored environment that is protected from unauthorised access to the physical components of the TOE and its data interfaces.

A.USER.TRAINING User training
Users of the TOE are aware of the security policies and procedures of their organisation, are trained to follow those policies and procedures, and gain competence to follow them.
A.ADMIN.TRAINING Administrator training
Administrators are aware of the security policies and procedures of their organisation, are trained to follow the guidance and documents of the manufacturer, gain competence to follow them, and are able to configure and operate the TOE properly according to those policies and procedures.

A.ADMIN.TRUST Trusted administrator
Administrators do not use their access rights for malicious purposes.

4 Security Objectives

This section describes the Security Objectives for the TOE, the Security Objectives for the Operational Environment, and the Security Objectives Rationale.

4.1 Security Objectives for TOE

This section describes the security objectives for the TOE.

O.DOC.NO_DIS Protection of document data disclosure
The TOE shall protect document data from being disclosed by unauthorised persons.

O.DOC.NO_ALT Protection of document data alteration
The TOE shall protect document data from being altered by unauthorised persons.

O.FUNC.NO_ALT Protection of user job data alteration
The TOE shall protect user job data from being altered by unauthorised persons.

O.PROT.NO_ALT Protection of TSF protected data alteration
The TOE shall protect TSF protected data from being altered by unauthorised persons.

O.CONF.NO_DIS Protection of TSF confidential data disclosure
The TOE shall protect TSF confidential data from being disclosed by unauthorised persons.

O.CONF.NO_ALT Protection of TSF confidential data alteration
The TOE shall protect TSF confidential data from being altered by unauthorised persons.

O.USER.AUTHORIZED User identification and authentication
The TOE shall require identification and authentication of users, give users the access rights according to the security policies, and then ensure that users are allowed to use the TOE.
O.INTERFACE.MANAGED Management of external interfaces by TOE
The TOE shall manage the operation of external interfaces in accordance with the security policies.

O.SOFTWARE.VERIFIED Software verification
The TOE shall provide procedures to self-verify the executable code in the TSF.

O.AUDIT.LOGGED Management of audit log records
The TOE shall record and manage events related to TOE use and security, and prevent their unauthorised disclosure and alteration.

4.2 Security Objectives for Operational Environment

This section describes the security objectives for the operational environment.

4.2.1 IT Environment

OE.AUDIT_STORAGE.PROTECTED Audit log protection in trusted IT products
When exporting audit records from the TOE to another trusted IT product, the TOE owner shall ensure that the audit records are protected from unauthorized access, deletion, and alteration.

OE.AUDIT_ACCESS.AUTHORIZED Audit log access control in trusted IT products
When exporting audit records generated by the TOE from the TOE to another trusted IT product, the TOE owner shall ensure that those records can be accessed in order to detect potential security violations, and only by authorized persons.

OE.INTERFACE.MANAGED Management of external interfaces in IT environment
The IT environment shall provide protection against unauthorised access to the TOE external interfaces.

4.2.2 Non-IT Environment

OE.PHYSICAL.MANAGED Physical management
The TOE shall be placed in a secure or monitored area that is protected from unauthorised physical access to the TOE.

OE.USER.AUTHORIZED Assignment of user authority
The TOE owner shall give users the authority to use the TOE according to the organisational security policies and procedures.
OE.USER.TRAINED User training
The TOE owner shall ensure that users of the TOE are aware of the security policies and procedures of their organisation, are trained to follow those policies and procedures, and gain competence to follow them.

OE.ADMIN.TRAINED Administrator training
The TOE owner shall ensure that administrators are aware of the security policies and procedures of their organisation, are trained to follow the guidance and documents of the manufacturer, secure time to gain competence to follow them, and are able to configure and operate the TOE properly according to those policies and procedures.

OE.ADMIN.TRUSTED Trusted administrator
The TOE owner shall establish trust so that administrators will not use their access privileges for malicious purposes.

OE.AUDIT.REVIEWED Log audit
The TOE owner shall ensure that audit logs are reviewed at appropriate intervals for detecting security violations or unusual patterns of activity.

4.3 Security Objectives Rationale

This section describes the rationale for the security objectives. The security objectives are for upholding the assumptions, countering the threats, and enforcing the organisational security policies defined above.

4.3.1 Correspondence Table of Security Objectives

Table 15 describes the correspondence between the security objectives and the assumptions to be upheld, the threats to be countered, and the organisational security policies to be enforced.
Table 15 : Rationale for Security Objectives

The columns of Table 15 are, in order, O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED, O.SOFTWARE.VERIFIED, O.AUDIT.LOGGED, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED, O.INTERFACE.MANAGED, OE.PHYSICAL.MANAGED, OE.INTERFACE.MANAGED, OE.ADMIN.TRAINED, OE.ADMIN.TRUSTED, and OE.USER.TRAINED. Each row below lists the objectives marked with an X for that threat, policy, or assumption.

| Threat / Policy / Assumption | Security objectives marked X |
|---|---|
| T.DOC.DIS | O.DOC.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED |
| T.DOC.ALT | O.DOC.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED |
| T.FUNC.ALT | O.FUNC.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED |
| T.PROT.ALT | O.PROT.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED |
| T.CONF.DIS | O.CONF.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED |
| T.CONF.ALT | O.CONF.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED |
| P.USER.AUTHORIZATION | O.USER.AUTHORIZED, OE.USER.AUTHORIZED |
| P.SOFTWARE.VERIFICATION | O.SOFTWARE.VERIFIED |
| P.AUDIT.LOGGING | O.AUDIT.LOGGED, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED |
| P.INTERFACE.MANAGEMENT | O.INTERFACE.MANAGED, OE.INTERFACE.MANAGED |
| A.ACCESS.MANAGED | OE.PHYSICAL.MANAGED |
| A.ADMIN.TRAINING | OE.ADMIN.TRAINED |
| A.ADMIN.TRUST | OE.ADMIN.TRUSTED |
| A.USER.TRAINING | OE.USER.TRAINED |

4.3.2 Security Objectives Descriptions

The following describes the rationale for each security objective being appropriate to satisfy the threats, assumptions, and organisational security policies.

T.DOC.DIS
T.DOC.DIS is countered by O.DOC.NO_DIS, O.USER.AUTHORIZED, and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the TOE owner gives users the authority to use the TOE according to the organisational security policies and procedures.
By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, gives users the access rights according to the security policies, and then ensures that users are allowed to use the TOE.
By O.DOC.NO_DIS, the TOE protects document data from being disclosed by unauthorised persons.
T.DOC.DIS is countered by these objectives.

T.DOC.ALT
T.DOC.ALT is countered by O.DOC.NO_ALT, O.USER.AUTHORIZED, and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the TOE owner gives users the authority to use the TOE according to the organisational security policies and procedures.
By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, gives users the access rights according to the security policies, and then ensures that users are allowed to use the TOE.
By O.DOC.NO_ALT, the TOE protects document data from being altered by unauthorised persons.
T.DOC.ALT is countered by these objectives.

T.FUNC.ALT
T.FUNC.ALT is countered by O.FUNC.NO_ALT, O.USER.AUTHORIZED, and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the TOE owner gives users the authority to use the TOE according to the organisational security policies and procedures.
By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, gives users the access rights according to the security policies, and then ensures that users are allowed to use the TOE.
By O.FUNC.NO_ALT, the TOE protects user job data from being altered by unauthorised persons.
T.FUNC.ALT is countered by these objectives.

T.PROT.ALT
T.PROT.ALT is countered by O.PROT.NO_ALT, O.USER.AUTHORIZED, and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the TOE owner gives users the authority to use the TOE according to the organisational security policies and procedures.
By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, gives users the access rights according to the security policies, and then ensures that users are allowed to use the TOE.
By O.PROT.NO_ALT, the TOE protects TSF protected data from being altered by unauthorised persons.
T.PROT.ALT is countered by these objectives.

T.CONF.DIS
T.CONF.DIS is countered by O.CONF.NO_DIS, O.USER.AUTHORIZED, and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the TOE owner gives users the authority to use the TOE according to the organisational security policies and procedures.
By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, gives users the access rights according to the security policies, and then ensures that users are allowed to use the TOE.
By O.CONF.NO_DIS, the TOE protects TSF confidential data from being disclosed by unauthorised persons.
T.CONF.DIS is countered by these objectives.
T.CONF.ALT
T.CONF.ALT is countered by O.CONF.NO_ALT, O.USER.AUTHORIZED, and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the TOE owner gives users the authority to use the TOE according to the organisational security policies and procedures.
By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, gives users the access rights according to the security policies, and then ensures that users are allowed to use the TOE.
By O.CONF.NO_ALT, the TOE protects TSF confidential data from being altered by unauthorised persons.
T.CONF.ALT is countered by these objectives.

P.USER.AUTHORIZATION
P.USER.AUTHORIZATION is enforced by O.USER.AUTHORIZED and OE.USER.AUTHORIZED.
By OE.USER.AUTHORIZED, the TOE owner gives users the authority to use the TOE according to the organisational security policies and procedures.
By O.USER.AUTHORIZED, the TOE requires identification and authentication of users, gives users the access rights according to the security policies, and then ensures that users are allowed to use the TOE.
P.USER.AUTHORIZATION is enforced by these objectives.

P.SOFTWARE.VERIFICATION
P.SOFTWARE.VERIFICATION is enforced by O.SOFTWARE.VERIFIED.
By O.SOFTWARE.VERIFIED, the TOE provides procedures to self-verify the executable code in the TSF.
P.SOFTWARE.VERIFICATION is enforced by this objective.

P.AUDIT.LOGGING
P.AUDIT.LOGGING is enforced by O.AUDIT.LOGGED, OE.AUDIT.REVIEWED, OE.AUDIT_STORAGE.PROTECTED, and OE.AUDIT_ACCESS.AUTHORIZED.
By O.AUDIT.LOGGED, the TOE records and manages events related to TOE use and security and prevents their unauthorised disclosure or alteration.
By OE.AUDIT.REVIEWED, the TOE owner ensures that audit logs are reviewed at appropriate intervals for detecting security violations or unusual patterns of activity.
By OE.AUDIT_STORAGE.PROTECTED, when audit records are exported from the TOE to another trusted IT product, the TOE owner ensures that those records are protected from unauthorised access, deletion, and alteration.
By OE.AUDIT_ACCESS.AUTHORIZED, when audit records generated by the TOE are exported from the TOE to another trusted IT product, the TOE owner ensures that those records can be accessed in order to detect potential security violations, and only by authorised persons.
P.AUDIT.LOGGING is enforced by these objectives.

P.INTERFACE.MANAGEMENT
P.INTERFACE.MANAGEMENT is enforced by O.INTERFACE.MANAGED and OE.INTERFACE.MANAGED.
By O.INTERFACE.MANAGED, the TOE manages the operation of the external interfaces in accordance with the security policies.
By OE.INTERFACE.MANAGED, the IT environment provides protection against unauthorised access to the TOE external interfaces.
P.INTERFACE.MANAGEMENT is enforced by these objectives.

A.ACCESS.MANAGED
A.ACCESS.MANAGED is upheld by OE.PHYSICAL.MANAGED.
By OE.PHYSICAL.MANAGED, the TOE is placed in a secure or monitored area that is protected from unauthorised physical access to the TOE.
A.ACCESS.MANAGED is upheld by this objective.

A.ADMIN.TRAINING
A.ADMIN.TRAINING is upheld by OE.ADMIN.TRAINED.
By OE.ADMIN.TRAINED, the TOE owner ensures that administrators are aware of the security policies and procedures of their organisation, are trained to follow the guidance and documents of the manufacturer, secure time to gain competence to follow them, and are able to configure and operate the TOE properly according to those policies and procedures.
A.ADMIN.TRAINING is upheld by this objective.

A.ADMIN.TRUST
A.ADMIN.TRUST is upheld by OE.ADMIN.TRUSTED.
By OE.ADMIN.TRUSTED, the TOE owner establishes trust so that administrators will not use their access privileges for malicious purposes.
A.ADMIN.TRUST is upheld by this objective.

A.USER.TRAINING
A.USER.TRAINING is upheld by OE.USER.TRAINED.
By OE.USER.TRAINED, the TOE owner ensures that users of the TOE are aware of the security policies and procedures of their organisation, are trained to follow those policies and procedures, and gain competence to follow them.
A.USER.TRAINING is upheld by this objective.

5 Extended Components Definition

This section describes the Extended Components Definition.

5.1 Restricted forwarding of data to external interfaces (FPT_FDI_EXP)

Family behaviour
This family defines requirements for the TSF to restrict direct forwarding of information from one external interface to another external interface.
Many products are intended to receive information on specific external interfaces, and to transform and process this information before it is transmitted on another external interface. However, some products may provide the capability for attackers to misuse external interfaces to violate the security of the TOE or of devices that are connected to the TOE's external interfaces. Therefore, direct forwarding of unprocessed data between different external interfaces is forbidden unless explicitly allowed by an authorized administrative role. The family FPT_FDI_EXP has been defined to specify this kind of functionality.

Component levelling:
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces provides for the functionality to require TSF-controlled processing of data received over defined external interfaces before these data are sent out on another external interface. Direct forwarding of data from one external interface to another requires explicit allowance by an authorized administrative role.
Management: FPT_FDI_EXP.1
The following actions could be considered for the management functions in FMT:
a) Definition of the role(s) that are allowed to perform the management activities
b) Management of the conditions under which direct forwarding can be allowed by an administrative role
c) Revocation of such an allowance

Audit: FPT_FDI_EXP.1
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
There are no auditable events foreseen.

(Component levelling figure: FPT_FDI_EXP: Restricted forwarding of data to external interfaces ---- 1)

Rationale:
Quite often, a TOE is supposed to perform specific checks on and process data received on one external interface before such (processed) data are allowed to be transferred to another external interface. Examples are firewall systems, but also other systems that require a specific workflow for the incoming data before it can be transferred. Direct forwarding of such data (i.e., without processing the data first) between different external interfaces is therefore a function that—if allowed at all—can only be allowed by an authorized role.
It has been viewed as useful to have this functionality as a single component that allows specifying the property to disallow direct forwarding and to require that only an authorized role can allow this. Since this is a function that is quite common for a number of products, it has been viewed as useful to define an extended component.
The Common Criteria defines attribute-based control of user data flow in its FDP class. However, in this ST, the authors needed to express the control of both user data and TSF data flow using administrative control instead of attribute-based control. It is considered inappropriate to use FDP_IFF and FDP_IFC by applying refinement for this purpose. Therefore, the authors decided to define an extended component to address this functionality.
This extended component protects both user data and TSF data, and it could therefore be placed in either the FDP or the FPT class. Since its purpose is to protect the TOE from misuse, the authors believed that it was most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class, and this led the authors to define a new family with just one member.

FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on [assignment: list of external interfaces] from being forwarded without further processing by the TSF to [assignment: list of external interfaces].

6 Security Requirements

This section describes the Security Functional Requirements, Security Assurance Requirements, and Security Requirements Rationale. The terms used in this section are defined below.

Table 16 : Terms Used in Section 6

| Classification of Term | Name of Term | Description of Term |
|---|---|---|
| Subject | Normal user process | A process that acts on behalf of a normal user when the authentication of the normal user is successful. |
| | MFP administrator process | A process that acts on behalf of an MFP administrator when the authentication of the MFP administrator is successful. |
| | Supervisor process | A process that acts on behalf of a supervisor when the authentication of the supervisor is successful. |
| Object | Document data (D.DOC) | Paper documents, digitised documents, deleted documents, temporary documents, or their fragments managed by the TOE. |
| | User job data (D.FUNC) | Information related to the user's document or document processing job. |
| | MFP application | General term for Copy Function, Printer Function, Scanner Function, Fax Function, and Document Server Function, which enforce the SFR package functions in the PP (F.CPY, F.PRT, F.SCN, F.FAX, and F.DSR). |
| | F.CPY | Copying: a function in which physical document input is duplicated to physical document output. |
| | F.PRT | Printing: a function in which electronic document input is converted to physical document output. |
| | F.SCN | Scanning: a function in which physical document input is converted to electronic document output. |
| | F.FAX | Faxing: a function in which physical document input is converted to a telephone-based document facsimile (fax) transmission, and a function in which a telephone-based document facsimile (fax) reception is converted to physical document output. |
| | F.DSR | Document storage and retrieval: a function in which a document is stored during one job and retrieved during one or more subsequent jobs. |
| Operation | Read | To perform print, download, fax transmission, e-mail transmission of attachments, folder transmission, preview, or fax reception. |
| | Delete | To delete TSF data or objects. |
| | Modify | To modify TSF data or objects. |
| | Query | To refer to TSF data. |
| | Newly create | To newly create TSF data. |
| | Change_default | To change the default value of TSF data. |
| | Execute | To execute MFP application jobs. |
| Security attribute | Login user name | User identifier associated with any of the normal user, MFP administrator, or supervisor. The TOE identifies users by this identifier. |
| | User role | Any role of normal user, MFP administrator, or supervisor who uses the TOE. |
| | Document data attribute | The security attribute that identifies the SFR package functions in the PP. This is associated with the document data (D.DOC) and the user job data (D.FUNC). This attribute includes +PRT, +SCN, +CPY, +FAXOUT, +FAXIN, and +DSR. This is a security attribute that is not used in the TOE implementation. |
| | +PRT | One of the document data attributes. It refers to data associated with a print job. |
| | +SCN | One of the document data attributes. It refers to data associated with a scan job. |
| | +CPY | One of the document data attributes. It refers to data associated with a copy job. |
| | +FAXOUT | One of the document data attributes. It refers to data associated with an outbound (transmission) fax job. |
| | +FAXIN | One of the document data attributes. It refers to data associated with an inbound (reception) fax job. |
| | +DSR | One of the document data attributes. It refers to data associated with a job for saving and retrieving documents. |
| | Document data owner information | The security attribute of the document data. The document data owner information (the login user name) is set. For the document data received via a telephone line (+DSR, Fax reception document), the list of login user names is set. |
| | List for users who have been granted access permission for the document data | The security attribute of the document data (+DSR), excluding the document data received via a telephone line (Fax reception document). The information of the users (the login user names) who are allowed to access (view) the document data is set. The document data owner can allow other normal users to read the document data. |
| | User job data owner information | The security attribute of the user job data. The user job data owner information (the login user name) is set. |
| | Available function list | The attribute given to normal users. The list of functions (MFP applications) that normal users are allowed to use. |
| | Function type | MFP application attribute, such as Copy Function, Printer Function, Scanner Function, Fax Function, and Document Server Function. |
| External entity | Normal user | A user who is allowed to use the TOE. A normal user is provided with a login user name and can use the MFP applications. |
| | MFP administrator | A user who has the privilege to manage the TOE, including: operation of configuration of normal user settings; operation of setting information related to MFP device behaviour; operation of audit logs; operation of configuration of network settings; access management of fax reception documents; unlocking locked-out normal users and a supervisor. |
| | Supervisor | A user who has the privilege to manage the TOE, including: changing the login password of MFP administrators; unlocking locked-out MFP administrators. |
| Other terms | MFP Control Software | A software component installed in the TOE. This component is stored in FlashROM. |
| | FCU Control Software | A software component installed in the TOE. This component is stored in the FCU. |
| | Operation Panel Control Software | A software component installed in the TOE. This component is stored in the Operation Panel Control Board of the Operation Panel. |

6.1 Security Functional Requirements

This section describes the TOE security functional requirements for fulfilling the security objectives defined in section 4.1. The security functional requirements are quoted from the requirements defined in CC Part 2. The security functional requirements that are not defined in CC Part 2 are quoted as defined in the SMI SFR Package for extended security functional requirements defined in the PP. The parts with assignments and selections defined in the [CC] are identified with [bold face and brackets].

6.1.1 Class FAU: Security audit

6.1.1.1. FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [selection: not specified] level of audit; and
c) [assignment: auditable events of the TOE shown in Table 17].
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [assignment: types of job for FDP_ACF.1(a), all login user names that attempted user identification for FIA_UID.1, communicating devices with the trusted channel, lockout operation type, locked-out user, and locked-out user who is to be released].

Table 17 : List of Auditable Events

| Auditable Event | Related SFR |
|---|---|
| Download and deletion of audit logs | FAU_STG.1, FAU_SAR.1, FAU_SAR.2 |
| Start and end of creating document data; start and end of printing document data; start and end of downloading document data; start and end of sending document data by fax transmission; start and end of sending document data by e-mail transmission of attachments; start and end of sending document data by folder transmission; start and end of deletion of document data; deletion of user job data. The operations listed here ("creating, printing, and downloading document data, sending document data by fax transmission, e-mail transmission of attachments, and folder transmission, deletion of document data, and deletion of user job data") correspond to the job types. | FDP_ACF.1(a) |
| Starting and releasing lockout | FIA_AFL.1 |
| Success and failure of login operations | FIA_UAU.1 |
| Success and failure of login operations. Also includes the user identification that is required by the PP as additional information. | FIA_UID.1 |
| Use of the management functions in Table 33 | FMT_SMF.1, FPT_STM.1 |
| Termination of session by Auto Logout | FTA_SSL.3 |
| Failure of the trusted channel functions | FTP_ITC.1 |
| No record, because there is no function for modifications to the group of users | FMT_SMR.1 |

6.1.1.2. FAU_GEN.2 User identity association
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.

6.1.1.3. FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to [selection: prevent] unauthorised modifications to the stored audit records in the audit trail.

6.1.1.4. FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.4.1 The TSF shall [selection: overwrite the oldest stored audit records] and [assignment: no other actions to be taken in case of audit storage failure] if the audit trail is full.

6.1.1.5. FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.1.1 The TSF shall provide [assignment: the MFP administrators] with the capability to read [assignment: all of the log items] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

6.1.1.6. FAU_SAR.2 Restricted audit review
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review
FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

6.1.2 Class FDP: User data protection

6.1.2.1. FDP_ACC.1(a) Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(a) The TSF shall enforce the [assignment: user data access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects in Table 18].

Table 18 : List of Subjects, Objects, and Operations among Subjects and Objects (a)

| Subjects | Object | Operations |
|---|---|---|
| Normal user process, MFP administrator process, Supervisor process | Document data (D.DOC) | Read, Delete |
| | User job data (D.FUNC) | Modify, Delete |

6.1.2.2. FDP_ACC.1(b) Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects in Table 19].

Table 19 : List of Subjects, Objects, and Operations among Subjects and Objects (b)

Subject
- Normal user process
- MFP administrator process
- Supervisor process
Object
- MFP application
Operation
- Execute

6.1.2.3. FDP_ACF.1(a) Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1(a) The TSF shall enforce the [assignment: user data access control SFP] to objects based on the following: [assignment: subjects or objects, and their corresponding security attributes shown in Table 20].
Table 20 : Subjects, Objects and Security Attributes (a)

| Category | Subject or Object | Security Attribute |
|---|---|---|
| Subject | Normal user process | Login user name; User role |
| Subject | MFP administrator process | Login user name; User role |
| Subject | Supervisor process | Login user name; User role |
| Object | Document data (D.DOC) | Document data attribute; Document data owner information; List for users who have been granted access permission for the document data |
| Object | User job data (D.FUNC) | Document data attribute; User job data owner information |

FDP_ACF.1.2(a) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: rules to control operations among objects and subjects shown in Table 21].

Table 21 : Rules to Control Operations on Document Data and User Job Data (a)

| Object | Document Data Attribute | Operation | Subject | Rule to Control Operations |
|---|---|---|---|---|
| Document data (D.DOC) | +PRT, +SCN, +FAXOUT, +CPY | Delete | Normal user process | Denied, except for his/her own documents. |
| Document data (D.DOC) | +PRT | Read | Normal user process | Denied, except for his/her own documents. |
| Document data (D.DOC) | +SCN, +FAXOUT, +CPY | Read | Normal user process | Denied, except for his/her own documents. (*1) |
| Document data (D.DOC) | +FAXIN | Delete, Read | Normal user process | Not allowed. (*1) |
| Document data (D.DOC) | +DSR | Delete | Normal user process | Denied, except for his/her own documents. |
| Document data (D.DOC) | +DSR | Read | Normal user process | Denied, except for his/her own documents. If the document data owner allows another user to read the document data, the authorized user can read the document data. |
| User job data (D.FUNC) | +PRT, +SCN, +FAXOUT, +CPY, +DSR | Delete | Normal user process | Denied, except for his/her own user job data. |
Object Document Data Attribute Operation Subject Rule to Control Operations User job data (D.FUNC) +FAXIN Delete Normal user process Not allowed. (*1) User job data (D.FUNC) +PRT +SCN +FAXOUT +FAXIN +CPY +DSR Modify Normal user process Not allowed. (*1) (*1) No interface is provided. FDP_ACF.1.3(a) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules to authorise operations among objects and subjects shown in Table 22]. Table 22 : Rules to Authorise Operations on Document Data and User Job Data (a) Object Document Data Attribute Operation Subject Rule to Authorise Operations Document data (D.DOC) +PRT +SCN +FAXOUT +CPY Delete MFP administrator process Allowed. Document data (D.DOC) +DSR Delete Read MFP administrator process Allowed. Document data (D.DOC) +FAXIN Read MFP administrator process Allowed. User job data (D.FUNC) +PRT +SCN +FAXOUT +CPY +DSR Delete MFP administrator process Allowed. FDP_ACF.1.4(a) The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [assignment: rules to deny operations among objects and subjects shown in Table 23]. Page 54 of 96 Copyright (c) 2024 RICOH COMPANY, LTD. All rights reserved. Table 23 : Rules to Deny Operations on Document Data and User Job Data (a) Object Document Data Attribute Operation Subject Rule to Deny Operations Document data (D.DOC) +FAXIN Delete MFP administrator process Not allowed. (*1) Document data (D.DOC) +PRT +SCN +FAXOUT +CPY Read MFP administrator process Not allowed. (*1) Document data (D.DOC) +PRT +SCN +FAXOUT +FAXIN +CPY +DSR Delete Read Supervisor process Not allowed. (*1) User job data (D.FUNC) +FAXIN Delete MFP administrator process Not allowed. (*1) User job data (D.FUNC) +PRT +SCN +FAXOUT +FAXIN +CPY +DSR Modify MFP administrator process Not allowed. (*1) User job data (D.FUNC) +PRT +SCN +FAXOUT +FAXIN +CPY +DSR Delete Modify Supervisor process Not allowed. 
(*1) (*1) No interface is provided. 6.1.2.4. FDP_ACF.1(b) Security attribute based access control Hierarchical to: No other components. Dependencies: FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation FDP_ACF.1.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] to objects based on the following: [assignment: subjects or objects, and their corresponding security attributes shown in Table 24]. Page 55 of 96 Copyright (c) 2024 RICOH COMPANY, LTD. All rights reserved. Table 24 : Subjects, Objects and Security Attributes (b) Category Subject or Object Security Attribute Subject Normal user process Login user name Available function list User role Subject MFP administrator process Login user name User role Subject Supervisor process Login user name User role Object MFP application Function type FDP_ACF.1.2(b) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: rules to control operations among objects and subjects shown in Table 25]. Table 25 : Rule to Control Operations on MFP Applications (b) Object Operation Subject Rule to Control Operations MFP applications (F.CPY, F.PRT, F.SCN, F.FAX, F.DSR) Execute Normal user process Allows the execution of MFP applications whose function type matches those allowed in the available function list for normal user process. FDP_ACF.1.3(b) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: authorise the execution of the MFP application if the user role of the MFP administrator process is MFP administrator]. FDP_ACF.1.4(b) The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [assignment: deny the execution of the MFP application if the user role of the supervisor process is supervisor]. 6.1.2.5. FDP_RIP.1Subset residual information protection Hierarchical to: No other components. 
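The two access control SFPs above can be checked as one decision procedure. The following is an added example and not code from the Security Target or the TOE: decide_doc() and decide_job() encode Tables 21 to 23 (FDP_ACF.1(a)), decide_exec() encodes Table 25 with FDP_ACF.1.3(b) and FDP_ACF.1.4(b); the class and function names and the spelling of role and attribute values are this example's own assumptions.

```python
# Added example, not part of the Security Target: decision procedure for the
# user data access control SFP (Tables 21 to 23) and the TOE function access
# control SFP (Table 25, FDP_ACF.1.3(b), FDP_ACF.1.4(b)). Names are assumed.
from dataclasses import dataclass

NORMAL, ADMIN, SUPERVISOR = "normal user", "MFP administrator", "supervisor"
DOC_ATTRS = {"+PRT", "+SCN", "+FAXOUT", "+FAXIN", "+CPY", "+DSR"}
MFP_APPS = {"F.CPY", "F.PRT", "F.SCN", "F.FAX", "F.DSR"}


@dataclass(frozen=True)
class Subject:
    """Security attributes of a process acting for a user (Tables 20 and 24)."""
    login_user_name: str
    user_role: str
    available_function_list: frozenset = frozenset()   # normal users only


@dataclass(frozen=True)
class DocumentData:
    """D.DOC: document data attribute, owner, and users granted read access."""
    attribute: str
    owner: str
    access_list: frozenset = frozenset()


@dataclass(frozen=True)
class UserJobData:
    """D.FUNC: document data attribute and owner of the job."""
    attribute: str
    owner: str


def decide_doc(subj: Subject, doc: DocumentData, op: str) -> bool:
    """Read/Delete on D.DOC. Anything not explicitly allowed is denied."""
    if op not in ("Read", "Delete") or doc.attribute not in DOC_ATTRS:
        return False
    if subj.user_role == SUPERVISOR:              # Table 23: no interface
        return False
    if subj.user_role == ADMIN:                   # Tables 22 and 23
        if op == "Delete":
            return doc.attribute != "+FAXIN"
        return doc.attribute in ("+DSR", "+FAXIN")
    # Normal user process, Table 21
    if doc.attribute == "+FAXIN":                 # no interface
        return False
    if doc.owner == subj.login_user_name:         # his/her own documents
        return True
    # Only +DSR documents can be opened to other users by their owner
    return (op == "Read" and doc.attribute == "+DSR"
            and subj.login_user_name in doc.access_list)


def decide_job(subj: Subject, job: UserJobData, op: str) -> bool:
    """Modify/Delete on D.FUNC. Modify has no interface for any role."""
    if op != "Delete" or job.attribute not in DOC_ATTRS:
        return False
    if subj.user_role == SUPERVISOR or job.attribute == "+FAXIN":
        return False                               # Tables 21 and 23
    if subj.user_role == ADMIN:
        return True                                # Table 22
    return job.owner == subj.login_user_name       # Table 21


def decide_exec(subj: Subject, function_type: str) -> bool:
    """Execute on an MFP application (Table 25 plus the explicit rules)."""
    if function_type not in MFP_APPS:
        return False
    if subj.user_role == ADMIN:                    # FDP_ACF.1.3(b)
        return True
    if subj.user_role == SUPERVISOR:               # FDP_ACF.1.4(b)
        return False
    return function_type in subj.available_function_list


if __name__ == "__main__":
    # Constructed sample users and documents, invented for this example.
    alice = Subject("alice", NORMAL, frozenset({"F.CPY", "F.DSR"}))
    bob = Subject("bob", NORMAL, frozenset({"F.PRT"}))
    admin = Subject("admin1", ADMIN)
    shared = DocumentData("+DSR", "alice", frozenset({"bob"}))
    for who, what, op in [(bob, shared, "Read"), (bob, shared, "Delete"),
                          (admin, DocumentData("+PRT", "alice"), "Read")]:
        print(who.login_user_name, op, what.attribute, decide_doc(who, what, op))
```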
Dependencies: No dependencies.
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: deallocation of the resource from] the following objects: [assignment: document data].

6.1.3 Class FIA: Identification and authentication

6.1.3.1. FIA_AFL.1 Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [selection: an administrator configurable positive integer within [assignment: 1 to 5]] unsuccessful authentication attempts occur related to [assignment: the authentication events shown in Table 26].

Table 26 : List of Authentication Events
Authentication Event
- User authentication using the Operation Panel
- User authentication using the WIM
- User authentication when document data is received from the printer driver and temporarily saved or stored
- User authentication when document data is received from the fax driver and stored

FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [selection: met, surpassed], the TSF shall [assignment: perform actions shown in Table 27].

Table 27 : List of Actions for Authentication Failure
Unsuccessfully Authenticated User | Action for Authentication Failure
Normal user | The normal user is locked out during the lockout time set by the MFP administrator, or until the MFP administrator performs the release operation.
Supervisor | The supervisor is locked out during the lockout time set by the MFP administrator, until the MFP administrator performs the release operation, or until a given time elapses after the TOE restarts.
MFP administrator | The MFP administrator is locked out during the lockout time set by the MFP administrator, until the supervisor performs the release operation, or until a given time elapses after the TOE restarts.

6.1.3.2. FIA_ATD.1 User attribute definition
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: login user name, available function list, and user role].

6.1.3.3. FIA_SOS.1 Verification of secrets
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [assignment: the following quality metrics].
(1) Use of multiple character types from upper-case letters, lower-case letters, digits, and symbols. (The required number of types is set by the MFP administrator as the password complexity setting.)
(2) Passwords must consist of single-byte alphanumeric characters and symbols, must be at least the minimum password length (8 to 32 characters, set by the MFP administrator), and
- Must be 128 characters or less for normal users
- Must be 32 characters or less for MFP administrators and a supervisor

6.1.3.4. FIA_UAU.1 Timing of authentication
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.1 The TSF shall allow [assignment: the viewing of the list of user job data, the viewing of WIM Help, the viewing of system status, the viewing of counter, the viewing of information of inquiries, and execution of fax reception] on behalf of the user to be performed before the user is authenticated.
FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

6.1.3.5. FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1 The TSF shall provide only [assignment: dummy letters displayed as authentication feedback] to the user while the authentication is in progress.

6.1.3.6. FIA_UID.1 Timing of identification
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UID.1.1 The TSF shall allow [assignment: the viewing of the list of user job data, the viewing of WIM Help, the viewing of system status, the viewing of counter, the viewing of information of inquiries, and execution of fax reception] on behalf of the user to be performed before the user is identified.
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing other TSF-mediated actions on behalf of that user.

6.1.3.7. FIA_USB.1 User-subject binding
Hierarchical to: No other components.
Dependencies: FIA_ATD.1 User attribute definition
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: login user name, available function list, and user role].
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: no rules for the initial association of attributes].
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: none].

6.1.4 Class FMT: Security management

6.1.4.1. FMT_MOF.1 Management of security functions behaviour
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MOF.1.1 The TSF shall restrict the ability to [selection: disable, enable] the function [assignment: syslog transfer function] to [assignment: the MFP administrator].

6.1.4.2. FMT_MSA.1(a) Management of security attributes
Hierarchical to: No other components.
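The FIA_SOS.1 quality metrics and the FIA_AFL.1 lockout actions (Tables 26 and 27) in 6.1.3 above, as an added example that is not code from the Security Target or the TOE: password_meets_metrics() applies the metrics for a given role and administrator settings, and LockoutTracker applies the Table 27 actions per role. The function and parameter names, and the modelling of "a given time after the TOE restarts" as a configurable number of seconds, are this example's own assumptions.

```python
# Added example, not part of the Security Target: FIA_SOS.1 password metric
# check and an FIA_AFL.1 lockout model following Table 27. Names are assumed;
# the restart release delay is an assumed configuration value.
import string

SINGLE_BYTE = set(string.ascii_letters + string.digits + string.punctuation)
CHARACTER_TYPES = (string.ascii_uppercase, string.ascii_lowercase,
                   string.digits, string.punctuation)
NORMAL, ADMIN, SUPERVISOR = "normal user", "MFP administrator", "supervisor"


def password_meets_metrics(password, role, required_types, min_length):
    """FIA_SOS.1: required_types is the administrator's password complexity
    setting; min_length is the administrator's minimum (8 to 32)."""
    if not 8 <= min_length <= 32:
        raise ValueError("minimum character number must be 8 to 32")
    if any(ch not in SINGLE_BYTE for ch in password):
        return False                      # multi-byte or control characters
    max_length = 128 if role == NORMAL else 32
    if not min_length <= len(password) <= max_length:
        return False
    types_used = sum(any(ch in t for ch in password) for t in CHARACTER_TYPES)
    return types_used >= required_types


class LockoutTracker:
    """FIA_AFL.1: count consecutive failures per user, apply Table 27."""

    def __init__(self, threshold, lockout_seconds, restart_release_seconds):
        if not 1 <= threshold <= 5:        # FIA_AFL.1.1: 1 to 5
            raise ValueError("threshold must be 1 to 5")
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds            # admin setting
        self.restart_release_seconds = restart_release_seconds  # assumed
        self.failures = {}       # user -> consecutive failed attempts
        self.locked_until = {}   # user -> time the lockout expires

    def record_failure(self, user, now):
        """Return True when this failure leaves the user locked out."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked_until[user] = now + self.lockout_seconds
        return self.is_locked(user, now)

    def record_success(self, user):
        self.failures.pop(user, None)

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                  # lockout time has elapsed
            self._release(user)
            return False
        return True

    def release(self, releaser_role, user, user_role):
        """Manual release: the MFP administrator releases normal users and
        the supervisor; the supervisor releases the MFP administrator."""
        allowed = ((releaser_role == ADMIN and user_role in (NORMAL, SUPERVISOR))
                   or (releaser_role == SUPERVISOR and user_role == ADMIN))
        if allowed:
            self._release(user)
        return allowed

    def toe_restarted(self, restart_time, roles):
        """Supervisor and MFP administrator lockouts also end once the
        restart release delay has elapsed; normal users keep theirs."""
        for user, role in roles.items():
            if role in (ADMIN, SUPERVISOR) and user in self.locked_until:
                self.locked_until[user] = min(
                    self.locked_until[user],
                    restart_time + self.restart_release_seconds)

    def _release(self, user):
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
```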
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1(a) The TSF shall enforce the [assignment: user data access control SFP] to restrict the ability to [selection: delete, change_default, [assignment: newly create, modify]] the security attributes [assignment: security attributes in Table 28] to [assignment: the user roles with operation permission in Table 28].

Table 28 : User Roles for Security Attributes (a)
Security Attribute | Operation | User Role with Operation Permission
Login user name [When associated with a normal user] | Newly create; Modify; Delete | MFP administrator
Login user name [When associated with an MFP administrator] | Newly create | MFP administrator
Login user name [When associated with an MFP administrator] | Modify | MFP administrator in question
Login user name [When associated with a supervisor] | Modify | Supervisor
User role | Modify | No role with the operation permission
Document data owner information [+PRT, +SCN, +FAXOUT, +FAXIN, +CPY] | Modify | No role with the operation permission
Document data owner information [+DSR: Other than the document data received via a telephone line] | Modify | No role with the operation permission
Document data owner information [+DSR: Document data received via a telephone line] | Modify | MFP administrator
List for users who have been granted access permission for the document data | Modify | MFP administrator; Document data owner (Normal user)
List for users who have been granted access permission for the document data | Change_default | MFP administrator
User job data owner information | Modify | No role with the operation permission

6.1.4.3. FMT_MSA.1(b) Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] to restrict the ability to [selection: delete, [assignment: newly create, modify]] the security attributes [assignment: security attributes in Table 29] to [assignment: the user roles with operation permission in Table 29].

Table 29 : User Roles for Security Attributes (b)
Security Attribute | Operation | User Role with Operation Permission
Login user name [When associated with a normal user] | Newly create; Modify; Delete | MFP administrator
Login user name [When associated with an MFP administrator] | Newly create | MFP administrator
Login user name [When associated with an MFP administrator] | Modify | MFP administrator in question
Login user name [When associated with a supervisor] | Modify | Supervisor
User role | Modify | No role with the operation permission
Available function list | Newly create; Modify; Delete | MFP administrator
Function type | Modify | No role with the operation permission

6.1.4.4. FMT_MSA.3(a) Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1(a) The TSF shall enforce the [assignment: user data access control SFP] to provide [selection: restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2(a) The TSF shall allow the [assignment: authorised identified roles shown in Table 30] to specify alternative initial values to overwrite the default values when an object or information is created.

Table 30 : Authorised Identified Roles Allowed to Overwrite Default Values
Object | Security Attribute | Authorised Identified Role
Document data (D.DOC) | Document data owner information | No authorised identified roles
Document data (D.DOC) | List for users who have been granted access permission for the document data | Normal user who creates the document data (Allowed only when storing document data from the Operation Panel. There is no interface for overwriting default values when storing document data from the printer driver.)
User job data (D.FUNC) | User job data owner information | No authorised identified roles

6.1.4.5. FMT_MSA.3(b) Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1(b) The TSF shall enforce the [assignment: TOE function access control SFP] to provide [selection: restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2(b) The TSF shall allow the [assignment: no authorised identified roles] to specify alternative initial values to overwrite the default values when an object or information is created.

6.1.4.6. FMT_MTD.1(a) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1(a) The TSF shall restrict the ability to [selection: delete, [assignment: newly create, modify]] the [assignment: list of TSF data in Table 31] to [assignment: the user roles in Table 31].
Table 31 : List of TSF Data
Category | TSF Data | Operation | User Role
TSF protected data (D.PROT) | Lockout settings | Modify | MFP administrator
TSF protected data (D.PROT) | Date/time settings | Modify | MFP administrator
TSF protected data (D.PROT) | Password quality settings | Modify | MFP administrator
TSF protected data (D.PROT) | Auto Logout settings | Modify | MFP administrator
TSF protected data (D.PROT) | S/MIME user information | Newly create; Modify; Delete | MFP administrator
TSF protected data (D.PROT) | Destination folder | Newly create; Modify; Delete | MFP administrator
TSF protected data (D.PROT) | Audit log settings | Modify | MFP administrator
TSF protected data (D.PROT) | Cryptographic communication settings | Modify | MFP administrator
TSF confidential data (D.CONF) | Login password [When associated with a normal user] | Newly create | MFP administrator
TSF confidential data (D.CONF) | Login password [When associated with a normal user] | Modify | Normal user in question; MFP administrator
TSF confidential data (D.CONF) | Login password [When associated with an MFP administrator] | Newly create | MFP administrator
TSF confidential data (D.CONF) | Login password [When associated with an MFP administrator] | Modify | MFP administrator in question; Supervisor
TSF confidential data (D.CONF) | Login password [When associated with a supervisor] | Modify | Supervisor

6.1.4.7. FMT_MTD.1(b) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1(b) The TSF shall restrict the ability to [selection: query, [assignment: modify]] the [assignment: list of TSF data in Table 32] to [assignment: the user roles in Table 32].

Table 32 : List of TSF Data
Category | TSF Data | Operation | User Role
TSF protected data (D.PROT) | Signature verification key | Modify | No role with the operation permission
TSF confidential data (D.CONF) | Login password | Query | No role with the operation permission

6.1.4.8. FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment: management functions shown in Table 33].

Table 33 : List of Specification of Management Functions
Management Function
- Disable and enable the syslog transfer function
- Modify lockout settings
- Modify date/time settings
- Modify password quality settings
- Modify Auto Logout settings
- Newly create, modify, and delete S/MIME user information
- Newly create, modify, and delete destination folders
- Modify audit log settings
- Modify cryptographic communication settings
- Newly create and modify login passwords
- Newly create, modify, and delete login user names
- Modify document data (+DSR: Document data received via a telephone line) owner information
- Modify the list for users who have been granted access permission for the document data, and change its default value
- Newly create, modify, and delete the available function list

6.1.4.9. FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles [assignment: normal user, supervisor, and MFP administrator].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.

6.1.5 Class FPT: Protection of the TSF

6.1.5.1. FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.

6.1.5.2. FPT_TST.1 TSF testing
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up] to demonstrate the correct operation of [selection: [assignment: the MFP Control Software, FCU Control Software, and Operation Panel Control Software]].
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the signature verification key]].
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: the stored TSF executable code]].

6.1.5.3. FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on any external Interface from being forwarded without further processing by the TSF to any Shared-medium Interface.

6.1.6 Class FTA: TOE access

6.1.6.1. FTA_SSL.3 TSF-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL.3.1 The TSF shall terminate the interactive session after [assignment: the time specified by the MFP administrator].

6.1.7 Class FTP: Trusted path/channels

6.1.7.1. FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit [selection: the TSF, another trusted IT product] to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [assignment: communication via the LAN of document data, user job data, TSF protected data, and TSF confidential data].

6.2 Security Assurance Requirements

The evaluation assurance level of this TOE is EAL2+ALC_FLR.2. Table 34 lists the assurance components of the TOE.
ALC_FLR.2 was added to the set of components defined in evaluation assurance level 2 (EAL2).

Table 34 : TOE Security Assurance Requirements (EAL2+ALC_FLR.2)
Assurance Class | Assurance Component
ADV: Development | ADV_ARC.1 Security architecture description
ADV: Development | ADV_FSP.2 Security-enforcing functional specification
ADV: Development | ADV_TDS.1 Basic design
AGD: Guidance documents | AGD_OPE.1 Operational user guidance
AGD: Guidance documents | AGD_PRE.1 Preparative procedures
ALC: Life-cycle support | ALC_CMC.2 Use of a CM system
ALC: Life-cycle support | ALC_CMS.2 Parts of the TOE CM coverage
ALC: Life-cycle support | ALC_DEL.1 Delivery procedures
ALC: Life-cycle support | ALC_FLR.2 Flaw reporting procedures
ASE: Security Target evaluation | ASE_CCL.1 Conformance claims
ASE: Security Target evaluation | ASE_ECD.1 Extended components definition
ASE: Security Target evaluation | ASE_INT.1 ST introduction
ASE: Security Target evaluation | ASE_OBJ.2 Security objectives
ASE: Security Target evaluation | ASE_REQ.2 Derived security requirements
ASE: Security Target evaluation | ASE_SPD.1 Security problem definition
ASE: Security Target evaluation | ASE_TSS.1 TOE summary specification
ATE: Tests | ATE_COV.1 Evidence of coverage
ATE: Tests | ATE_FUN.1 Functional testing
ATE: Tests | ATE_IND.2 Independent testing - sample
AVA: Vulnerability assessment | AVA_VAN.2 Vulnerability analysis

6.3 Security Requirements Rationale

This section describes the rationale for the security requirements. If all security functional requirements are satisfied as described below, the security objectives for the TOE defined in "4 Security Objectives" are fulfilled.

6.3.1 Tracing

Table 35 shows the relationship between the security functional requirements and the security objectives for the TOE. Items marked P provide the primary fulfilment of an objective, and items marked S support its fulfilment. Table 35 shows that each TOE security functional requirement fulfils at least one TOE security objective.

Table 35 : Correspondence of Security Objectives and Functional Requirements
SFR | O.DOC.NO_DIS | O.DOC.NO_ALT | O.FUNC.NO_ALT | O.PROT.NO_ALT | O.CONF.NO_DIS | O.CONF.NO_ALT | O.USER.AUTHORIZED | O.INTERFACE.MANAGED | O.SOFTWARE.VERIFIED | O.AUDIT.LOGGED
FAU_GEN.1 | - | - | - | - | - | - | - | - | - | P
FAU_GEN.2 | - | - | - | - | - | - | - | - | - | P
FAU_STG.1 | - | - | - | - | - | P | - | - | - | P
FAU_STG.4 | - | - | - | - | - | - | - | - | - | S
FAU_SAR.1 | - | - | - | - | P | - | - | - | - | P
FAU_SAR.2 | - | - | - | - | P | - | - | - | - | P
FDP_ACC.1(a) | P | P | P | - | - | - | - | - | - | -
FDP_ACC.1(b) | - | - | - | - | - | - | P | - | - | -
FDP_ACF.1(a) | P | P | P | - | - | - | - | - | - | -
FDP_ACF.1(b) | - | - | - | - | - | - | P | - | - | -
FDP_RIP.1 | P | - | - | - | - | - | - | - | - | -
FIA_AFL.1 | - | - | - | - | - | - | S | - | - | -
FIA_ATD.1 | - | - | - | - | - | - | S | - | - | -
FIA_SOS.1 | - | - | - | - | - | - | S | - | - | -
FIA_UAU.1 | - | - | - | - | - | - | P | P | - | -
FIA_UAU.7 | - | - | - | - | - | - | S | - | - | -
FIA_UID.1 | S | S | S | S | S | S | P | P | - | S
FIA_USB.1 | - | - | - | - | - | - | P | - | - | -
FPT_FDI_EXP.1 | - | - | - | - | - | - | - | P | - | -
FMT_MOF.1 | - | - | - | P | - | - | - | - | - | -
FMT_MSA.1(a) | S | S | S | P | - | - | - | - | - | -
FMT_MSA.1(b) | - | - | - | P | - | - | S | - | - | -
FMT_MSA.3(a) | S | S | S | - | - | - | - | - | - | -
FMT_MSA.3(b) | - | - | - | - | - | - | S | - | - | -
FMT_MTD.1(a) | - | - | - | P | - | P | - | - | - | -
FMT_MTD.1(b) | - | - | - | P | P | - | - | - | - | -
FMT_SMF.1 | S | S | S | S | S | S | - | - | - | -
FMT_SMR.1 | S | S | S | S | S | S | - | - | - | -
FPT_STM.1 | - | - | - | - | - | - | - | - | - | S
FPT_TST.1 | - | - | - | - | - | - | - | - | P | -
FTA_SSL.3 | - | - | - | - | - | - | P | P | - | -
FTP_ITC.1 | P | P | P | P | P | P | - | - | - | -

6.3.2 Justification of Traceability

This section describes how the TOE security objectives are fulfilled by the corresponding TOE security functional requirements. SFR items marked P provide the primary fulfilment of an objective, and SFR items marked S support its fulfilment.

O.DOC.NO_DIS Protection of document disclosure
O.DOC.NO_DIS is a security objective by which the TOE protects document data from being disclosed by unauthorised persons. To fulfil this security objective, it is required to implement the following SFRs.
(1) FDP_ACC.1(a)
FDP_ACC.1(a) defines the access control policy for document data.
(2) FDP_ACF.1(a)
FDP_ACF.1(a) provides the access control functions in accordance with the access control policy for document data.
(3) FDP_RIP.1
FDP_RIP.1 prevents deleted documents, temporary documents and their fragments from being read.
(4) FTP_ITC.1 FTP_ITC.1 protects the document data sent and received by the TOE via the LAN. (5) FMT_MSA.1(a) FMT_MSA.1(a) restricts the management of security attributes to specific users. (6) FMT_MSA.3(a) FMT_MSA.3(a) manages the default security attributes when the document data is generated. (7) FIA_UID.1 FIA_UID.1 identifies persons who attempt to use the TOE. (8) FMT_SMR.1 FMT_SMR.1 maintains the authorised user roles. (9) FMT_SMF.1 FMT_SMF.1 performs the required management functions for the security functions. O.DOC.NO_DIS can be fulfilled by satisfying these security functional requirements. O.DOC.NO_ALT Protection of document alteration O.DOC.NO_ALT is a security objective by which the TOE protects document data from being altered by unauthorised persons. To fulfil this security objective, it is required to implement the following SFRs. (1) FDP_ACC.1(a) FDP_ACC.1(a) defines the access control policy for document data. (2) FDP_ACF.1(a) FDP_ACF.1(a) provides the access control functions in accordance with the access control policy for document data. (3) FTP_ITC.1 FTP_ITC.1 protects the document data sent and received by the TOE via the LAN. (4) FMT_MSA.1(a) FMT_MSA.1(a) restricts the management of security attributes to specific users. (5) FMT_MSA.3(a) FMT_MSA.3(a) manages the default security attributes when the document data is generated. (6) FIA_UID.1 FIA_UID.1 identifies persons who attempt to use the TOE. (7) FMT_SMR.1 FMT_SMR.1 maintains the authorised user roles. (8) FMT_SMF.1 FMT_SMF.1 performs the required management functions for the security functions. Page 68 of 96 Copyright (c) 2024 RICOH COMPANY, LTD. All rights reserved. O.DOC.NO_ALT can be fulfilled by satisfying these security functional requirements. O.FUNC.NO_ALT Protection of user job data alteration O.FUNC.NO_ALT is a security objective by which the TOE protects user job data from being altered by unauthorised persons. 
To fulfil this security objective, it is required to implement the following SFRs. (1) FDP_ACC.1(a) FDP_ACC.1(a) defines the access control policy for user job data. (2) FDP_ACF.1(a) FDP_ACF.1(a) provides the access control functions in accordance with the access control policy for user job data. (3) FTP_ITC.1 FTP_ITC.1 protects the user job data sent and received by the TOE via the LAN. (4) FMT_MSA.1(a) FMT_MSA.1(a) restricts the management of security attributes to specific users. (5) FMT_MSA.3(a) FMT_MSA.3(a) manages the default security attributes when the user job is generated. (6) FIA_UID.1 FIA_UID.1 identifies persons who attempt to use the TOE. (7) FMT_SMR.1 FMT_SMR.1 maintains the authorised user roles. (8) FMT_SMF.1 FMT_SMF.1 performs the required management functions for the security functions. O.FUNC.NO_ALT can be fulfilled by satisfying these security functional requirements. O.PROT.NO_ALT Protection of TSF protected data alteration O.PROT.NO_ALT is a security objective by which the TOE protects TSF protected data from being altered by unauthorised persons. To fulfil this security objective, it is required to implement the following SFRs. (1) FMT_MOF.1 FMT_MOF.1 allows only MFP administrators to manage the behaviour of the security functions. (2) FMT_MSA.1(a) and FMT_MSA.1(b) FMT_MSA.1(a) and FMT_MSA.1(b) restrict the management of security attributes to specific users. (3) FMT_MTD.1(a) and FMT_MTD.1(b) FMT_MTD.1(a) and FMT_MTD.1(b) restrict the operation of TSF protected data to authorised users. (4) FMT_SMF.1 FMT_SMF.1 performs the required management functions for the security functions. (5) FMT_SMR.1 FMT_SMR.1 maintains the authorised user roles. Page 69 of 96 Copyright (c) 2024 RICOH COMPANY, LTD. All rights reserved. (6) FTP_ITC.1 FTP_ITC.1 protects the TSF protected data sent and received by the TOE via the LAN. (7) FIA_UID.1 FIA_UID.1 identifies persons who attempt to use the TOE. 
O.PROT.NO_ALT can be fulfilled by satisfying these security functional requirements. O.CONF.NO_DIS Protection of TSF confidential data disclosure O.CONF.NO_DIS is a security objective by which the TOE protects TSF confidential data from being disclosed by unauthorised persons. To fulfil this security objective, it is required to implement the following SFRs. (1) FMT_MTD.1(b) FMT_MTD.1(b) restricts the operation of TSF confidential data to authorised users. (2) FMT_SMF.1 FMT_SMF.1 performs the required management functions for the security functions. (3) FMT_SMR.1 FMT_SMR.1 maintains the authorised user roles. (4) FTP_ITC.1 FTP_ITC.1 protects the TSF confidential data sent and received by the TOE via the LAN. (5) FAU_SAR.1 FAU_SAR.1 allows the MFP administrator to read audit logs in a format that can be audited. (6) FAU_SAR.2 FAU_SAR.2 prohibits persons other than the MFP administrator from reading the audit logs. (7) FIA_UID.1 FIA_UID.1 identifies persons who attempt to use the TOE. O.CONF.NO_DIS can be fulfilled by satisfying these security functional requirements. O.CONF.NO_ALT Protection of TSF confidential data alteration O.CONF.NO_ALT is a security objective by which the TOE protects TSF confidential data from being altered by unauthorised persons. To fulfil this security objective, it is required to implement the following SFRs. (1) FMT_MTD.1(a) FMT_MTD.1(a) restricts the operation of TSF confidential data to authorised users. (2) FMT_SMF.1 FMT_SMF.1 performs the required management functions for the security functions. (3) FMT_SMR.1 FMT_SMR.1 maintains the authorised user roles. (4) FTP_ITC.1 FTP_ITC.1 protects the TSF confidential data sent and received by the TOE via the LAN. (5) FAU_STG.1 FAU_STG.1 protects audit logs from alteration. Page 70 of 96 Copyright (c) 2024 RICOH COMPANY, LTD. All rights reserved. (6) FIA_UID.1 FIA_UID.1 identifies persons who attempt to use the TOE. 
O.CONF.NO_ALT can be fulfilled by satisfying these security functional requirements. O.USER.AUTHORIZED User identification and authentication O.USER.AUTHORIZED is a security objective by which the TOE requires user identification and authentication of users, gives users the access rights according to the security policies, and then ensures that users are allowed to use the TOE. To fulfil this security objective, it is required to implement the following SFRs. (1) FIA_UID.1 and FIA_UAU.1 FIA_UID.1 and FIA_UAU.1 identify and authenticate persons who attempt to use the TOE. (2) FIA_USB.1 FIA_USB.1 associates the security attributes with the user who is successfully identified and authenticated. (3) FIA_ATD.1 FIA_ATD.1 maintains each user's security attributes registered in the TOE before performing identification and authentication. (4) FDP_ACC.1(b) FDP_ACC.1(b) defines the access control policy that allows users to execute the MFP applications according to the operation permission and user role of MFP applications granted to the successfully identified and authenticated users. (5) FDP_ACF.1(b) FDP_ACF.1(b) provides the access control functions in accordance with the access control policy that allows users to execute the MFP applications according to the operation permission and user role of MFP applications granted to the successfully identified and authenticated users. (6) FIA_UAU.7 FIA_UAU.7 displays dummy letters as authentication feedback on the Operation Panel and prevents the login password from disclosure. (7) FIA_SOS.1 FIA_SOS.1 accepts only passwords that satisfy the quality metrics specified by the MFP administrator, and makes it difficult to guess the login password. (8) FIA_AFL.1 FIA_AFL.1 does not allow the user who have repeatedly failed authentication a certain number of times to access to the TOE for a certain period of time. 
(9) FTA_SSL.3 FTA_SSL.3 performs Auto Logout when the time specified by the MFP administrator has elapsed since the last operation of the user, terminates the inactive session, and enforces the authorisation. (10) FMT_MSA.1(b) FMT_MSA.1(b) restricts the management of security attributes to specific users. (11) FMT_MSA.3(b) FMT_MSA.3(b) sets security attributes to restrictive values. Page 71 of 96 Copyright (c) 2024 RICOH COMPANY, LTD. All rights reserved. O.USER.AUTHORIZED can be fulfilled by satisfying these security functional requirements. O.INTERFACE.MANAGED Management of external interfaces by TOE O.INTERFACE.MANAGED is a security objective by which the TOE manages the operation of the external interfaces in accordance with the security policies. To fulfil this security objective, it is required to implement the following SFRs. (1) FIA_UID.1 and FIA_UAU.1 FIA_UID.1 identifies persons who attempt to use the TOE, and FIA_UAU.1 authenticates the identified users. (2) FTA_SSL.3 FTA_SSL.3 performs Auto Logout when the time specified by the MFP administrator has elapsed since the last operation of the user, terminates the inactive session, and performs management of external interfaces. (3) FPT_FDI_EXP.1 FPT_FDI_EXP.1 prevents data received from an arbitrary external interface from being forwarded without further processing by the TSF to an arbitrary shared media interface. O.INTERFACE.MANAGED can be fulfilled by satisfying these security functional requirements. O.SOFTWARE.VERIFIED Software verification O.SOFTWARE.VERIFIED is a security objective by which the TOE provides procedures to self-verify the executable code in the TSF. To fulfil this security objective, it is required to implement the following SFRs. (1) FPT_TST.1 FPT_TST.1 verifies the signature verification key and executable code in the TSF, and performs self-tests for the MFP Control Software, FCU Control Software, and Operation Panel Control Software at the start-up. 
O.SOFTWARE.VERIFIED can be fulfilled by satisfying this security functional requirement.

O.AUDIT.LOGGED  Management of audit log records
O.AUDIT.LOGGED is a security objective by which the TOE records and manages events related to TOE use and security, and prevents their unauthorised disclosure and alteration. To fulfil this security objective, the following SFRs must be implemented.
(1) FAU_GEN.1 and FAU_GEN.2
FAU_GEN.1 and FAU_GEN.2 record the auditable events together with the identity of the user that caused each event.
(2) FAU_STG.1
FAU_STG.1 protects the audit logs from alteration.
(3) FAU_STG.4
FAU_STG.4 overwrites the audit record with the oldest time stamp when an auditable event occurs while the audit log file is full.
(4) FAU_SAR.1
FAU_SAR.1 allows the MFP administrator to read the audit logs in a format suitable for auditing.
(5) FAU_SAR.2
FAU_SAR.2 prohibits persons other than the MFP administrator from reading the audit logs.
(6) FPT_STM.1
FPT_STM.1 provides reliable time stamps.
(7) FIA_UID.1
FIA_UID.1 identifies persons who attempt to use the TOE.
O.AUDIT.LOGGED can be fulfilled by satisfying these security functional requirements.

6.3.3 Dependency Analysis
Table 36 shows the results of the dependency analysis for the TOE security functional requirements in this ST.
Table 36 : Results of Dependency Analysis of TOE Security Functional Requirements
TOE Security Functional Requirement | Claimed Dependencies | SFR for the ST | Sufficiency
FAU_GEN.1 | FPT_STM.1 | FPT_STM.1 | OK
FAU_GEN.2 | FAU_GEN.1, FIA_UID.1 | FAU_GEN.1, FIA_UID.1 | OK
FAU_STG.1 | FAU_GEN.1 | FAU_GEN.1 | OK
FAU_STG.4 | FAU_STG.1 | FAU_STG.1 | OK
FAU_SAR.1 | FAU_GEN.1 | FAU_GEN.1 | OK
FAU_SAR.2 | FAU_SAR.1 | FAU_SAR.1 | OK
FDP_ACC.1(a) | FDP_ACF.1 | FDP_ACF.1(a) | OK
FDP_ACC.1(b) | FDP_ACF.1 | FDP_ACF.1(b) | OK
FDP_ACF.1(a) | FDP_ACC.1, FMT_MSA.3 | FDP_ACC.1(a), FMT_MSA.3(a) | OK. However, since the document data attributes are not used in the implementation, this security attribute is not required for FMT_MSA.3(a).
FDP_ACF.1(b) | FDP_ACC.1, FMT_MSA.3 | FDP_ACC.1(b), FMT_MSA.3(b) | OK
FDP_RIP.1 | None | None | OK
FIA_AFL.1 | FIA_UAU.1 | FIA_UAU.1 | OK
FIA_ATD.1 | None | None | OK
FIA_SOS.1 | None | None | OK
FIA_UAU.1 | FIA_UID.1 | FIA_UID.1 | OK
FIA_UAU.7 | FIA_UAU.1 | FIA_UAU.1 | OK
FIA_UID.1 | None | None | OK
FIA_USB.1 | FIA_ATD.1 | FIA_ATD.1 | OK
FPT_FDI_EXP.1 | FMT_SMF.1, FMT_SMR.1 | FMT_SMF.1, FMT_SMR.1 | OK
FMT_MOF.1 | FMT_SMR.1, FMT_SMF.1 | FMT_SMR.1, FMT_SMF.1 | OK
FMT_MSA.1(a) | [FDP_ACC.1 or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1 | FDP_ACC.1(a), FMT_SMR.1, FMT_SMF.1 | OK. However, since no interface is provided to modify user roles, modify document data owner information (+PRT, +SCN, +FAXOUT, +FAXIN, +CPY), modify document data owner information (+DSR: document data other than that received via a telephone line), or modify user job data owner information, these management functions are not required for FMT_SMF.1.
FMT_MSA.1(b) | [FDP_ACC.1 or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1 | FDP_ACC.1(b), FMT_SMR.1, FMT_SMF.1 | OK. However, since no interface is provided to modify user roles or modify function types, these management functions are not required for FMT_SMF.1.
FMT_MSA.3(a) | FMT_MSA.1, FMT_SMR.1 | FMT_MSA.1(a), FMT_SMR.1 | OK
FMT_MSA.3(b) | FMT_MSA.1, FMT_SMR.1 | FMT_MSA.1(b), FMT_SMR.1 | OK
FMT_MTD.1(a) | FMT_SMR.1, FMT_SMF.1 | FMT_SMR.1, FMT_SMF.1 | OK
FMT_MTD.1(b) | FMT_SMR.1, FMT_SMF.1 | FMT_SMR.1 | OK. However, since no interface is provided to query login passwords or modify signature verification keys, these management functions are not required for FMT_SMF.1.
FMT_SMF.1 | None | None | OK
FMT_SMR.1 | FIA_UID.1 | FIA_UID.1 | OK
FPT_STM.1 | None | None | OK
FPT_TST.1 | None | None | OK
FTA_SSL.3 | None | None | OK
FTP_ITC.1 | None | None | OK

6.3.4 Security Assurance Requirements Rationale
This TOE is an MFP, a commercially available product. The MFP is assumed to be used in a general office, and this TOE does not assume attackers with Enhanced-Basic or higher attack potential. Evaluation of the TOE design (ADV_TDS.1) is adequate to show the validity of commercially available products. Attacks that circumvent or alter the TSF require a high attack potential and are not covered in this evaluation; dealing with an attacker possessing Basic attack potential (AVA_VAN.2) is therefore adequate for general needs. In order to operate the TOE securely over time, it is important that flaws discovered after the start of TOE operation are remediated appropriately according to a flaw reporting procedure (ALC_FLR.2). Considering the duration and cost of evaluation, the evaluation assurance level EAL2 augmented by ALC_FLR.2 is appropriate for this TOE.

7 TOE Summary Specification
This section describes the TOE summary specification for each security function. Each security function is described in terms of its corresponding security functional requirements.
7.1 Audit Function
The Audit Function records, as the audit log, a log that associates TOE audit events with user identification information, and provides the recorded audit log in a format that can be audited. The recorded audit log can be downloaded and deleted only by the MFP administrator. The function also provides reliable time stamps and controls what happens when the audit log is full. The audit log can additionally be transferred to and stored on a syslog server.
FAU_GEN.1
The TOE records the audit log items shown in Table 38 on the HDD in the TOE when the audit events shown in Table 37 occur. Audit log items comprise basic log items and expanded log items. Basic log items are recorded in every audit record; expanded log items are recorded only when the corresponding audit events in Table 38 occur. Among the auditable events, failure of the trusted channel functions means failure of a function that communicates via a trusted channel: WIM communication, folder transmission, e-mail transmission of attachments, temporary saving and storing of document data received from the printer driver, storing of document data received from the fax driver, and syslog transfer. Failures of these communications are therefore audit events.
Table 37 : List of Audit Events
Audit Event
- Start-up of the Audit Function
- Shutdown of the Audit Function
- Download and deletion of audit logs
- Success and failure of login operations
- Starting and releasing lockout
- Use of the management functions in Table 33
- Termination of session by Auto Logout
- Failure of WIM communication
- Failure of folder transmission
- Failure of e-mail transmission of attachments
- Failure of temporary saving and storing document data received from the printer driver
- Failure of storing document data received from the fax driver
- Failure of syslog transfer
- Deletion of user job data
- Creating (storing) document data
- Reading document data (print, download, fax transmission, e-mail transmission of attachments, and folder transmission)
- Deletion of document data
Table 38 : List of Audit Log Items
Audit Log Item | Setting Values of Audit Log Item | Audit Events to Record Audit Logs
Basic Log Items
Starting date/time of an event | Value of the TOE system clock at event occurrence | All auditable events shown in Table 37
Ending date/time of an event | Value of the TOE system clock at event termination | All auditable events shown in Table 37
Event type | Audit event identity | All auditable events shown in Table 37
Subject identity | Login user name of the user who caused the audit event | All auditable events shown in Table 37
Outcome | Audit event outcome (*1) | All auditable events shown in Table 37
Expanded Log Items
Job type | Creation, print, download, fax transmission, e-mail transmission of attachments, folder transmission, deletion of document data, and deletion of user job data (for deletion of user job data, the value is recorded in the cancellation details field) | Start and end of creating document data; start and end of printing document data; start and end of downloading document data; start and end of sending document data by fax transmission; start and end of sending document data by e-mail transmission of attachments; start and end of sending document data by folder transmission; deletion of document data; deletion of user job data. These events (creating, printing and downloading document data, sending document data by fax transmission, e-mail transmission of attachments and folder transmission, deletion of document data, and deletion of user job data) correspond to the job types.
Login user name | Every login user name that attempted user identification | Success and failure of login operations
Communicating device | Communicating IP address | Failure of WIM communication; failure of folder transmission; failure of temporary saving and storing document data received from the printer driver; failure of storing document data received from the fax driver; failure of syslog transfer
Communicating device | Communicating e-mail address for e-mail transmission of attachments | Failure of e-mail transmission of attachments
Lockout operation type | Information identifying the start or release of lockout | Starting and releasing lockout
Locked out user | Login user name of the user who is locked out | Starting and releasing lockout
Locked out user who is to be released | Login user name of the user who is released from lockout | Starting and releasing lockout
(*1): Either "success" or "failure" is recorded. For the audit event "deletion of document data" only "success" is recorded. For the following audit events only "failure" is recorded:
- Failure of WIM communication
- Failure of folder transmission
- Failure of temporary saving and storing document data received from the printer driver
- Failure of storing document data received from the fax driver
- Failure of syslog transfer
- Failure of e-mail transmission of attachments
FAU_GEN.2
The TOE records the login user name in the audit log so that the user who caused each audit event can be identified.
FPT_STM.1
The date (year/month/day) and time (hour/minute/second) recorded in the audit log are taken from the system clock of the TOE.
FAU_SAR.1 and FAU_SAR.2
The TOE provides MFP administrators with all audit logs in text format. The TOE allows an MFP administrator to download audit logs with the WIM only while that MFP administrator is logged in. The TOE provides no interface for downloading audit logs to any user other than MFP administrators.
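The record structure of Table 38, the administrator-only review of FAU_SAR.1/FAU_SAR.2, the deletion rule of FAU_STG.1 and the overwrite-when-full rule of FAU_STG.4 (stated in the rationale in 6.3.2) can be exercised with the Python model below. It is an added example, not code from this ST or from the product: the dict record layout, the fixed record capacity, the abbreviated event names, the subject value "-" for events with no causing user, and the sample events in demo() are all assumptions of the example.

```python
"""Added example (not Ricoh's code): a model of the audit log of section 7.1
(FAU_GEN.1, FAU_GEN.2, FPT_STM.1, FAU_SAR.1, FAU_SAR.2, FAU_STG.1) plus the
overwrite-when-full behaviour of FAU_STG.4 from the rationale in 6.3.2.
Assumptions not stated in the ST: records are plain dicts, capacity is a fixed
record count, event names are abbreviated, and all sample data is constructed."""
from datetime import datetime, timezone

# Table 38, basic log items: recorded for every auditable event.
BASIC_ITEMS = ("start_time", "end_time", "event_type", "subject", "outcome")

# Table 38, expanded log items each event type may carry (abbreviated names).
EXPANDED_ITEMS = {
    "login": {"login_user_name"},
    "lockout": {"lockout_operation_type", "locked_out_user", "released_user"},
    "wim_comm_failure": {"communicating_device"},
    "folder_tx_failure": {"communicating_device"},
    "email_tx_failure": {"communicating_device"},
    "syslog_tx_failure": {"communicating_device"},
    "document_read": {"job_type"},
    "document_delete": {"job_type"},
}
# Note (*1) under Table 38: communication failures are only ever recorded
# with outcome "failure"; deletion of document data only with "success".
FAILURE_ONLY = {"wim_comm_failure", "folder_tx_failure",
                "email_tx_failure", "syslog_tx_failure"}
SUCCESS_ONLY = {"document_delete"}
ADMIN = "MFP administrator"


class AuditLog:
    def __init__(self, capacity, clock=lambda: datetime.now(timezone.utc)):
        self.capacity = capacity   # assumed: a fixed number of records
        self.clock = clock         # FPT_STM.1: the TOE system clock
        self.records = []

    def record(self, event_type, subject, outcome, **expanded):
        """FAU_GEN.1/FAU_GEN.2: write one record naming the causing user."""
        if event_type in FAILURE_ONLY and outcome != "failure":
            raise ValueError(f"{event_type} is only recorded as a failure")
        if event_type in SUCCESS_ONLY and outcome != "success":
            raise ValueError(f"{event_type} is only recorded as a success")
        unknown = set(expanded) - EXPANDED_ITEMS.get(event_type, set())
        if unknown:
            raise ValueError(f"{event_type} has no item {sorted(unknown)}")
        now = self.clock()
        rec = {"start_time": now, "end_time": now, "event_type": event_type,
               "subject": subject, "outcome": outcome, **expanded}
        if len(self.records) >= self.capacity:
            # FAU_STG.4: the record with the oldest time stamp is overwritten.
            self.records.remove(min(self.records, key=lambda r: r["start_time"]))
        self.records.append(rec)
        return rec

    def read(self, role):
        """FAU_SAR.1/FAU_SAR.2: text export, MFP administrator only."""
        if role != ADMIN:
            raise PermissionError("only the MFP administrator may read audit logs")
        lines = []
        for r in self.records:
            fields = [f"{k}={r[k].isoformat()}" if k.endswith("_time")
                      else f"{k}={r[k]}" for k in BASIC_ITEMS]
            fields += [f"{k}={v}" for k, v in r.items() if k not in BASIC_ITEMS]
            lines.append(" ".join(fields))
        return lines

    def delete_all(self, role):
        """FAU_STG.1: only the MFP administrator may delete; no partial edits."""
        if role != ADMIN:
            raise PermissionError("only the MFP administrator may delete audit logs")
        self.records.clear()


def failed_logins_by_user(records):
    """Reviewer-side check over exported records: failed logins per attempted
    login user name (the expanded item recorded for login events)."""
    counts = {}
    for r in records:
        if r["event_type"] == "login" and r["outcome"] == "failure":
            name = r.get("login_user_name", r["subject"])
            counts[name] = counts.get(name, 0) + 1
    return counts


def demo():
    """Constructed sample: a log holding 4 records receives 5 events, so the
    start-up record (the oldest) is overwritten by the lockout record."""
    seconds = iter(range(60))
    clock = lambda: datetime(2024, 1, 22, 9, 0, next(seconds), tzinfo=timezone.utc)
    log = AuditLog(capacity=4, clock=clock)
    log.record("audit_start", "-", "success")
    for _ in range(3):
        log.record("login", "mallory", "failure", login_user_name="mallory")
    log.record("lockout", "-", "success",
               lockout_operation_type="start", locked_out_user="mallory")
    return log


if __name__ == "__main__":
    for line in demo().read(ADMIN):
        print(line)
```

Running the module prints the four surviving records as an MFP administrator would see them; a normal user calling read() gets a PermissionError, and a record that violates note (*1) or carries an item Table 38 does not define for its event is refused before it is written.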
FAU_STG.1
The TOE allows only MFP administrators to delete audit logs, using the WIM or the Operation Panel. The TOE provides no interface for making partial changes to audit logs.
FAU_STG.4
When there is insufficient space in the audit log files to append the newest audit record, the TOE writes it over the oldest audit record.

7.2 Identification and Authentication Function
The Identification and Authentication Function verifies whether a person attempting to use the TOE is an authorised user, based on the login user name and login password entered, so that the TOE allows only authenticated users to use it and rejects users whose authentication fails. The lockout function, password protection function, and Auto Logout function are also part of this function.
FIA_UAU.1 and FIA_UID.1
The TOE identifies and authenticates a user by login user name and login password. Before the Operation Panel or the WIM can be used, the TOE displays the login screen and prompts for the login user name and login password. When the TOE receives a request from the printer driver or fax driver, it receives the login user name and login password entered by the user together with the request. The TOE performs identification and authentication by checking whether the entered login user name and login password match those registered in the TOE in advance. If identification and authentication succeed, the user is allowed to use the TOE; if they fail, the user is not. However, identification and authentication are not required for viewing the list of user job data, WIM Help, system status, the counter, and inquiry information, or for executing fax reception.
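The following Python model is an added example, not code from this ST or from the product. It shows the authentication decision described above, and it also applies the two rules this section specifies further down: the lockout rule of FIA_AFL.1 and Table 39 (one failure count shared by the Operation Panel, WIM, printer driver and fax driver; threshold of 1 to 5; timed release for normal users; release by the unlocking administrator for the MFP administrator and supervisor) and the password-quality rule of FIA_SOS.1 (four character types, minimum length 8 to 32, role-specific maximum length). Salted PBKDF2 storage of passwords, the injected test clock, the omission of the 60-second power-cycle release, the behaviour for an unregistered name, and the sample accounts are all assumptions of this example.

```python
"""Added example (not Ricoh's code): a model of the identification and
authentication decision of section 7.2 (FIA_UAU.1/FIA_UID.1), applying the
lockout rule of FIA_AFL.1 and Table 39 and the password-quality rule of
FIA_SOS.1. Assumptions not stated in the ST: passwords are stored as salted
PBKDF2 hashes, a test clock is injected, the 60 s power-cycle release is not
modelled, an unregistered name simply fails, and the accounts are constructed."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta, timezone

INTERFACES = ("Operation Panel", "WIM", "printer driver", "fax driver")
# Uses the ST lists as not requiring identification and authentication.
UNAUTHENTICATED_OPS = {"view user job data list", "WIM Help", "system status",
                       "counter", "inquiry information", "fax reception"}
# FIA_SOS.1: the 33 permitted symbols; the ST prints the yen sign (U+00A5)
# in this position, and it is used as printed here.
SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\u00a5]^_`{|}~"
CHARACTER_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                     string.digits, SYMBOLS)
MAX_LENGTH = {"normal user": 128, "MFP administrator": 32, "supervisor": 32}
UNLOCKING_ADMIN = {"normal user": "MFP administrator",      # Table 39
                   "supervisor": "MFP administrator",
                   "MFP administrator": "supervisor"}
PBKDF2_ROUNDS = 50_000   # assumption of this example


def requires_authentication(operation):
    return operation not in UNAUTHENTICATED_OPS


def password_meets_policy(password, role, min_length, complexity):
    """FIA_SOS.1: min_length is the administrator setting (8 to 32);
    complexity is the number of character types required (2 or 3)."""
    if not 8 <= min_length <= 32 or complexity not in (2, 3):
        raise ValueError("password quality setting out of range")
    if not min_length <= len(password) <= MAX_LENGTH[role]:
        return False
    if any(all(c not in cls for cls in CHARACTER_CLASSES) for c in password):
        return False                      # character outside the usable set
    used = sum(any(c in cls for c in password) for cls in CHARACTER_CLASSES)
    return used >= complexity


class FakeClock:
    """Constructed clock for the example; advanced manually."""
    def __init__(self):
        self.now = datetime(2024, 1, 22, 9, 0, tzinfo=timezone.utc)
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += timedelta(seconds=seconds)


class Authenticator:
    def __init__(self, attempts_before_lockout, lockout_time, clock):
        if not 1 <= attempts_before_lockout <= 5:
            raise ValueError("attempts before lockout must be 1 to 5")
        self.threshold = attempts_before_lockout
        self.lockout_time = lockout_time   # administrator setting, normal users
        self.clock = clock
        self.accounts = {}

    def register(self, name, role, password, min_length=8, complexity=2):
        if not password_meets_policy(password, role, min_length, complexity):
            raise ValueError("password rejected by FIA_SOS.1")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[name] = {"role": role, "salt": salt, "hash": digest,
                               "failures": 0, "locked_at": None}

    def is_locked(self, name):
        acct = self.accounts[name]
        if acct["locked_at"] is None:
            return False
        # Normal users are released when the lockout time elapses; the MFP
        # administrator and supervisor wait for the unlocking administrator.
        if (acct["role"] == "normal user"
                and self.clock() - acct["locked_at"] >= self.lockout_time):
            acct["locked_at"], acct["failures"] = None, 0
            return False
        return True

    def login(self, interface, name, password):
        """FIA_UID.1/FIA_UAU.1 with FIA_AFL.1: failures are counted across all
        four interfaces, and a locked name fails even with the right password."""
        if interface not in INTERFACES:
            raise ValueError(f"unknown interface {interface!r}")
        acct = self.accounts.get(name)
        if acct is None or self.is_locked(name):
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        if acct["failures"] >= self.threshold:
            acct["locked_at"] = self.clock()
        return False

    def release_lockout(self, releaser_role, name):
        """Table 39: only the unlocking administrator for the role may release."""
        acct = self.accounts[name]
        if UNLOCKING_ADMIN[acct["role"]] != releaser_role:
            raise PermissionError(f"{releaser_role} cannot release a locked {acct['role']}")
        acct["locked_at"], acct["failures"] = None, 0
```

Two points worth checking against a real device with this model in hand: the failure counter is per login user name, not per interface, so two wrong passwords on the WIM and one through the printer driver lock a threshold-of-3 account; and a locked MFP administrator is not released by waiting, only by the supervisor (or, per the ST, 60 seconds after a power cycle, which the model leaves out).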
FIA_USB.1
Based on the result of the FIA_UAU.1 and FIA_UID.1 checks, the TOE assigns the login user name, user role, and available function list to the processes performed on behalf of the authorised user.
FIA_ATD.1
The TOE retains the login user name, user role, and available function list according to the settings for each user. Privileges are assigned to each user according to the role in which the user was classified at registration. The login user name assigned to a user can be changed for each user.
FTA_SSL.3
The TOE automatically logs out a logged-in user who does not operate the TOE for the period specified by the MFP administrator. The behaviour depends on the interface at which the user is logged in.
- Operation Panel: the user is logged out when the time elapsed since their last operation reaches the Operation Panel Auto Logout time (10 to 999 seconds).
- WIM: the user is logged out when the time elapsed since their last operation reaches the WIM Auto Logout time (3 to 60 minutes).
The TOE also performs identification and authentication for requests from the printer driver and the fax driver. In that case there is no continuous interactive session to be logged out automatically, because the user is logged out as soon as reception of the document data completes.
FIA_UAU.7
For login passwords entered by persons attempting to use the Operation Panel or the WIM, the TOE does not display the entered characters; instead it displays a sequence of dummy characters of the same length as the entered password on the login screen.
FIA_AFL.1
If a user enters a wrong password repeatedly when logging in, the lockout function operates and the TOE prohibits login with that login user name.
When login fails because a wrong password was entered, the user is locked out once the number of attempts before lockout set by the MFP administrator (1 to 5) is reached or exceeded. Authentication failures are accumulated regardless of the login destination (Operation Panel, WIM, printer driver, or fax driver). With a locked-out login user name, authentication fails even if the correct password is entered. The user cannot use the TOE until the lockout is released, either after a certain period of time or by the MFP administrator or supervisor. A locked-out login user name cannot log in until one of the following conditions is met.
- Normal users: the lockout time set by the MFP administrator has elapsed.
- Locked-out users listed in Table 39: the unlocking administrator specified for the user role has released the lockout.
- MFP administrator and supervisor: 60 seconds have elapsed since the MFP became operable after being powered off and on.
Table 39 : Unlocking Administrators for Each User Role
User Role (Locked out User) | Unlocking Administrator
Normal user | MFP administrator
Supervisor | MFP administrator
MFP administrator | Supervisor
FIA_SOS.1
Login passwords can be registered only if they meet the following conditions; passwords that do not satisfy them are rejected. The usable characters and character types are listed below. The password complexity, i.e. the number of character types that must be combined (two or more, or three or more), is set by the MFP administrator.
- Upper-case letters: [A-Z] (26 letters)
- Lower-case letters: [a-z] (26 letters)
- Numbers: [0-9] (ten digits)
- Symbols: SP (space) ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ ¥ ] ^ _ ` { | } ~ (33 symbols)
The conditions on registrable password length differ between normal users, MFP administrators, and the supervisor, as shown below. The minimum password length is set by the MFP administrator in the range 8 to 32 characters.
- Normal users: at least the minimum password length, and at most 128 characters
- MFP administrators and the supervisor: at least the minimum password length, and at most 32 characters
FPT_FDI_EXP.1
The TOE accepts input from the Operation Panel or from a client computer via the LAN interface only after the TSF has reliably identified and authenticated it. Input therefore cannot be forwarded without the TSF's identification and authentication being involved.

7.3 Document Access Control Function
The Document Access Control Function authorises operations on document data and user job data by TOE users who have been authenticated by the Identification and Authentication Function. It allows a user's operations on document data and user job data based on the privileges of the user role or the operation permissions granted to each user.
FDP_ACC.1(a) and FDP_ACF.1(a)
The TOE provides the Document Access Control Function by enforcing the user data access control SFP. The rules of the user data access control SFP are divided into (1) the access control rule on document data and (2) the access control rule on user job data, and the TOE restricts users' operations on document data and user job data accordingly.
(1) Access control rule on document data
Table 40 shows the access control rules for document data. The TOE restricts the delete and read operations on document data for normal users, MFP administrators, and the supervisor. Table 41 shows normal user operations for document data, and Table 42 shows MFP administrator operations for document data.
No interface is provided for operations other than those described in Table 41 and Table 42.
Table 40 : Access Control Rules for Document Data
User Role | Document Data | Access Control Rule
Normal user | Document data (+PRT) | Normal users whose login user name matches the login user name registered in the document owner information are allowed the read and delete operations. Other normal users cannot display the document data and are not allowed the read operation; they can display the jobs related to the temporary document data but are not allowed the delete operation.
Normal user | Document data (+CPY, +SCN, +FAXOUT) | Normal users whose login user name matches the login user name registered in the document owner information are allowed the read and delete operations. Other normal users are provided no interface for reading; they can display the jobs related to the temporary document data but are not allowed the delete operation.
Normal user | Document data (+FAXIN) | No interface for operating fax reception data is provided.
Normal user | Document data (+DSR) (Stored print document, Document Server document, Scanned document, Fax transmission document) | Normal users whose login user name matches the login user name registered in the document owner information are allowed the read and delete operations. Normal users whose login user name is registered in the list of users granted access permission for the document data are allowed the read operation. Other normal users cannot display the document data and are allowed neither the read nor the delete operation.
Normal user | Document data (+DSR) (Fax reception document) | Normal users whose login user name matches the login user name registered in the document owner information (Stored Reception File User) are allowed the read and delete operations. Other normal users cannot display the document data and are allowed neither the read nor the delete operation.
MFP administrator | Document data (+PRT, +CPY, +SCN, +FAXOUT) | MFP administrators are allowed the delete operation.
MFP administrator | Document data (+FAXIN) | Fax reception (the fax reception job) is regarded as reception by the MFP administrator, who is allowed the read operation. No interface for deleting fax reception data is provided.
MFP administrator | Document data (+DSR) (Stored print document) | MFP administrators are allowed the delete operation.
MFP administrator | Document data (+DSR) (Document Server document, Scanned document, Fax transmission document) | MFP administrators are allowed the read and delete operations.
MFP administrator | Document data (+DSR) (Fax reception document) | No interface for operating the document data is provided.
Supervisor | Document data | No interface for operating document data is provided.
Table 41 : Normal User Operations for Document Data
No. | TOE Function (TOE Document Name) | Operation Path | Operations | SFR Package Functions in PP
1 | Copy Function | Operation Panel | Delete (*1), Copy and print | F.CPY (+CPY)
2 | Scanner Function | Operation Panel | Delete (*1), E-mail transmission of attachments, Folder transmission, Preview | F.SCN (+SCN)
3 | Scanner Function (Scanned document) | Operation Panel | Delete, E-mail transmission of attachments, Folder transmission, Preview | F.DSR (+DSR)
4 | Fax Function | Operation Panel | Delete (*1), Fax transmission, Preview | F.FAX (+FAXOUT)
5 | Fax Function (Fax transmission document) | Operation Panel | Delete, Fax transmission, Preview | F.DSR (+DSR)
6 | Fax Function (Fax reception document) | Operation Panel | Delete, Print, Preview | F.DSR (+DSR), F.PRT (+PRT)
7 | Fax Function (Fax reception document) | WIM | Delete, Download, Preview | F.DSR (+DSR)
8 | Printer Function (Temporary saved document) | Operation Panel | Delete (*1), Print, Preview | F.PRT (+PRT)
9 | Printer Function (Temporary saved document) | WIM | Delete (*1) | F.PRT (+PRT)
10 | Printer Function (Stored print document) | Operation Panel | Delete, Print, Preview | F.DSR (+DSR), F.PRT (+PRT)
11 | Printer Function (Stored print document) | WIM | Delete | F.DSR (+DSR)
12 | Document Server Function (Fax transmission document, Document Server document) | Operation Panel | Delete, Print, Preview | F.DSR (+DSR), F.PRT (+PRT)
13 | Document Server Function (Scanned document) | WIM | Delete, E-mail transmission of attachments, Folder transmission, Download, Preview | F.DSR (+DSR)
14 | Document Server Function (Fax transmission document) | WIM | Delete, Fax transmission, Download, Preview | F.DSR (+DSR)
15 | Document Server Function (Document Server document) | WIM | Delete, Preview | F.DSR (+DSR)
(*1) By cancelling the job, the temporary document data handled by the user job data is deleted.
Table 42 : MFP Administrator Operations for Document Data
No. | TOE Function (TOE Document) | Operation Path | Operations | SFR Package Functions in PP
1 | Copy Function | Operation Panel | Delete (*1) | F.CPY (+CPY)
2 | Scanner Function | Operation Panel | Delete (*1) | F.SCN (+SCN)
3 | Scanner Function (Scanned document) | Operation Panel | Delete | F.DSR (+DSR)
4 | Fax Function | Operation Panel | Delete (*1) | F.FAX (+FAXOUT)
5 | Printer Function (Temporary saved document) | Operation Panel | Delete (*1) | F.PRT (+PRT)
6 | Printer Function (Temporary saved document) | WIM | Delete (*1) | F.PRT (+PRT)
7 | Printer Function (Stored print document) | Operation Panel | Delete | F.DSR (+DSR)
8 | Printer Function (Stored print document) | WIM | Delete | F.DSR (+DSR)
9 | Document Server Function (Fax transmission document, Document Server document) | Operation Panel | Delete | F.DSR (+DSR)
10 | Document Server Function (Scanned document, Fax transmission document, Document Server document) | WIM | Delete, Preview | F.DSR (+DSR)
(*1) By cancelling the job, the temporary document data handled by the user job data is deleted.
(2) Access control rule on user job data
The TOE provides users with an interface for deleting user job data (cancelling the job). No interface is provided for deleting user job data of fax reception (+FAXIN), and no interface is provided for modifying user job data.
- Normal user: a normal user whose login user name matches the login user name registered in the user job data owner information is allowed to delete the user job data. Other normal users can display the user job data but are not allowed to delete it.
- MFP administrator: MFP administrators are allowed to delete user job data.
- Supervisor: no interface for operating user job data is provided.
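The rules of Table 40 and of rule (2) on user job data can be written as decision functions so that each cell of the table becomes a testable case. The Python below is an added example, not code from this ST or from the product: the string tags for document categories and +DSR document kinds, the third decision value for "visible in the job list but operation denied", and the sample documents in demo() are assumptions of the example.

```python
"""Added example (not Ricoh's code): the access control rules of Table 40 and
of rule (2) on user job data in section 7.3 (FDP_ACC.1(a)/FDP_ACF.1(a)) as
decision functions. Assumptions not stated in the ST: document categories and
+DSR document kinds are string tags, "displayed but operation denied" is a
third decision value, and the sample documents are constructed."""
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"
LISTED_ONLY = "listed only"   # job shown in the list, but the operation is denied
NORMAL, ADMIN, SUPERVISOR = "normal user", "MFP administrator", "supervisor"
TEMPORARY = ("+PRT", "+CPY", "+SCN", "+FAXOUT")   # document data handled by user job data


@dataclass(frozen=True)
class Document:
    category: str                  # "+PRT", "+CPY", "+SCN", "+FAXOUT", "+FAXIN" or "+DSR"
    owner: str                     # login user name in the document owner information
    dsr_kind: str = ""             # +DSR only: "stored print", "document server",
                                   # "scanned", "fax transmission", "fax reception"
    access_list: frozenset = frozenset()   # users granted access permission (+DSR)


def document_access(user, role, doc, op):
    """Decide op ("read" or "delete") on doc for user with role, per Table 40."""
    if op not in ("read", "delete"):
        raise ValueError(f"no interface for operation {op!r}")
    if role == SUPERVISOR:
        return DENY                                  # no interface at all
    if role == ADMIN:
        if doc.category in TEMPORARY:
            return ALLOW if op == "delete" else DENY
        if doc.category == "+FAXIN":
            return ALLOW if op == "read" else DENY   # reception counts as the admin's
        if doc.dsr_kind == "fax reception":
            return DENY
        if doc.dsr_kind == "stored print":
            return ALLOW if op == "delete" else DENY
        return ALLOW                                 # other +DSR: read and delete
    # normal user
    if doc.category == "+FAXIN":
        return DENY
    if doc.owner == user:
        return ALLOW                                 # owner: read and delete
    if doc.category == "+DSR":
        if (op == "read" and doc.dsr_kind != "fax reception"
                and user in doc.access_list):
            return ALLOW
        return DENY                                  # cannot even display it
    # temporary document data of another user: the job is visible, the delete
    # operation is denied, and there is no read interface
    return LISTED_ONLY if op == "delete" else DENY


def job_access(user, role, job_owner, job_category, op):
    """Rule (2): user job data can only be deleted (the job cancelled);
    nothing exists for +FAXIN jobs or for modification."""
    if op != "delete" or job_category == "+FAXIN":
        return DENY
    if role == ADMIN:
        return ALLOW
    if role == SUPERVISOR:
        return DENY
    return ALLOW if job_owner == user else LISTED_ONLY


def decision_matrix(doc, user):
    """Every role/op decision for one document, to compare against Table 40."""
    return {(role, op): document_access(user, role, doc, op)
            for role in (NORMAL, ADMIN, SUPERVISOR) for op in ("read", "delete")}


def demo():
    """Constructed sample documents."""
    return {
        "print job": Document("+PRT", "alice"),
        "scanned": Document("+DSR", "alice", "scanned", frozenset({"bob"})),
        "stored print": Document("+DSR", "alice", "stored print"),
        "fax rx file": Document("+DSR", "alice", "fax reception"),
        "fax reception": Document("+FAXIN", "-"),
    }


if __name__ == "__main__":
    for name, doc in demo().items():
        print(name, decision_matrix(doc, "bob"))
```

Running it prints, for a non-owner "bob", the read/delete decision of each role for each sample document; the asymmetries worth noticing are that the MFP administrator can delete but not read another user's +PRT job, can read but not delete +FAXIN data, and has no access at all to a stored fax reception document, which only its Stored Reception File User can read or delete.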
7.4 Use-of-Feature Restriction Function
The Use-of-Feature Restriction Function authorises job execution by the MFP applications based on the roles of identified and authenticated users and the operation permissions granted to each user.
FDP_ACC.1(b) and FDP_ACF.1(b)
The TOE provides the Use-of-Feature Restriction Function by enforcing the TOE function access control SFP, which determines whether job execution by the MFP applications provided by the TOE is authorised for normal users, together with the additional rules for MFP administrators and the supervisor. The TOE checks the role of an authorised user who attempts to start a job of an MFP application (Copy Function, Printer Function, Scanner Function, Document Server Function, or Fax Function). For a normal user, only jobs of MFP applications whose function type appears in the user's available function list are permitted. For an MFP administrator, job execution of MFP applications is permitted. For the supervisor, job execution of MFP applications is not permitted.

7.5 Network Protection Function
The Network Protection Function prevents information leakage through network monitoring and detects alteration by encrypting communication with trusted IT products. Communication with the client computer when using the WIM, printer driver, or fax driver is encrypted with TLS; communication with the SMB server and FTP server for folder transmission is protected by IPsec; communication with the mail server for e-mail transmission of attachments is protected by S/MIME; and communication with the sy
slog server, when the audit log transfer setting is enabled, is encrypted with TLS.
FTP_ITC.1
The TOE provides encrypted communication appropriate to each communicating device when it communicates with trusted IT products (WIM communication, folder transmission, e-mail transmission of attachments, temporary saving or storing of document data received from the printer driver, storing of document data received from the fax driver, and transfer to the syslog server). The TOE allows the client computer's Web browser, printer driver, or fax driver to initiate encrypted communication, and the TOE itself can initiate encrypted communication with the mail server, SMB server, FTP server, or syslog server. Table 43 lists the encrypted communications provided by the TOE. For the WIM, encrypted communication with the client computer is used when a URL for which encrypted communication is enabled is specified in the Web browser. For the Printer Function and the Fax Function, encrypted communication with the client computer (IPP over SSL) is used when document data is sent from the printer driver or fax driver to the TOE. For e-mail transmission of attachments, encrypted communication with the mail server (S/MIME) is used. For folder transmission, encrypted communication with the FTP server or SMB server (IPsec) is used. For syslog transfer, communication with the syslog server uses the syslog protocol protected by TLS.
Table 43 : Encrypted Communications Provided by the TOE
Communicating Device | Protocol | Cryptographic Algorithms
Client computer (*1) | TLS 1.2 | AES (128 bits, 256 bits)
Client computer (*1) | TLS 1.3 | AES (128 bits, 256 bits), ChaCha20 (256 bits)
FTP server | IPsec | AES (128 bits, 192 bits, 256 bits)
SMB server | IPsec | AES (128 bits, 192 bits, 256 bits)
Mail server | S/MIME | AES (128 bits, 256 bits)
syslog server | TLS 1.2 | AES (128 bits, 256 bits)
syslog server | TLS 1.3 | AES (128 bits, 256 bits), ChaCha20 (256 bits)
(*1) When the communication uses the printer driver or fax driver, the supported TLS version depends on the OS version of the client computer.

7.6 Residual Data Overwrite Function
The Residual Data Overwrite Function overwrites the HDD with random numbers or specific pattern data so that residual data from deleted document data, temporary document data, and their fragments on the HDD cannot be reused.
FDP_RIP.1
HDD areas are deleted by overwriting in one of two ways: sequential overwriting and batch overwriting. With sequential overwriting, the TOE constantly monitors the residual data area and overwrites it whenever residual data is found. When a user deletes document data, the TOE overwrites the HDD area holding the digital image data of that document data with random numbers; when a job completes, the TOE overwrites with random numbers the HDD area holding the temporary document data created while the job ran and any fragments of it. With batch overwriting, the TOE overwrites the whole HDD collectively, using the method specified by the MFP administrator. The batch overwriting methods are NSA, DoD, random number, BSI/VSITR, and Secure Erase. The NSA method overwrites twice with random numbers and once with null (0).
The DoD method overwrites once with a fixed value, once with its complement, and then with random numbers, and verifies the result afterwards. The random number method overwrites three to nine times with random numbers; the MFP administrator specifies the number of passes when the TOE is installed. The BSI/VSITR method overwrites with 00, FF, 00, FF, 00, FF, AA in that order. The Secure Erase method overwrites data using the ATA "secure erase" command.

7.7 Security Management Function
The Security Management Function controls operations on TSF data in accordance with the privileges allocated to each user or to each user role (normal user, MFP administrator, and supervisor). To enable this control, the function maintains the user roles used to operate the Security Management Function, associates a role with each TOE user authenticated by the Identification and Authentication Function, and sets appropriate default values for security attributes.
FMT_SMR.1
Each TOE user has the role of normal user, MFP administrator, or supervisor. The role is associated with the login user name registered in the TOE, and the TOE associates a logged-in user with the role corresponding to that login user name.
FMT_SMF.1, FMT_MOF.1, FMT_MSA.1(a), FMT_MSA.1(b), FMT_MTD.1(a), and FMT_MTD.1(b)
The TOE performs the following management functions:
- The TOE provides only MFP administrators with an interface for stopping or starting the syslog transfer function.
- The TOE restricts operations on TSF data according to the user's role. As shown in Table 44, it allows TSF data to be operated on by users holding the privilege corresponding to the role for which the operation is permitted.
Table 44 : Management of TSF Data

| Category | TSF Data | Operations | User Role with Operation Permission | Operation Interface |
|---|---|---|---|---|
| TSF protected data | Lockout settings | Modify | MFP administrator | WIM |
| TSF protected data | Date/time settings | Modify | MFP administrator | Operation Panel, WIM |
| TSF protected data | Password quality settings | Modify | MFP administrator | Operation Panel, WIM |
| TSF protected data | Auto Logout settings | Modify | MFP administrator | Operation Panel, WIM |
| TSF protected data | S/MIME user information | Newly create, Modify, Delete | MFP administrator | Operation Panel (*3), WIM |
| TSF protected data | Destination folder | Newly create, Modify, Delete | MFP administrator | Operation Panel, WIM |
| TSF protected data | Audit log settings | Modify | MFP administrator | Operation Panel, WIM |
| TSF protected data | Cryptographic communication settings | Modify | MFP administrator | Operation Panel, WIM |
| TSF protected data | Signature verification key | Modify (*1) | None | None |
| TSF protected data | Login user name [when associated with a normal user] | Newly create, Modify, Delete | MFP administrator | Operation Panel, WIM |
| TSF protected data | Login user name [when associated with an MFP administrator] | Newly create | MFP administrator | Operation Panel, WIM |
| TSF protected data | Login user name [when associated with an MFP administrator] | Modify | MFP administrator in question | Operation Panel, WIM |
| TSF protected data | Login user name [when associated with a supervisor] | Modify | Supervisor | Operation Panel, WIM |
| TSF protected data | User role | Modify (*1) | None | None |
| TSF protected data | Document data owner information [+PRT, +SCN, +FAXIN, +FAXOUT, +CPY] | Modify (*1) | None | None |
| TSF protected data | Document data owner information [other than +DSR and Fax reception document] | Modify (*1) | None | None |
| TSF protected data | Document data owner information [+DSR, Fax reception document] | Modify | MFP administrator | Operation Panel, WIM |
| TSF protected data | List for users who have been granted access permission for the document data | Modify | MFP administrator; Document data owner (normal user) | Operation Panel (*4), WIM |
| TSF protected data | List for users who have been granted access permission for the document data | Change_default | MFP administrator | Operation Panel, WIM |
| TSF protected data | User job data owner information | Modify (*1) | None | None |
| TSF protected data | Available function list | Newly create, Modify, Delete | MFP administrator | Operation Panel, WIM |
| TSF protected data | Function type | Modify (*1) | None | None |
| TSF confidential data | Login password [when associated with a normal user] | Newly create | MFP administrator | Operation Panel, WIM |
| TSF confidential data | Login password [when associated with a normal user] | Modify | Normal user in question; MFP administrator | Operation Panel, WIM |
| TSF confidential data | Login password [when associated with a normal user] | Query (*2) | None | None |
| TSF confidential data | Login password [when associated with an MFP administrator] | Newly create | MFP administrator | Operation Panel, WIM |
| TSF confidential data | Login password [when associated with an MFP administrator] | Modify | MFP administrator in question; Supervisor | Operation Panel, WIM |
| TSF confidential data | Login password [when associated with an MFP administrator] | Query (*2) | None | None |
| TSF confidential data | Login password [when associated with a supervisor] | Modify | Supervisor | Operation Panel, WIM |
| TSF confidential data | Login password [when associated with a supervisor] | Query (*2) | None | None |

(*1) No interface is provided for modification.
(*2) No interface is provided for query.
(*3) From the Operation Panel, the only item of S/MIME user information that can be operated is the e-mail address set for each user.
(*4) For a Stored print document, the list for users who have been granted access permission for the document data cannot be operated from the Operation Panel; it can be operated only through WIM.

FMT_MSA.3(a) and FMT_MSA.3(b)
Table 45 lists the static initialisation of security attributes, and Table 46 gives the security attributes for each case of document data generation. When an object is generated, the TOE sets the default values of its security attributes according to the rules in Table 45 and Table 46. Overwriting these default values is allowed only in limited cases; "None" indicates that no overwriting interface is provided.

Table 45 : List of Static Initialisation for Security Attributes

| Object | Security Attribute | Default Value | Overwriting Default Value |
|---|---|---|---|
| Document data | Document data owner information | See Table 46. | See Table 46. |
| Document data | List for users who have been granted access permission for the document data | See Table 46. | See Table 46. |
| User job data | User job data owner information | Login user names of the normal users who created the user job data. | None |
| MFP application | Function type | Values that identify each function (Copy Function, Scanner Function, Printer Function, Fax Function, and Document Server Function) among the MFP applications. | None |

Table 46 : Security Attributes for Each Case of Document Data Generation

| Case of Document Data Generation | Security Attribute | Default Value | Overwriting Default Value |
|---|---|---|---|
| Scans a paper document, then copies and prints the scanned image data from the Operation Panel by using the Copy Function (F.CPY) | Document data owner information | Login user names of the normal users who created the document data. | None |
| Scans a paper document and performs folder transmission or e-mail transmission of attachments from the Operation Panel by using the Scanner Function (F.SCN) | Document data owner information | Login user names of the normal users who created the document data. | None |
| Scans a paper document and performs fax transmission from the Operation Panel by using the Fax Function (F.FAX) | Document data owner information | Login user names of the normal users who created the document data. | None |
| Receives document data from the printer driver and temporarily saves it in the TOE by using the Printer Function (F.PRT) | Document data owner information | Login user names of the normal users who created the document data. | None |
| Receives document data via a telephone line by using the Fax Function (F.FAX) | None | None | None |
| Receives document data via a telephone line and stores it by using the Fax Function (F.DSR) | Document data owner information | The Stored Reception File User list, in which the owner information (login user names) of fax reception documents is set. | None |
| Scans a paper document and stores it from the Operation Panel by using the Scanner Function (F.SCN and F.DSR) | Document data owner information | Login user names of the normal users who created the document data. | None |
| Scans a paper document and stores it from the Operation Panel by using the Scanner Function (F.SCN and F.DSR) | List for users who have been granted access permission for the document data | The default access permission list (a list of login user names) set for the document data creator. | The document data creator can overwrite it from the Operation Panel with the list of login user names allowed to access (view) the document data. |
| Scans a paper document and stores it from the Operation Panel by using the Fax Function (F.SCN and F.DSR) | Document data owner information | Login user names of the normal users who created the document data. | None |
| Scans a paper document and stores it from the Operation Panel by using the Fax Function (F.SCN and F.DSR) | List for users who have been granted access permission for the document data | The default access permission list (a list of login user names) set for the document data creator. | The document data creator can overwrite it from the Operation Panel with the list of login user names allowed to access (view) the document data. |
| Receives document data from the fax driver and stores it by using the Fax Function (F.DSR) | Document data owner information | Login user names of the normal users who created the document data. | None |
| Receives document data from the fax driver and stores it by using the Fax Function (F.DSR) | List for users who have been granted access permission for the document data | The default access permission list (a list of login user names) set for the document data creator. | None |
| Scans a paper document and stores it from the Operation Panel by using the Document Server Function (F.SCN and F.DSR), or scans a paper document and stores it by using the Copy Function (F.SCN and F.DSR) | Document data owner information | Login user names of the normal users who created the document data. | None |
| Scans a paper document and stores it from the Operation Panel by using the Document Server Function (F.SCN and F.DSR), or scans a paper document and stores it by using the Copy Function (F.SCN and F.DSR) | List for users who have been granted access permission for the document data | The default access permission list (a list of login user names) set for the document data creator. | The document data creator can overwrite it from the Operation Panel with the list of login user names allowed to access (view) the document data. |
| Receives document data from the printer driver with the print method specified as Document Server storage or stored print, and stores it by using the Printer Function (F.DSR) | Document data owner information | Login user names of the normal users who created the document data. | None |
| Receives document data from the printer driver with the print method specified as Document Server storage or stored print, and stores it by using the Printer Function (F.DSR) | List for users who have been granted access permission for the document data | The default access permission list (a list of login user names) set for the document data creator. | None |

7.8 Integrity Verification Function

The Integrity Verification Function is a self-test that, at MFP initial start-up, verifies that part of the TSF and the TSF executable code have a software configuration whose integrity is intact.
The objects whose integrity is verified are the executable code and the signature verification keys of the MFP Control Software, the FCU Control Software, and the Operation Panel Control Software.

FPT_TST.1
At initial start-up the TOE verifies the integrity of the Operation Panel Control Software by comparing its hash value with the stored correct value or by verifying its signature. If the obtained hash value does not match the correct value, or the signature cannot be verified, the TOE displays an error message on the Operation Panel and does not accept operation.

The TOE also verifies the integrity of the MFP Control Software at initial start-up, by comparing its hash value with the correct value or by verifying its signature. Because the signature verification key is used to verify the signature of the MFP Control Software, the TOE verifies the integrity of that key as well, and the hash-verified part of the MFP Control Software is checked first: if the hash value obtained from the signature verification key does not match the correct value, the TOE displays an error message on the Operation Panel and does not accept operation. Only if that hash value matches does the TOE go on to verify the signature of the MFP Control Software. If the hash value obtained from the MFP Control Software does not match the correct value, or the signature cannot be verified, the TOE displays an error message on the Operation Panel and does not accept operation.

The TOE becomes available only when the hash values obtained from the Operation Panel Control Software and the MFP Control Software match the correct values and the signature verifies. The TOE outputs the information used for integrity verification so that the integrity of the FCU Control Software can be verified.
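The start-up sequence described above, as an added worked example; this code is not part of the ST or of the TOE. It checks the Operation Panel Control Software against a stored hash, hash-checks the signature verification key before trusting it, and only then verifies the signature over the MFP Control Software; any failure leaves the device unavailable. The ST does not name the hash or signature algorithms the TOE uses, so SHA-256 and Ed25519, the separation into a hash-verified key and a signature-verified code image, the constructed sample images, and all type and function names are assumptions of the example. The last case in main shows why the key is hash-checked first: an attacker who replaces the code and re-signs it can also install the matching public key, and only a reference hash of the key defeats that.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Reference holds the correct values the boot code compares against
// (in the TOE these live in the hash-verified part; here BuildReference fills them in).
type Reference struct {
	PanelHash [32]byte // SHA-256 of the Operation Panel Control Software (assumed algorithm)
	KeyHash   [32]byte // SHA-256 of the signature verification key
}

// Image is what the boot code finds on the storage it is about to trust.
type Image struct {
	Panel     []byte            // Operation Panel Control Software
	SigKey    ed25519.PublicKey // signature verification key (assumed Ed25519)
	MFPCode   []byte            // signature-verified part of the MFP Control Software
	Signature []byte            // signature over MFPCode
}

var (
	ErrPanel = errors.New("Operation Panel Control Software hash mismatch")
	ErrKey   = errors.New("signature verification key hash mismatch")
	ErrSig   = errors.New("MFP Control Software signature invalid")
)

func hashEqual(want [32]byte, data []byte) bool {
	got := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// SelfTest follows the order in the ST: panel hash, then the key hash, and only if the key
// is intact is it used to verify the signature over the MFP Control Software. It returns nil
// only when every check passes; any error means the device stays unavailable.
func SelfTest(ref Reference, img Image) error {
	if !hashEqual(ref.PanelHash, img.Panel) {
		return ErrPanel
	}
	if !hashEqual(ref.KeyHash, img.SigKey) {
		return ErrKey // a swapped key would happily verify the attacker's own signature
	}
	// ed25519.Verify panics on a wrong-length key, so the length is checked explicitly.
	if len(img.SigKey) != ed25519.PublicKeySize || !ed25519.Verify(img.SigKey, img.MFPCode, img.Signature) {
		return ErrSig
	}
	return nil
}

// BuildReference is the factory side: compute the correct values for a known-good image.
func BuildReference(img Image) Reference {
	return Reference{PanelHash: sha256.Sum256(img.Panel), KeyHash: sha256.Sum256(img.SigKey)}
}

// SignedImage constructs a sample firmware set (constructed data, not real firmware) and
// returns it with the signing key so callers can build legitimately re-signed variants.
func SignedImage() (Image, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	code := []byte("MFP Control Software (sample image)")
	return Image{
		Panel:     []byte("Operation Panel Control Software (sample image)"),
		SigKey:    pub,
		MFPCode:   code,
		Signature: ed25519.Sign(priv, code),
	}, priv
}

func main() {
	good, _ := SignedImage()
	ref := BuildReference(good)
	fmt.Println("intact image :", SelfTest(ref, good))

	patched := good
	patched.MFPCode = append([]byte(nil), good.MFPCode...)
	patched.MFPCode[0] ^= 1
	fmt.Println("patched code :", SelfTest(ref, patched))

	// Attacker replaces the code, signs it with their own key and installs that key too.
	evilPub, evilPriv, _ := ed25519.GenerateKey(nil)
	swapped := good
	swapped.SigKey = evilPub
	swapped.MFPCode = []byte("replaced MFP Control Software")
	swapped.Signature = ed25519.Sign(evilPriv, swapped.MFPCode)
	fmt.Println("swapped key  :", SelfTest(ref, swapped))
}
```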
To check the integrity of the FCU Control Software, the information output by the TOE is compared with the information given in the guidance documents.

7.9 Fax Line Separation Function

The Fax Line Separation Function restricts the input from the telephone line to fax reception only and prohibits forwarding of received fax data, in order to prevent unauthorised intrusion into the LAN via the telephone line.

FPT_FDI_EXP.1
The TOE restricts the input from the telephone line so that only fax data can be received. If any communication that does not comply with the G3 fax protocol is attempted, the line is disconnected. Because the TOE is configured at installation to prohibit forwarding of received fax data, received fax data is not forwarded.

8 Glossary

This section defines the specific terms used in this ST.

Table 47 : Specific Terms Related to This ST

| Term | Definition |
|---|---|
| Lockout | A type of behaviour that denies login to particular users. |
| Auto Logout function | A function that automatically logs a user out if no access is attempted from the Operation Panel or the WIM for a predetermined period of time. Also called Auto Logout. |
| HDD | An abbreviation of hard disk drive. In this document, unless otherwise specified, "HDD" means the HDD installed in the TOE. |
| Job | A sequence of operations of one TOE function (Copy Function, Scanner Function, Printer Function, Document Server Function, Fax Transmission Function, or Fax Reception Function) from beginning to end. |
| MFP application | General term for the Copy Function, Printer Function, Scanner Function, Fax Function, and Document Server Function, which enforce F.CPY, F.PRT, F.SCN, F.FAX, and F.DSR. |
| Copy Function | One of the MFP applications. It enforces the SFR package functions for F.CPY and F.DSR. |
| Scanner Function | One of the MFP applications. It enforces the SFR package functions for F.SCN and F.DSR. |
| Printer Function | One of the MFP applications. It enforces the SFR package functions for F.PRT and F.DSR. |
| Fax Function | One of the MFP applications. It enforces the SFR package functions for F.FAX and F.DSR. |
| Document Server Function | One of the MFP applications. It enforces the SFR package function for F.DSR. |
| Temporary saved document | Document data received from the printer driver with a print method that is handled as temporary saving, and temporarily saved in the TOE. Its document data attribute is +PRT. |
| Stored print document | Among the document data stored in the TOE, the document data received from the printer driver with the print method specified as stored print. Its document data attribute is +DSR. |
| Document Server document | Among the document data stored in the TOE, the document data stored after scanning paper documents from the Operation Panel by using the Copy Function or the Document Server Function, and the document data received from the printer driver with the print method specified as Document Server storage. Its document data attribute is +DSR. |
| Scanned document | Among the document data stored in the TOE, the document data stored after scanning paper documents from the Operation Panel by using the Scanner Function. Its document data attribute is +DSR. |
| Fax transmission document | Among the document data stored in the TOE, the document data stored after scanning paper documents from the Operation Panel by using the Fax Function, and the document data received from the fax driver and stored. Its document data attribute is +DSR. |
| Fax reception document | Among the document data stored in the TOE, the document data received from an external fax via a telephone line and stored in the TOE. Its document data attribute is +DSR. |
| Stored Reception File User | A list holding the owner information (login user names) of fax reception documents. There is one list for all fax reception documents. |
| Operation Panel | A unit consisting of an LCD touch screen and key switches, used by users to operate the TOE. |
| Folder transmission | A function that scans paper documents from the Operation Panel by using the Scanner Function and then sends the scanned image data or a stored scanned document from the MFP over the network to a shared folder on an SMB server by using the SMB protocol, or to a folder on an FTP server by using the FTP protocol. IPsec protects the communication of this function. |
| E-mail transmission of attachments | A function that scans paper documents from the Operation Panel by using the Scanner Function and then sends the scanned image data or a stored scanned document as e-mail. S/MIME protects the communication of this function. |
| SPDF | A type of Auto Document Feeder (ADF) that feeds the originals placed on the device one by one to the exposure glass. When both sides of an original are scanned, both sides are scanned simultaneously. |
| TOE owner | An individual or organisation indirectly involved with the TOE that is responsible for protecting the TOE assets and establishing the related security policies. |