Hi Guys,
Please see comments below regarding IDS model document dated 4/25/2012…
R.
IDS Model Document (4/25/2012) Comments:
------------------------------------
It seems like the use-cases in 3.2 are all complicated, and we've skipped over the basic scenarios. For instance, I think we need to add three relatively basic use-cases for secure printing/imaging:
1. Imaging Job Confidentiality
Bob would like to be able to generate an imaging job on device (A) and have it rendered on device (B). Device (A) and Device (B) are connected via an IP network (i.e., there is IP routability between device (A) and device(B) ). The contents of the imaging job are confidential and should not be disclosed to unauthorized parties capable of intercepting (either actively or passively) the job in transit from device (A) to device (B).
2. Tracking Imaging Device Usage
Bob would like to utilize an imaging device that is administratively controlled by Alice. Alice would like to unambiguously identify"who" is using the imaging device, based on identity credentials that have been previously issued to Bob.
3. Imaging Device Resource Access Control
Bob would like to utilize an imaging device administratively controlled by Alice. The imaging device is capable of multiple functions and consumes resources that Alice deems valuable. Alice would like to control which functions and consumables of the device Bob is capable of using,
3.2.3 This use-case is a bit like NAC -- is anyone doing this today?
3.2.4 This use-case seems contrived or overly complicated. It's actually two use-cases: confidentiality and pin-code job reception.
3.2.6 "Control the ability of a mobile device…" From my reading, there is no mobile device described in the text of the use-case. Suggest changing the name of this use-case to
"Support remote access to enterprise imaging devices"
3.2.7 "Audit Document Trail" is the name of a solution, not a use-case. I would suggest changing this to "Forensic Job Examination" -- I would cull the text of this section starting with "By automatically generating…" since we're not providing a solution and rationale for the solution. We're just isolating a use-case.
----------------------------------------
Section 5 - Declaration Models (not sure what this means), what about "Use Existing Standards" or something easy like this.
Also, in the first paragraph of section 5 (starting on line 421), I think we mean to say "…this standard recommends the use of existing languages and definitions to ADDRESS security requirements.
-------------------------------------------
8.1 User Roles (Table 1)
Haven't' we defined user roles somewhere else? I think there are existing standards or reference definitions for these roles somewhere -- could we reuse them?
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.