Mike,
At the IDS Meeting last Thursday we were asked to look at the PWG Security web page and make some suggested changes from an IDS perspective. Let me begin by saying that at the beginning we may have gotten a little carried away in wordsmithing the first two paragraphs of the introduction, but the rest of the comments are general and hopefully helpful.
Anyway, here are the comments:
1.
Second paragraph, 1st sentence - need to spell out the abbreviation for DPA (Document Printing Application) and give the full reference for both ISO DPA (should be ISO/IEC 10175 Document Printing Application) and IEEE P2600 (which actually should be IEEE 2600-2008 IEEE Standard for Information Technology: Hardcopy Device and System Security)
2. We felt the 2nd paragraph, 1st sentence needed to be written in its entirety to add references to IETF and the HCD iTC and to add proper capitalization of 'Printer' and 'Multi-Function Device' .
3. 1st Paragraph,3rd Sentence - Change the sentence to read "Where appropriate, we liaise with other standards organizations including...."
4. 2nd paragraph, 2nd sentence - Remove the "In conjunction with these security-oriented documents," beginning the sentence and just begin with "The PWG..."
5. Section on Security Lifecycle
* Change the 1st sentence, 1st paragraph to read "Security requires engineering best practices and standards."
* In the 2nd sentence, remove the words "updates", "timely" and "todays"
1. Basic Security Functions
We discussed this a lot and compared your list to the list of security functions in the HCD cPP. The ones that I thought were missing and we should consider adding dealt with self-test (testing a subset of the functionality during power up or reboot), strong cryptography (ensuring that only known and vetted cryptographic algorithms are used) and trusted operation (which covers things like secure boot)
In the end we decided that the following should be added to your list:
* Platform Integrity Verification: Secure Boot, Self-Test
Also, add the following to Protection of Data at Rest - TSG Self-Encrypting Drive Standads (OPAL)
1. Safety By Design
We felt the title should really be "Reliability BY Design".
We also felt this section need more explanatory wording describing what the topic is about
2. Privacy
You should add pointers to the NIST SPs and other NIST documents that discuss privacy.
Note: My comment after the meeting - maybe also add pointers to the EU documents because they are really "heavy" into privacy as well as some states sch as California.
You should also cover sensitive data and PII here
3. Resources
Common Log Format has a bad link - Bill thinks it is because you pointed to an older version; it should be PWG 5110.3-2015
Check your resource list against the standards you reference in the Basic Security Functions section
Some other resources you should add:
* IPP Standards
* HCD cPP and HCD SD
* Applicable IETF Standards (talk to IRA)
Remove "Business Case for NAC and Hardcopy Devices" - it is very old and per Ira should be deprecated
That is the list we have. If you have questions let me know.
Alan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ids/attachments/20231023/da86997d/attachment.html>