HP Jetdirect ew2500 Practical considerations for imaging and printing security - Page 4

HP's imaging and printing security framework - review


IEEE p2600

The IEEE p2600 working group is defining a security standard for hardcopy devices, as well as recommendations for the security capabilities of devices when deployed in various environments, including enterprise, high-security, small office/home office, and public spaces.

The p2600 working group has broad industry participation, including Hewlett-Packard, Lexmark, Canon, Xerox, Sharp, Ricoh, IBM, Epson, Okidata, Equitrac, and Oce.

The p2600 standard will provide a means for credibly measuring the security capabilities of individual manufacturers. HP is actively participating within the working group, and will Common Criteria-certify products to the standard when complete. As of this time, HP devices support the majority of capabilities specified in the draft documents.

Security checklists

The National Institute of Standards and Technology (NIST) has been tasked by U.S. legislation to develop checklists that facilitate security configuration of devices likely to be used by the U.S. Federal Government. NIST has requested IT equipment manufacturers to develop these security checklists for their products. Details of the checklist program are available at http://csrc.nist.gov/checklists.

NIST will review manufacturers' checklists for relevance and correctness and publish those checklists on a searchable NIST website.

HP considers security checklists a means to significantly improve how easily security capabilities can be configured on imaging and printing products. A security checklist for the HP LaserJet 4345mfp is available for public review at http://checklists.nist.gov/repository/, and is currently the only hardcopy product checklist available from any manufacturer. HP plans to develop additional checklists for hardcopy devices in the future.

Conclusion: look beyond Common Criteria Certification

Ultimately, individuals must look carefully at their requirements and not be swayed by manufacturer advertising claims. Common Criteria Certification adds significant cost and development time to products, while providing limited assurance of the product's actual capabilities and potential vulnerabilities. Products that are not certified may actually provide more robust security capabilities than products that are certified. NIST security checklists simplify the complex process of enabling security functions, and better illustrate the product's capabilities.

HP's imaging and printing security framework

To simplify the presentation of security concepts, HP developed an imaging and printing security framework with three categories of security functions:

Secure the Device: Includes elements that protect the function of the physical device, including access controls for management and use, secure deletion of files, and physical security.

Protect Information on the Network: Includes network communications, including media access protocols such as 802.1x and secure management, scanning, and printing protocols.

Effectively Monitor and Manage: Includes the capabilities to securely manage fleets of imaging and printing devices and audit devices for compliance with security policies and regulatory requirements.

The categories within HP's imaging and printing security framework are built from traditional network security theory, which identifies the four elements that compose a secure system: confidentiality, access control, integrity, and non-repudiation.

