Security Target: st_vid10422
Xerox WorkCentre™ 7755/7765/7775
Security Target
Version 2.0
Prepared by:
Xerox Corporation
1350 Jefferson Road
Rochester, New York 14623
Computer Sciences Corporation
7231 Parkway Drive
Hanover, Maryland 21076
Document Version 2.0, Revision 2.0
Xerox WorkCentre™ 7755/7765/7775 Security Target
©2009 Xerox Corporation. All rights reserved. Xerox and the sphere of connectivity design are
trademarks of Xerox Corporation in the United States and/or other countries.
All copyrights referenced herein are the property of their respective owners. Other company trademarks
are also acknowledged.
Document Version: 2.0 (November 2013).
Copyright 2013 Xerox Corporation, All rights reserved
Table of Contents
1. SECURITY TARGET INTRODUCTION ......... 6
1.1. ST AND TOE IDENTIFICATION ......... 6
1.2. TOE OVERVIEW ......... 7
1.2.1. Usage and Major Security Features ......... 7
1.2.2. TOE Type ......... 11
1.2.3. Required Non-TOE Hardware, Software and Firmware ......... 11
1.3. TOE DESCRIPTION ......... 11
1.3.1. Physical Scope of the TOE ......... 11
1.3.2. Logical Scope of the TOE ......... 13
1.4. EVALUATED CONFIGURATION ......... 19
2. CONFORMANCE CLAIMS ......... 20
2.1. COMMON CRITERIA CONFORMANCE CLAIMS ......... 20
2.2. PROTECTION PROFILE CLAIMS ......... 20
2.3. PACKAGE CLAIMS ......... 21
2.4. RATIONALE ......... 21
3. SECURITY PROBLEM DEFINITION ......... 23
3.1. DEFINITIONS ......... 23
3.1.1. Users ......... 23
3.1.2. Objects (Assets) ......... 23
3.1.3. Operations ......... 25
3.1.4. Channels ......... 25
3.2. ASSUMPTIONS ......... 26
3.3. THREATS ......... 26
3.3.1. Threats Addressed by the TOE ......... 26
3.3.2. Threats Addressed by the IT Environment ......... 27
3.4. ORGANIZATIONAL SECURITY POLICIES ......... 27
4. SECURITY OBJECTIVES ......... 29
4.1. SECURITY OBJECTIVES FOR THE TOE ......... 29
4.2. SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT ......... 30
4.3. SECURITY OBJECTIVES FOR THE NON-IT ENVIRONMENT ......... 30
4.4. RATIONALE FOR SECURITY OBJECTIVES ......... 31
5. EXTENDED COMPONENTS DEFINITION ......... 36
5.1. FPT_FDI_EXP RESTRICTED FORWARDING OF DATA TO EXTERNAL INTERFACES ......... 36
6. SECURITY REQUIREMENTS ......... 39
6.1. CONVENTIONS ......... 39
6.2. TOE SECURITY POLICIES ......... 39
6.2.1. Information Flow Control Policy (TSP_FLOW) ......... 40
6.2.2. SSLSec SFP (TSP_SSL) ......... 40
6.2.3. IP Filter SFP (TSP_FILTER) ......... 40
6.2.4. IPSec SFP (TSP_IPSEC) ......... 41
6.2.5. SNMPSec SFP (TSP_SNMP) ......... 41
6.2.6. PrivUserAccess SFP (TSP_FMT) ......... 41
6.2.7. User Access Control SFP (UAC_SFP) (IEEE Std. 2600.2-2009) ......... 41
6.2.8. TOE Function Access Control SFP (TF_SFP) (IEEE Std. 2600.2-2009) ......... 43
6.3. SECURITY FUNCTIONAL REQUIREMENTS ......... 44
6.3.1. Class FAU: Security audit ......... 45
6.3.2. Class FCO: Communication ......... 47
6.3.3. Class FCS: Cryptographic support ......... 47
6.3.4. Class FDP: User data protection ......... 52
6.3.5. Class FIA: Identification and authentication ......... 58
6.3.6. Class FMT: Security management ......... 60
6.3.7. Class FPR: Privacy ......... 66
6.3.8. Class FPT: Protection of the TSF ......... 66
6.3.9. Class FTA: TOE access ......... 67
6.3.10. Class FTP: Trusted paths/channels ......... 67
6.4. TOE SECURITY ASSURANCE REQUIREMENTS ......... 69
6.5. EXPLICITLY STATED REQUIREMENTS FOR THE TOE ......... 69
6.5.1. FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces (IEEE Std. 2600.2-2009) ......... 70
6.6. RATIONALE FOR SECURITY FUNCTIONAL REQUIREMENTS ......... 70
6.7. RATIONALE FOR SECURITY ASSURANCE REQUIREMENTS ......... 78
6.8. RATIONALE FOR DEPENDENCIES ......... 78
6.8.1. Security Functional Requirement Dependencies ......... 78
6.8.2. Security Assurance Requirement Dependencies ......... 81
7. TOE SUMMARY SPECIFICATION ......... 83
7.1. TOE SECURITY FUNCTIONS ......... 83
7.1.1. Image Overwrite (TSF_IOW) ......... 83
7.1.2. Information Flow Security (TSF_FLOW) ......... 84
7.1.3. Authentication (TSF_AUT) ......... 85
7.1.4. Network Identification (TSF_NET_ID) ......... 85
7.1.5. Security Audit (TSF_FAU) ......... 86
7.1.6. Cryptographic Operations (TSF_FCS) ......... 86
7.1.7. User Data Protection – SSL (TSF_FDP_SSL) ......... 87
7.1.8. User Data Protection – IPSec (TSF_FDP_IPSec) ......... 87
7.1.9. User Data Protection – Disk Encryption (TSF_FDP_UDE) ......... 88
7.1.10. User Data Protection – IP Filtering (TSF_FDP_FILTER) ......... 88
7.1.11. Network Management Security (TSF_NET_MGMT) ......... 88
7.1.12. Security Management (TSF_FMT) ......... 89
8. GLOSSARY (NORMATIVE) ......... 92
9. ACRONYMS (INFORMATIVE) ......... 97
10. BIBLIOGRAPHY (INFORMATIVE) ......... 99
List of Figures
Figure 1: Architectural Diagram of the TOE ...................................................................................8
Figure 2: Xerox WorkCentre™ 7755/7765/7775 ...........................................................................9
List of Tables
Table 1: Models and capabilities ....................................................................................................8
Table 2: Evaluated Software/Firmware version ...........................................................................12
Table 3: System User and Administrator Guidance .....................................................................13
Table 4: Users ...............................................................................................................................23
Table 5: User Data ........................................................................................................................24
Table 6: TSF Data .........................................................................................................................24
Table 7: TSF Data Categorization ................................................................................................24
Table 8: SFR Package Functions for IEEE Std. 2600.2-2009 ......................................................25
Table 9: Assumptions for the TOE ...............................................................................................26
Table 10: Threats to User Data for the TOE .................................................................................27
Table 11: Threats to TSF Data for the TOE .................................................................................27
Table 12: Organizational Security Policies for the TOE ..............................................................28
Table 13: Security Objectives for the TOE...................................................................................29
Table 14: Security Objectives for the IT Environment .................................................................30
Table 15: Security Objectives for the Non-IT Environment ........................................................30
Table 16: Completeness of Security Objectives ...........................................................................31
Table 17: Sufficiency of Security Objectives ...............................................................................32
Table 18: User Access Control SFP...............................................................................................41
Table 19: Attributes Definition ......................................................................................................42
Table 20: TOE Security Functional Requirements ........................................................................44
Table 21: Audit Data Requirements ..............................................................................................46
Table 22: IEEE 2600.2 Security Assurance Requirements ...........................................................69
Table 23: Completeness of Security Functional Requirements .....................................................70
Table 24: Sufficiency of Security Functional Requirements .........................................................73
Table 25: SFR Dependencies Satisfied ..........................................................................................78
Table 26: EAL2 (Augmented with ALC_FLR.3) SAR Dependencies Satisfied...........................82
Table 27: Acronyms .......................................................................................................................97
1. SECURITY TARGET INTRODUCTION
This Chapter presents Security Target (ST) identification information and
an overview of the ST. An ST contains the information technology (IT)
security requirements of an identified Target of Evaluation (TOE) and
specifies the functional and assurance security measures offered by that
TOE to meet stated requirements. An ST principally defines:
a) A security problem expressed as a set of assumptions about
the security aspects of the environment, a list of threats that
the product is intended to counter, and any known rules with
which the product must comply (Chapter 3, Security Problem
Definition).
b) A set of security objectives and a set of security
requirements to address the security problem (Chapters 4, 5
and 6, Security Objectives, Extended Components
Definition, and Security Requirements, respectively).
c) The IT security functions provided by the TOE that meet the
set of requirements (Chapter 7, TOE Summary
Specification).
The structure and content of this ST comply with the requirements
specified in the Common Criteria (CC), Part 1, Annex A, and Part 3,
Chapter 11.
1.1.
ST and TOE Identification
This section provides information needed to identify and control this ST
and its associated TOE. This ST targets Evaluation Assurance Level
(EAL) 2 augmented with ALC_FLR.3.
ST Title: Xerox WorkCentre™ 7755/7765/7775 Security Target
ST Version: 2.0
Revision Number: Revision 2.0
Publication Date: November 25, 2013
Authors: CSC Security Testing/Certification Laboratories, Xerox Corporation
TOE Identification: Xerox WorkCentre™ 7755/7765/7775 (see Section 1.3.1 for
software version numbers)
ST Evaluator: CSC Security Testing/Certification Laboratories
Keywords: Xerox, Multi Function Device, Image Overwrite,
WorkCentre™, Color, Mono, Hardcopy, Paper, Document,
Printer, Scanner, Copier, Facsimile, Fax, Document Server,
Document Storage and Retrieval, Nonvolatile storage,
Residual data, Temporary data, Disk overwrite, Network
interface, Shared communications medium, Multifunction
Device, Multifunction Product, All-In-One, MFD, MFP,
Network, Office, ISO/IEC 15408, Common Criteria,
Protection Profile, Security Target
1.2.
TOE Overview
1.2.1.
Usage and Major Security Features
The product is a multi-function device (MFD) that copies and prints in
monochrome (black and white) and full color, with scan-to-email, workflow
scan (including “scan-to-mailbox1”), and FAX options.
A standard
component of the TOE is the Image Overwrite Security package. This
function forces any temporary image files created during a copy, print,
scan or fax job to be overwritten when those files are no longer needed.
For reference, the architecture of the TOE is illustrated in Figure 1,
Architectural Diagram of the TOE, below:
1
In Xerox terminology, the terms “mailbox” and “folder” are used interchangeably, both referring to logical place
holders under which files are stored.
Figure 1: Architectural Diagram of the TOE
The optional Xerox Embedded Fax accessory, when purchased and
installed, provides local analog fax capability over PSTN connections.
Table 1 shows the configurations and printing speeds available in the
various models of the TOE.
Table 1: Models and capabilities
(X – included in all configurations; O – product options ordered separately)

Model              Print  Copy  Workflow Scan  Embedded Fax (2)  Scan to email  Print Speed (Color)  Print Speed (Mono)
WorkCentre™ 7755   X      X     X              O                 X              Up to 40 ppm         Up to 55 ppm
WorkCentre™ 7765   X      X     X              O                 X              Up to 50 ppm         Up to 65 ppm
WorkCentre™ 7775   X      X     X              O                 X              Up to 50 ppm         Up to 75 ppm

2
Embedded FAX jobs are not spooled to the HDDs.
An optional Finisher, which is not part of the TOE, provides “after print”
services such as document collation and stapling. The hardware included
in the TOE is shown in the figure below. This figure also shows an
optional Finisher connected to the TOE at the right side of the picture and
an optional Paper Feeder at the left side of the picture, neither of which
are part of the TOE.
Figure 2: Xerox WorkCentre™ 7755/7765/7775
* Also shown are an optional Paper Feeder (left) and Finisher (right).
The TOE stores temporary image data created during a copy, print,
workflow scan, scan-to-email, internet fax and LanFax job on the single
shared HDD. This temporary image data consists of the original data
submitted and additional files created during a job. All partitions of the
HDD used for spooling temporary files are encrypted. The encryption key
is created dynamically on each power-up.
The TOE provides an Image Overwrite function to enhance the security of
the MFD. The Image Overwrite function overwrites temporary document
image data at the completion of each job. It also overwrites the data of a
job, or of a workflow scan/fax file/mailbox, when that item is deleted at the
instruction of its owner, after a reboot, once the TOE is turned back on
after a power failure/unorderly shutdown, or on demand of the TOE
system administrator.
The optional Xerox Embedded Fax accessory provides analog FAX
capability over Public Switched Telephone Network (PSTN) connections
and also enables LanFax jobs, if purchased by the consumer. A separate
non-volatile memory resource is dedicated to embedded fax, and the
image files written to this memory are zeroized at the completion of a fax
job.
Xerox’s Workflow Scanning Accessory is part of the TOE configuration.
This accessory allows documents to be scanned at the device with the
resulting image being sent via email, transferred to a remote (SSL scan)
repository or kept in a private (scan) mailbox.
All models of the TOE support auditing. The TOE generates audit logs that
track events/actions (e.g., print/scan/fax job submission) to identified
users. The audit logs, which are stored locally in a 15000 entry circular
log, are available to TOE administrators and can be exported for viewing
and analysis. SSL must be configured in order for the system
administrator to download the audit records; the downloaded audit records
are in comma separated format so that they can be imported into an
application such as Microsoft Excel™.
All models of the TOE support network security. The system administrator
can enable and configure the network security support, as well as 802.1x
device authentication. Filtering rules can be specified for IPv4 based on
both address and port number. Additional network security support is
based on SSL. When SSL support is enabled on the device, the following
network security features can be enabled/configured: HTTPS support over
both IPv4 and IPv6 (for both the device’s Web UI and secure workflow
scan data transfer); system administrator download of the device’s audit
log; IPSec support for IPP, lpr and port 9100 print jobs over IPv4 or IPv6;
secure remote authentication (if supported by the remote authentication
server); and secure network device management through SNMPv3.
Scan-to-email and FAX data are not protected from sniffing by the IPSec or
SSL support. The transmission of LanFax data over the Ethernet connection
is protected by IPSec, but the transmission over the PSTN is not. IPSec and
SNMPv3 can only be activated if SSL has been enabled and an SSL-based
certificate (either “self-signed” or generated by an external
Certificate Authority) has been loaded into the TOE via the Web UI. Once
this has occurred SSL could be disabled; however, the TOE would then no
longer be in its evaluated configuration.
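The IPv4 address-and-port filtering described above can be modelled as an ordered rule list evaluated first-match-wins with a default deny. The following is an added example written for this page; it is not Xerox code and the ST does not specify the TOE’s rule format or evaluation order. The rule syntax ("allow 10.0.0.0/24 9100", "deny any *"), the first-match semantics, the default-deny fallback and the EXAMPLE_RULES policy are all assumptions made for illustration.

```python
"""IPv4 filtering rules keyed on source address and destination port, of the
kind the ST says the system administrator can configure.

Added example, not Xerox code. The rule syntax, first-match evaluation, the
default-deny fallback and the constructed policy below are assumptions for
illustration; the ST does not specify the TOE's rule format.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FilterRule:
    network: ipaddress.IPv4Network  # source network the rule covers
    port: Optional[int]             # destination port; None matches any port
    action: str                     # "allow" or "deny"

    def matches(self, src: str, dport: int) -> bool:
        addr = ipaddress.ip_address(src)
        if addr.version != 4:       # the ST's filter rules are IPv4-only
            return False
        return addr in self.network and (self.port is None or self.port == dport)


def parse_rule(text: str) -> FilterRule:
    """Parse 'allow|deny <cidr|any> <port|*>' into a FilterRule (assumed syntax)."""
    action, net, port = text.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    network = ipaddress.ip_network("0.0.0.0/0" if net == "any" else net, strict=False)
    if network.version != 4:
        raise ValueError("only IPv4 rules are supported")
    dport = None if port == "*" else int(port)
    if dport is not None and not 0 < dport < 65536:
        raise ValueError(f"port out of range: {port}")
    return FilterRule(network, dport, action)


class IPFilter:
    """Ordered rule list; the first matching rule decides, otherwise deny."""

    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]

    def decide(self, src: str, dport: int) -> str:
        for rule in self.rules:
            if rule.matches(src, dport):
                return rule.action
        return "deny"


# Constructed policy (assumption): print submission from the office subnet
# only, Web UI administration from a single management host, all else dropped.
EXAMPLE_RULES = [
    "allow 10.0.0.0/24 9100",   # raw print
    "allow 10.0.0.0/24 515",    # lpr
    "allow 10.0.0.0/24 631",    # IPP
    "allow 10.0.1.10/32 443",   # HTTPS Web UI from the admin workstation
    "deny any *",
]

if __name__ == "__main__":
    f = IPFilter(EXAMPLE_RULES)
    for src, port in [("10.0.0.25", 9100), ("10.0.0.25", 443), ("10.0.1.10", 443),
                      ("192.168.1.5", 9100), ("fe80::1", 9100)]:
        print(f"{src:>14}:{port:<5} -> {f.decide(src, port)}")
```

The explicit trailing "deny any *" is redundant with the default deny but makes the policy self-documenting when exported; an IPv6 source never matches an IPv4 rule and therefore falls through to deny, which is the behaviour to expect from an IPv4-only filter rather than an implicit allow.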
The TOE controls and restricts the information flow from the external
interfaces to the network controller (which covers the information flow to
and from the internal network).
The TOE requires users and system administrators to authenticate before
granting access to user (copy, print, fax etc) or system administration
functions via the Web User Interface (Web UI) or the Local User Interface
(LUI). The user or system administrator must enter a username and
password at either the Web User Interface or the Local User Interface.
The password will be obscured3 as it is being entered. The TOE provides
for user identification and authorization as configured by the system
administrator.
The TOE restricts (normal) users’ access to the documents. A user can
only access his/her own documents.
The TOE can integrate with an IPv4 or IPv6 network with native support
for DHCP/DHCPv6.
The TOE supports the Common Access Card (CAC) standard and other
methods (refer to section 1.3.2.3) for remote authentication.
1.2.2.
TOE Type
The TOE is a multi-function device (MFD) that provides copy and print
(monochrome and color), document scanning (monochrome and color)
and optional FAX services.
1.2.3.
Required Non-TOE Hardware, Software and
Firmware
The TOE does not require any additional hardware, software or firmware
in order to function as a multi-function device. However, the network
security and fax flow features are only useful in environments where the
TOE is connected to a network or PSTN. TSF_NET_ID is only available
when one of the following remote authentication services is present on the
network that the TOE is connected to: LDAP or Kerberos. CAC-based
TSF_NET_ID requires CAC-compliant smart cards and smart card
readers.
1.3.
TOE Description
This section provides context for the TOE evaluation by identifying the
logical and physical scope of the TOE, as well as its evaluated
configuration.
1.3.1.
Physical Scope of the TOE
The TOE is a Multi-Function Device (Xerox WorkCentre™
7755/7765/7775) that consists of a printer, copier, scanner, FAX (when
purchased by the consumer), and email, as well as all Administrator and
User guidance. The difference between the three models is their printing
speed. The hardware included in the TOE is shown in Figure 2 above.
This figure also shows an optional Finisher connected to the TOE at the
right side of the picture and an optional Paper Feeder at the left side of the
picture, neither of which are part of the TOE. The optional FAX card is not
shown in this figure4.
3
The LUI obscures input with the asterisk character. The specific character used to obscure input at the WebUI
is browser dependent.
The various software and firmware (“Software”) that comprise the TOE are
listed in Table 2. A system administrator can ensure that they have a TOE
by printing a configuration sheet and comparing the version numbers
reported on the sheet to the table below.
Table 2: Evaluated Software/Firmware version

Software/Firmware Item            WorkCentre™ 7755/7765/7775
System Software                   061.090.221.36202
Network Controller Software       061.091.36121.LL
UI Software (5)                   061.091.34920
Marking Engine Software           008.035.000
Copy Controller Software          061.091.35740
DADH Software                     012.003.003
Finisher Software (Options)
  • C-Finisher                    017.019.000
  • D-Finisher                    013.013.000
FAX Software                      003.010.004
Scanner Software                  011.050.008
The UI software controls the User Interface. Copy Controller software
controls the Copy Controller and is able to interface with all other software
components. Marking Engine software controls the marking engine that
prints to paper. DADH software controls the input tray. Finisher software
controls the optional Finisher attachment. FAX software resides on the
FAX board and controls some fax functions. Scanner software controls
some scan functions. The Copy Controller software and Network
Controller software reside on a single controller.
4
For installation, the optional FAX card must be fitted into the machine. After powering on the machine, the Fax
Install window pops up on the Local UI with step by step instructions for installation.
5
Requires patch LLWC77xxV1.dlm
NOTE: For the remainder of this Security Target, the terms “Network
Controller” and “Copy Controller” will refer to the “Network
Controller” and “Copy Controller” software subsystems.
A customer of the TOE can determine whether the Xerox Embedded Fax
accessory, Xerox Workflow Scan accessory and Image Overwrite Security
Package6 are installed by reviewing the TOE configuration report. A
consumer of the TOE can also determine that they have the evaluated
version of the TOE by reviewing the TOE configuration report and
comparing the version numbers to the content of Table 2, above.
The Administrator and User guidance included in the TOE are listed in
Table 3. A system administrator or user can ensure that they have the
appropriate guidance by comparing the software version number to the
version numbers listed in the table below.
Table 3: System User and Administrator Guidance

Title                                                                      Document Number   Date
Xerox WorkCentre 7755/7765/7775 System Administrator Guide v1.0            None              September 2009
Xerox WorkCentre 7755/7765/7775 User Guide                                 None              September 2009
Secure Installation and Operation of Your WorkCentre™ 7755/7765/7775 v1.3  None              November 2012
The TOE’s physical interfaces include a power port, an Ethernet port, USB
ports, serial ports, FAX ports (if the optional FAX card is installed), Local
User Interface (LUI) with keypad, a document scanner, a document feeder
and a document output.
1.3.2.
Logical Scope of the TOE
The logical scope of the TOE includes all software and firmware that are
installed on the product (see Table 2). The TOE logical boundary is
composed of the security functions provided by the product.
The following security functions are controlled by the TOE:
• Image Overwrite (TSF_IOW)
• Authentication (TSF_AUT)
• Network Identification (TSF_NET_ID)
• Security Audit (TSF_FAU)
• Cryptographic Operations (TSF_FCS)
• User Data Protection – SSL (TSF_FDP_SSL)
• User Data Protection – IP Filtering (TSF_FDP_FILTER)
• User Data Protection – IPSec (TSF_FDP_IPSec)
• Network Management Security (TSF_NET_MGMT)
• Information Flow Security (TSF_FLOW)
• Security Management (TSF_FMT)
• User Data Protection – Disk Encryption (TSF_FDP_UDE)
6
Xerox Embedded Fax accessory, Xerox Workflow Scan accessory and Image Overwrite Security Package are
a part of the Network Controller or Copy Controller software package and do not have individual version
identifiers.
1.3.2.1.
Image Overwrite (TSF_IOW)
The TOE has an “Immediate Image Overwrite” (IIO) function that
overwrites files created during job processing. This IIO process
automatically starts for all abnormally terminated copy, print, or scan jobs
stored on the HDD and fax jobs stored on the fax card flash memory prior
to coming “on line” when any of the following occurs: a reboot or once the
MFD is turned back on after a power failure/unorderly shutdown.
The TOE also has an “On-Demand Image Overwrite” (ODIO) function that
overwrites the hard drive(s) and embedded fax card flash memory on
demand of the system administrator. The ODIO function operates in two
modes: full ODIO and standard ODIO. A standard ODIO overwrites all
files written to temporary storage areas of the HDD and zeroizes the
temporary storage areas of the fax card flash memory. A full ODIO
overwrites those files as well as the Fax mailbox/dial directory and
Scan-to-mailbox data.
Contents stored on the hard disk are overwritten using a three pass
overwrite procedure. Contents of the embedded fax card flash memory
are overwritten using a single-pass zeroization method.
LanFax jobs are overwritten (using three pass overwrite) on the shared
hard disk after the image is transferred from the Network Controller to
Copy Controller, and zeroized on the fax card flash memory once the
image has been sent.
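To make the two overwrite methods concrete (three passes on HDD-resident files, single-pass zeroization on the fax card flash), here is an added example written for this page. It is not Xerox code: the ST does not say which patterns the TOE writes, so the pass patterns (0x00, 0xFF, then random), the verification step, the fsync after each pass and every function name are assumptions for illustration. The spool file it overwrites is a constructed temporary file.

```python
"""Three-pass overwrite of a spooled image file and single-pass zeroization
of a flash-style buffer, modelled on the ST's Image Overwrite description.

Added example, not Xerox code. The pass patterns, the verification step and
all function names are assumptions; the ST does not state the TOE's patterns.
"""
import os
import secrets
import tempfile

PASSES = (b"\x00", b"\xff", None)  # None = a pass of random bytes (assumed)


def overwrite_file(path: str, passes=PASSES, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of the file in place, one pass per pattern,
    forcing each pass to the device with fsync. Returns the bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # do not start the next pass from cache
    return size


def zeroize(buf: bytearray) -> bytearray:
    """Single-pass zeroization, the method the ST describes for the fax card flash."""
    buf[:] = bytes(len(buf))
    return buf


def file_contains(path: str, marker: bytes) -> bool:
    with open(path, "rb") as fh:
        return marker in fh.read()


def demo_overwrite() -> dict:
    """Create a constructed spool file, overwrite it, verify, then unlink.
    The unlink comes last: deleting first would leave the blocks intact."""
    marker = b"CONFIDENTIAL SCAN IMAGE "            # 24-byte constructed content
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(marker * 1000)
        path = fh.name
    result = {"before": file_contains(path, marker)}
    result["overwritten"] = overwrite_file(path)
    result["after"] = file_contains(path, marker)
    result["size_unchanged"] = os.path.getsize(path) == result["overwritten"]
    os.unlink(path)
    result["exists_after"] = os.path.exists(path)
    flash = bytearray(b"\x5a" * 64)                 # stands in for fax flash
    result["flash_zeroized"] = not any(zeroize(flash))
    return result


if __name__ == "__main__":
    for key, value in demo_overwrite().items():
        print(f"{key:>15}: {value}")
```

One caveat a practitioner should keep in mind: overwriting in place only reaches the blocks the filesystem currently maps to the file. Journaling, copy-on-write and flash wear levelling can leave earlier copies elsewhere on the medium, which is why the ST pairs overwrite with encryption of the spool partitions under a key regenerated at each power-up rather than relying on overwrite alone.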
1.3.2.2.
Authentication (TSF_AUT)
A user must authenticate by entering a username and password prior to
being granted access to the Local UI or the Web UI. While the user is
typing the password, the TOE obscures7 each character entered.
Upon successful authentication, users are granted access based on their
role and predefined privileges. Only a system administrator is allowed full
access to the TOE including all the system administration functions. Each
common user’s access is determined by which function (copy, scan, print,
fax etc.) they have permission for.
If configured for local authentication the system requires the system
administrator to enter a username and password for each user. The
system will authenticate the user against an internal database.
By default, the Local UI will terminate any session that has been inactive
for 60 minutes. By default, the Web UI will terminate any session that has
been inactive for 15 minutes. The system administrator can configure
both the Local UI and Web UI session timeouts to terminate an inactive
session after some other period of time.
1.3.2.3.
Network Identification (TSF_NET_ID)
As an alternative to TSF_AUT, the TOE allows user name and password
for a user to be validated by a designated authentication server (a trusted
remote IT entity). The user is not required to login to the network; account
information entered at Local UI or Web UI of the TOE is authenticated at
the server instead of the TOE. The remote authentication services
supported by the TOE in the evaluated configuration are: CAC
authentication, LDAP v4, Kerberos v5 (Solaris) and Kerberos v5 (Windows
2000/2003).
The TOE maintains the username from a successful authentication during
the context of the job, and this value is entered into the audit log as the
user name.
By default, the Local UI will terminate any session that has been inactive
for 60 minutes. By default, the Web UI will terminate any session that has
been inactive for 15 minutes. The system administrator can configure
both the Local UI and Web UI session timeouts to terminate an inactive
session after some other period of time.
1.3.2.4. Security Audit (TSF_FAU)
The TOE generates audit logs that track events/actions (e.g.,
copy/print/scan/fax job completion) to identified users. The audit logs,
which are stored locally in a 15000 entry circular log, are available to TOE
administrators and can be exported for viewing and analysis. SSL must be
configured in order for the system administrator to download the audit
records; the downloaded audit records are in comma separated format so
that they can be imported into an application such as Microsoft Excel™.
7
The LUI obscures input with the asterisk character. The specific character used to obscure input at the WebUI
is browser dependent
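Because the local store is a 15000 entry circular log, records that are not exported before the log wraps are gone for good; the exported CSV is therefore what an operator actually reviews (OE.AUDIT.REVIEWED). The following is an added example, not Xerox code and not part of this Security Target: it parses a constructed CSV export, flags a wrap of the circular log inside one export (a sign that exports are scheduled too rarely), attributes completed jobs to the authenticated user name recorded per event, and lists accounts with repeated failed logins. The column names and event descriptions in the sample are assumptions made for the example; the ST only states that the export is comma separated and carries the user name.

```python
import csv
import io
from collections import Counter

# Constructed sample export for this example. The column layout and the
# event descriptions are an ASSUMPTION; the ST only says the download is
# comma separated and records the authenticated user name per event.
SAMPLE_EXPORT = """\
index,date,time,event_id,event_description,user_name,device_name,completion_status
14998,2013-11-04,09:12:01,1,Print job completed,jdoe,WC7775-LAB,Completed
14999,2013-11-04,09:13:40,1,Print job completed,jdoe,WC7775-LAB,Completed
15000,2013-11-04,09:15:07,2,Scan job completed,asmith,WC7775-LAB,Completed
1,2013-11-04,09:16:22,1,Print job completed,asmith,WC7775-LAB,Completed
2,2013-11-04,09:20:50,12,Login attempt failed,admin,WC7775-LAB,Failed
3,2013-11-04,09:21:03,12,Login attempt failed,admin,WC7775-LAB,Failed
4,2013-11-04,09:21:15,11,Login succeeded,admin,WC7775-LAB,Completed
"""


def parse_export(text):
    """Parse a CSV audit export into a list of row dicts, in file order."""
    return list(csv.DictReader(io.StringIO(text)))


def log_has_wrapped(rows):
    """True if the entry index ever decreases between consecutive rows.

    A 15000-entry circular log overwrites its oldest entries once full. A
    wrap inside a single export means the device has already discarded
    records that were never collected, so exports must run more often."""
    indexes = [int(r["index"]) for r in rows]
    return any(later < earlier for earlier, later in zip(indexes, indexes[1:]))


def jobs_per_user(rows):
    """Count completed copy/print/scan/fax jobs per authenticated user."""
    return Counter(
        r["user_name"]
        for r in rows
        if r["event_description"].endswith("job completed")
    )


def failed_login_users(rows, threshold=2):
    """Users with at least `threshold` failed login events in the export."""
    failures = Counter(
        r["user_name"]
        for r in rows
        if r["event_description"] == "Login attempt failed"
    )
    return sorted(user for user, count in failures.items() if count >= threshold)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("log wrapped inside this export:", log_has_wrapped(rows))
    print("completed jobs per user:", dict(jobs_per_user(rows)))
    print("accounts with repeated login failures:", failed_login_users(rows))
```

Run against a real export, the wrap check is the one worth alerting on: once it fires, the export interval is already too long for the device's job volume.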
1.3.2.5. Cryptographic Operations (TSF_FCS)
The TOE utilizes data encryption (AES, RSA, RC4, DES, TDES) and
cryptographic checksum generation and secure hash computation (MD5
and SHA-1), as provided by the OpenSSL cryptographic libraries, to
support secure communication between the TOE and remote trusted
products. Those packages include provisions for the generation and
destruction of cryptographic keys and checksum/hash values and meet
the following standards: AES-256 – FIPS 197; 3DES – FIPS 46-3, FIPS 74,
FIPS 81; MD5 – RFC 1321; SHA-1 – FIPS 180-3; SSLv3; and SNMPv3.
NOTE: The strength of the cryptographic algorithms supported by
the TOE is not part of the evaluation. The following table identifies
relevant FIPS certificates.
Cryptographic Operations | Cryptographic Algorithm | Key Sizes (bits) | Standards / CAVP*
Symmetric encryption and decryption | Triple DES (CBC) | 168 | FIPS 46-3 (cert #826 and #1174)
Symmetric encryption and decryption | AES (CBC) | 256 | FIPS 197 (cert #1131 and #1821)
Digital signature generation and verification | RSA | 1024 | FIPS 186-3 (cert #914)
Message digest | SHA-1 | N/A | FIPS 180-3 (cert #1599)
Message authentication | HMAC | 160 | FIPS 198 (cert #644 and #1076)
*Cryptographic Algorithm Validation Program (CAVP) certificates
1.3.2.6. User Data Protection – SSL (TSF_FDP_SSL)
The TOE provides support for SSL through the use of the OpenSSL
cryptographic libraries, and allows the TOE to act as either an SSL server
or SSL client, depending on the function the TOE is performing. SSL must
be enabled before IPSec or SNMPv3 can be set up, and before the system
administrator can retrieve the audit log. The SSL functionality also permits
the TOE to be securely administered from the Web UI, as well as being
used to secure the connection between the TOE and the repository server
when utilizing the remote scanning option. If the system administrator-managed
function is enabled, then the TOE creates and enforces the
informal security policy model, “All communications to the Web server will
utilize SSL (HTTPS).” As provided for in the SSLv3 standard, the TOE will
negotiate with the client to select the encryption standard to be used for
the session, including operating in backward-compatible modes for clients
that do not support SSLv3. SSL does not protect scan-to-email, LanFax
or FAX data. The HTTPS web server supports both IPv4 and IPv6
protocols.
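Since the TOE negotiates down to whatever the client offers (the ST explicitly allows backward-compatible modes below SSLv3), the protocol and cipher floor for Web UI and audit-log retrieval has to be imposed by the client. The following is an added example and not Xerox code: it builds a Python `ssl` client context that refuses anything below TLS 1.2 and the RC4/DES/MD5 legacy suites listed in TSF_FCS, requires certificate and host name verification, and reports the resulting settings so they can be compared with what the device is configured to accept. The `ca_file` argument is an assumed path to the CA that issued the device's administrator-installed X.509 certificate.

```python
import ssl

# Substrings that identify legacy suites still named in TSF_FCS.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def mfd_client_context(ca_file=None):
    """Client-side context for HTTPS to the device (Web UI, audit download).

    The device will negotiate downwards, so the floor is set here:
    TLS 1.2 minimum, ECDHE + AES-GCM only, peer verification on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; TLS 1.3 suites are a fixed
    # AEAD set and are unaffected.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        # ASSUMED path to the CA that signed the device's X.509 certificate.
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def weak_ciphers(ctx):
    """Names of suites still enabled on ctx that carry a legacy marker."""
    return sorted(
        c["name"] for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in WEAK_MARKERS)
    )


def audit_context(ctx):
    """Summary a reviewer can set beside the device's SSL configuration."""
    return {
        "minimum_version": ctx.minimum_version,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "weak_ciphers": weak_ciphers(ctx),
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


if __name__ == "__main__":
    for key, value in audit_context(mfd_client_context()).items():
        print(f"{key}: {value}")
```

A client built this way simply fails to connect to a device that is still limited to SSLv3 or RC4-only suites; that failure is the intended signal that the device, not the client, needs reconfiguring.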
1.3.2.7. User Data Protection – IPSec (TSF_FDP_IPSec)
Printing clients initiate the establishment of a security association with the
MFD. Thereafter, all IP-based traffic to and from this destination will
pass through IPSec until either end powers down, or resets, after which
IPSec must be reestablished. The use of IPSec for communication with a
particular destination is based on the presumed address of the printing
client. IPSec does not protect scan-to-email or FAX data. The
transmission of LanFax data over the Ethernet connection is protected by
IPSec, but the transmission over the PSTN is not. The TOE implements
IPSec for both IPv4 and IPv6; however, IPSec is not available for
AppleTalk or IPX.
Note: The TOE cannot enforce the IPSec (TSF_FDP_IPSec) security
function when it is configured for AppleTalk or IPX networks.
1.3.2.8. User Data Protection – Disk Encryption (TSF_FDP_UDE)
The TOE utilizes data encryption (AES) and cryptographic checksum
generation and secure hash computation (SHA-1), as provided by the
Loop_AES cryptographic libraries, to support encryption and decryption of
designated portions of the hard disk(s) where user files may be stored.
Those packages include provisions for the generation and destruction of
cryptographic keys and meet the following standards: AES-256-FIPS-197.
AES data encryption and its associated cryptographic keys are used to
encrypt and decrypt all areas of the hard drive where user jobs are
temporarily stored for processing.
NOTE: the strength of the cryptographic algorithms supported by the
TOE is not part of the evaluation.
1.3.2.9. User Data Protection – IP Filtering (TSF_FDP_FILTER)
The TOE provides the ability for the system administrator to configure a
network information flow control policy based on a configurable rule set.
The information flow control policy (IPFilter SFP) is generated by the
system administrator specifying a series of rules to “accept,” “deny,” or
“drop” packets. These rules include a listing of IP addresses that will be
allowed to communicate with the TOE. The IP Filter supports the
construction of IPv4 filtering policies. Additionally, rules can be generated
specifying filtering options based on port number given in the received
packet. IP Filtering is not available for IPv6, AppleTalk or IPX; however,
the effect of IP Filtering can be accomplished for IPv6 by configuring
IPSec associations.
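The IPFilter SFP described above is an ordered list of accept/deny/drop rules keyed on source IPv4 address and, optionally, port. The following is an added example, not Xerox code and not a description of the device's internal rule engine: it models such a policy, evaluates it first-match, refuses IPv6 input (the ST states that IP Filtering is IPv4 only and that IPv6 must be handled by IPSec associations instead), and flags rules that an earlier, broader rule makes unreachable, which is the misconfiguration a reviewer of a filter table most often finds. The default action for packets that match no rule is not stated in the ST, so it is a parameter. Addresses and the sample policy are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ACTIONS = ("accept", "deny", "drop")


@dataclass(frozen=True)
class Rule:
    """One IPFilter rule: IPv4 source address or CIDR, optional destination
    port (None = any port), and the action taken on a match."""
    action: str
    source: str
    port: Optional[int] = None

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if ipaddress.ip_network(self.source, strict=False).version != 4:
            # ST: IP Filtering is not available for IPv6.
            raise ValueError("IP Filter rules support IPv4 sources only")

    @property
    def network(self):
        return ipaddress.ip_network(self.source, strict=False)

    def matches(self, src_ip: str, dst_port: int) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return addr in self.network and self.port in (None, dst_port)


def evaluate(rules: List[Rule], src_ip: str, dst_port: int, default: str = "deny") -> str:
    """First-match evaluation of an ordered rule list.

    `default` is applied when no rule matches; the ST does not state
    whether the device defaults to accept or deny, so it is explicit here."""
    if ipaddress.ip_address(src_ip).version != 4:
        raise ValueError("IP Filter does not apply to IPv6; use IPSec associations")
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return default


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    covers every packet they would match."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.network.subnet_of(earlier.network) and earlier.port in (None, later.port):
                shadowed.append(i)
                break
    return shadowed


# Constructed example policy; addresses are illustrative only.
EXAMPLE_RULES = [
    Rule("accept", "10.1.2.0/24", 9100),  # raw-port printing from the office subnet
    Rule("accept", "10.1.2.10", 443),     # one admin workstation may reach the Web UI
    Rule("accept", "10.1.2.10", 9100),    # unreachable: rule 0 already accepts this
    Rule("drop", "0.0.0.0/0"),            # everything else is silently dropped
]

if __name__ == "__main__":
    for ip, port in [("10.1.2.10", 443), ("10.1.2.55", 443), ("192.0.2.7", 9100)]:
        print(ip, port, "->", evaluate(EXAMPLE_RULES, ip, port))
    print("shadowed rule indexes:", shadowed_rules(EXAMPLE_RULES))
```

The shadow check is deliberately conservative: a port-specific earlier rule does not count as covering a later any-port rule for the same network, because packets on other ports would still reach the later rule.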
1.3.2.10. Network Management Security (TSF_NET_MGMT)
The TOE supports SNMPv3 as part of its security solution (SNMPSec
SFP). The SNMPv3 protocol is used to authenticate each SNMP
message, as well as provide encryption of the data as described in RFC
3414.
1.3.2.11. Information Flow Security (TSF_FLOW)
The TOE controls and restricts the data/information flow from the Local
User Interface (LUI), document scanner and document feeder to the
network controller hardware or software (which covers the information flow
to and from the internal network). All data and/or commands received from
these interfaces are processed and in most cases transformed by the
copy controller before submitted to the network controller. The network
controller further processes the data before sending them to the internal
network.
The TOE controls and restricts the information flow between the PSTN
port of the optional FAX processing board (if installed) and the network
controller hardware or software. Data and/or commands cannot be sent to
the internal network via the PSTN. A direct connection from the internal
network to external entities by using the telephone line of the TOE is also
denied.
If the optional FAX board is not installed, an information flow from or to the
FAX port is not possible at all.
1.3.2.12. Security Management (TSF_FMT)
Only authenticated system administrators can enable or disable the
Immediate Image Overwrite function, change the system administrator
password, and start an On Demand Image Overwrite operation.
While IIO can be disabled, doing so will remove the TOE from its
evaluated configuration.
Additionally, only authenticated system administrators can assign
authorization privileges to users, establish a recurrence schedule for “On
Demand Image Overwrite,” enable/disable SSL support, enable/disable
and configure IPSec, enable/disable and configure SNMPv3, create/install
X.509 certificates, enable/disable and download the audit log,
enable/disable and configure (rules) IP filtering, configure inactive session
timeout settings, enable/disable disk encryption, enable/disable use of
Common Access Cards, verify TOE software binary code integrity, or
enable/disable and configure 802.1x.
Users’ access to the TOE functions and to Job or Image Data stored inside the
TOE is restricted in accordance with the applicable TOE Security Policies.
The TOE is capable of verifying the integrity of the TSF at the request of
the administrator.
1.4. Evaluated Configuration
In its evaluated configuration, IIO and ODIO (the Image Overwrite Security
Package) are installed and enabled on the TOE; SSL is enabled on the
TOE; and User Authorization is enabled on the TOE. The FAX (Xerox
Embedded Fax accessory) option, if purchased by the consumer, is
installed and enabled on the TOE. The LanFax option is included in the
evaluated configuration of the TOE. USB Direct Printing is not included in
the evaluated configuration of the TOE.
In its evaluated configuration, the following options should be disabled:
- Network Accounting
- Copy/Print, Store and Reprint
- SMart eSolutions
- Xerox Extensible Interface Platform (EIP)
- USB direct printing
Please see http://www.xerox.com/information-security/product/enus.html
for more specific information about maintaining the security of this TOE.
2. CONFORMANCE CLAIMS
This section describes the conformance claims of this Security Target.
2.1. Common Criteria Conformance Claims
The Security Target is based upon:
- Common Criteria for Information Technology Security Evaluation, Part 1:
Introduction and General Model; Version 3.1, Revision 1, CCMB-2006-09-001,
- Common Criteria for Information Technology Security Evaluation, Part 2:
Security Functional Components; Version 3.1, Revision 2, CCMB-2007-09-002,
- Common Criteria for Information Technology Security Evaluation, Part 3:
Security Assurance Components; Version 3.1, Revision 2, CCMB-2007-09-003
referenced hereafter as [CC].
This Security Target claims the following CC conformance:
- Part 2 extended
- Part 3 conformant
- Evaluation Assurance Level (EAL) 2+
2.2. Protection Profile Claims
This Security Target claims demonstrable conformance to the “U.S. Government
Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2-2009)” Protection
Profile dated 26 February 2010 (IEEE 2600.2™-2009). 8
8
The Hardcopy Device, IEEE Std. 2600.2™-2009, was Validated/Certified by BSI (Bundesamt für Sicherheit in der
Informationstechnik ) in Germany. NIAP has reviewed this PP and has determined that it is acceptable, with additional functional
requirements defined in NIAP CCEVS Policy #20, as an Approved U.S. Government PP. This Security Target claims demonstrable
conformance to both IEEE Std. 2600.2™-2009 and NIAP CCEVS Policy #20.
2.3. Package Claims
This Security Target claims conformance to the EAL2 package augmented with
ALC_FLR.3, and the following additional packages from the “U.S. Government
Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2-2009)” Protection
Profile dated 26 February 2010:
- 2600.2-PRT, SFR Package for Hardcopy Device Print Functions, Operational
Environment B
- 2600.2-SCN, SFR Package for Hardcopy Device Scan Functions, Operational
Environment B
- 2600.2-CPY, SFR Package for Hardcopy Device Copy Functions, Operational
Environment B
- 2600.2-FAX, SFR Package for Hardcopy Device Fax Functions, Operational
Environment B
- 2600.2-DSR, SFR Package for Hardcopy Device Document Storage and
Retrieval Functions, Operational Environment B
- 2600.2-SMI, SFR Package for Hardcopy Device Shared-medium Interface
Functions, Operational Environment B
2.4. Rationale
The TOE type in this ST (multifunction or hardcopy device) is the same as the TOE type
for IEEE 2600.2.
The Security Problem Definition (Threats, Assumptions and Organizational Security
Policies) and Objectives have been copied directly from IEEE Std. 2600.2-2009 and
have not been modified. One security objective for the TOE
(O.AUDIT_STORAGE.PROTECTED) has been added in accordance with application
note 7 of IEEE Std. 2600.2-2009. Only one security objective for the IT environment
(OE.USER.AUTHENTICATED) has been added, in accordance with application notes 37,
42 and 43 of IEEE Std. 2600.2-2009. The statement of Security Requirements
contains the SFRs from IEEE Std. 2600.2-2009 as well as additional SFRs that are
taken from CC Part 2. By including all of the SFRs from IEEE Std. 2600.2-2009 and
including additional SFRs (none of which conflict with each other), the statement of
Security Requirements is necessarily at least as strict as the statement in IEEE Std.
2600.2-2009, if not more strict. The rationales for objectives, threats, assumptions,
organizational security policies and security requirements have been copied from IEEE
Std. 2600.2-2009 and have been augmented to address the requirements that have
been added from CC Part 2.
The IEEE Std. 2600.2-2009 statement of Common Security Functional Requirements
has been augmented with additional (including iterated) SFRs from CC Part 2:
Family | Augmentation
Audit | FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4
Cryptographic Support | FCS_CKM.1 (SSL), FCS_CKM.2 (SSL 1), FCS_CKM.2 (SSL 2), FCS_COP.1 (SSL), FCS_CKM.1 (IPSEC), FCS_COP.1 (IPSEC 1), FCS_COP.1 (IPSEC 2), FCS_CKM.1 (SNMP), FCS_COP.1 (SNMP), FCS_CKM.1 (UDE), FCS_CKM.4
User Data Protection | FDP_ACC.1 (MGMT), FDP_ACF.1 (MGMT)
Identification and Authentication | FIA_UAU.7
Security Management | FMT_MOF.1 (FMT 1), FMT_MOF.1 (FMT 2)
The following packages from IEEE Std. 2600.2-2009 have been augmented with
additional (including iterated) SFRs from CC Part 2:
Package
PRT
SCN
CPY
FAX
DSR
SMI
Augmentation
FDP_RIP.1 (IOW 2)
FCS_COP.1(UDE)
FDP_IFC.1 (FILTER), FDP_IFF.1 (FILTER), FDP_UCT.1 (IPSEC),
FDP_UIT.1 (IPSEC), FDP_UCT.1 (SSL), FDP_UIT.1 (SSL), FDP_UCT.1
(SNMP), FDP_UIT.1 (SNMP), FTP_TRP.1 (IPSEC), FTP_TRP.1 (SSL),
FTP_TRP.1 (SNMP)
3. SECURITY PROBLEM DEFINITION
The Security Problem Definition describes assumptions about the operational
environment in which the TOE is intended to be used and represents the conditions for
the secure operation of the TOE.
Note: The content in this section appears exactly as it does in IEEE Std. 2600.2-2009
and is copied here for completeness.
3.1. Definitions
3.1.1. Users
Users are entities that are external to the TOE and which interact with the TOE. There
may be two types of Users: Normal and Administrator.
Table 4: Users
Designation | Definition
U.USER | Any authorized User.
U.NORMAL | A User who is authorized to perform User Document Data processing functions of the TOE
U.ADMINISTRATOR | A User who has been specifically granted the authority to manage some portion or all of the TOE and whose actions may affect the TOE security policy (TSP). Administrators may possess special privileges that provide capabilities to override portions of the TSP.
3.1.2. Objects (Assets)
Objects are passive entities in the TOE that contain or receive information, and upon
which Subjects perform Operations. In this Security Target, Objects are equivalent to
TOE Assets. There are three types of Objects: User Data, TSF Data, and Functions.
3.1.2.1. User Data
User Data are data created by and for Users and do not affect the operation of the TOE
Security Functionality (TSF). This type of data is composed of two objects: User
Document Data, and User Function Data.
Table 5: User Data
Designation
D.DOC
Definition
User Document Data consists of the information contained in a user’s document. This
includes the original document itself in either hardcopy or electronic form, image data,
or residually-stored data created by the hardcopy device while processing an original
document and printed hardcopy output.
D.FUNC
User Function Data are the information about a user’s document or job to be processed
by the TOE.
3.1.2.2. TSF Data
TSF Data is data created by and for the TOE and might affect the operation of the TOE.
This type of data is composed of two objects: TSF Protected Data and TSF Confidential
Data. The TSF Data assets for this TOE have been categorized according to whether
they require protection from unauthorized alteration (TSF Protected Data) or protection
from both unauthorized disclosure and unauthorized alteration (TSF Confidential Data).
The data assets have been identified and categorized in Table 6: TSF Data and Table
7: TSF Data Categorization below.
Table 6: TSF Data
Designation
D.PROT
Definition
TSF Protected Data are assets for which alteration by a User who is neither an
Administrator nor the owner of the data would have an effect on the operational
security of the TOE, but for which disclosure is acceptable.
D.CONF
TSF Confidential Data are assets for which either disclosure or alteration by a User
who is neither an Administrator nor the owner of the data would have an effect on
the operational security of the TOE.
Table 7: TSF Data Categorization
TSF Protected Data
Configuration data
Device and network status information and
configuration settings
Device service and diagnostic data
TSF Confidential Data
Audit Log
Cryptographic keys (SNMPv3 – privacy key,
IPSec)
X.509 Certificate (SSL)
User IDs and Passwords
User Access Permissions
SNMPv3 authentication key
802.1x Credentials and Configuration
IP filter table (rules)
Email address for fax forwarding
Application Note: IEEE Std. 2600.2-2009 defines D.PROT and D.CONF, and requires
the ST author to categorize all TSF data as one of these two types: data that should be
protected, but does not affect the operational security of the TOE if it is disclosed
(D.PROT), and data that does affect the operational security of the TOE if it is disclosed
(D.CONF).
3.1.2.3. Functions
Functions perform processing, storage, and transmission of data that may be present in
HCD products. These functions are used by SFR packages, and are identified and
defined in the table below.
Table 8: SFR Package Functions for IEEE Std. 2600.2-2009
Designation | Definition
F.PRT | Printing: a function in which electronic document input is converted to physical document output
F.SCN | Scanning: a function in which physical document input is converted to electronic document output
F.CPY | Copying: a function in which physical document input is duplicated to physical document output
F.FAX | Faxing: a function in which physical document input is converted to a telephone-based document facsimile (fax) transmission, and a function in which a telephone-based document facsimile (fax) reception is converted to physical document output
F.DSR | Document storage and retrieval: a function in which a document is stored during one job and retrieved during one or more subsequent jobs
F.SMI | Shared-medium interface: a function that transmits or receives User Data or TSF Data over a communications medium which, in conventional practice, is or can be simultaneously accessed by multiple users, such as wired network media and most radio-frequency wireless media
3.1.3. Operations
Operations are a specific type of action performed by a Subject on an Object. In this
Security Target, five types of operations are considered: those that result in disclosure
of information (Read), those that result in alteration of information (Create, Modify,
Delete), and those that invoke a function (Execute).
3.1.4. Channels
Channels are the mechanisms through which data can be transferred into and out of the
TOE. In this Security Target, four types of Channels are allowed:
Private Medium Interface: mechanisms for exchanging information that use (1) wired
or wireless electronic methods over a communications medium which, in conventional
practice, is not accessed by multiple simultaneous Users; or, (2) Operator Panel and
displays that are part of the TOE. It is an input-output channel.
Shared-medium Interface: mechanisms for exchanging information that use wired or
wireless network or non-network electronic methods over a communications medium
which, in conventional practice, is or can be simultaneously accessed by multiple Users.
It is an input-output channel.
Original Document Handler: mechanisms for transferring User Document Data into
the TOE in hardcopy form. It is an input channel.
Hardcopy Output Handler: mechanisms for transferring User Document Data out of
the TOE in hardcopy form. It is an output channel.
In practice, at least one input channel and one output channel would be present in any
HCD configuration, and at least one of those channels would be either an Original
Document Handler or a Hardcopy Output Handler.
3.2. Assumptions
The Security Objectives and Security Functional Requirements defined in subsequent
sections of this Security Target are based on the condition that all of the assumptions
described in this section are satisfied.
Table 9: Assumptions for the TOE
Assumption | Definition
A.ACCESS.MANAGED | The TOE is located in a restricted or monitored environment that provides protection from unmanaged access to the physical components and data interfaces of the TOE.
A.USER.TRAINING | TOE Users are aware of the security policies and procedures of their organization, and are trained and competent to follow those policies and procedures.
A.ADMIN.TRAINING | Administrators are aware of the security policies and procedures of their organization, are trained and competent to follow the manufacturer’s guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures.
A.ADMIN.TRUST | Administrators do not use their privileged access rights for malicious purposes.
3.3. Threats
3.3.1. Threats Addressed by the TOE
This security problem definition addresses threats posed by four categories of threat
agents:
a) Persons who are not permitted to use the TOE who may attempt to use the TOE
b) Persons who are authorized to use the TOE who may attempt to use TOE
functions for which they are not authorized.
c) Persons who are authorized to use the TOE who may attempt to access data in
ways for which they are not authorized.
d) Persons who unintentionally cause a software malfunction that may expose the
TOE to unanticipated threats.
The threats and policies defined in this Security Target address the threats posed by
these threat agents.
This section describes threats to assets described in Section 3.1.2.
Table 10: Threats to User Data for the TOE
Threat | Affected Asset | Description
T.DOC.DIS | D.DOC | User Document Data may be disclosed to unauthorized persons
T.DOC.ALT | D.DOC | User Document Data may be altered by unauthorized persons
T.FUNC.ALT | D.FUNC | User Function Data may be altered by unauthorized persons
Table 11: Threats to TSF Data for the TOE
Threat | Affected Asset | Description
T.PROT.ALT | D.PROT | TSF Protected Data may be altered by unauthorized persons
T.CONF.DIS | D.CONF | TSF Confidential Data may be disclosed to unauthorized persons
T.CONF.ALT | D.CONF | TSF Confidential Data may be altered by unauthorized persons
3.3.2. Threats Addressed by the IT Environment
There are no threats addressed by the IT Environment.
3.4. Organizational Security Policies
This section describes the Organizational Security Policies (OSPs) that apply to the
TOE. OSPs are used to provide a basis for security objectives that are commonly
desired by TOE Owners in this operational environment, but for which it is not practical
to universally define the assets being protected or the threats to those assets.
Table 12: Organizational Security Policies for the TOE
Name | Definition
P.USER.AUTHORIZATION | To preserve operational accountability and security, Users will be authorized to use the TOE only as permitted by the TOE Owner
P.SOFTWARE.VERIFICATION | To detect corruption of the executable code in the TSF, procedures will exist to self-verify executable code in the TSF
P.AUDIT.LOGGING | To preserve operational accountability and security, records that provide an audit trail of TOE use and security-relevant events will be created, maintained, and protected from unauthorized disclosure or alteration, and will be reviewed by authorized personnel
P.INTERFACE.MANAGEMENT | To prevent unauthorized use of the external interfaces of the TOE, operation of those interfaces will be controlled by the TOE and its IT environment
4. SECURITY OBJECTIVES
The purpose of the security objectives is to detail the planned response to a
security problem or threat. Threats can be directed against the TOE or the
security environment or both; therefore, the CC identifies two categories of
security objectives:
- Security objectives for the TOE, and
- Security objectives for the environment.
Note: The content in this section appears exactly as it does in IEEE Std. 2600.2-2009 and is copied here for completeness.
4.1. Security Objectives for the TOE
This section describes the security objectives that the TOE shall fulfill.
Table 13: Security Objectives for the TOE
Objective | Definition
O.DOC.NO_DIS | The TOE shall protect User Document Data from unauthorized disclosure.
O.DOC.NO_ALT | The TOE shall protect User Document Data from unauthorized alteration.
O.FUNC.NO_ALT | The TOE shall protect User Function Data from unauthorized alteration.
O.PROT.NO_ALT | The TOE shall protect TSF Protected Data from unauthorized alteration.
O.CONF.NO_DIS | The TOE shall protect TSF Confidential Data from unauthorized disclosure.
O.CONF.NO_ALT | The TOE shall protect TSF Confidential Data from unauthorized alteration.
O.USER.AUTHORIZED | The TOE shall require identification and authentication of Users, and shall ensure that Users are authorized in accordance with security policies before allowing them to use the TOE.
O.INTERFACE.MANAGED | The TOE shall manage the operation of external interfaces in accordance with security policies.
O.SOFTWARE.VERIFIED | The TOE shall provide procedures to self-verify executable code in the TSF.
O.AUDIT.LOGGED | The TOE shall create and maintain a log of TOE use and security-relevant events, and prevent its unauthorized disclosure or alteration.
O.AUDIT_STORAGE.PROTECTED | The TOE shall ensure that internal audit records are protected from unauthorized access, deletion and modifications.
O.AUDIT_ACCESS.AUTHORIZED | The TOE shall ensure that internal audit records can be accessed in order to detect potential security violations, and only by authorized persons
4.2. Security Objectives for the Operational Environment
This section describes the security objectives that must be fulfilled by IT methods
in the IT environment of the TOE.
Table 14: Security Objectives for the IT Environment
Objective | Definition
OE.AUDIT_STORAGE.PROTECTED | If audit records are exported from the TOE to another trusted IT product, the TOE Owner shall ensure that those records are protected from unauthorized access, deletion and modifications.
OE.AUDIT_ACCESS.AUTHORIZED | If audit records generated by the TOE are exported from the TOE to another trusted IT product, the TOE Owner shall ensure that those records can be accessed in order to detect potential security violations, and only by authorized persons
OE.INTERFACE.MANAGED | The IT environment shall provide protection from unmanaged access to TOE external interfaces.
OE.USER.AUTHENTICATED | The IT environment shall provide support for user identification and authentication and protect the user credentials in transit when the TOE operates in remote identification and authentication mode.
4.3. Security Objectives for the Non-IT Environment
This section describes the security objectives that must be fulfilled by non-IT
methods in the non-IT environment of the TOE.
Table 15: Security Objectives for the Non-IT Environment
Objective | Definition
OE.PHYSICAL.MANAGED | The TOE shall be placed in a secure or monitored area that provides protection from unmanaged physical access to the TOE.
OE.USER.AUTHORIZED | The TOE Owner shall grant permission to Users to be authorized to use the TOE according to the security policies and procedures of their organization.
OE.USER.TRAINED | The TOE Owner shall ensure that Users are aware of the security policies and procedures of their organization, and have the training and competence to follow those policies and procedures.
OE.ADMIN.TRAINED | The TOE Owner shall ensure that TOE Administrators are aware of the security policies and procedures of their organization, have the training, competence, and time to follow the manufacturer’s guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures.
OE.ADMIN.TRUSTED | The TOE Owner shall establish trust that TOE Administrators will not use their privileged access rights for malicious purposes.
OE.AUDIT.REVIEWED | The TOE Owner shall ensure that audit logs are reviewed at appropriate intervals for security violations or unusual patterns of activity.
4.4. Rationale for Security Objectives
This section demonstrates that each threat, organizational security policy, and
assumption is addressed by at least one security objective for the TOE or its environment,
and that those security objectives counter the threats, enforce the policies, and uphold the
assumptions.
Table 16: Completeness of Security Objectives
Threats, Policies, and Assumptions | Objectives
T.DOC.DIS | O.DOC.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED, OE.USER.AUTHENTICATED
T.DOC.ALT | O.DOC.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED, OE.USER.AUTHENTICATED
T.FUNC.ALT | O.FUNC.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED, OE.USER.AUTHENTICATED
T.PROT.ALT | O.PROT.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED, OE.USER.AUTHENTICATED
T.CONF.DIS | O.CONF.NO_DIS, O.USER.AUTHORIZED, OE.USER.AUTHORIZED, OE.USER.AUTHENTICATED
T.CONF.ALT | O.CONF.NO_ALT, O.USER.AUTHORIZED, OE.USER.AUTHORIZED, OE.USER.AUTHENTICATED
P.USER.AUTHORIZATION | O.USER.AUTHORIZED, OE.USER.AUTHORIZED, OE.USER.AUTHENTICATED
P.SOFTWARE.VERIFICATION | O.SOFTWARE.VERIFIED
P.AUDIT.LOGGING | O.AUDIT.LOGGED, O.AUDIT_STORAGE.PROTECTED, O.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT_STORAGE.PROTECTED, OE.AUDIT_ACCESS.AUTHORIZED, OE.AUDIT.REVIEWED
P.INTERFACE.MANAGEMENT | O.INTERFACE.MANAGED, OE.INTERFACE.MANAGED
A.ACCESS.MANAGED | OE.PHYSICAL.MANAGED
A.ADMIN.TRAINING | OE.ADMIN.TRAINED
A.ADMIN.TRUST | OE.ADMIN.TRUSTED
A.USER.TRAINING | OE.USER.TRAINED
Table 17: Sufficiency of Security Objectives

Threats, Policies, and Assumptions | Summary | Objectives and rationale

T.DOC.DIS | User Document Data may be disclosed to unauthorized persons |
  O.DOC.NO_DIS protects D.DOC from unauthorized disclosure.
  O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization.
  OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
  OE.USER.AUTHENTICATED establishes alternative (remote) means for user identification and authentication as the basis for authorization.

T.DOC.ALT | User Document Data may be altered by unauthorized persons |
  O.DOC.NO_ALT protects D.DOC from unauthorized alteration.
  O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization.
  OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
  OE.USER.AUTHENTICATED establishes alternative (remote) means for user identification and authentication as the basis for authorization.

T.FUNC.ALT | User Function Data may be altered by unauthorized persons |
  O.FUNC.NO_ALT protects D.FUNC from unauthorized alteration.
  O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization.
  OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
  OE.USER.AUTHENTICATED establishes alternative (remote) means for user identification and authentication as the basis for authorization.

T.PROT.ALT | TSF Protected Data may be altered by unauthorized persons |
  O.PROT.NO_ALT protects D.PROT from unauthorized alteration.
  O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization.
  OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
  OE.USER.AUTHENTICATED establishes alternative (remote) means for user identification and authentication as the basis for authorization.

T.CONF.DIS | TSF Confidential Data may be disclosed to unauthorized persons |
  O.CONF.NO_DIS protects D.CONF from unauthorized disclosure.
  O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization.
  OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
  OE.USER.AUTHENTICATED establishes alternative (remote) means for user identification and authentication as the basis for authorization.

T.CONF.ALT | TSF Confidential Data may be altered by unauthorized persons |
  O.CONF.NO_ALT protects D.CONF from unauthorized alteration.
  O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization.
  OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
  OE.USER.AUTHENTICATED establishes alternative (remote) means for user identification and authentication as the basis for authorization.

P.USER.AUTHORIZATION | Users will be authorized to use the TOE |
  O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization to use the TOE.
  OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization.
  OE.USER.AUTHENTICATED establishes alternative (remote) means for user identification and authentication as the basis for authorization to use the TOE.

P.SOFTWARE.VERIFICATION | Procedures will exist to self-verify executable code in the TSF |
  O.SOFTWARE.VERIFIED provides procedures to self-verify executable code in the TSF.

P.AUDIT.LOGGING | An audit trail of TOE use and security-relevant events will be created, maintained, protected, and reviewed. |
  O.AUDIT.LOGGED creates and maintains a log of TOE use and security-relevant events, and prevents unauthorized disclosure or alteration.
  O.AUDIT_STORAGE.PROTECTED protects internal audit records from unauthorized access, deletion and modifications.
  O.AUDIT_ACCESS.AUTHORIZED establishes responsibility of the TOE to provide appropriate access to internal audit records.
  OE.AUDIT_STORAGE.PROTECTED protects exported audit records from unauthorized access, deletion and modifications.
  OE.AUDIT_ACCESS.AUTHORIZED establishes responsibility of the TOE Owner to provide appropriate access to exported audit records.
  OE.AUDIT.REVIEWED establishes responsibility of the TOE Owner to ensure that audit logs are appropriately reviewed.

P.INTERFACE.MANAGEMENT | Operation of external interfaces will be controlled by the TOE and its IT environment. |
  O.INTERFACE.MANAGED manages the operation of external interfaces in accordance with security policies.
  OE.INTERFACE.MANAGED establishes a protected environment for TOE external interfaces.

A.ACCESS.MANAGED | The TOE environment provides protection from unmanaged access to the physical components and data interfaces of the TOE. |
  OE.PHYSICAL.MANAGED establishes a protected physical environment for the TOE.

A.ADMIN.TRAINING | Administrators are aware of and trained to follow security policies and procedures |
  OE.ADMIN.TRAINED establishes responsibility of the TOE Owner to provide appropriate Administrator training.

A.ADMIN.TRUST | Administrators do not use their privileged access rights for malicious purposes. |
  OE.ADMIN.TRUSTED establishes responsibility of the TOE Owner to have a trusted relationship with Administrators.

A.USER.TRAINING | TOE Users are aware of and trained to follow security policies and procedures |
  OE.USER.TRAINED establishes responsibility of the TOE Owner to provide appropriate User training.
5. EXTENDED COMPONENTS DEFINITION
This Security Target defines components that are extensions to Common Criteria 3.1
Release 2, Part 2.
5.1. FPT_FDI_EXP Restricted forwarding of data to external interfaces
Family behaviour:
This family defines requirements for the TSF to restrict direct forwarding of information
from one external interface to another external interface.
Many products receive information on specific external interfaces and are intended to
transform and process this information before it is transmitted on another external
interface. However, some products may provide the capability for attackers to misuse
external interfaces to violate the security of the TOE or devices that are connected to
the TOE’s external interfaces. Therefore, direct forwarding of unprocessed data
between different external interfaces is forbidden unless explicitly allowed by an
authorized administrative role. The family FPT_FDI_EXP has been defined to specify
this kind of functionality.
Component leveling:
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces (component level 1)
FPT_FDI_EXP.1, Restricted forwarding of data to external interfaces, provides the
functionality to require TSF-controlled processing of data received over defined external
interfaces before this data is sent out on another external interface. Direct forwarding of
data from one external interface to another requires explicit allowance by an
authorized administrative role.
Management:
FPT_FDI_EXP.1
The following actions could be considered for the management functions in FMT:
a) definition of the role(s) that are allowed to perform the management activities;
b) management of the conditions under which direct forwarding can be allowed by
an administrative role;
c) revocation of such an allowance.
Audit:
FPT_FDI_EXP.1
The following actions should be auditable if FAU_GEN Security Audit Data Generation
is included in the PP/ST:
a) There are no auditable events foreseen.
Rationale:
Quite often a TOE is supposed to perform specific checks and process data received on
one external interface before such (processed) data is allowed to be transferred to
another external interface. Examples are firewall systems but also other systems that
require a specific work flow for the incoming data before it can be transferred. Direct
forwarding of such data (i. e. without processing the data first) between different
external interfaces is therefore a function that – if allowed at all – can only be allowed by
an authorized role.
It has been viewed as useful to have this functionality as a single component that allows
specifying the property to disallow direct forwarding and require that only an authorized
role can allow this. Since this is a function that is quite common for a number of
products, it has been viewed as useful to define an extended component.
The Common Criteria defines attribute-based control of user data flow in its FDP class.
However, in this Security Target, the authors needed to express the control of both user
data and TSF data flow using administrative control instead of attribute-based control. It
was found that using FDP_IFF and FDP_IFC for this purpose resulted in SFRs that
were too unwieldy for refinement in a Security Target. Therefore, the authors decided to
define an extended component to address this functionality.
This extended component protects both user data and TSF data, and could therefore be
placed in either the FDP or FPT class. Since its purpose is to protect the TOE from
misuse, the authors believed that it was most appropriate to place it in the FPT class. It
did not fit well in any of the existing families in either class, and this led the authors to
define a new family with just one member.
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to:
No other components.
Dependencies:
FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles.
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on
[assignment: list of external interfaces] from being forwarded
without further processing by the TSF to [assignment: list of
external interfaces].
6. SECURITY REQUIREMENTS
This section defines the IT security requirements that shall be satisfied by the TOE or its
environment.
The CC divides TOE security requirements into two categories:
- Security functional requirements (SFRs) (such as identification and
authentication, security management, and user data protection) that the TOE and
the supporting evidence need to satisfy to meet the security objectives of the
TOE.
- Security assurance requirements (SARs) that provide grounds for confidence
that the TOE and its supporting IT environment meet its security objectives (e.g.,
configuration management, testing, and vulnerability assessment).
These requirements are discussed separately within the following subsections.
6.1. Conventions
All operations performed on the Security Functional Requirements or the Security
Assurance Requirements need to be identified. For this purpose the following
conventions shall be used.
- Assignments will be written in [normal text with brackets].
- Selections will be written in underlined and italic text.
- Refinements will be written in bold.
- Iterations will be performed on components and functional elements. The
component ID defined by the Common Criteria (e.g. FDP_IFC.1) will be
extended by an ID for the iteration (e.g. “(SSL)”). The resulting component ID
would be “FDP_IFC.1 (SSL)”.
- Where an iteration is identified in rationale discussion as “all”, the statement
applies to all iterations of the requirement (e.g. “FCS_CKM.1 (all)”).
- SFRs and TSPs that appear in IEEE 2600.2 are marked as such; all
unmarked SFRs have been added to this ST from CC Part 2.
6.2. TOE Security Policies
This chapter contains the definition of security policies which must be enforced by the
TSF.
6.2.1. Information Flow Control Policy (TSP_FLOW)
The security function “Information Flow” (TSF_FLOW) (see section 1.3.2.11) restricts
the information flow between the PSTN port and the internal network by implementing a
store-and-forward principle.
The following policy defines the rules according to which TSF_FLOW shall restrict the
information flow, if the fax is enabled:
- Only the copy controller (see section 1.3.2.11) may copy image information and
job data (e.g. the telephone number of the other fax machine) from and to a
shared memory area on the FAX board.
- RECEIVING FAX: The fax controller must have terminated the PSTN connection
before informing the copy controller about the fax that was received.
- SENDING FAX: The copy controller must have finished the copy operation of the
fax image to the shared memory area of the FAX board before informing the fax
controller to send the fax.
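The three TSP_FLOW rules above, together with the FPT_FDI_EXP.1 principle from section 5.1 that data received on one external interface is never forwarded to another without the TSF processing it in between, can be expressed as a small state model. The following is an added example, not code from the Security Target or from Xerox; the class, method and actor names are assumptions made for the illustration. The fax controller owns the PSTN port and can only signal the copy controller once the line is down, the copy controller is the only actor allowed at the FAX board's shared memory, and a send is refused while the copy into shared memory is still in progress.

```python
"""Added example, not code from the Security Target or from Xerox: a model of
the TSP_FLOW store-and-forward rules between the PSTN side (fax controller)
and the internal-network side (copy controller).  Names are assumptions."""

from dataclasses import dataclass
from typing import Optional

COPY_CONTROLLER = "copy_controller"     # the only actor allowed at the shared memory


class FlowViolation(Exception):
    """A controller tried to break a TSP_FLOW rule."""


@dataclass
class FaxJob:
    image: bytes
    remote_number: str                  # job data, e.g. the other fax machine's number


class SharedMemory:
    """Shared memory area on the FAX board.  The FAX board side places/takes jobs
    directly; the network side only goes through copy_in/copy_out, and only as
    the copy controller (TSP_FLOW rule 1)."""

    def __init__(self) -> None:
        self._job: Optional[FaxJob] = None
        self.copy_complete = False      # True once the copy controller finished writing

    def place(self, job: FaxJob) -> None:           # FAX board side
        self._job = job

    def take(self) -> FaxJob:                       # FAX board side
        if self._job is None:
            raise FlowViolation("no job in shared memory")
        job, self._job, self.copy_complete = self._job, None, False
        return job

    def copy_in(self, actor: str, job: FaxJob, complete: bool = True) -> None:
        if actor != COPY_CONTROLLER:
            raise FlowViolation(f"{actor} may not write the FAX board shared memory")
        self._job = job
        self.copy_complete = complete   # complete=False models an unfinished copy

    def copy_out(self, actor: str) -> FaxJob:
        if actor != COPY_CONTROLLER:
            raise FlowViolation(f"{actor} may not read the FAX board shared memory")
        return self.take()


class FaxController:
    """Owns the PSTN port; never talks to the internal network directly."""

    def __init__(self, shared: SharedMemory) -> None:
        self.shared = shared
        self.line_open = False
        self.inbound_ready = False      # signal towards the copy controller
        self.sent: list = []

    def pstn_receive(self, job: FaxJob) -> None:
        self.line_open = True           # remote machine stays connected while data arrives
        self.shared.place(job)          # data stays on the FAX board

    def pstn_hang_up(self) -> None:
        self.line_open = False

    def notify_copy_controller(self) -> None:       # RECEIVING FAX rule
        if self.line_open:
            raise FlowViolation("PSTN connection still open; will not announce the fax")
        self.inbound_ready = True

    def send(self) -> FaxJob:                       # SENDING FAX rule
        if not self.shared.copy_complete:
            raise FlowViolation("copy into shared memory not finished; will not send")
        job = self.shared.take()
        self.sent.append(job)
        return job


class CopyController:
    """Internal-network side; the only path by which fax data crosses over."""

    def __init__(self, fax: FaxController, actor: str = COPY_CONTROLLER) -> None:
        self.fax, self.actor = fax, actor

    def fetch_received(self) -> FaxJob:
        if not self.fax.inbound_ready:
            raise FlowViolation("fax controller has not announced a received fax")
        job = self.fax.shared.copy_out(self.actor)
        self.fax.inbound_ready = False
        return job

    def submit_for_sending(self, job: FaxJob, complete: bool = True) -> None:
        self.fax.shared.copy_in(self.actor, job, complete)

    def request_send(self) -> FaxJob:
        return self.fax.send()


def violates(action) -> bool:
    """True if calling action() is refused by the flow policy."""
    try:
        action()
    except FlowViolation:
        return True
    return False
```

Each refusal corresponds to one rule: `notify_copy_controller()` while the line is open (rule 2), `request_send()` after an unfinished copy (rule 3), and any `copy_out()` by an actor other than the copy controller (rule 1). The network side never sees PSTN data except through `fetch_received()`, which is the processed, store-and-forward path FPT_FDI_EXP.1 asks for.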
6.2.2. SSLSec SFP (TSP_SSL)
The security function “User Data Protection -- SSL” (TSF_FDP_SSL) requires that SSL
is enabled so that Web-based network traffic to and from the TOE will be encrypted
using SSL. This policy will be enforced on:
- SUBJECTS: Web clients.
- INFORMATION: All web-based traffic to and from that destination.
- OPERATIONS: HTTP commands.
6.2.3. IP Filter SFP (TSP_FILTER)
The security function “User Data Protection -- IP Filtering” (TSF_FDP_FILTER) requires
that network traffic to and from the TOE will be filtered in accordance with the rules
defined by the system administrator at the Web User Interface configuration editor for IP
Filtering. This policy will be enforced on:
- SUBJECTS: External entities that send network traffic to the TOE.
- INFORMATION: All IP-based traffic to and from that destination.
- OPERATIONS: Pass network traffic.
Note: The TOE cannot enforce the IP Filtering (TSP_FILTER) when it is configured
for IPv6, AppleTalk or IPX networks.
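To make the policy and its stated limitation concrete, here is an added example of an IP filter evaluator of the kind TSP_FILTER describes. It is not the TOE's own IP Filtering implementation. The rule syntax (action, protocol, source prefix, TOE port), first-match semantics, the default-drop behaviour and the sample rules are all assumptions; the one thing taken directly from the note above is that filtering covers IPv4 only, so traffic from a non-IPv4 source is reported as "unfiltered" rather than silently passed, which is the state a deployment on IPv6, AppleTalk or IPX would be in.

```python
"""Added example, not the TOE's IP Filtering code: evaluates administrator-
defined filter rules for traffic towards the TOE.  Rule syntax, first-match
semantics and default-drop are assumptions; the IPv4-only scope is the ST's."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "drop"
    protocol: str                       # "tcp", "udp" or "any"
    source: ipaddress.IPv4Network       # external entities the rule applies to
    port: Optional[int]                 # TOE port, None = any


def parse_rule(text: str) -> Rule:
    """Parse one line such as 'pass tcp 10.1.0.0/24 9100' (syntax assumed)."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields: {text!r}")
    action, protocol, source, port = fields
    if action not in ("pass", "drop") or protocol not in ("tcp", "udp", "any"):
        raise ValueError(f"bad action/protocol: {text!r}")
    return Rule(action, protocol,
                ipaddress.IPv4Network(source, strict=False),
                None if port == "any" else int(port))


def parse_ruleset(config: str) -> List[Rule]:
    """Blank lines and '#' comments are ignored."""
    return [parse_rule(line) for line in config.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def decide(rules: List[Rule], src: str, protocol: str, port: int) -> str:
    """Return 'pass', 'drop' or 'unfiltered' for one packet towards the TOE."""
    addr = ipaddress.ip_address(src)
    if addr.version != 4:
        return "unfiltered"             # TSP_FILTER cannot be enforced for IPv6
    for rule in rules:                  # first matching rule wins (assumption)
        if (addr in rule.source and rule.protocol in ("any", protocol)
                and rule.port in (None, port)):
            return rule.action
    return "drop"                       # no rule matched: default-deny (assumption)


# Constructed sample policy: print from the office subnet, manage from one host.
SAMPLE_RULES = parse_ruleset("""
# action proto  source          port
pass     tcp    10.1.0.0/24     9100
pass     tcp    10.1.0.0/24     515
pass     tcp    10.1.0.10/32    443
drop     any    0.0.0.0/0       any
""")
```

The "unfiltered" result is the detail worth keeping visible in monitoring: a host that can reach the TOE over IPv6 is outside the rule set entirely, so the environment (OE.INTERFACE.MANAGED) has to supply that filtering instead.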
6.2.4. IPSec SFP (TSP_IPSEC)
The security function “User Data Protection -- IPSec” (TSF_FDP_IPSec) requires that
network traffic to and from the TOE will be encrypted when the printing client initiates
IPSec encryption. This policy will be enforced on:
- SUBJECTS: Printing clients.
- INFORMATION: All lpr and port 9100 traffic to and from that destination.
- OPERATIONS: Print jobs.
6.2.5. SNMPSec SFP (TSP_SNMP)
The security function “Network Management Security” (TSF_NET_MGMT) requires that
the TOE applies SNMPv3 so that network traffic to and from the TOE will be encrypted
in accordance with SNMPv3. This policy will be enforced on:
- SUBJECTS: Remote SNMPv3 hosts.
- INFORMATION: All SNMPv3 traffic to and from that destination.
- OPERATIONS: SNMPv3 commands and messages.
6.2.6. PrivUserAccess SFP (TSP_FMT)
The security function “Security Management” (TSF_FMT) restricts management of TOE
security functions to the authorized system administrator.
6.2.7. User Access Control SFP (UAC_SFP) (IEEE Std. 2600.2-2009)
The Security Function Policy (SFP) described in Table 18: User Access Control SFP is
referenced by the Class FDP SFRs.
Table 18: User Access Control SFP

Object | Attribute | Operation(s) | Subject | Access Control Rule
D.DOC | +PRT | Read | U.NORMAL | Denied, except for his/her own documents.
D.DOC | +PRT | Read | U.ADMINISTRATOR | Allowed
D.DOC | +PRT | Delete | U.NORMAL, U.ADMINISTRATOR | Denied, except when the associated D.FUNC is deleted.
D.DOC | +SCN | Read, Delete | U.NORMAL, U.ADMINISTRATOR | Denied, except for his/her own documents
D.DOC | +CPY | Read, Delete | U.NORMAL, U.ADMINISTRATOR | Denied, except for his/her own documents
D.DOC | +FAXIN | Read, Delete | U.ADMINISTRATOR | Allowed
D.DOC | +FAXIN | Read, Delete | U.NORMAL | Denied
D.DOC | +FAXOUT | Read, Delete | U.NORMAL, U.ADMINISTRATOR | Denied, except for his/her own documents
D.DOC | +DSR and +SCN | Read, Delete | U.NORMAL | Denied, except for his/her own documents.
D.DOC | +DSR and +SCN | Read, Delete | U.ADMINISTRATOR | Allowed
D.FUNC | Any Attribute, except +CPY | Modify | U.NORMAL, U.ADMINISTRATOR | Denied
D.FUNC | +PRT +PC | Delete | U.NORMAL | Denied, except for his/her own documents, for which only he/she knows the pass code.
D.FUNC | +PRT +PC | Delete | U.ADMINISTRATOR | Allowed
D.FUNC | +SCN | Delete | U.NORMAL, U.ADMINISTRATOR | Denied
D.FUNC | +CPY | Delete, Modify | U.NORMAL, U.ADMINISTRATOR | Denied, except for his/her own documents
D.FUNC | +FAXIN | Delete | U.NORMAL, U.ADMINISTRATOR | Denied
D.FUNC | +FAXOUT | Delete | U.NORMAL | Denied
D.FUNC | +FAXOUT | Delete | U.ADMINISTRATOR | Allowed
Table 19: Attributes Definition

Designation | Definition
+PRT | Indicates data that are associated with a print job.
+SCN | Indicates data that are associated with a scan job.
+CPY | Indicates data that are associated with a copy job.
+FAXIN | Indicates data that are associated with an inbound (received) fax job.
+FAXOUT | Indicates data that are associated with an outbound (sent) fax job.
+DSR | Indicates data that are associated with a document storage and retrieval job.
+SMI | Indicates data that are transmitted or received over a shared-medium interface.
Application Note: IEEE Std. 2600.2-2009 specifies the contents of FDP_ACC.1 for
each function package that is claimed by a ST and a Common Access Control SFP for
D.FUNC and D.DOC (Operation: read). In this ST, the SFPs for each package are
combined with the Common Access Control SFP and then refined to form Table 18 (User
Access Control SFP). The User Access Control SFP represents more detail and a more
restrictive requirement than the combination of package SFPs and the Common Access
Control SFP. Hence the ST is conformant to IEEE Std. 2600.2-2009.
Application Note: A document (D.DOC) is “owned” by a User (U.User) if that
document was created or submitted to the TOE by that User. The only exception is
documents received as fax (D.DOC +FAXIN), for which the system administrators are
considered the owner. This is in conformance with IEEE Std. 2600.2-2009 application
notes 94 and 95.
Application Note: Access control rules for the “Create” Operation are not specified
because typically, any authorized U.User can create his/her own documents and cannot
create documents that are owned by another User.
Application Note: The attribute +DSR defined in IEEE Std. 2600.2-2009 (table 23) does not
apply to D.FUNC, and in this ST is only applicable to D.DOC with attribute +SCN.
Attribute +SMI does not apply to this SFP.
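A table of access control rules is easiest to check when it is written as a decision function and run against concrete subjects and objects. The following is an added example, not code from the Security Target or from Xerox. It encodes the rows of Table 18 as read from the table, plus the application notes on ownership and on received faxes belonging to the system administrators. The data classes, the reading that a U.NORMAL must present the pass code of his/her own +PRT job to delete it, and the sample users and documents are assumptions made for the illustration; the rules themselves follow the table.

```python
"""Added example, not code from the Security Target or from Xerox: the User
Access Control SFP of Table 18 as a decision function.  Data classes, the
pass-code check and all sample data are assumptions; rules follow the table."""

from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

U_NORMAL, U_ADMINISTRATOR = "U.NORMAL", "U.ADMINISTRATOR"


@dataclass(frozen=True)
class User:
    name: str
    role: str                           # U.NORMAL or U.ADMINISTRATOR


@dataclass
class Doc:                              # D.DOC: user document data
    attributes: FrozenSet[str]          # e.g. {"+PRT"} or {"+DSR", "+SCN"}
    owner: str                          # user who created or submitted it
    passcode: Optional[str] = None      # secure-print pass code, if any (assumption)


@dataclass
class Func:                             # D.FUNC: the job data that goes with a D.DOC
    attribute: str
    owner: str
    doc: Doc


def owns(user: User, data) -> bool:
    """Application note: a D.DOC is owned by the user who submitted it, except
    +FAXIN documents, whose owners are the system administrators."""
    if isinstance(data, Doc) and "+FAXIN" in data.attributes:
        return user.role == U_ADMINISTRATOR
    return data.owner == user.name


def doc_allowed(user: User, doc: Doc, op: str, func_deleted: bool = False) -> bool:
    """Table 18 rules for D.DOC.  func_deleted says whether this Delete is part
    of deleting the associated D.FUNC, the only way a +PRT document goes away."""
    if op not in ("Read", "Delete"):
        raise ValueError(f"no rule for operation {op!r}")
    a, admin = doc.attributes, user.role == U_ADMINISTRATOR
    if "+PRT" in a:
        return (admin or owns(user, doc)) if op == "Read" else func_deleted
    if "+FAXIN" in a:                   # U.ADMINISTRATOR allowed, U.NORMAL denied
        return owns(user, doc)
    if {"+DSR", "+SCN"} <= a:           # stored scans: admin allowed, normal own only
        return admin or owns(user, doc)
    if a & {"+SCN", "+CPY", "+FAXOUT"}: # both roles: own documents only
        return owns(user, doc)
    return False


def func_allowed(user: User, func: Func, op: str,
                 passcode: Optional[str] = None) -> bool:
    """Table 18 rules for D.FUNC."""
    a, admin = func.attribute, user.role == U_ADMINISTRATOR
    if op == "Modify":                  # any attribute except +CPY: denied
        return owns(user, func) if a == "+CPY" else False
    if op == "Delete":
        if a == "+PRT":                 # own job, proven by knowing its pass code
            return admin or (owns(user, func) and passcode is not None
                             and passcode == func.doc.passcode)
        if a == "+CPY":
            return owns(user, func)
        if a == "+FAXOUT":
            return admin
        return False                    # +SCN and +FAXIN: denied to both roles
    raise ValueError(f"no rule for operation {op!r}")


def delete_print_job(user: User, func: Func,
                     passcode: Optional[str] = None) -> Tuple[bool, bool]:
    """(job deleted?, document deleted?): deleting the +PRT D.FUNC is the only
    route by which its D.DOC may be deleted."""
    if not func_allowed(user, func, "Delete", passcode):
        return (False, False)
    return (True, doc_allowed(user, func.doc, "Delete", func_deleted=True))
```

Two properties of the table stand out once it is executable: a system administrator can read anyone's print job but not anyone's scan or copy document (those rows are "own documents only" for both roles), and a +PRT document cannot be deleted on its own by anyone, only through its job.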
6.2.8. TOE Function Access Control SFP (TF_SFP) (IEEE Std. 2600.2-2009)
Users (U.NORMAL) require explicit authorization from system administrators
(U.ADMINISTRATOR) for them to be allowed to perform the following TOE Functions
as defined in the IEEE Std. 2600.2-2009 SFR Packages in Section 12.3 via the Web UI
or the LUI:
- Print (PRT)
- Scan (SCN)
- Fax (FAX)
- Copy (CPY)
- Document Storage and Retrieval (DSR)
- Transmit data via Shared-medium Interfaces (SMI)
Any User who is authorized to establish a connection with the TOE through the
Ethernet port is allowed to perform the following TOE Functions as defined in the IEEE
Std. 2600.2-2009 SFR Packages in Section 12.3:
- Print (PRT)
- Fax (FAX) – LanFax only
- Transmit data via Shared-medium Interfaces (SMI)
6.3. Security Functional Requirements
The TOE satisfies the SFRs delineated in Table 20: TOE Security Functional
Requirements. The rest of this section contains a description of each component and
any related dependencies.
Table 20: TOE Security Functional Requirements

Functional Component ID | Functional Component Name
FAU_GEN.1 | Audit data generation
FAU_GEN.2 | User identity association
FAU_SAR.1 | Audit review
FAU_SAR.2 | Restricted audit review
FAU_STG.1 | Protected audit trail storage
FAU_STG.4 | Prevention of audit data loss
FCS_CKM.1 | Cryptographic key generation
FCS_CKM.2 | Cryptographic key distribution
FCS_CKM.4 | Cryptographic key destruction
FCS_COP.1 | Cryptographic operation
FDP_ACC.1 | Subset access control
FDP_ACF.1 | Security attribute based access control
FDP_IFC.1 | Subset information flow control
FDP_IFF.1 | Simple security attributes
FDP_RIP.1 | Subset residual information protection
FDP_UCT.1 | Basic data exchange confidentiality
FDP_UIT.1 | Data exchange integrity
FIA_ATD.1 | User attribute definition
FIA_UAU.2 | User authentication before any action
FIA_UAU.7 | Protected authentication feedback
FIA_UID.2 | User identification before any action
FIA_USB.1 | User-subject binding
FMT_MOF.1 | Management of security functions behaviour
FMT_MSA.1 | Management of security attributes
FMT_MSA.3 | Static attribute initialisation
FMT_MTD.1 | Management of TSF data
FMT_SMF.1 | Specification of management functions
FMT_SMR.1 | Security Roles
FPT_FDI_EXP.1 | Restricted forwarding of data to external interfaces
FPT_STM.1 | Reliable time stamps
FPT_TST.1 | TSF Testing
FTA_SSL.3 | TSF-initiated termination
FTP_ITC.1 | Inter-TSF trusted channel
FTP_TRP.1 | Trusted path
6.3.1. Class FAU: Security audit
6.3.1.1. FAU_GEN.1 Audit data generation (IEEE Std. 2600.2-2009)
Hierarchical to:
No other components.
Dependencies:
FPT_STM.1 Reliable time stamps
FAU_GEN.1.1
The TSF shall be able to generate an audit record of the
following auditable events:
- Start-up and shutdown of the audit functions;
- All auditable events for the not specified level of audit; and
- [all Auditable Events as each is defined for its Audit Level
(if one is specified) for the Relevant SFR in Table 21].
FAU_GEN.1.2
The TSF shall record within each audit record at least the
following information:
- Date and time of the event, type of event, subject identity
(if applicable), and the outcome (success or failure) of the
event; and
- For each audit event type, based on the auditable event
definitions of the functional components included in the
PP/ST, [for each Relevant SFR listed in Table 21: (1)
information as defined by its Audit Level (if one is
specified), and (2) all Additional Information (if any is
required),
- and the following audit attribute:
  - Entry number (an integer value from 1 to the number
of entries in the audit log) ]
Table 21: Audit Data Requirements

Auditable Event | Relevant SFR | Audit Level [9] | Additional Information
Job completion | FDP_ACF.1 | Not specified | Type of job
Both successful and unsuccessful use of the authentication mechanism | FIA_UAU.2 [10] | Basic | None required
Both successful and unsuccessful use of the identification mechanism | FIA_UID.2 [10] | Basic | Attempted user identity, if available [11]
Use of the management functions | FMT_SMF.1 | Minimum | None required
Modifications to the group of users that are part of a role | FMT_SMR.1 | Minimum | None required
Changes to the time | FPT_STM.1 | Minimum | None required
Locking of an interactive session by the session locking mechanism | FTA_SSL.3 | Minimum | None required
Failure of the trusted channel functions [12] | FTP_ITC.1 | Minimum | None required

6.3.1.2. FAU_GEN.2 User identity association (IEEE Std. 2600.2-2009)
Hierarchical to:
No other components.
Dependencies:
FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
FAU_GEN.2.1
For audit events resulting from actions of identified users,
the TSF shall be able to associate each auditable event with
the identity of the user that caused the event.
6.3.1.3. FAU_SAR.1 Audit review
Hierarchical to:
No other components.
Dependencies:
FAU_GEN.1 Audit data generation
FAU_SAR.1.1:
The TSF shall provide [U.ADMINISTRATOR] with the
capability to read [all information] from the audit records.
FAU_SAR.1.2:
The TSF shall provide the audit records in a manner suitable
for the user to interpret the information.
[9] For certain auditable events, IEEE Std. 2600.2-2009 has specified the Audit Level required to be “minimum” instead of “minimal”
as required by CC part 2.
[10] FIA_UAU.2 and FIA_UID.2 are claimed in this ST instead of FIA_UAU.1 and FIA_UID.1 from IEEE Std. 2600.2-2009.
[11] Additional Information requirement specified in IEEE Std. 2600.2-2009.
[12] This audit event is required by the addition of the IEEE 2600.2-SMI SFR Package. The developer added it to the existing table of
events rather than adding an iteration for FAU_GEN.1.
6.3.1.4. FAU_SAR.2 Restricted audit review
Hierarchical to:
No other components.
Dependencies:
FAU_SAR.1 Audit review
FAU_SAR.2.1:
The TSF shall prohibit all users read access to the audit
records, except those users that have been granted explicit
read-access.
6.3.1.5. FAU_STG.1 Protected audit trail storage
Hierarchical to:
None.
Dependencies:
FAU_GEN.1 Audit data generation
FAU_STG.1.1:
The TSF shall protect the stored audit records in the audit
trail from unauthorized deletion.
FAU_STG.1.2:
The TSF shall be able to prevent unauthorized modifications
to the stored audit records in the audit trail.
6.3.1.6. FAU_STG.4 Prevention of audit data loss
Hierarchical to:
FAU_STG.3.
Dependencies:
FAU_STG.1 Protected audit trail storage
FAU_STG.4.1:
The TSF shall overwrite the oldest stored audit records and
[generate an email warning at 90%] if the audit trail is full.
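The Class FAU requirements above fit together as one small data structure, and seeing them as code makes the interplay clear: what a record must contain (FAU_GEN.1.2, including the entry number that runs from 1 to the number of entries), who may read (FAU_SAR.1 and FAU_SAR.2), the absence of any delete or modify operation (FAU_STG.1), and the overwrite-oldest behaviour with a warning at 90% (FAU_STG.4). The following is an added example, not the TOE's audit implementation. The capacity, the clock hook, the warning callback that stands in for the e-mail warning, and the sample events are assumptions; the event types and additional information follow Table 21.

```python
"""Added example, not the TOE's audit code: an audit trail modelled on
FAU_GEN.1.2, FAU_SAR.1/2, FAU_STG.1 and FAU_STG.4.  Capacity, clock hook,
warning callback and sample events are assumptions."""

import math
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

U_ADMINISTRATOR = "U.ADMINISTRATOR"


class AuditAccessDenied(Exception):
    """Raised when a user without explicit read access asks for the records."""


@dataclass(frozen=True)
class AuditRecord:
    entry: int                          # 1 .. number of entries currently in the log
    time: datetime                      # date and time of the event
    event: str                          # type of event, e.g. "authentication"
    subject: Optional[str]              # subject identity, if applicable
    outcome: str                        # "success" or "failure"
    additional: Dict[str, str]          # Additional Information from Table 21


class AuditTrail:
    """No delete or modify method exists on purpose (FAU_STG.1)."""

    def __init__(self, capacity: int, warn_fraction: float = 0.9,
                 clock: Optional[Callable[[], datetime]] = None,
                 notify: Optional[Callable[[str], None]] = None) -> None:
        if capacity < 1:
            raise ValueError("capacity must be positive")
        self.capacity = capacity
        self._warn_at = math.ceil(capacity * warn_fraction)
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.warnings: List[str] = []   # stands in for the e-mail warning (assumption)
        self._notify = notify or self.warnings.append
        self._records: deque = deque(maxlen=capacity)   # when full, append drops the oldest
        self._warned = False

    def log(self, event: str, outcome: str, subject: Optional[str] = None,
            **additional: str) -> None:
        """Generate one audit record (FAU_GEN.1.1 / FAU_GEN.1.2)."""
        if outcome not in ("success", "failure"):
            raise ValueError("outcome must be 'success' or 'failure'")
        self._records.append((self._clock(), event, subject, outcome, dict(additional)))
        if not self._warned and len(self._records) >= self._warn_at:   # FAU_STG.4
            self._warned = True
            self._notify(f"audit trail {len(self._records)}/{self.capacity} full")

    def fill_level(self) -> float:
        return len(self._records) / self.capacity

    def read(self, reader_role: str) -> List[AuditRecord]:
        """FAU_SAR.1 / FAU_SAR.2: all information, but only to U.ADMINISTRATOR.
        The entry number is assigned by position so it always runs 1..n."""
        if reader_role != U_ADMINISTRATOR:
            raise AuditAccessDenied(f"{reader_role} has no read access to the audit records")
        return [AuditRecord(n, *fields) for n, fields in enumerate(self._records, start=1)]


def sample_trail(capacity: int = 10) -> AuditTrail:
    """Constructed sample session exercising the Table 21 event types."""
    fixed = lambda: datetime(2013, 11, 1, 12, 0, tzinfo=timezone.utc)
    trail = AuditTrail(capacity, clock=fixed)
    trail.log("identification", "failure", subject=None, attempted_identity="mallory")
    trail.log("authentication", "success", subject="alice")
    trail.log("management function", "success", subject="root", function="IP Filtering")
    trail.log("job completion", "success", subject="alice", job_type="print")
    return trail
```

Because the entry number is positional, overwriting the oldest record renumbers what remains; an external reviewer (OE.AUDIT.REVIEWED) who needs a gap-free history therefore has to export before the 90% warning, which is exactly why FAU_STG.4 pairs the overwrite with the warning.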
6.3.2. Class FCO: Communication
There are no Class FCO security functional requirements for this Security Target.
6.3.3. Class FCS: Cryptographic support
6.3.3.1. FCS_CKM.1 (SSL) Cryptographic key generation
Hierarchical to:
No other components.
Dependencies:
[FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 (SSL)
The TSF shall generate cryptographic keys in
accordance with a specified cryptographic key generation
algorithm [RSA key pair generation] and specified
cryptographic key sizes [1024 bits or smaller key sizes
required for SSLv3 non-capable clients] that meet the
following: [not specified].
Application note: The SSL v3 standard does not define how the RSA key pair
is generated; the definition is implementation-specific. The evaluation does not cover the
assessment of the strength of the keys generated, ONLY that a correct RSA key
pair is generated. No assessment of the strength of the key pair will be
performed. The SSLv3 standard allows for the TOE to operate in accordance
with previous SSL standards when communicating with clients that are not
SSLv3 capable.
6.3.3.2. FCS_CKM.2 (SSL 1) Cryptographic key distribution
Hierarchical to:
No other components.
Dependencies:
[FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.2.1 (SSL 1)
The TSF shall distribute cryptographic keys in
accordance with a specified cryptographic key distribution
method [RSA encrypted exchange of session keys for SSL
handshake] that meet the following: [SSLv3 standard].
Application note: This requirement is intended for SSL client and server
authentication.
6.3.3.3. FCS_CKM.2 (SSL 2) Cryptographic key distribution
Hierarchical to:
No other components.
Dependencies:
[FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.2.1 (SSL 2)
The TSF shall distribute cryptographic keys in
accordance with a specified cryptographic key distribution
method [digital certificates for public RSA keys] that meet the
following: [certificate format given in X.509v3].
6.3.3.4. FCS_COP.1 (SSL) Cryptographic operation
Hierarchical to:
No other components.
Dependencies:
[FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 (SSL)
The TSF shall perform [digital signature generation
and verification] in accordance with a specified cryptographic
algorithm [RSA] and cryptographic key sizes [1024 bits or
smaller key sizes required for SSLv3 non-capable clients]
that meet the following: [SSLv3 standard].
Application note: The SSLv3 standard allows for the TOE to operate in
accordance with previous SSL standards when communicating with clients that
are not SSLv3 capable.
6.3.3.5. FCS_CKM.1 (IPSEC) Cryptographic key generation
Hierarchical to:
No other components.
Dependencies:
[FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 (IPSEC)
The TSF shall generate cryptographic keys in
accordance with a specified cryptographic key generation
algorithm [Triple Data Encryption Standard (3DES-EDE)]
and specified cryptographic key sizes [3 unique 56-bit keys]
that meet the following: [NIST 800-67].
6.3.3.6. FCS_COP.1 (IPSEC 1) Cryptographic operation
Hierarchical to:
No other components.
Dependencies:
[FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 (IPSEC 1)
The TSF shall perform [
a) IPSec Security Association data encryption/decryption specified by IKE in RFC2409 as defined in TSP_IPSEC; and
b) IPSec ESP bulk data encryption/decryption specified by IKE in RFC2406 as defined in the TSP_IPSEC]
in accordance with a specified cryptographic algorithm
[3DES-EDE] and cryptographic key sizes [168 bits] that
meet the following: [NIST 800-67].
6.3.3.7. FCS_COP.1 (IPSEC 2) Cryptographic operation
Hierarchical to:
No other components.
Dependencies:
[FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 (IPSEC 2)
The TSF shall perform [cryptographic checksum generation and secure hash
(message digest) computation] in accordance with a specified cryptographic
algorithm [SHA1] and cryptographic key sizes [N/A] that meet the following:
[FIPS-180-2].
6.3.3.8. FCS_CKM.1 (SNMP) Cryptographic key generation
Hierarchical to:
No other components.
Dependencies:
[FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 (SNMP)
The TSF shall generate cryptographic keys in
accordance with a specified cryptographic key generation
algorithm [DES] and specified cryptographic key sizes [64
bit] that meet the following: [generation of keys as defined in
the SNMPv3 standard with the cipher suites defined in
FCS_COP.1 (SNMP)].
6.3.3.9. FCS_COP.1 (SNMP) Cryptographic operation
Hierarchical to:
No other components.
Dependencies:
[FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 (SNMP)
The TSF shall perform [hashing and verification] in
accordance with a specified cryptographic algorithm [HMAC
– SHA1] and cryptographic key sizes [none] that meet the
following: [SNMPv3 standard].
6.3.3.10. FCS_CKM.1 (UDE) Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1 (UDE) The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [AES] and specified cryptographic key sizes [256 bit] that meet the following: [randomization of network interface MAC address upon boot up].
6.3.3.11. FCS_COP.1 (UDE) Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1 (UDE) The TSF shall perform [encryption and decryption] on user data stored on the HDD(s) in accordance with a specified cryptographic algorithm [AES] and cryptographic key sizes [256 bit] that meet the following: [none].
6.3.3.12. FCS_CKM.4 Cryptographic key destruction
Hierarchical to: No other components
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [semiconductor memory state loss at power-down, semiconductor memory zeroization at power-up] that meets the following: [None].
6.3.4. Class FDP: User data protection
6.3.4.1. FDP_ACC.1 (USER) Subset access control (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1 (USER) The TSF shall enforce the [User Access Control SFP in Table 18] on [the list of users as subjects, objects, and operations among subjects and objects covered by the User Access Control SFP in Table 18].
Application Note: This SFR covers FDP_ACC.1 (a) and FDP_ACC.1 from all claimed packages (PRT, SCN, CPY, FAX, DSR) in the IEEE Std. 2600.2 PP.
6.3.4.2. FDP_ACC.1 (FUNC) Subset access control (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1 (FUNC) The TSF shall enforce the [TOE Function Access Control SFP] on [users as subjects, TOE functions as objects, and the right to use the functions as operations].
Application Note: This SFR is FDP_ACC.1 (b) from The IEEE Std. 2600.2 PP.
6.3.4.3. FDP_ACC.1 (MGMT) Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1 (MGMT) The TSF shall enforce the [PrivUserAccess SFP] on [
• Subjects: authorized users;
• Object: functions accessible via WebUI and Local UI;
• Operations: access management interfaces].
6.3.4.4. FDP_ACF.1 (USER) Security attribute based access control (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1 (USER) The TSF shall enforce the [User Access Control SFP in Table 18] to objects based on the following: [the list of users as subjects and objects controlled under the User Access Control SFP in Table 18, and for each, the indicated security attributes in Table 18].
FDP_ACF.1.2 (USER) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [rules specified in the User Access Control SFP in Table 18 governing access among controlled users as subjects and controlled objects using controlled operations on controlled objects].
FDP_ACF.1.3 (USER) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [none].
FDP_ACF.1.4 (USER) The TSF shall explicitly deny access of subjects to objects based on the [none].
Application Note: This SFR covers FDP_ACF.1 (a) and FDP_ACF.1 from all claimed packages (PRT, SCN, CPY, FAX, DSR) in the IEEE Std. 2600.2 PP.
6.3.4.5. FDP_ACF.1 (FUNC) Security attribute based access control (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1 (FUNC) The TSF shall enforce the [TOE Function Access Control SFP] to objects based on the following: [users, roles and their individual permissions to perform any or all of the following functions: print, scan, copy, fax, document storage and retrieval, access to shared-medium interface].
FDP_ACF.1.2 (FUNC) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [the user who is explicitly authorized by U.ADMINISTRATOR to use a function is allowed to access the function via Web UI or LUI].
FDP_ACF.1.3 (FUNC) The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [
• a user acting in the role U.ADMINISTRATOR is allowed to access all functions available;
• all users authorized for remote connection to the TOE are allowed to access print, LanFax, and access to shared-medium interface].
FDP_ACF.1.4 (FUNC) The TSF shall explicitly deny access of subjects to objects based on the [none].
Application Note: This SFR is FDP_ACF.1 (b) from The IEEE Std. 2600.2 PP.
6.3.4.6. FDP_ACF.1 (MGMT) Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1 (MGMT) The TSF shall enforce the [PrivUserAccess SFP] to objects based on the following: [
• Subjects: Authorized users – role;
• Objects: functions accessible via WebUI and Local UI – role].
FDP_ACF.1.2 (MGMT) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [Authorized user(s) in U.ADMINISTRATOR role will be granted access to the TOE security relevant functions accessible via the management interfaces].
FDP_ACF.1.3 (MGMT) The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none].
FDP_ACF.1.4 (MGMT) The TSF shall explicitly deny access of subjects to objects based on the [none].
6.3.4.7. FDP_IFC.1 (FILTER) Subset information flow control
Hierarchical to: No other components.
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFC.1.1 (FILTER) The TSF shall enforce the [IPFilter SFP] on [
• Subjects: External entities that send traffic to the TOE;
• Information: All IP-based traffic to/from that source/destination;
• Operations: send or receive network traffic].
6.3.4.8. FDP_IFF.1 (FILTER) Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialization.
FDP_IFF.1.1 (FILTER) The TSF shall enforce the [IPFilter SFP] based on the following types of subject and information security attributes: [
• Subjects: External entities that send traffic to the TOE
  o IP address,
• Information: IP Packet
  o Source IP address, protocol used (TCP or UDP), destination TCP or UDP port].
FDP_IFF.1.2 (FILTER) The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [
• The source IP address matches a rule in the TOE’s rule base;
• If configured, the destination transport layer port matches a rule in the TOE’s rule base.]
FDP_IFF.1.3 (FILTER) The TSF shall enforce the [implicit allow if no rules have been defined].
FDP_IFF.1.4 (FILTER) The TSF shall explicitly authorize an information flow based on the following rules: [if the rule is the default all].
FDP_IFF.1.5 (FILTER) The TSF shall explicitly deny an information flow based on the following rules: [if there are no rules with matching security attributes or if a rule explicitly denies an information flow].
Application Note: When custom rules have not been defined by the system administrator, the default rule (allow all traffic) will apply. Because it is a wildcard rule, all IP addresses, ports and protocols (either TCP or UDP) will be a match for allowed traffic.
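As an added illustration (not Xerox code and not part of this Security Target), the following Python models the IPFilter SFP decision rules of FDP_IFF.1 (FILTER), including the permissive empty-rule-base default of FDP_IFF.1.3, against a constructed rule base; the first-match ordering and all class and function names are assumptions.

```python
"""Decision model of the IPFilter SFP (FDP_IFC.1 / FDP_IFF.1 (FILTER)).

Constructed illustration, not Xerox code. Rule matching order (first match
wins) and the field names are assumptions; the ST does not specify them.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ALLOW, DENY = "allow", "deny"
ANY_SOURCE = ip_network("0.0.0.0/0")   # the wildcard "default all" rule


@dataclass(frozen=True)
class Rule:
    """One administrator-defined rule (under FMT_MTD.1 (FILTER) only
    U.ADMINISTRATOR may create, modify, delete or read these)."""
    source: IPv4Network                      # single host (/32) or address range
    action: str                              # ALLOW or DENY
    protocol: Optional[str] = None           # "TCP", "UDP" or None for either
    ports: Optional[Tuple[int, int]] = None  # inclusive destination port range

    def matches(self, src: IPv4Address, proto: str, dport: int) -> bool:
        # FDP_IFF.1.2: the source address must match; protocol and destination
        # port are checked only when the rule configures them.
        if src not in self.source:
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.ports is not None and not (self.ports[0] <= dport <= self.ports[1]):
            return False
        return True


@dataclass(frozen=True)
class Packet:
    """The information security attributes named in FDP_IFF.1.1 (FILTER)."""
    src: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Decision:
    action: str
    reason: str


def evaluate(rules: List[Rule], pkt: Packet) -> Decision:
    """Apply FDP_IFF.1.2 to FDP_IFF.1.5 (FILTER) to a single packet."""
    # FDP_IFF.1.3 and the application note: an empty rule base means the
    # wildcard allow-all default applies to every address, port and protocol.
    if not rules:
        return Decision(ALLOW, "FDP_IFF.1.3: no rules defined, default allow-all")
    src, proto = ip_address(pkt.src), pkt.proto.upper()
    for rule in rules:
        if not rule.matches(src, proto, pkt.dport):
            continue
        if rule.action == DENY:
            return Decision(DENY, f"FDP_IFF.1.5: rule for {rule.source} explicitly denies")
        if rule.source == ANY_SOURCE and rule.protocol is None and rule.ports is None:
            return Decision(ALLOW, "FDP_IFF.1.4: default-all rule")
        return Decision(ALLOW, f"FDP_IFF.1.2: rule for {rule.source} matches")
    return Decision(DENY, "FDP_IFF.1.5: no rule with matching security attributes")


def is_default_allow_all(rules: List[Rule]) -> bool:
    """Configuration check for U.ADMINISTRATOR: True while any host can still
    reach any port, i.e. the rule base is empty or reaches an unrestricted
    wildcard allow rule before any deny rule."""
    for rule in rules:
        if rule.action == DENY:
            return False
        if rule.source == ANY_SOURCE and rule.protocol is None and rule.ports is None:
            return True
    return not rules


# Constructed rule base: one quarantined host is denied, the 10.0.0.0/24 subnet
# may submit raw print jobs on TCP 9100, and only the admin host may reach the
# Web UI over HTTPS. Everything else falls through to FDP_IFF.1.5 (deny).
EXAMPLE_RULES = [
    Rule(ip_network("10.0.0.99/32"), DENY),
    Rule(ip_network("10.0.0.0/24"), ALLOW, "TCP", (9100, 9100)),
    Rule(ip_network("10.0.0.10/32"), ALLOW, "TCP", (443, 443)),
]

if __name__ == "__main__":
    for p in (Packet("10.0.0.5", "TCP", 9100), Packet("10.0.0.5", "UDP", 9100),
              Packet("10.0.0.99", "TCP", 9100), Packet("198.51.100.7", "TCP", 443)):
        print(p, evaluate(EXAMPLE_RULES, p))
    print("still allow-all:", is_default_allow_all(EXAMPLE_RULES))
```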
6.3.4.9. FDP_RIP.1 (IOW 1) Subset residual information protection (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: No dependencies
FDP_RIP.1.1 (IOW 1) The TSF shall ensure that any previous information content of a resource is made unavailable upon the deallocation of the resource from the following objects: D.DOC, [copy, print, internet fax, workflow scan or scan-to-email job].
Application Note: This SFR is taken directly from IEEE 2600.2. It has been marked as iterated because this Security Target includes two instances of FDP_RIP.1. This SFR shall ensure that all stored document image data written to the hard disk drive(s) will be overwritten once the respective print, workflow scan or scan-to-email job has completed or is deleted.
6.3.4.10. FDP_RIP.1 (IOW 2) Subset residual information protection
Hierarchical to: No other components
Dependencies: No dependencies
FDP_RIP.1.1 (IOW 2) The TSF shall ensure that any previous information content of temporary image files will be overwritten with zeroes upon the deallocation of the resource from the following objects: [fax card flash memory that contains embedded fax job data].
Application Note: The embedded fax card flash memory overwrite is one round only.
6.3.4.11. FDP_UCT.1 (IPSEC) Basic data exchange confidentiality
Hierarchical to: No other components
Dependencies: [FTP_ITC.1 Inter-TSF trusted channel, or
FTP_TRP.1 Trusted path]
[FDP_ACC.1 Subset access control or
FDP_IFC.1 Subset information flow control]
FDP_UCT.1.1 (IPSEC) The TSF shall enforce the [IPSec SFP] to be able to transmit and receive user data in a manner protected from unauthorized disclosure.
6.3.4.12. FDP_UIT.1 (IPSEC) Data exchange integrity
Hierarchical to: No other components
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
[FTP_ITC.1 Inter-TSF trusted channel, or
FTP_TRP.1 Trusted path]
FDP_UIT.1.1 (IPSEC) The TSF shall enforce the [IPSec SFP] to be able to transmit and receive user data in a manner protected from modification, deletion, insertion, and/or replay errors.
FDP_UIT.1.2 (IPSEC) The TSF shall be able to determine on receipt of user data, whether modification, deletion, insertion, and/or replay has occurred.
6.3.4.13. FDP_UCT.1 (SSL) Basic data exchange confidentiality
Hierarchical to: No other components
Dependencies: [FTP_ITC.1 Inter-TSF trusted channel, or
FTP_TRP.1 Trusted path]
[FDP_ACC.1 Subset access control or
FDP_IFC.1 Subset information flow control]
FDP_UCT.1.1 (SSL) The TSF shall enforce the [SSLSec SFP] to be able to transmit and receive user data in a manner protected from unauthorized disclosure.
6.3.4.14. FDP_UIT.1 (SSL) Data exchange integrity
Hierarchical to: No other components
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
[FTP_ITC.1 Inter-TSF trusted channel, or
FTP_TRP.1 Trusted path]
FDP_UIT.1.1 (SSL) The TSF shall enforce the [SSLSec SFP] to be able to transmit and receive user data in a manner protected from modification, deletion, insertion, and/or replay errors.
FDP_UIT.1.2 (SSL) The TSF shall be able to determine on receipt of user data, whether modification, deletion, insertion, and/or replay has occurred.
6.3.4.15. FDP_UCT.1 (SNMP) Basic data exchange confidentiality
Hierarchical to: No other components
Dependencies: [FTP_ITC.1 Inter-TSF trusted channel, or
FTP_TRP.1 Trusted path]
[FDP_ACC.1 Subset access control or
FDP_IFC.1 Subset information flow control]
FDP_UCT.1.1 (SNMP) The TSF shall enforce the [SNMPSec SFP] to be able to transmit and receive user data in a manner protected from unauthorized disclosure.
6.3.4.16. FDP_UIT.1 (SNMP) Data exchange integrity
Hierarchical to: No other components
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
[FTP_ITC.1 Inter-TSF trusted channel, or
FTP_TRP.1 Trusted path]
FDP_UIT.1.1 (SNMP) The TSF shall enforce the [SNMPSec SFP] to be able to transmit and receive user data in a manner protected from modification, deletion, insertion, and/or replay errors.
FDP_UIT.1.2 (SNMP) The TSF shall be able to determine on receipt of user data, whether modification, deletion, insertion, and/or replay has occurred.
6.3.5. Class FIA: Identification and authentication
6.3.5.1. FIA_ATD.1 User attribute definition (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: No dependencies
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [username, password, role, list of objects and functions that the user has permission to access].
6.3.5.2. FIA_UAU.2 User authentication before any action (IEEE Std. 2600.2-2009)
Hierarchical to: FIA_UAU.1 Timing of authentication.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
Application Note: IEEE 2600.2 includes the FIA_UAU.1 requirement. FIA_UAU.2 is hierarchical to FIA_UAU.1 and satisfies the requirement that the content in the ST be as strict as or more strict than the PP in order to claim conformance to IEEE 2600.2.
6.3.5.3. FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components
Dependencies: FIA_UAU.1 Timing of Authentication
FIA_UAU.7.1 The TSF shall provide only [obscured feedback] to the user while the authentication is in progress.
6.3.5.4. FIA_UID.2 User identification before any action (IEEE Std. 2600.2-2009)
Hierarchical to: FIA_UID.1 Timing of identification.
Dependencies: No dependencies.
FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.
Application Note: IEEE 2600.2 includes the FIA_UID.1 requirement. FIA_UID.2 is hierarchical to FIA_UID.1 and satisfies the requirement that the content in the ST be as strict as or more strict than the PP in order to claim conformance to IEEE 2600.2.
6.3.5.5. FIA_USB.1 User-subject binding (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: FIA_ATD.1 User attribute definition
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [identity, list of objects and functions that the user has permission to access].
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with the subjects acting on behalf of users: [subjects will be assigned the security attributes of the user that they are acting on behalf of].
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes with the subjects acting on behalf of users: [security attributes of subjects acting on behalf of a user will not be changed while an action is in progress and cannot be changed by anyone but U.ADMINISTRATOR].
Application Note: For the purposes of this requirement, a “subject” is a process within the TOE that is acting (performing functions) on behalf of a user that is interacting with the TOE through its external interfaces. The subject will be assigned the permissions (security attributes) of the user and will act with only the permission set that the user holds. These permissions cannot be changed by the user; they can only be changed by the system administrator, and cannot be changed while an action is in progress. For example, if a process on the TOE is printing a document on behalf of a user and a system administrator revokes their permission to print, the user/subject pair will be denied further printing rights once the print job in progress has completed.
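As an added illustration (not Xerox code and not part of this Security Target), the following Python models the FIA_USB.1 binding rules and the revocation timing from the application note: a subject takes a snapshot of the user's attributes at binding, only U.ADMINISTRATOR may change them, and a change during an in-progress action takes effect when the action completes. The role names come from FMT_SMR.1; the class and function names are assumptions.

```python
"""Model of FIA_USB.1 user-subject binding and its revocation timing.

Constructed illustration, not Xerox code; class and function names are
assumptions. Roles follow FMT_SMR.1 of the Security Target.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

ADMIN, NORMAL, NOBODY = "U.ADMINISTRATOR", "U.NORMAL", "Nobody"


@dataclass
class User:
    """Security attributes maintained per user (FIA_ATD.1)."""
    username: str
    role: str
    permissions: FrozenSet[str]   # functions the user may use


@dataclass
class Subject:
    """A TOE process acting for a user. Its attributes are a snapshot taken at
    binding (FIA_USB.1.2); a change made mid-action is parked in 'pending'."""
    identity: str
    permissions: FrozenSet[str]
    in_progress: Optional[str] = None
    pending: Optional[FrozenSet[str]] = None


def bind(user: User) -> Subject:
    """FIA_USB.1.1/1.2: the subject inherits the user's identity and permissions."""
    if user.role == NOBODY:   # FMT_SMR.1.2: no user may hold the role "Nobody"
        raise PermissionError("role Nobody cannot be associated with a user")
    return Subject(user.username, user.permissions)


def start_action(subject: Subject, function: str) -> bool:
    """Mediate a function request against the subject's own permission set."""
    if subject.in_progress is not None or function not in subject.permissions:
        return False
    subject.in_progress = function
    return True


def finish_action(subject: Subject) -> None:
    """Complete the action and apply any administrator change deferred by it."""
    subject.in_progress = None
    if subject.pending is not None:
        subject.permissions, subject.pending = subject.pending, None


def set_permissions(actor: User, target: User, new_perms: Iterable[str],
                    subjects: List[Subject]) -> None:
    """FIA_USB.1.3: only U.ADMINISTRATOR may change attributes, and a subject
    with an action in progress keeps its attributes until that action ends."""
    if actor.role != ADMIN:
        raise PermissionError(f"{actor.username} is not U.ADMINISTRATOR")
    target.permissions = frozenset(new_perms)
    for s in subjects:
        if s.identity != target.username:
            continue
        if s.in_progress is None:
            s.permissions = target.permissions   # idle subject: change now
        else:
            s.pending = target.permissions       # busy subject: change after job


def revocation_scenario() -> Dict[str, bool]:
    """The application note's example: print permission revoked mid-job."""
    admin = User("sysadmin", ADMIN, frozenset({"print", "copy", "manage"}))
    alice = User("alice", NORMAL, frozenset({"print", "copy"}))
    bob = User("bob", NORMAL, frozenset({"copy"}))
    subjects = [bind(alice)]
    job = subjects[0]
    out = {"job_started": start_action(job, "print")}
    set_permissions(admin, alice, {"copy"}, subjects)   # revoke print mid-job
    out["kept_during_job"] = "print" in job.permissions
    finish_action(job)
    out["print_after_job"] = start_action(job, "print")
    out["fresh_subject_can_print"] = "print" in bind(alice).permissions
    try:   # a U.NORMAL user attempting the change is refused
        set_permissions(bob, alice, {"print", "copy"}, subjects)
        out["normal_user_changed_attrs"] = True
    except PermissionError:
        out["normal_user_changed_attrs"] = False
    return out


if __name__ == "__main__":
    for key, value in revocation_scenario().items():
        print(f"{key}: {value}")
```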
6.3.6. Class FMT: Security management
6.3.6.1. FMT_MOF.1 (FMT 1) Management of security functions behavior
Hierarchical to: No other components
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security Roles
FMT_MOF.1.1 (FMT 1) The TSF shall restrict the ability to disable and enable the functions [
• Immediate Image Overwrite (IIO),
• Audit Logging,
• Disk Encryption,
• Common Access Card Use]
to [U.ADMINISTRATOR].
6.3.6.2. FMT_MOF.1 (FMT 2) Management of security functions behavior
Hierarchical to: No other components
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security Roles
FMT_MOF.1.1 (FMT 2) The TSF shall restrict the ability to determine the behavior of, disable, enable, and/or modify the behavior of the functions [
• Authentication,
• On Demand Image Overwrite (ODIO),
• Authorization,
• IP Filtering,
• Encryption / decryption (SSL, IPSec, SNMPv3),
• Inactive session timeout]
to [U.ADMINISTRATOR].
6.3.6.3. FMT_MSA.1 (USER) Management of security attributes (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 (USER) The TSF shall enforce the [User Access Control SFP in Table 18] to restrict the ability to change_default, modify, delete, [read] the security attributes [all] to [U.ADMINISTRATOR].
Application Note: This SFR is FMT_MSA.1 (a) from The IEEE Std. 2600.2 PP.
6.3.6.4. FMT_MSA.1 (FUNC) Management of security attributes (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 (FUNC) The TSF shall enforce the [TOE Function Access Control SFP] to restrict the ability to change_default, modify, delete, [read] the security attributes [user access permissions] to [U.ADMINISTRATOR].
Application Note: This SFR is FMT_MSA.1 (b) from The IEEE Std. 2600.2 PP.
6.3.6.5. FMT_MSA.3 (USER) Static attribute initialisation (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1 (USER) The TSF shall enforce the [User Access Control SFP in Table 18] to provide permissive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 (USER) The TSF shall allow the [U.ADMINISTRATOR] to specify alternative initial values to override the default values when an object or information is created.
Application Note: This SFR is FMT_MSA.3 (a) from The IEEE Std. 2600.2 PP.
6.3.6.6. FMT_MSA.3 (FUNC) Static attribute initialisation (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1 (FUNC) The TSF shall enforce the [TOE Function Access Control Policy] to provide permissive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 (FUNC) The TSF shall allow the [U.ADMINISTRATOR] to specify alternative initial values to override the default values when an object or information is created.
Application Note: This SFR is FMT_MSA.3 (b) from The IEEE Std. 2600.2 PP.
6.3.6.7. FMT_MTD.1 (MGMT1) Management of TSF data (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 (MGMT1) The TSF shall restrict the ability to [read (download)] the [audit log] to [U.ADMINISTRATOR].
Application Note: This SFR is part of FMT_MTD.1 from The IEEE Std. 2600.2 PP.
6.3.6.8. FMT_MTD.1 (MGMT2) Management of TSF data (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 (MGMT2) The TSF shall restrict the ability to change_default, modify, delete, [read] the [security attributes of D.DOC and access permissions of U.NORMAL] to [U.ADMINISTRATOR].
Application Note: FMT_MTD.1 (MGMT1) and FMT_MTD.1 (MGMT2) appear as a single requirement in IEEE 2600.2. Because the Common Criteria does not allow for iterating elements, this Security Target has iterated the entire requirement for correctness.
Application Note: This SFR is part of FMT_MTD.1 from The IEEE Std. 2600.2 PP.
6.3.6.9. FMT_MTD.1 (KEY) Management of TSF data (IEEE Std. 2600.2-2009)
Hierarchical to: No other components
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security Roles
FMT_MTD.1.1 (KEY) The TSF shall restrict the ability to modify, delete, [create] the [
• SNMPv3 authentication key,
• SNMPv3 privacy key,
• IPSec Secret Key,
• X.509 Server certificate]
to [U.ADMINISTRATOR].
6.3.6.10. FMT_MTD.1 (FILTER) Management of TSF data (IEEE Std. 2600.2-2009)
Hierarchical to: No other components
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security Roles
FMT_MTD.1.1 (FILTER) The TSF shall restrict the ability to modify, delete, [create, read] the [
• IP filter rules,
• Fax forwarding email addresses]
to [U.ADMINISTRATOR].
6.3.6.11. FMT_SMF.1 Specification of Management Functions (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [
• Enable/disable Immediate Image Overwrite (IIO) [TSF_IOW] (Local User Interfaces);
• Create and Delete User (ID);
• Enable/disable and Configure Common Access Card use (Web User Interface);
• Change System Administrator Password (Web User Interface);
• Set and Change User Local Authentication Password (Web User Interface);
• Invoke ODIO [TSF_IOW] (Web and Local User Interfaces);
• Create a recurrence schedule for “On Demand” image overwrite (Web User Interface);
• Enable/disable audit function (Web User Interface);
• Transfer the audit records (if audit is enabled) to a remote trusted IT product (Web User Interface);
• Configure email addresses for audit exhaustion warnings (Web User Interface);
• Enable/disable SSL (Web User Interface);
• Create/upload/download X.509 certificates (Web User Interface);
• Enable/disable and configure 802.1x (Web User Interface);
• Enable/disable and configure IPSec (Web User Interface);
• Enable/disable and configure SNMPv3 (Web User Interface);
• Configure IP filtering (specify the IP address and/or IP address range, port and port range for remote trusted IT products (presumed) allowed to connect to the TOE via the network interface) (Web User Interface);
• Enable/disable Disk Encryption (Web User Interface);
• Configure network authentication (Web User Interface);
• Configure local device and service authorization (Web User Interface);
• Configure WebUI and Local UI session timeout (Web User Interface);
• Configure Local UI session timeout (Local User Interface);
• Manage received fax jobs and fax mailbox pass codes;
• Enable/disable and configure fax forwarding to email; and,
• Perform Software Self-test (integrity verification of the binary code)].
6.3.6.12. FMT_SMR.1 Security roles (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles [U.ADMINISTRATOR, U.NORMAL, Nobody].
FMT_SMR.1.2 The TSF shall be able to associate users with roles, except for the role “Nobody” to which no user shall be associated.
Application Note: The role “Nobody” cannot be assigned to any user. It is included in FMT_SMR.1.1 only because it has been used as a role in other SFRs. Only users who have been assigned the role “U.ADMINISTRATOR” can exercise management functions of the TOE.
6.3.7. Class FPR: Privacy
There are no Class FPR security functional requirements for this Security Target.
6.3.8. Class FPT: Protection of the TSF
6.3.8.1. FPT_STM.1 Reliable time stamps (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
6.3.8.2. FPT_TST.1 TSF testing (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST.1.1 The TSF shall run a suite of self tests at the conditions: [
• reboot, or
• once the device is turned on after a power failure/unorderly shutdown]
to demonstrate the correct operation of [the following parts of TSF:
• Hard disk Immediate Image Overwrite;
• Fax flash memory Immediate Image Overwrite].
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [the following parts of TSF data:
• Software Module version (configuration data);
• IP Filtering Tables].
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of stored TSF executable code.
6.3.8.3. Class FRU: Resource utilization
There are no Class FRU security functional requirements for this Security Target.
6.3.9. Class FTA: TOE access
6.3.9.1. FTA_SSL.3 TSF-initiated termination (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL.3.1 The TSF shall terminate an interactive session after a [U.ADMINISTRATOR configurable amount of time in the Local UI or on the WebUI].
6.3.10. Class FTP: Trusted paths/channels
6.3.10.1. FTP_ITC.1 Inter-TSF trusted channel (IEEE Std. 2600.2-2009)
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the communicated data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit the TSF, another trusted IT product to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [communication of D.DOC, D.FUNC, D.PROT, and D.CONF over any Shared-medium interface].
6.3.10.2. FTP_TRP.1 (IPSEC) Trusted path (NOTE: IPSec SFP)
Hierarchical to: No other components.
Dependencies: No dependencies
FTP_TRP.1.1 (IPSEC) The TSF shall provide a communication path between itself and remote users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification or disclosure.
FTP_TRP.1.2 (IPSEC) The TSF shall permit remote users to initiate communication via the trusted path.
FTP_TRP.1.3 (IPSEC) The TSF shall require use of the trusted path for [
• Print jobs submitted via lpr or port 9100].
6.3.10.3. FTP_TRP.1 (SSL) Trusted path (NOTE: SSLSec SFP)
Hierarchical to: No other components.
Dependencies: No dependencies
FTP_TRP.1.1 (SSL) The TSF shall provide a communication path between itself and remote users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification or disclosure.
FTP_TRP.1.2 (SSL) The TSF shall permit remote users to initiate communication via the trusted path.
FTP_TRP.1.3 (SSL) The TSF shall require use of the trusted path for [
• Print jobs and LanFax jobs submitted via Web UI,
• the security management functions available to the system administrator from the Web UI].
6.3.10.4. FTP_TRP.1 (SNMP) Trusted path (NOTE: SNMPSec SFP)
Hierarchical to: No other components.
Dependencies: No dependencies
FTP_TRP.1.1 (SNMP) The TSF shall provide a communication path between itself and remote users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification or disclosure.
FTP_TRP.1.2 (SNMP) The TSF shall permit remote users and the TSF to initiate communication via the trusted path.
FTP_TRP.1.3 (SNMP) The TSF shall require use of the trusted path for [SNMP messages].
6.4. TOE Security Assurance Requirements
Table 22 lists the security assurance requirements for “U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2-2009)”, and related SFR packages, EAL2+ augmented with ALC_FLR.3. This Security Target claims conformance with these Security Assurance Requirements; they are not iterated or refined from their counterparts in CC Part 3.
Table 22: IEEE 2600.2 Security Assurance Requirements
Assurance Class: Assurance Components
ADV: Development
  ADV_ARC.1 Security architecture description
  ADV_FSP.2 Security-enforcing functional specification
  ADV_TDS.1 Basic design
AGD: Guidance documents
  AGD_OPE.1 Operational user guidance
  AGD_PRE.1 Preparative procedures
ALC: Life-cycle support
  ALC_CMC.2 Use of a CM system
  ALC_CMS.2 Parts of the TOE CM coverage
  ALC_DEL.1 Delivery procedures
  ALC_FLR.3 Systematic flaw remediation (augmentation of EAL2)
ASE: Security Target evaluation
  ASE_CCL.1 Conformance claims
  ASE_ECD.1 Extended components definition
  ASE_INT.1 ST introduction
  ASE_OBJ.2 Security objectives
  ASE_REQ.2 Derived security requirements
  ASE_SPD.1 Security problem definition
  ASE_TSS.1 TOE summary specification
ATE: Tests
  ATE_COV.1 Evidence of coverage
  ATE_FUN.1 Functional testing
  ATE_IND.2 Independent testing - sample
AVA: Vulnerability assessment
  AVA_VAN.2 Vulnerability analysis
6.5. Explicitly Stated Requirements for the TOE
69

Copyright 2013 Xerox Corporation, All rights reserved
Xerox WorkCentre™ 7755/7765/7775 Security Target
6.5.1.
FPT_FDI_EXP.1 Restricted forwarding of data to external
interfaces (IEEE Std. 2600.2-2009)
Hierarchical to:
No other components.
Dependencies:
FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security Roles
FPT_FDI_EXP.1.1
The TSF shall provide the capability to restrict data received
on [any external Interface] from being forwarded without further
processing by the TSF to [any Shared-medium Interface].
Application Note: IEEE 2600.2 PP Application Note 116 states the following: “The ST
Author can use this SFR to define the roles that are permitted to allow unmediated
transmission between Interfaces. If unmediated transmission is never allowed,
“Nobody” should be instantiated as the “authorized identified roles.” This extended
component, as defined in IEEE 2600.2, does not provide a mechanism for specifying
authorized identified roles. For this reason, the authorized identified role that is not
included in this extended requirement claim should be “Nobody”. Additionally, for this
TOE, the restricted forwarding from the external interfaces to the network controller is an
architectural design feature which cannot be configured; hence the dependencies on
FMT_SMF.1 and FMT_SMR.1 are not met.
6.6. Rationale for Security Functional Requirements
Table 23: Completeness of Security Functional Requirements and Table 24: Sufficiency
of Security Functional Requirements below demonstrate the completeness and
sufficiency of SFRs that fulfill the objectives of the TOE. These tables contain the
original rationale from IEEE Std. 2600.2-2009. Rationales for the SFRs that have been
added to this Security Target, that do not originate in IEEE Std. 2600.2-2009, have been
added to these tables. Bold typeface items provide principal (P) fulfillment of the
objectives, and normal typeface items provide supporting (S) fulfillment.
Table 23: Completeness of Security Functional Requirements
(rows: SFRs; columns: Objectives; P = principal fulfillment, S = supporting fulfillment)
SFRs (rows): FAU_GEN.1, FAU_GEN.2, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4, FCS_CKM.1 (SSL), FCS_CKM.2 (SSL 1), FCS_CKM.2 (SSL 2), FCS_COP.1 (SSL), FCS_CKM.1 (IPSEC), FCS_COP.1 (IPSEC 1), FCS_COP.1 (IPSEC 2), FCS_CKM.1 (SNMP), FCS_COP.1 (SNMP), FCS_CKM.1 (UDE), FCS_COP.1 (UDE), FCS_CKM.4, FDP_ACC.1 (USER), FDP_ACC.1 (FUNC), FDP_ACC.1 (MGMT), FDP_ACF.1 (USER), FDP_ACF.1 (FUNC), FDP_ACF.1 (MGMT), FDP_IFC.1 (FILTER), FDP_IFF.1 (FILTER), FDP_RIP.1 (IOW 1), FDP_RIP.1 (IOW 2), FDP_UCT.1 (IPSEC), FDP_UIT.1 (IPSEC), FDP_UCT.1 (SSL), FDP_UIT.1 (SSL), FDP_UCT.1 (SNMP), FDP_UIT.1 (SNMP), FIA_ATD.1, FIA_UAU.2, FIA_UAU.7, FIA_UID.2, FIA_USB.1, FMT_MOF.1 (FMT 1), FMT_MOF.1 (FMT 2), FMT_MSA.1 (USER), FMT_MSA.1 (FUNC), FMT_MSA.3 (USER), FMT_MSA.3 (FUNC), FMT_MTD.1 (MGMT1), FMT_MTD.1 (MGMT2), FMT_MTD.1 (FILTER), FMT_MTD.1 (KEY), FMT_SMF.1, FMT_SMR.1, FPT_STM.1, FPT_TST.1, FPT_FDI_EXP.1, FTA_SSL.3, FTP_ITC.1, FTP_TRP.1 (IPSEC), FTP_TRP.1 (SSL), FTP_TRP.1 (SNMP)
Objectives (columns): O.AUDIT_STORAGE.PROTECTED, O.AUDIT_ACCESS.AUTHORIZED, O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT, O.USER.AUTHORIZED, O.INTERFACE.MANAGED, O.SOFTWARE.VERIFIED, O.AUDIT.LOGGED
[The P/S cell markings of this matrix are not reproduced in this text rendering; Table 24 lists the SFRs mapped to each objective.]
Table 24: Sufficiency of Security Functional Requirements

Objectives: O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT
Description: Protection of User Data from unauthorized disclosure or alteration
SFRs and Purpose:
    FCS_CKM.1 (IPSEC): Supports protection by providing cryptographic keys for IPSEC.
    FCS_COP.1 (IPSEC 1), FCS_COP.1 (IPSEC 2): Supports protection by providing cryptographic operations for IPSEC.
    FCS_CKM.1 (UDE): Supports protection by providing cryptographic keys for disk encryption.
    FCS_COP.1 (UDE): Supports protection by providing cryptographic operations for disk encryption.
    FDP_ACC.1 (USER): Enforces protection by establishing an access control policy.
    FDP_ACF.1 (USER): Supports access control policy by providing access control function.
    FDP_UCT.1 (IPSEC): Supports protection by providing confidentiality for print jobs.
    FDP_UIT.1 (IPSEC): Supports protection by providing integrity for print jobs.
    FIA_UID.2: Supports access control and security roles by requiring user identification.
    FMT_MSA.1 (USER): Supports access control function by enforcing control of security attributes.
    FMT_MSA.3 (USER): Supports access control function by enforcing control of security attribute defaults.
    FMT_SMF.1: Supports control of security attributes by requiring functions to control attributes.
    FMT_SMR.1: Supports control of security attributes by requiring security roles.
    FTP_TRP.1 (IPSEC): Supports protection by providing a trusted communications path.

Objective: O.DOC.NO_DIS
Description: Protection of User Document Data from unauthorized disclosure
SFRs and Purpose:
    FDP_RIP.1 (all): Enforces protection by making residual data unavailable.

Objectives: O.CONF.NO_DIS, O.PROT.NO_ALT, O.CONF.NO_ALT
Description: Protection of TSF Data from unauthorized disclosure or alteration
SFRs and Purpose:
    FCS_CKM.1 (SNMP): Supports protection by providing cryptographic keys for SNMP.
    FCS_COP.1 (SNMP): Supports protection by providing cryptographic operations for SNMP.
    FDP_ACC.1 (MGMT): Supports protection by limiting user access to administrative functions.
    FDP_ACF.1 (MGMT): Supports protection by limiting user access to administrative functions.
    FDP_UCT.1 (SNMP): Supports protection by providing confidentiality of SNMP data.
    FDP_UIT.1 (SNMP): Supports protection by providing integrity of SNMP data.
    FIA_UID.2: Supports access control and security roles by requiring user identification.
    FMT_MTD.1 (MGMT1), FMT_MTD.1 (MGMT2), FMT_MTD.1 (KEY), FMT_MTD.1 (FILTER): Enforces protection by restricting access.
    FMT_SMF.1: Supports control of security attributes by requiring functions to control attributes.
    FMT_SMR.1: Supports control of security attributes by requiring security roles.
    FTP_TRP.1 (SNMP): Supports protection by providing a trusted communications path.

Objective: O.USER.AUTHORIZED
Description: Authorization of Normal Users and Administrators to use the TOE
SFRs and Purpose:
    FDP_ACC.1 (FUNC): Enforces authorization by establishing an access control policy.
    FDP_ACF.1 (FUNC): Supports access control policy by providing access control function.
    FIA_ATD.1: Supports authorization by associating security attributes with users.
    FIA_UAU.2: Enforces authorization by requiring user authentication.
    FIA_UAU.7: Supports authorization by protecting passwords.
    FIA_UID.2: Enforces authorization by requiring user identification.
    FIA_USB.1: Enforces authorization by distinguishing subject security attributes associated with user roles.
    FMT_MOF.1 (FMT 1), FMT_MOF.1 (FMT 2): Supports authorization by restricting management actions to administrators.
    FMT_MSA.1 (FUNC): Supports access control function by enforcing control of security attributes.
    FMT_MSA.3 (FUNC): Supports access control function by enforcing control of security attribute defaults.
    FMT_SMR.1: Supports authorization by requiring security roles.
    FTA_SSL.3: Enforces authorization by terminating inactive sessions.

Objective: O.INTERFACE.MANAGED
Description: Management of external interfaces
SFRs and Purpose:
    FDP_IFC.1 (FILTER): Enforces management of external interfaces by establishing an information flow policy for the network and fax interfaces.
    FDP_IFF.1 (FILTER): Supports management of external interfaces by enforcing information flow rules on the network and fax interfaces.
    FIA_UAU.2: Enforces management of external interfaces by requiring user authentication.
    FIA_UID.2: Enforces management of external interfaces by requiring user identification.
    FMT_MOF.1 (FMT 1), FMT_MOF.1 (FMT 2): Supports management of external interfaces by providing management functionality.
    FTA_SSL.3: Enforces management of external interfaces by terminating inactive sessions.
    FPT_FDI_EXP.1: Enforces management of external interfaces by requiring (as needed) administrator control of data transmission from external Interfaces to Shared-medium Interfaces.

Objective: O.SOFTWARE.VERIFIED
Description: Verification of software integrity
SFRs and Purpose:
    FPT_TST.1: Enforces verification of software by requiring self tests.

Objective: O.AUDIT.LOGGED
Description: Logging and authorized access to audit events
SFRs and Purpose:
    FAU_GEN.1: Enforces audit policies by requiring logging of relevant events.
    FAU_GEN.2: Enforces audit policies by requiring logging of information associated with audited events.
    FIA_UID.2: Supports audit policies by associating user identity with events.
    FMT_MOF.1 (FMT 1): Enforces audit policies by enabling logging of relevant events.
    FMT_SMF.1: Supports audit policies by requiring functions to enable logging of relevant events.
    FPT_STM.1: Supports audit policies by requiring time stamps associated with events.

Objectives: O.AUDIT_STORAGE.PROTECTED, O.AUDIT_ACCESS.AUTHORIZED
Description: Logging and authorized access to audit events
SFRs and Purpose:
    FAU_GEN.1: Enforces audit policies by requiring logging of relevant events.
    FAU_GEN.2: Enforces audit policies by requiring logging of information associated with audited events.
    FAU_SAR.1: Enforces audit policies by giving the administrator a way to read the logs that are collected.
    FAU_SAR.2: Enforces the audit policies by preventing unauthorized users from reading the logs.
    FAU_STG.1: Enforces the audit policies by preventing unauthorized modification or deletion.
    FAU_STG.4: Enforces the audit policies by preventing loss of newer audit trail data.
    FIA_UID.2: Supports audit policies by requiring user identification.
    FPT_STM.1: Supports audit policies by requiring time stamps associated with events.

Objective: O.AUDIT_ACCESS.AUTHORIZED
Description: Authorized access to audit events
SFRs and Purpose:
    FIA_USB.1: Supports authorization by distinguishing subject security attributes associated with user roles.
    FMT_MOF.1 (FMT 1), FMT_MOF.1 (FMT 2): Supports audit policies by restricting management actions to administrators.
    FMT_MTD.1 (MGMT1): Enforces protection by restricting access to the audit records.
    FMT_SMF.1: Supports audit policies by requiring functions to enable access to the audit records.

Objectives: O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT, O.PROT.NO_ALT, O.CONF.NO_DIS, O.CONF.NO_ALT
Description: Protection of User and TSF Data from unauthorized disclosure or alteration
SFRs and Purpose:
    FCS_CKM.1 (SSL): Supports protection by generating cryptographic keys for SSL.
    FCS_CKM.2 (SSL 1), FCS_CKM.2 (SSL 2): Supports protection by distributing cryptographic keys for SSL.
    FCS_COP.1 (SSL): Supports protection by providing cryptographic operations for SSL.
    FCS_CKM.4: Supports protection by providing cryptographic key destruction.
    FDP_UCT.1 (SSL): Supports protection by providing confidentiality of transmitted data and functions.
    FDP_UIT.1 (SSL): Supports protection by providing integrity of transmitted data and functions.
    FMT_MOF.1 (FMT 1), FMT_MOF.1 (FMT 2): Supports protection by restricting management actions to administrators.
    FTP_ITC.1: Enforces protection by requiring the use of trusted channels for communication of data over Shared-medium Interfaces.
    FTP_TRP.1 (SSL): Supports protection by providing a trusted communications path.
6.7. Rationale for Security Assurance Requirements
This Security Target has been developed using the “U.S. Government Protection Profile
for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2-2009)” and related SFR packages,
EAL2+ augmented with ALC_FLR.2, which was created to describe Hardcopy Devices
used in commercial information processing environments that require a relatively high
level of document security, operational accountability and information assurance. The
TOE environment will be exposed to only a low level of risk because it is assumed that
the TOE will be located in a restricted or monitored environment that provides almost
constant protection from unauthorized and unmanaged access to the TOE and its data
interfaces. Agents cannot physically access any nonvolatile storage without
disassembling the TOE. Agents have limited or no means of infiltrating the TOE with
code to effect a change, and the TOE self-verifies its executable code to detect
unintentional malfunctions. As such, Evaluation Assurance Level 2 is appropriate.
While IEEE Std. 2600.2-2009 augments EAL2 with ALC_FLR.2, Flaw reporting
procedures, this ST augments EAL2 with ALC_FLR.3, Systematic flaw remediation.
ALC_FLR.3 is hierarchical to ALC_FLR.2 and encompasses all requirements of
ALC_FLR.2 plus some additional requirements. ALC_FLR.3 ensures that instructions
and procedures for the reporting and remediation of identified security flaws are in place
and their inclusion is expected by the consumers of this TOE, and that consumers of
this TOE are automatically notified of flaws and changes to the TOE.
6.8. Rationale for Dependencies
6.8.1. Security Functional Requirement Dependencies
Table 25: SFR Dependencies Satisfied is a cross-reference of the functional
components, their related dependencies, and whether the dependency was satisfied.
Table 25: SFR Dependencies Satisfied
Functional Component ID | Dependency (ies) | Satisfied
FAU_GEN.1 | FPT_STM.1 | Yes
FAU_GEN.2 | FAU_GEN.1 | Yes
FAU_GEN.2 | FIA_UID.1 | Yes, hierarchically by FIA_UID.2
FAU_SAR.1 | FAU_GEN.1 | Yes
FAU_SAR.2 | FAU_SAR.1 | Yes
FAU_STG.1 | FAU_GEN.1 | Yes
FAU_STG.4 | FAU_STG.1 | Yes
FCS_CKM.1 (SSL) | FCS_CKM.2 or FCS_COP.1 | Yes, FCS_CKM.2 (SSL 1), FCS_CKM.2 (SSL 2) and FCS_COP.1 (SSL)
FCS_CKM.1 (SSL) | FCS_CKM.4 | Yes
FCS_CKM.2 (SSL 1) | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 | Yes, FCS_CKM.1 (SSL)
FCS_CKM.2 (SSL 1) | FCS_CKM.4 | Yes
FCS_CKM.2 (SSL 2) | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 | Yes, FCS_CKM.1 (SSL)
FCS_CKM.2 (SSL 2) | FCS_CKM.4 | Yes
FCS_COP.1 (SSL) | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 | Yes, FCS_CKM.1 (SSL)
FCS_COP.1 (SSL) | FCS_CKM.4 | Yes
FCS_CKM.1 (IPSEC) | FCS_CKM.2 or FCS_COP.1 | Yes, FCS_COP.1 (IPSEC)
FCS_CKM.1 (IPSEC) | FCS_CKM.4 | Yes
FCS_COP.1 (IPSEC 1) | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 | Yes, FCS_CKM.1 (IPSEC)
FCS_COP.1 (IPSEC 1) | FCS_CKM.4 | Yes
FCS_COP.1 (IPSEC 2) | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 | Yes, FCS_CKM.1 (IPSEC)
FCS_COP.1 (IPSEC 2) | FCS_CKM.4 | Yes
FCS_CKM.1 (SNMP) | FCS_CKM.2 or FCS_COP.1 | Yes, FCS_COP.1 (SNMP)
FCS_CKM.1 (SNMP) | FCS_CKM.4 | Yes
FCS_COP.1 (SNMP) | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 | Yes, FCS_CKM.1 (SNMP)
FCS_COP.1 (SNMP) | FCS_CKM.4 | Yes
FCS_CKM.1 (UDE) | FCS_CKM.2 or FCS_COP.1 | Yes, FCS_COP.1 (UDE)
FCS_CKM.1 (UDE) | FCS_CKM.4 | Yes
FCS_COP.1 (UDE) | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 | Yes, FCS_CKM.1 (UDE)
FCS_COP.1 (UDE) | FCS_CKM.4 | Yes
FCS_CKM.4 | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 | Yes, FCS_CKM.1 (SSL) (IPSEC) (SNMP) (UDE)
FDP_ACC.1 (USER) | FDP_ACF.1 | Yes, FDP_ACF.1 (USER)
FDP_ACC.1 (FUNC) | FDP_ACF.1 | Yes, FDP_ACF.1 (FUNC)
FDP_ACC.1 (MGMT) | FDP_ACF.1 | Yes, FDP_ACF.1 (MGMT)
FDP_ACF.1 (USER) | FDP_ACC.1 | Yes, FDP_ACC.1 (USER)
FDP_ACF.1 (USER) | FMT_MSA.3 | Yes, FMT_MSA.3 (USER)
FDP_ACF.1 (FUNC) | FDP_ACC.1 | Yes, FDP_ACC.1 (FUNC)
FDP_ACF.1 (FUNC) | FMT_MSA.3 | Yes, FMT_MSA.3 (FUNC)
FDP_ACF.1 (MGMT) | FDP_ACC.1 | Yes, FDP_ACC.1 (MGMT)
FDP_ACF.1 (MGMT) | FMT_MSA.3 | No [13]
FDP_IFC.1 (FILTER) | FDP_IFF.1 | Yes, FDP_IFF.1 (FILTER)
FDP_IFF.1 (FILTER) | FDP_IFC.1 | Yes, FDP_IFC.1 (FILTER)
FDP_IFF.1 (FILTER) | FMT_MSA.3 | No [14]
FDP_RIP.1 (IOW 1) | None |
FDP_RIP.1 (IOW 2) | None |
FDP_UCT.1 (IPSEC) | FTP_ITC.1 or FTP_TRP.1 | Yes, FTP_TRP.1 (IPSEC)
FDP_UCT.1 (IPSEC) | FDP_ACC.1 or FDP_IFC.1 | Yes, FDP_ACC.1 (FUNC)
FDP_UCT.1 (SSL) | FTP_ITC.1 or FTP_TRP.1 | Yes, FTP_TRP.1 (SSL)
FDP_UCT.1 (SSL) | FDP_ACC.1 or FDP_IFC.1 | Yes, FDP_ACC.1 (FUNC)
FDP_UCT.1 (SNMP) | FTP_ITC.1 or FTP_TRP.1 | Yes, FTP_TRP.1 (SNMP)
FDP_UCT.1 (SNMP) | FDP_ACC.1 or FDP_IFC.1 | Yes, FDP_ACC.1 (FUNC)
FDP_UIT.1 (IPSEC) | FDP_ACC.1 or FDP_IFC.1 | Yes, FDP_ACC.1 (FUNC)
FDP_UIT.1 (IPSEC) | FTP_ITC.1 or FTP_TRP.1 | Yes, FTP_TRP.1 (IPSEC)
FDP_UIT.1 (SSL) | FDP_ACC.1 or FDP_IFC.1 | Yes, FDP_ACC.1 (FUNC)
FDP_UIT.1 (SSL) | FTP_ITC.1 or FTP_TRP.1 | Yes, FTP_TRP.1 (SSL)
FDP_UIT.1 (SNMP) | FDP_ACC.1 or FDP_IFC.1 | Yes, FDP_ACC.1 (FUNC)
FDP_UIT.1 (SNMP) | FTP_ITC.1 or FTP_TRP.1 | Yes, FTP_TRP.1 (SNMP)
FIA_ATD.1 | None |
FIA_UAU.2 | FIA_UID.1 | Yes, hierarchically by FIA_UID.2
FIA_UAU.7 | FIA_UAU.1 | Yes, hierarchically by FIA_UAU.2
FIA_UID.2 | None |
FIA_USB.1 | FIA_ATD.1 | Yes
FMT_MOF.1 (FMT 1) | FMT_SMF.1 | Yes
FMT_MOF.1 (FMT 1) | FMT_SMR.1 | Yes
FMT_MOF.1 (FMT 2) | FMT_SMF.1 | Yes
FMT_MOF.1 (FMT 2) | FMT_SMR.1 | Yes
FMT_MSA.1 (USER) | FDP_ACC.1 or FDP_IFC.1 | FDP_ACC.1 (USER)
FMT_MSA.1 (USER) | FMT_SMF.1 | Yes
FMT_MSA.1 (USER) | FMT_SMR.1 | Yes
FMT_MSA.1 (FUNC) | FDP_ACC.1 or FDP_IFC.1 | FDP_ACC.1 (FUNC)
FMT_MSA.1 (FUNC) | FMT_SMF.1 | Yes
FMT_MSA.1 (FUNC) | FMT_SMR.1 | Yes
FMT_MSA.3 (USER) | FMT_MSA.1 | Yes, FMT_MSA.1 (USER)
FMT_MSA.3 (USER) | FMT_SMR.1 | Yes
FMT_MSA.3 (FUNC) | FMT_MSA.1 | Yes, FMT_MSA.1 (FUNC)
FMT_MSA.3 (FUNC) | FMT_SMR.1 | Yes
FMT_MTD.1 (MGMT1) | FMT_SMF.1 | Yes
FMT_MTD.1 (MGMT1) | FMT_SMR.1 | Yes
FMT_MTD.1 (MGMT2) | FMT_SMF.1 | Yes
FMT_MTD.1 (MGMT2) | FMT_SMR.1 | Yes
FMT_MTD.1 (FILTER) | FMT_SMF.1 | Yes
FMT_MTD.1 (FILTER) | FMT_SMR.1 | Yes
FMT_MTD.1 (KEY) | FMT_SMF.1 | Yes
FMT_MTD.1 (KEY) | FMT_SMR.1 | Yes
FMT_SMF.1 | None |
FMT_SMR.1 | FIA_UID.1 | Yes, hierarchically by FIA_UID.2
FPT_STM.1 | None |
FPT_TST.1 | None |
FPT_FDI_EXP.1 | FMT_SMF.1 | No [15]
FPT_FDI_EXP.1 | FMT_SMR.1 | No [16]
FTA_SSL.3 | None |
FTP_ITC.1 | None |
FTP_TRP.1 (IPSEC) | None |
FTP_TRP.1 (SSL) | None |
FTP_TRP.1 (SNMP) | None |

[13] The dependency of FDP_ACF.1 (MGMT) on FMT_MSA.3 is not met because none of these functions support “a) managing the group of roles that can specify initial values; b) managing the permissive or restrictive setting of default values for a given access control SFP; c) management of rules by which security attributes inherit specified values.” (CC Part 2 Page 106). The TOE does not give system administrators the option of managing or specifying default role values, permissive or otherwise, for the creation of user accounts. It is for these reasons that the dependencies on FMT_MSA.3 are not and cannot be expected to be met.
[14] The dependency of FDP_IFF.1 (FILTER) on FMT_MSA.3 is not met because none of these functions support “a) managing the group of roles that can specify initial values; b) managing the permissive or restrictive setting of default values for a given access control SFP; c) management of rules by which security attributes inherit specified values.” (CC Part 2 Page 106). The TOE does not give system administrators the option of specifying default values, permissive or otherwise. In fact, these features are configured and, with the exception of IP Filter rules, cannot be modified by the system administrator other than to enable or disable them. It is for these reasons that the dependency on FMT_MSA.3 is not and cannot be expected to be met.
[15] For this TOE, the restricted forwarding from the external interfaces to the network controller is an architectural design feature which cannot be configured; hence the dependency on FMT_SMF.1 is not met.
[16] For this TOE, the restricted forwarding from the external interfaces to the network controller is an architectural design feature which cannot be configured; hence the dependencies on FMT_SMF.1 and FMT_SMR.1 are not met.

6.8.2. Security Assurance Requirement Dependencies
SAR dependencies identified in the CC have been met by this ST as shown in Table 26.
Table 26: EAL2 (Augmented with ALC_FLR.3) SAR Dependencies Satisfied
Assurance Component ID | Dependencies | Satisfied
ADV_ARC.1 | ADV_FSP.1 | Yes, hierarchically
ADV_ARC.1 | ADV_TDS.1 | Yes
ADV_FSP.2 | ADV_TDS.1 | Yes
ADV_TDS.1 | ADV_FSP.2 | Yes
AGD_OPE.1 | ADV_FSP.1 | Yes, hierarchically
AGD_PRE.1 | None |
ALC_CMC.2 | ALC_CMS.1 | Yes, hierarchically
ALC_CMS.2 | None |
ALC_DEL.1 | None |
ALC_FLR.3 | None |
ASE_CCL.1 | ASE_ECD.1 | Yes
ASE_CCL.1 | ASE_INT.1 | Yes
ASE_CCL.1 | ASE_REQ.1 | Yes, hierarchically
ASE_ECD.1 | None |
ASE_INT.1 | None |
ASE_OBJ.2 | ASE_SPD.1 | Yes
ASE_REQ.2 | ASE_ECD.1 | Yes
ASE_REQ.2 | ASE_OBJ.2 | Yes
ASE_SPD.1 | None |
ASE_TSS.1 | ADV_FSP.1 | Yes, hierarchically
ASE_TSS.1 | ASE_INT.1 | Yes
ASE_TSS.1 | ASE_REQ.1 | Yes, hierarchically
ATE_COV.1 | ADV_FSP.2 | Yes
ATE_COV.1 | ATE_FUN.1 | Yes
ATE_FUN.1 | ATE_COV.1 | Yes
ATE_IND.2 | ADV_FSP.2 | Yes
ATE_IND.2 | AGD_OPE.1 | Yes
ATE_IND.2 | AGD_PRE.1 | Yes
ATE_IND.2 | ATE_COV.1 | Yes
ATE_IND.2 | ATE_FUN.1 | Yes
AVA_VAN.2 | ADV_ARC.1 | Yes
AVA_VAN.2 | ADV_FSP.2 | Yes
AVA_VAN.2 | ADV_TDS.1 | Yes
AVA_VAN.2 | AGD_OPE.1 | Yes
AVA_VAN.2 | AGD_PRE.1 | Yes
7. TOE SUMMARY SPECIFICATION
This section presents an overview of the security functions implemented by the TOE.
7.1. TOE Security Functions
This section presents the security functions performed by the TOE to satisfy the
identified SFRs in Sections 6.3 and 6.5. For reference, the TOE architecture is depicted
in Figure 1.
The TOE security functions are:
Image Overwrite (TSF_IOW)
Information Flow Security (TSF_FLOW)
System Authentication (TSF_AUT)
Network Identification (TSF_NET_ID)
Security Audit (TSF_FAU)
Cryptographic Support (TSF_FCS)
User Data Protection – SSL (TSF_FDP_SSL)
User Data Protection – IP Filtering (TSF_FDP_FILTER)
User Data Protection – IPSec (TSF_FDP_IPSec)
Network Management Security (TSF_NET_MGMT)
Security Management (TSF_FMT)
User Data Protection - Disk Encryption (TSF_FDP_UDE)
7.1.1. Image Overwrite (TSF_IOW)
FDP_RIP.1 (IOW 1), FDP_RIP.1 (IOW 2)
The TOE implements an image overwrite security function to overwrite all temporary
files created during processing of jobs, files (images) of completed or deleted jobs or
any files that are deleted [17].
The network controller spools and processes documents to be printed or scanned.
Temporary files are created as a result of this processing on a reserved section of the
hard disk drive. The definition of this reserved section is statically stored within the TOE
and cannot be manipulated. Immediately after the job has completed, the files are
overwritten, and this is called Immediate Image Overwrite (IIO).
[17] Files are stored inside mailboxes. They may be deleted by their owner through individual file deletions or deletion of the mailbox.
The embedded fax card buffers incoming and outgoing fax images in flash memory.
Immediately after an embedded fax job has completed, the files are overwritten.
The TOE automatically starts an IIO procedure for all abnormally terminated copy, print
or scan jobs stored on the HDD and fax jobs on the fax card flash memory prior to
coming “on line” when any of the following occurs: a reboot, or the MFD being turned
back on after a power failure or disorderly shutdown.
The image overwrite security function can also be invoked manually (on demand) by the
system administrator (ODIO). Once invoked, the ODIO cancels all print and scan jobs,
halts the printer interface (network), performs the overwrites, and then the network
controller reboots. A scheduling function allows ODIO to be executed on a recurring
basis as set up by the System Administrator.
A standard On Demand Image Overwrite (ODIO) overwrites all files written to temporary
storage areas of the HDD(s) and the temporary storage area of the Fax card flash
memory. A full ODIO overwrites those files as well as the Fax mailbox/dial directory (in
Fax card flash memory), and Scan to mailbox data.
An ODIO cannot be aborted from either the WebUI or Local UI.
TSF_IOW overwrites the contents of the reserved section on the hard disk using a three
pass overwrite procedure. It overwrites the contents of the embedded fax card flash
memory using a single-pass zeroization method.
For example, LanFax jobs are overwritten (using three pass overwrite) on the shared
hard disk after the image is transferred from the Network Controller to Copy Controller,
and zeroized on the fax card flash memory once the image has been sent.
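The IIO, ODIO and LanFax behaviour described in this subsection, modelled as an added Python example that is not Xerox code: the area offsets and sizes, the three HDD overwrite patterns and the job layout are assumptions, since the ST does not publish them.

```python
# Constructed model of TSF_IOW. Every offset, size and pattern below is an
# assumption for illustration; the real TOE fixes its reserved section in
# firmware and does not document the pass patterns.
HDD_PASSES = (b"\x00", b"\xff", b"\xa5")   # three-pass overwrite (patterns assumed)
FLASH_PASSES = (b"\x00",)                  # single-pass zeroization of fax flash

# Static layout: area name -> (offset, length, overwrite passes)
AREAS = {
    "fax_flash": (0x0000, 0x0800, FLASH_PASSES),   # fax card image buffer
    "hdd_spool": (0x1000, 0x4000, HDD_PASSES),     # reserved spool section on the HDD
}


class OverwritingStore:
    """Byte-addressable store whose temporary areas are overwritten after use."""

    def __init__(self, size=0x5000, areas=AREAS):
        self.buf = bytearray(size)
        self.areas = dict(areas)
        # next free byte in each reserved area (simple bump allocator)
        self.cursor = {name: off for name, (off, _, _) in self.areas.items()}
        self.jobs = {}                      # job id -> (area, offset, length)

    def _overwrite(self, offset, length, passes):
        """Write every pattern over the region in turn; return the pass count."""
        for pattern in passes:
            self.buf[offset:offset + length] = pattern * length
        return len(passes)

    def spool(self, area, job_id, data):
        """Place a job image inside the named reserved area; return its offset."""
        base, length, _ = self.areas[area]
        off = self.cursor[area]
        if off + len(data) > base + length:          # never write outside the section
            raise ValueError(f"reserved section {area!r} is full")
        self.buf[off:off + len(data)] = data
        self.jobs[job_id] = (area, off, len(data))
        self.cursor[area] = off + len(data)
        return off

    def complete_job(self, job_id):
        """Immediate Image Overwrite: scrub the job's file as soon as it finishes."""
        area, off, length = self.jobs.pop(job_id)
        return self._overwrite(off, length, self.areas[area][2])

    def on_demand_overwrite(self):
        """ODIO: cancel outstanding jobs and scrub every reserved area in full."""
        self.jobs.clear()
        passes_done = {}
        for name, (off, length, passes) in self.areas.items():
            passes_done[name] = self._overwrite(off, length, passes)
            self.cursor[name] = off
        return passes_done

    def read(self, offset, length):
        return bytes(self.buf[offset:offset + length])


def lanfax_job(store, job_id, image):
    """LanFax flow from the text: the image is spooled on the shared HDD and
    buffered in fax flash; each copy is scrubbed with its area's pass count."""
    hdd_off = store.spool("hdd_spool", job_id + ":hdd", image)
    fax_off = store.spool("fax_flash", job_id + ":fax", image)
    hdd_passes = store.complete_job(job_id + ":hdd")
    fax_passes = store.complete_job(job_id + ":fax")
    return (hdd_off, hdd_passes), (fax_off, fax_passes)


if __name__ == "__main__":
    store = OverwritingStore()
    off = store.spool("hdd_spool", "print-1", b"PCL job payload " * 4)
    print("HDD passes:", store.complete_job("print-1"), store.read(off, 8))
    print("LanFax:", lanfax_job(store, "lanfax-1", b"\x42" * 32))
    print("ODIO:", store.on_demand_overwrite())
```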
7.1.2. Information Flow Security (TSF_FLOW)
FPT_FDI_EXP.1
The only physical Shared-medium interface of the TOE is the Ethernet port directly
controlled by the network controller software.
The TOE controls and restricts the data/information flow from the Local User Interface
(LUI), document scanner and document feeder to the network controller software (which
covers the information flow to and from the internal network). All data and/or commands
received from these interfaces are processed and in most cases transformed by the
copy controller before being submitted to the network controller. The network controller
further processes the data before sending them to the internal network.
The TOE provides separation between the optional FAX processing board and the
network interface and therefore prevents an interconnection between the PSTN and the
internal network. This separation is realized in software as the network process has no
method or API with which to directly connect to the FAX processing board without the
use of the copy process as an intermediary. All internal command calls (API) and
response messages for both the Network Controller process and the FAX software
process are statically defined within the TOE. No user or system administrator is able to
change their formats or functionalities.
The Fax software runs two independent processes, for sending and receiving job data
through the fax card respectively. There is no internal communication between these
two processes.
The same job data will never be active on both the fax interface and network interface at the
same time. For network interface to fax interface (LanFax) jobs, the entire job must be received
as an image and buffered in memory before it is sent out through the fax interface. Likewise, for
fax interface to network interface (fax forwarding to email) jobs, the entire job must be received
from the fax interface and buffered in controller memory before it is transformed by the copy
controller process into an email attachment and sent out through the network interface.
7.1.3. Authentication (TSF_AUT)
FIA_ATD.1, FIA_UAU.2, FIA_UAU.7, FIA_UID.2, FIA_USB.1, FMT_SMR.1,
FTA_SSL.3
A user must authenticate by entering a username and password prior to being granted
access to the Local UI or the Web UI. While the user is typing the password, the TOE
obscures [18] each character entered.
Upon successful authentication, users are granted access based on their role and
predefined privileges. Only a system administrator is allowed full access to the TOE
including all the system administration functions. Each common user’s access is
determined by which function (copy, scan, print, fax etc.) they have permission for.
If configured for local authentication, the system requires the system administrator to
enter a username and password for each user. The system will authenticate the user
against an internal database.
By default, the Local UI will terminate any session that has been inactive for 60 minutes.
By default, the Web UI will terminate any session that has been inactive for 15 minutes.
The system administrator can configure both the Local UI and Web UI session timeouts
to terminate an inactive session after some other period of time.
7.1.4. Network Identification (TSF_NET_ID)
FIA_UAU.2, FIA_UAU.7, FIA_UID.2, FIA_USB.1, FMT_SMR.1, FTA_SSL.3
As an alternative to TSF_AUT, the TOE allows user name and password for a user to
be validated by a designated authentication server (a trusted remote IT entity). The user
is not required to login to the network; account information entered at Local UI or Web
UI of the TOE is authenticated at the server instead of the TOE. The remote
authentication services supported by the TOE in the evaluated configuration are: CAC
authentication, LDAP v4, Kerberos v5 (Solaris) and Kerberos v5 (Windows 2000/2003).
When a user authenticates using the CAC method, a PIN is used instead of a
password. The PIN is authenticated by the CAC.
[18] The LUI obscures input with the asterisk character. The specific character used to obscure input at the WebUI is browser dependent.
The TOE maintains the username from a successful authentication during the context of
the job, and this value is entered into the audit log as the user name.
By default, the Local UI will terminate any session that has been inactive for 60 minutes.
By default, the Web UI will terminate any session that has been inactive for 15 minutes.
The system administrator can configure both the Local UI and Web UI session timeouts
to terminate an inactive session after some other period of time.
7.1.5. Security Audit (TSF_FAU)
FAU_GEN.1, FAU_GEN.2, FAU_SAR.1, FAU_SAR.2, FAU_STG.1, FAU_STG.4,
FMT_MTD.1 (MGMT1), FPT_STM.1
The TOE generates audit logs that track events/actions (e.g., print/scan/fax job
submission) to logged-in users, and each log entry contains a timestamp. The audit
logs are only available to TOE administrators and can be downloaded via the web
interface for viewing and analysis.
The audit log tracks user identification and authentication, session timeout, system
administrator actions, and failure of trusted channels. By adopting a policy of regularly
downloading and saving the audit logs, users can satisfy the tracking requirements for
transmission of data outside of the local environment, as required by such legislation as
HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, etc.
The Web UI presents the only access to the audit log; the audit log is not viewable from
the Local UI. The system administrator must be logged in to download the audit log.
The TOE can store a maximum of 15,000 audit log entries. The TOE overwrites the oldest
events first if the maximum is reached. When the TOE reaches 13,500 entries (90% full)
an email warning is sent to a set of administrator-defined email addresses. Subsequent
warnings will be emailed after every 15,000 entries if the audit log has not been cleared.
Application Note: For print and LanFax jobs not submitted from the web UI, the
network username associated with the logged in user at the client workstation will be
recorded in the audit log.
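The audit-trail capacity, oldest-first overwrite, warning schedule and administrator-only download described above, as an added Python example that is not part of the ST or of the Xerox firmware; the entry fields, the recipient address and the role name are assumptions.

```python
from collections import deque
from datetime import datetime, timezone

MAX_ENTRIES = 15_000                     # audit trail capacity stated in the ST
WARN_AT = int(MAX_ENTRIES * 0.9)         # 13,500 entries: the "90% full" warning
WARN_EVERY = 15_000                      # further warnings every 15,000 entries


class AuditLog:
    """Bounded audit trail: oldest-first overwrite, fill warnings, admin-only read.

    Entry fields and the role string are assumptions made for this example."""

    def __init__(self, warning_recipients, clock=None):
        self.entries = deque(maxlen=MAX_ENTRIES)       # FAU_STG.4: drop oldest first
        self.recipients = tuple(warning_recipients)    # administrator-defined addresses
        self.clock = clock or (lambda: datetime.now(timezone.utc))  # FPT_STM.1
        self.count = 0            # entries recorded since the log was last cleared
        self.next_warning = WARN_AT
        self.outbox = []          # (entry count, recipients) of warnings to be emailed

    def record(self, user, event, outcome="success"):
        """FAU_GEN.1/FAU_GEN.2: log an event with timestamp, user identity and outcome."""
        self.count += 1
        self.entries.append({"seq": self.count, "time": self.clock(),
                             "user": user, "event": event, "outcome": outcome})
        # Warn at 13,500 and then every 15,000 further entries until cleared.
        if self.count == self.next_warning:
            self.outbox.append((self.count, self.recipients))
            self.next_warning += WARN_EVERY
        return self.count

    def clear(self):
        """Clearing the log restarts the warning schedule."""
        self.entries.clear()
        self.count = 0
        self.next_warning = WARN_AT

    def download(self, role):
        """FAU_SAR.1/FAU_SAR.2: only a logged-in system administrator may read the log."""
        if role != "system administrator":
            raise PermissionError("audit log is readable only by the system administrator")
        return list(self.entries)


if __name__ == "__main__":
    # Constructed scenario: 16,000 print submissions overflow the trail by 1,000.
    log = AuditLog(["admin@example.test"])
    for i in range(16_000):
        log.record(f"user{i % 5}", "print job submitted")
    print("retained:", len(log.entries), "oldest seq:", log.entries[0]["seq"])
    print("warnings sent at:", [n for n, _ in log.outbox])
```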
7.1.6. Cryptographic Operations (TSF_FCS)
FCS_CKM.1 (SSL), FCS_CKM.2 (SSL 1), FCS_CKM.2 (SSL 2), FCS_COP.1 (SSL),
FCS_CKM.1 (IPSEC), FCS_COP.1 (IPSEC 1), FCS_COP.1 (IPSEC 2), FCS_CKM.1
(SNMP), FCS_COP.1 (SNMP), FCS_CKM.4
The TOE utilizes data encryption (AES, RSA, RC4, DES, TDES) and cryptographic
checksum generation and secure hash computation (MD5 and SHA-1), as provided by
the OpenSSL cryptographic libraries, to support secure communication between the
TOE and remote trusted products. Those packages include provisions for the
generation and destruction of cryptographic keys and checksum/hash values and meet
the following standards: 3DES – FIPS-42-2, FIPS-74, FIPS-81; MD5 – RFC1321; SHA1 – FIPS-186; AES-256 – FIPS-197; SSLv3 and SNMPv3.
7.1.7. User Data Protection – SSL (TSF_FDP_SSL)
FCS_CKM.1 (SSL), FCS_CKM.2 (SSL 1), FCS_CKM.2 (SSL 2), FCS_COP.1 (SSL),
FDP_UCT.1 (SSL), FDP_UIT.1 (SSL), FTP_ITC.1, FTP_TRP.1 (SSL), FMT_MTD.1
(KEY)
The TOE provides support for SSL through the use of the OpenSSL cryptographic
libraries, and allows the TOE to act as either an SSL server or SSL client, depending on
the function the TOE is performing. SSL must be enabled before IPSec or SNMPv3 can
be set up, and before the system administrator can retrieve the audit log. The SSL
functionality also permits the TOE to be securely administered from the Web UI, as well
as being used to secure the connection between the TOE and the repository server
when utilizing the remote scanning option. As provided for in the SSLv3 standard, the
TOE will negotiate with the clients to select the encryption standard to be used for the
session, including operating in backward-compatible modes for clients that do not
support SSLv3. The TOE creates and enforces the security policy model, “All
communications to the Web server will utilize SSL (HTTPS).”
All information that is transmitted between the TOE and a remote trusted product using
SSL is protected from both disclosure and modification. The disclosure protection is
accomplished by the symmetric encryption of the data being transferred using the DES
EDE (aka Triple DES – defined in FIPS-46-3) cipher or the AES (FIPS-197) cipher, and
a per-connection key generated as part of the SSLv3 protocol. The modification
protection is accomplished by the use of the HMAC (Hashed Message Authentication
Code – defined by IETF RFC2104) that is incorporated into the SSLv3 record transfer
protocol.
Once SSL is enabled on the TOE web services, requests from clients must be received
through HTTPS.
Additionally, the TOE can act as a web client in the case of workflow scanning. When
acting as an SSL client to an SSL scan repository, the TOE can validate the remote
server’s certificate against a trusted CA; in this configuration, if it cannot validate the
identity of the certificate received from the remote server, it will not communicate with
the scan repository.
7.1.8. User Data Protection – IPSec (TSF_FDP_IPSec)
FCS_CKM.1 (IPSEC), FCS_COP.1 (IPSEC 1), FCS_COP.1 (IPSEC 2), FDP_UCT.1
(IPSEC), FDP_UIT.1 (IPSEC), FTP_ITC.1, FTP_TRP.1 (IPSEC), FMT_MTD.1 (KEY)
The TOE implements the IPSec SFP to ensure user data protection for all objects,
information, and operations handled or performed by the TOE through the lpr and port
9100 network interfaces. Printing clients initiate the establishment of a security
association with the MFD. The MFD establishes a security association with the printing
client using IPSec. Thereafter, all IP-based traffic to and from this destination passes
through the IPSec tunnel until either end powers down or resets, after which IPSec
must be re-established. The use of IPSec for communication with a particular
destination is based on the presumed address of the printing client.
IPSec secures packet flows through two protocols – Encapsulating Security Payload
(ESP) and Authentication Header (AH). ESP provides authentication, data
confidentiality and message integrity. The ESP extension header provides origin
authenticity, integrity, and confidentiality of a packet. AH provides authentication and
message integrity, but does not offer confidentiality. AH guarantees connectionless
integrity and data origin authentication of IP datagrams.
Note: The TOE cannot enforce the IPSec (TSF_FDP_IPSec) security function
when it is configured for AppleTalk or IPX networks.
7.1.9. User Data Protection – Disk Encryption (TSF_FDP_UDE)
FCS_CKM.1 (UDE), FCS_COP.1 (UDE), FCS_CKM.4
The TOE utilizes data encryption (AES) and cryptographic checksum generation and
secure hash computation (SHA-1), as provided by the Loop_AES cryptographic
libraries, to support encryption and decryption of designated portions of the hard disk
where user files may be stored. Those packages include provisions for the generation
and destruction of cryptographic keys. AES data encryption and its associated
cryptographic keys are used to encrypt and decrypt the hard drive partition where user
jobs are stored or temporarily stored during processing.
7.1.10. User Data Protection – IP Filtering (TSF_FDP_FILTER)
FDP_IFC.1 (FILTER), FDP_IFF.1 (FILTER), FMT_MTD.1 (FILTER)
The TOE provides the ability for the system administrator to configure a network
information flow control policy based on a configurable rule set. The information flow
control policy (IPFilter SFP) is defined by the system administrator by specifying a
series of rules to “accept,” “deny,” or “drop” packets. These rules include a listing of IP
addresses that are allowed to communicate with the TOE. Additionally, rules can be
generated specifying filtering options based on the port number given in the received
packet.
Note: The TOE cannot enforce the IP Filtering (TSF_FDP_FILTER) security
function when it is configured for IPv6, AppleTalk or IPX networks.
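As an added illustration (not code from the Security Target or from the Xerox implementation), the following Python evaluates accept/deny/drop rules keyed on source address and destination port as described above; the rule syntax, first-match ordering and the "deny" default when nothing matches are assumptions, and IPv6 sources are reported as unfiltered to reflect the note that the filter is not enforced for IPv6.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ACTIONS = ("accept", "deny", "drop")   # the three rule actions named in the ST


@dataclass(frozen=True)
class Rule:
    action: str
    source: ipaddress.IPv4Network       # host or network the rule applies to
    port: Optional[int] = None          # destination port; None matches any port

    def matches(self, src_ip: ipaddress.IPv4Address, dst_port: int) -> bool:
        return src_ip in self.source and (self.port is None or self.port == dst_port)


def parse_rule(text: str) -> Rule:
    """Parse a rule in the constructed form 'ACTION NETWORK [port N]'."""
    parts = text.split()
    if len(parts) not in (2, 4):
        raise ValueError(f"malformed rule {text!r}")
    action = parts[0].lower()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    port = None
    if len(parts) == 4:
        if parts[2].lower() != "port":
            raise ValueError(f"malformed rule {text!r}")
        port = int(parts[3])
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {text!r}")
    return Rule(action, ipaddress.IPv4Network(parts[1], strict=False), port)


def evaluate(rules: List[Rule], src_ip_text: str, dst_port: int,
             default: str = "deny") -> str:
    """Return the action for one packet; the first matching rule wins (assumed)."""
    src_ip = ipaddress.ip_address(src_ip_text)
    if src_ip.version != 4:
        return "unfiltered"   # ST note: IP filtering is not enforced for IPv6
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return default


# Constructed sample rule set: one print subnet may use lpr (515) and raw
# port 9100, anything else from it is rejected, all other sources are dropped.
RULES = [parse_rule(r) for r in (
    "accept 192.0.2.0/24 port 9100",
    "accept 192.0.2.0/24 port 515",
    "deny 192.0.2.0/24",
    "drop 0.0.0.0/0",
)]

if __name__ == "__main__":
    for src, port in (("192.0.2.10", 9100), ("192.0.2.10", 443),
                      ("203.0.113.5", 9100), ("2001:db8::1", 9100)):
        print(f"{src}:{port} -> {evaluate(RULES, src, port)}")
```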
7.1.11. Network Management Security (TSF_NET_MGMT)
FCS_CKM.1 (SNMP), FCS_COP.1 (SNMP), FDP_UCT.1 (SNMP), FDP_UIT.1 (SNMP),
FMT_MTD.1 (KEY), FTP_TRP.1 (SNMP)
The TOE supports SNMPv3 as part of its security solution through the SNMPSec SFP.
The SNMPv3 protocol is used to authenticate each SNMP message, as well as provide
encryption of the data as described in RFC 3414.
As implemented, both an authentication and a privacy (encryption) password must be set
up both at the device and at the manager. Both passwords must be a minimum of 8
characters. SNMP uses SHA-1 for authentication and single DES in Cipher Block
Chaining mode for encryption. SNMPv3 utilizes the OpenSSL crypto library for the
authentication and encryption functions.
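As an added illustration (not code from the Security Target or from Xerox), the following Python implements the RFC 3414 password-to-key algorithm for the SHA-1 authentication protocol and the split of a localized key into CBC-DES key and pre-IV, enforcing the 8-character minimum the ST states; the functions, names and sample engine ID are this example's own, and the expected digest is the RFC 3414 Appendix A.5.2 test vector.

```python
import hashlib

MIN_PASSWORD_LEN = 8            # minimum the ST requires for both SNMPv3 passwords
_EXPANSION_BYTES = 1_048_576    # RFC 3414 A.2: password is repeated to fill 1 MB


def password_to_key_sha1(password: str, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.2 password-to-key algorithm for usmHMACSHAAuthProtocol.

    Step 1 hashes the password repeated to 1,048,576 octets, giving Ku.
    Step 2 localizes Ku to one engine: Kul = SHA1(Ku || snmpEngineID || Ku),
    so the same password yields a different key on every managed device.
    """
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError(
            f"SNMPv3 password must be at least {MIN_PASSWORD_LEN} characters")
    pw = password.encode("utf-8")
    reps, rem = divmod(_EXPANSION_BYTES, len(pw))
    ku = hashlib.sha1(pw * reps + pw[:rem]).digest()    # 20-octet Ku
    return hashlib.sha1(ku + engine_id + ku).digest()   # 20-octet Kul


def des_cbc_privacy_material(localized_priv_key: bytes):
    """Split a localized privacy key for CBC-DES (RFC 3414 section 8.1.1.1).

    Only the first 16 octets of the 20-octet SHA-1 key are used: octets 0-7
    are the DES key (DES ignores the parity bit of each octet) and octets 8-15
    are the pre-IV that is XORed with the salt to form the per-message IV.
    """
    if len(localized_priv_key) < 16:
        raise ValueError("localized privacy key too short for CBC-DES")
    return localized_priv_key[:8], localized_priv_key[8:16]


def usm_keys(auth_password: str, priv_password: str, engine_id: bytes) -> dict:
    """Derive the keys a manager needs for one engine from both passwords."""
    kul_auth = password_to_key_sha1(auth_password, engine_id)
    kul_priv = password_to_key_sha1(priv_password, engine_id)
    des_key, pre_iv = des_cbc_privacy_material(kul_priv)
    return {"auth_key": kul_auth, "des_key": des_key, "pre_iv": pre_iv}


if __name__ == "__main__":
    # RFC 3414 A.5.2 test vector: password "maplesyrup",
    # snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02.
    engine = bytes([0] * 11 + [2])
    print(password_to_key_sha1("maplesyrup", engine).hex())
    # -> 6695febc9288e36282235fc7151f128497b38f3f
```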
7.1.12. Security Management (TSF_FMT)
FDP_ACC.1 (USER), FDP_ACC.1 (FUNC), FDP_ACC.1 (MGMT), FDP_ACF.1
(USER), FDP_ACF.1 (FUNC), FDP_ACF.1 (MGMT), FIA_ATD.1, FMT_SMF.1,
FMT_MOF.1 (FMT 1), FMT_MOF.1 (FMT 2), FMT_MSA.1 (USER), FMT_MSA.1
(FUNC), FMT_MSA.3 (USER), FMT_MSA.3 (FUNC), FMT_MTD.1 (MGMT1),
FMT_MTD.1 (MGMT2), FTP_TST.1
Only authenticated system administrators can enable or disable the Image Overwrite
function, change the system administrator password, and invoke an On Demand Image
Overwrite operation.
While IIO can be disabled, doing so will remove the TOE from its evaluated
configuration.
Additionally, only authenticated system administrators can assign authorization
privileges to users, create user IDs for local authentication, establish a recurrence
schedule for On Demand Image Overwrite, enable/disable SSL support, enable/disable
and configure IPSec, enable/disable and configure SNMPv3, create/install X.509
certificates, enable/disable and download the audit log, configure email addresses for
audit exhaustion warnings, enable/disable and configure (rules) IP filtering,
enable/disable disk encryption, enable/disable and configure use of Common Access
Cards, configure inactive session timeout settings, verify the integrity of TOE software
binary code, and enable/disable and configure 802.1x.
Only authenticated users with the necessary privileges are allowed to perform copy,
print, scan or fax on the TOE via the Web UI or the LUI.
All Users who are authorized to connect to the TOE can submit print or LanFax jobs.
All System Administrators are allowed full access to perform copy, print, scan or fax
operations on the TOE.
Copy has to be performed at the local user interface. A user can only read physical
copies of the documents (D.DOC +CPY Read). During job setup, a copy job (D.FUNC
+CPY Delete, Modify) or image (D.DOC +CPY Read, Delete) can be read, modified or
deleted. Once a job is committed, the job (D.FUNC +CPY Delete, Modify) can only be
canceled (deleted) during its execution. Once completed, the job is removed.
Print jobs can be submitted remotely via printing protocols (e.g. lpr, port 9100) or from
the Web UI using HTTPS. Once submitted to the TOE, there is no way for anyone to
modify the job (D.FUNC +PRT Modify) or the document (D.DOC +PRT Delete). Each
print job has an assigned pass code19 which is only known to the job owner. Only the
job owner can release printing of the document (D.DOC +PRT Read) or delete the print
job (D.FUNC +PRT Delete) using this pass code at the local user interface before the
job is executed on the TOE. The owner may also choose to delete a job (submitted from
the Web UI) through the Web UI before it is released.
19 A four- to ten-character numeric string assigned by the job owner during print job creation.
A system administrator has the capability for releasing (D.DOC +PRT Read) any print
job on the TOE through its authenticated Local UI session. A system administrator also
has the capability for deleting (D.FUNC +PRT Delete) any print job on the TOE through
its authenticated Local UI or Web UI20 session.
Once completed, a print job is removed.
Documents can only be scanned at the Local User Interface. During job setup,
document image (D.DOC +SCN Read, Delete) may be read or deleted. Once the job is
committed, the owner may send the image via email, transfer the image to a remote
(SSL scan) repository or keep the image in their private mailbox. (Scan to) Mailboxes
are created and owned by individual users. Only the owner is allowed to locate and
access the mailbox, and this access to mailboxes is further restricted with a pass code21
which the owner creates and owns. System Administrators have access to all the (scan)
mailboxes. (Scan) Images saved in a mailbox (D.DOC +DSR and +SCN Read, Delete)
may only be downloaded via the Web UI or deleted. A user with proper access may
choose to delete the mailbox together with all images stored inside the mailbox.
Faxes can be submitted at the Local User Interface or remotely as LanFax (through the
same interfaces as for printing). During job setup, document image (D.DOC +FAXOUT
Read, Delete) created may be read or deleted. Once a job (D.FUNC +FAXOUT Delete)
is submitted, only a system administrator can delete the Job before it is fully completed,
e.g. in the case of delayed send.
Access to the received faxes (D.DOC +FAXIN Read, Delete) is restricted to the system
administrators. All received faxes are stored locally and assigned a (system
administrator) predefined pass code. The SA can print or delete secure received faxes
by entering the appropriate pass code. Once printed, the faxes are automatically
deleted. Alternatively, the system administrator may also choose to designate email
addresses for receiving fax images. Once the fax job is forwarded as an attachment to
an email, the job is automatically deleted.
Following recommendations from the user guidance document, an authenticated
system administrator can perform various tests to verify the integrity of the TSF.
During start-up of the TOE after a reboot or power reset, an IIO is performed on U.DOC
remaining on the TOE’s hard drive and in the fax flash memory. Upon hard drive IIO
completion, for a randomly picked contiguous block of disk space which is 10% the size
of the overall overwritten image, the resulting binary data pattern on the hard drive is
compared against the expected results, and any mismatch is reported. Upon fax
flash memory IIO completion, the TOE attempts to access the files that should have been
overwritten and reports any abnormalities. Also during initial start-up, the version number
of the software loaded is compared to the expected software version number; any
corruption of this data is reported.
20 At the Web UI, the System Administrator can only delete print jobs submitted from the Web UI.
21 An alphanumeric string with a length between one and fifty characters, owned and managed by the (scan to) mailbox owner (creator).
During normal operation of the TOE, the integrity of the IP filtering table can be verified
by the system administrator through manual inspection from the Web UI. The System
Administrator can also verify the integrity of the TOE software image through the Web
UI using a software verification feature.
8. GLOSSARY (NORMATIVE)
For the purposes of this document, the following terms and definitions
apply. IEEE Std. 100, The Authoritative Dictionary of IEEE Standards,
Seventh Edition, should be referenced for terms not defined in this annex.
Access: Interaction between an entity and an object that results in the
flow or modification of data.
Access Control: Security service that controls the use of hardware and
software resources and the disclosure and modification of stored or
communicated data.
Accountability: Property that allows activities in an IT system to be traced
to the entity responsible for the activity.
Administrator: A User who has been specifically granted the authority to
manage some portion or all of the TOE and whose actions may affect the
TSP. Administrators may possess special privileges that provide
capabilities to override portions of the TSP.
Asset: An entity upon which the TOE Owner, User, or manager of the
TOE places value.
Authentication: Security measure that verifies a claimed identity.
Authentication data: Information used to verify a claimed identity.
Authorization: Permission, granted by an entity authorized to do so, to
perform functions and access data.
Authorized User: An authenticated User who may, in accordance with the
TSP, perform an operation. This includes Users who are permitted to
perform some operations but may be able to attempt or perform
operations that are beyond those permissions.
Availability: (A) A condition in which Authorized Users have access to
information, functionality and associated assets when requested. (B)
Timely (according to a defined metric), reliable access to IT resources.
Channel: Mechanisms through which data can be transferred into and out
of the TOE.
Confidentiality: (A) A condition in which information is accessible only to
those authorized to have access. (B) A security policy pertaining to
disclosure of data.
Enterprise: An operational context typically consisting of centrally-managed networks of IT products protected from direct Internet access by
firewalls. Enterprise environments generally include medium to large
businesses, certain governmental agencies, and organizations requiring
managed telecommuting systems and remote offices.
Evaluation Assurance Level: An assurance package, consisting of
assurance requirements drawn from CC Part 3, representing a point on
the CC predefined assurance scale.
External Interface: A non-hardcopy interface where either the input is
being received from outside the TOE or the output is delivered to a
destination outside the TOE.
Function: an entity in the TOE that performs processing, storage, or
transmission of data that may be present in the TOE.
Hardcopy Device (HCD): A system producing or utilizing a physical
embodiment of an electronic document or image. These systems include
printers, scanners, fax machines, digital copiers, MFPs (multifunction
peripherals), MFDs (multifunction devices), “all-in-ones”, and other similar
products. See also: multifunction device.
Hardcopy Output Handler: Mechanisms for transferring User Document
Data in hardcopy form out of the HCD.
Identity: A representation (e.g., a string) uniquely identifying an
Authorized User, which can either be the full or abbreviated name of that
User or a pseudonym.
Information assurance: Information operations that protect and defend
information and information systems by ensuring their availability, integrity,
authentication, confidentiality, and non-repudiation. This includes
providing for restoration of information systems by incorporating
protection, detection, and reaction capabilities.
Information Technology (IT): The hardware, firmware and software used
as part of a system to collect, create, communicate, compute,
disseminate, process, store or control data or information.
Integrity: (A) A condition in which data has not been changed or destroyed
in an unauthorized way. (B) A security policy pertaining to the corruption of
data and security function mechanisms.
Job: A document processing task submitted to the hardcopy device. A
single processing task may process one or more documents.
Multifunction Device (MFD) and Multifunction Product (MFP): A
hardcopy device that fulfills multiple purposes by using multiple functions
in different combinations to replace several, single function devices.
Nobody: A pseudo-role that cannot be assigned to any User.
Nonvolatile storage: Computer storage that is not cleared when the
power is turned off.
Normal User: A User who is authorized to perform User Document Data
processing functions of the TOE.
Object: A passive entity in the TOE, that contains or receives information,
and upon which subjects perform operations.
Operation: A specific type of action performed by a subject on an object.
Operational Environment: The total environment in which a TOE
operates, including the consideration of the value of assets and controls
for operational accountability, physical security and personnel.
Operator Panel: A local human interface used to operate the HCD. It
typically consists of a keypad, keyboard, or other controls, and a display
device.
Organizational Security Policy (OSP): A set of security rules,
procedures, or guidelines imposed (or presumed to be imposed) now
and/or in the future by an actual or hypothetical organization in the
operational environment.
Original Document Handler: Mechanisms for transferring User
Document Data in hardcopy form into the HCD.
Own or Ownership: May refer to a User Document or to User Function
Data associated with processing a User Document. Depending upon the
implementation of conforming TOE applications, the Owner of User
Function Data associated with a User Document may be different or may
have different access control rules. These should be specified in a
conforming Security Target.
Private-medium interface: Mechanism for exchanging data that (1) uses
wired or wireless electronic methods over a communications medium
which, in conventional practice, is not accessed by multiple simultaneous
users; or (2) uses an Operator Panel and displays that are part of the TOE.
Protected: A condition in which data has not been changed or destroyed
in an unauthorized way.
Removable nonvolatile storage: nonvolatile storage that is part of an
evaluated TOE but is designed to be removed from the TOE by authorized
personnel. See also Nonvolatile storage.
Security attribute: A property of subjects, users (including external IT
products), objects, information, sessions and/or resources that is used in
defining the SFRs and whose values are used in enforcing the SFRs.
Security Function Policy (SFP): A set of rules describing specific
security behavior enforced by the TSF and expressible as a set of SFRs.
Security Functional Requirement (SFR): A functional requirement which
is taken from Part 2 of the Common Criteria and provides the mechanisms
to enforce the security policy.
Security Target (ST): An implementation-dependent statement of security
needs for a specific identified TOE.
SFR package: A named set of security functional requirements.
Shared-medium interface: Mechanism for transmitting or receiving data
that uses wired or wireless network or non-network electronic methods
over a communications medium which, in conventional practice, is or can
be simultaneously accessed by multiple users.
Subject: An active entity in the TOE that performs operations on objects.
Target of Evaluation (TOE): A set of software, firmware and/or hardware
possibly accompanied by guidance.
Telephone line: An electrical interface used to connect the TOE to the
public switched telephone network for transmitting and receiving facsimiles.
Threat: Capabilities, intentions and attack methods of adversaries, or any
circumstance or event, with the potential to violate the TOE security policy.
TSF Data: Data created by and for the TOE, that might affect the
operation of the TOE.
TSF Confidential Data: Assets for which either disclosure or alteration by
a User who is not an Administrator or the owner of the data would have an
effect on the operational security of the TOE.
TSF Protected Data: Assets for which alteration by a User who is not an
Administrator or the owner of the data would have an effect on the
operational security of the TOE, but for which disclosure is acceptable.
TOE Owner: A person or organizational entity responsible for protecting
TOE assets and establishing related security policies.
TOE security functionality (TSF): A set consisting of all hardware,
software, and firmware of the TOE that must be relied upon for the correct
enforcement of the SFRs.
User: An entity (human user or external IT entity) outside the TOE that
interacts with the TOE.
User Data: Data created by and for the User, that do not affect the
operation of the TOE security functionality.
User Document Data: The asset that consists of the information
contained in a user’s document. This includes the original document itself
in either hardcopy or electronic form, image data, or residually-stored data
created by the hardcopy device while processing an original document
and printed hardcopy output.
User Function Data: The asset that consists of the information about a
user’s document or job to be processed by the HCD.
9. ACRONYMS (INFORMATIVE)
For the purposes of this document, the following acronyms and definitions
apply. IEEE Std. 100, The Authoritative Dictionary of IEEE Standards,
Seventh Edition, should be referenced for terms not defined in this annex.
Table 27: Acronyms
Acronym  Definition
A.       assumption (when used in hierarchical naming)
ADMIN.   administrator (when used in hierarchical naming)
ALT      alteration
CC       Common Criteria
C/IA     IEEE Computer Society Information Assurance
CONF.    confidential (when used in hierarchical naming)
CPY      copy
D.       data (when used in hierarchical naming)
DIS      disclosure
DOC.     document (when used in hierarchical naming)
DSR      document storage and retrieval
EAL      evaluation assurance level
F.       Function (when used in hierarchical naming)
FAX      facsimile
FUNC.    function (when used in hierarchical naming)
HCD      hardcopy device
IEEE     Institute of Electrical and Electronics Engineers
IOT      Image Output Terminal
IPP      Internet Printing Protocol
IT       information technology
LPR      Line Printer Remote
MFD      multifunctional device
MFP      multifunctional product / peripheral / printer
NVS      nonvolatile storage
O.       security objective (of the TOE) (when used in hierarchical naming)
OE.      security objective (of the operational environment) (when used in hierarchical naming)
OSP      organizational security policy
P.       organizational security policy (when used in hierarchical naming)
PP       protection profile
PROT.    protected (when used in hierarchical naming)
PRT      print
SCN      scan
SFP      security function policy
SFR      security functional requirement
SMI      shared-medium interface
ST       security target
Std      standard
T.       threat (when used in hierarchical naming)
TOE      Target of Evaluation
TSF      TOE security functionality
TSP      TOE security policy
U.       user (when used in hierarchical naming)
10. BIBLIOGRAPHY (INFORMATIVE)
[B1] Common Criteria for Information Technology Security Evaluation, Version 3.1 Release 1 - Part 1: Introduction and General Model. Available from: http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R1.pdf
[B2] Common Methodology for Information Technology Security Evaluation, Version 3.1 Release 2 - Evaluation Methodology. Available from: http://www.commoncriteriaportal.org/files/ccfiles/CEMV3.1R2.pdf
[B3] IEEE Std. 100, The Authoritative Dictionary of IEEE Standards Terms, Seventh Edition, New York, Institute of Electrical and Electronics Engineers, Inc. IEEE publications are available from the Institute of Electrical and Electronics Engineers, 445 Hoes Lane, Piscataway, NJ 08854, USA (http://standards.ieee.org).