Hi Nancy,
Thank you for your suggestion. I think the six points are valid and
reasonable. However, as with Ira's suggestion for internationalization, I do
have problems with the reference to "future Imaging Services". It is my
understanding that the requirements document and the specifications apply
to the Service models and operations, not an MFD. I therefore suggest the
following rewording of the first paragraph.
"Imaging Services may contain, process, and/or communicate sensitive data
that site policy requires be protected against confidentiality and integrity
threats. Imaging Services include resources and also interact with and
access external resources, which may pose security threats to these
resources. The specification of Imaging Services should consider the
following security measures in protecting sensitive data, operational
security and interfacing resource and network security:"
The six points would then follow.

Comments?

Bill Wagner

From: mfd-bounces at pwg.org [mailto:mfd-bounces at pwg.org] On Behalf Of
Nancy.Chen at okidata.com
Sent: Friday, July 16, 2010 2:00 PM
To: mfd at pwg.org
Subject: [MFD] Security Consideration for MFD Requirements document

Hi All,
Here is my suggested text with Ira's agreement. Also thanks for Ira's minor
editorial changes.
"An MFD is a network device which is subject to many threats to the
confidentiality and integrity of sensitive data transmitted over the network
as well as data at rest within the MFD. Many MFDs today also have the
ability to interact with and access external resources, which poses security
threats to other resources on the network. The design of future Imaging
Services should consider the following security measures in protecting MFD
data and operational security as well as its surrounding network resource
security:
(1) Include the ability to use industry standard network security protocols
to authenticate users' right to MFD operations that have direct or indirect
impacts on the confidentiality and integrity of the sensitive data at rest
according to the local site security policy.
(2) Include the ability to use industry standard secure network protocols to
transmit sensitive data over the network according to the local site
security policy.
(3) Include the ability to use industry standard cryptographic algorithms
compliant to the local site policy to protect internal MFD data at rest.
(4) Include security state attributes that can be monitored and/or validated
by industry standard network access protocols to prevent or minimize the
threats that the MFD can pose to other network resources if these security
state attributes are compromised.
(5) Include service operation and internal data access control policies in
order to support the local site security policy.
(6) Include the ability to generate and store audit log records in industry
standard formats for all security related events in accordance with the
local site security policy."
-Nancy
----------------------------------------------------------------------------
Nancy Chen, PWG Vice-Chair
Principal Engineer
Solutions and Technology
Oki Data
2000 Bishops Gate Blvd.
Mt. Laurel, NJ 08054
Phone: (856)222-7006
Email: Nancy.Chen at okidata.com
--
This message has been scanned for viruses and
dangerous content by <http://www.mailscanner.info/> MailScanner, and is
believed to be clean.