[IDS] PWG Security Web Page

Michael Sweet msweet at msweet.org
Wed Dec 20 00:26:49 UTC 2023


Alan,

Finally getting around to making these changes and had some questions...


> On Oct 23, 2023, at 11:06 AM, Alan Sukert <ansukert49 at outlook.com> wrote:
> 
> Mike,
> 
> At the IDS Meeting last Thursday we were asked to look at the PWG Security web page and make some suggested changes from an IDS perspective. Let me begin by saying that at the beginning we may have gotten a little carried away in wordsmithing the first two paragraphs of the introduction, but the rest of the comments are general and hopefully helpful.
> 
> Anyway, here are the comments:
>> Second paragraph, 1st sentence - need to spell out the abbreviation for DPA (Document Printing Application) and give the full reference for both ISO DPA (should be ISO/IEC 10175 Document Printing Application) and IEEE P2600 (which actually should be IEEE 2600-2008 IEEE Standard for Information Technology: Hardcopy Device and System Security)
>     • We felt the 2nd paragraph, 1st sentence needed to be written in its entirety to add references to IETF and the HCD iTC and to add proper capitalization of 'Printer' and 'Multi-Function Device'.

OK, so I can definitely add a link to the HCD iTC.  What IETF reference(s) did you want?

Proposed text:

The PWG has helped to develop ISO/IEC 10175-3:2000 Document Printing Application (DPA), IEEE 2600-2008 IEEE Standard for Information Technology: Hardcopy Device and System Security (P2600), and most recently the HCD iTC Collaborative Protection Profile for Hardcopy Devices to define standards and best practices for the secure and safe use of a Printer, Multi-Function Device (MFD), and/or Imaging Service throughout its lifecycle. The PWG has also defined standards for identifying and protecting personally identifying information (PII), including best practices for obtaining explicit consent before collecting or using this information and a standard that supports printing through untrusted intermediaries.

>     • 1st Paragraph,3rd Sentence - Change the sentence to read "Where appropriate, we liaise with other standards organizations including...."
>     • 2nd paragraph, 2nd sentence - Remove the "In conjunction with these security-oriented documents," beginning the sentence and just begin with "The PWG..."


>     • Section on Security Lifecycle
>     • Change the 1st sentence, 1st paragraph to read "Security requires engineering best practices and standards."
>     • In the 2nd sentence, remove the words "updates", "timely" and "todays"

So:

Security requires engineering best practices and standards. Network products require regular and trusted firmware/software to address customer issues, changes to best practices and standards, and fixes for security vulnerabilities.

I think the missing "updates" here makes the sentence confusing...  Here it is with updates added:

Security requires engineering best practices and standards. Network products require regular and trusted firmware/software UPDATES to address customer issues, changes to best practices and standards, and fixes for security vulnerabilities.

Thoughts?

>     • Platform Integrity Verification: Secure Boot, Self-Test
> Also, add the following to Protection of Data at Rest - TSG Self-Encrypting Drive Standards (OPAL)
>     • Safety By Design
> We felt the title should really be "Reliability BY Design".
> We also felt this section need more explanatory wording describing what the topic is about

Yes, the "..." is a placeholder for more text, presumably that you and I come up with... :)

>     • Privacy
> You should add pointers to the NIST SPs and other NIST documents that discuss privacy. 

Anything beyond SP800 and the Privacy Framework?

> Note: My comment after the meeting - maybe also add pointers to the EU documents because they are really "heavy" into privacy as well as some states such as California.

Done!

> You should also cover sensitive data and PII here

That would be the first bullet, right?

>     • Resources
> Common Log Format has a bad link - Bill thinks it is because you pointed to an older version; it should be PWG 5110.3-2015

Fixed ('.' instead of '-' before the 5110.3 in the link...)

> Check your resource list against the standards you reference in the Basic Security Functions section
> Some other resources you should add:
>     • IPP Standards

Done!

>     • HCD cPP and HCD SD

Best link?

>     • Applicable IETF Standards (talk to IRA)
> Remove "Business Case for NAC and Hardcopy Devices" - it is very old and per Ira should be deprecated

Done!

...

Please see my updates:

    https://www.pwg.org/security

(we still don't have a direct link to the page...)

________________________
Michael Sweet
