1
P2600 Hardcopy Device and System Security
July 2005 Working Group Meeting
Don Wright, Director of Standards, Lexmark International, don@lexmark.com
11/29/2018
2
Agenda Items – Monday/Tuesday, July 11/12
- Welcome & Introductions
- Update and Approve Agenda
- Review and approve May Minutes
- IEEE Patent Policy Review
- Update on 2005 Meeting Plan and Schedule
- 2006 Meeting Schedule Proposal
- Update on TCG
- Formation of INCITS CS1 Working Group
- Review of Action Items from May Meeting
- Other Topics
3
Agenda Items – Monday/Tuesday, July 11/12 (cont.)
- Status on reorganization of document decided at the May meeting
- Status on Threat Analysis work
- Document Review: Sections 1, 2, 3, High Security PP (from submitted comments only)
- Document Review: Enterprise PP
- Document Review: SoHo PP
- Other PPs
- Other items
- Summarize and record action items
4
Minutes from May Meeting
Minutes were published shortly after the meeting. They are available at:
Any corrections or changes?
5
Instructions for the WG Chair
At each meeting, the Working Group Chair shall:
1. Show slides #1 and #2 of this presentation
2. Advise the WG membership that:
   - The IEEE’s patent policy is consistent with the ANSI patent policy and is described in Clause 6 of the IEEE-SA Standards Board Bylaws;
   - Early disclosure of patents which may be essential for the use of standards under development is encouraged;
   - Disclosures made of such patents may not be exhaustive of all patents that may be essential for the use of standards under development, and that neither the IEEE, the WG, nor the WG Chairman ensure the accuracy or completeness of any disclosure or whether any disclosure is of a patent that, in fact, may be essential for the use of standards under development.
3. Instruct the WG Secretary to record in the minutes of the relevant WG meeting:
   - That the foregoing advice was provided and the two slides were shown;
   - That an opportunity was provided for WG members to identify or disclose patents that the WG member believes may be essential for the use of that standard;
   - Any responses that were given, specifically the patents and patent applications that were identified (if any) and by whom.
(Not necessary to be shown)
Approved by IEEE-SA Standards Board – March 2003 (Revised March 2005)
6
IEEE-SA Standards Board Bylaws on Patents in Standards
IEEE standards may include the known use of essential patents and patent applications provided the IEEE receives assurance from the patent holder or applicant with respect to patents whose infringement is, or in the case of patent applications, potential future infringement the applicant asserts will be, unavoidable in a compliant implementation of either mandatory or optional portions of the standard [essential patents]. This assurance shall be provided without coercion and prior to approval of the standard (or reaffirmation when a patent or patent application becomes known after initial approval of the standard). This assurance shall be a letter that is in the form of either:
a) A general disclaimer to the effect that the patentee will not enforce any of its present or future patent(s) whose use would be required to implement either mandatory or optional portions of the proposed IEEE standard against any person or entity complying with the standard; or
b) A statement that a license for such implementation will be made available without compensation or under reasonable rates, with reasonable terms and conditions that are demonstrably free of any unfair discrimination.
This assurance shall apply, at a minimum, from the date of the standard's approval to the date of the standard's withdrawal and is irrevocable during that period.
Slide #1
Approved by IEEE-SA Standards Board – March 2003 (Revised March 2005)
7
Inappropriate Topics for IEEE WG Meetings
- Don’t discuss the validity/essentiality of patents/patent claims
- Don’t discuss the cost of specific patent use
- Don’t discuss licensing terms or conditions
- Don’t discuss product pricing, territorial restrictions, or market share
- Don’t discuss ongoing litigation or threatened litigation
- Don’t be silent if inappropriate topics are discussed… do formally object.
If you have questions, contact the IEEE-SA Standards Board Patent Committee Administrator at or visit
This slide set is available at
Slide #2
Approved by IEEE-SA Standards Board – March 2003 (Revised March 2005)
8
Officers (No Changes)
Chair: Don Wright, Lexmark
Vice Chair: Lee Farrell, Canon
Secretary/Lead Editor: Brian Smithson, Ricoh
Other Editors:
- Jerry Thrasher
- Ron Bergman
- Ron Nevo – HS PP/Enterprise PP
- Yusuke Ohta – HS PP/Enterprise
- Carmen Aubry – SoHo PP
9
2005 Meeting Schedule
- Sept 15-16 – West Caldwell, NJ: Ricoh US Headquarters, 5 Dedrick Place, West Caldwell, NJ
- Oct – New Orleans with PWG: Doubletree Hotel (tentative), 300 Canal Street, New Orleans, Louisiana
- Dec – San Diego: Host?
10
2006 Meeting Schedule Proposal
- January 17-18
- March 2-3 (West Coast?)
- April 11-12
- May 17-18
- June 19-20
- July 26-27
- September 6-7
- October 25-26
- December 12-13
11
Trusted Computing Group
Update
12
Trusted Computing Group
- Current task is defining use cases for hardcopy devices.
- The group needs more hardcopy device companies to participate.
- The group has narrowed its scope to concentrate on issues of establishing trust between hardcopy devices and client computers or servers.
- The group’s work items provide a good complement to the work in P2600.
  - How can you be sure the hardcopy device you are establishing a secure session with today is the same, unmodified device you connected with before? Has it been replaced with a rogue device? etc.
13
INCITS CS1 : Cyber-Security
Update
14
INCITS CS1
What is the INCITS Cyber Security 1 Technical Committee?
- CS1 is a new group within INCITS responsible for developing the US position in the ISO/IEC JTC1/SC27 working group focused on Information Technology Security.
- CS1 is also the Technical Committee responsible for advancing US based/developed security related standards into the international standardization process.
- CS1 membership includes US Government agencies such as NSA, NIST, and the Department of Homeland Security, as well as US based technology companies.
- First meeting was held June 7-8 in Washington DC
15
INCITS CS1
CS1’s current scope of security technologies includes:
- Management of information security and systems
- Management of third party information security service providers
- Intrusion detection
- Network security
- Incident handling
- IT Security evaluation and assurance
- Security assessment of operational systems
- Security requirements for cryptographic modules
- Protection profiles
- Role based access control
- Security checklists
- Security metrics
16
INCITS CS1
Current CS1 work items being discussed include:
- Role Based Access Control (RBAC) Profile for the Healthcare Industry.
- A minimum security standard for protecting “sensitive” information on networked computers.
- Dynamic Roles for the RBAC mechanisms.
17
INCITS CS1
Current ISO/IEC JTC1/SC27 work that requires CS1 input includes:
- Revision of ISO Parts 1, 2, 3
- Development of the ISO family of Security Standards (includes renaming ISO to be part of the family)
- Various authentication and non-repudiation standards.
Proposed Chair: Dan Benigni from NIST
18
Group Logistical Action Items
- Update web site with May meeting results/contents – done (Slides, Minutes, Action Items, Comment Resolution)
- Update web site with July meeting details – done
- Update web site with preliminary Sept meeting details – done
19
Action Items from Previous Meetings
- Section 1 updates (Brian S.) – All Open
  - Update Bibliography
  - Add terms from section 2 (Proficient, Bespoke, etc.)
  - Reference mitigation techniques in sect 3 rather than use the ones from the NIST document.
  - Define Assets (from section 3) – in progress
  - Add acronyms from sections 2 & 4
  - Add explanatory text about choosing a target security environment based on asset value rather than just the name of the environment. E.g., a SoHo environment may have high value assets and should use the Enterprise PP instead.
- Section 2 updates (Tom H)
  - Section 4 team to verify which security environment’s PP are applicable to each threat (Section 4 team plus Tom H) – Threat Analysis in progress
  - Decide if we want to include the security environment columns in the final std – Open
20
Action Items from Previous Meetings
- Section 3: Move asset section to section 1 – in progress
- Section 4
  - SoHo (Carmen Aubry) – really begin review this meeting
  - Public assigned to Jean Claude of Océ – open
- Review:
21
Reorganization of Document
New Organization Plan (in process):
- Document intro
  - scope, purpose
  - how to use this document: structure, by manufacturers, by users, block diagrams of the document structure
  - Definitions / glossary / acronyms
- Protection profiles (very general)
  - Overview of Common Criteria
  - Introduction to protection profiles (not the actual protection profiles themselves)
  - Forward reference to actual PPs
- Intro to HCDs
  - what they are, do
  - how they are similar/different from other IT devices
  - why they make good targets if insecure
- Environments
  - scope of environments that we're considering in this spec
  - advice on choosing the correct environmental guidance
  - environment #1: definition, assumptions, examples/diagram, cautions/disclaimers
  - environment #2...#N (as above)
  - Summary
- Assets
  - overview of assets
  - asset type #1: definition, discussion, importance in the different environments
  - asset type #2...#N
  - summary
Margin annotations on the slide: “Formerly Section 1”, “NEW”, “Formerly Section 1”, “Move from PPs to Section 1 plus enhancements”
22
Reorganization of Document (cont.)
- Threats and mitigation
  - overview of threats: threat vector model, top level categories (related to assets)
  - general recommendations for manufacturers: out-of-box, etc., best practices that aren't covered earlier
  - general recommendations for end-users / IT departments: IT environment, etc., best practices that aren't covered earlier
  - specific threats and mitigation
    - threat #1: detailed description; importance in each environment / coverage in protection profile(s); recommendations for manufacturers; recommendations for customers
    - threat #2...#N (as above)
  - Specific overview of the PPs in the annexes
- Annexes
  - Protection Profiles: Annex A: HS; Annex B: Enterprise; Annex C: SoHo; Annex D: Public
  - (perhaps some materials extracted from Best Practices would be better as annexes? e.g. discussion on selecting passwords)
  - Threat cross reference (by asset / by access)
  - references (from sections 1 and 3)
  - bibliography (from sections 1 and 3)
Margin annotations on the slide: “??? STATUS ???”, “Formerly Section 3”, “Formerly Section 2”
23
Threat Analysis: Plan from May Meeting
Threat Analysis – discussion summary
- Why would the value of a user document vary in a person’s risk assessment?
- FIPS-199 contains useful definitions
- Develop more detailed directions and guidelines for performing the assessment
- Re-run the assessment with the new information from this meeting and the guidelines
- Involve more people in doing the assessments.
- Look at the results and propose which threats should be removed from or added to PPs.
Owner – Brian Smithson (will propose a timeline)
24
Threat Analysis: Status
Few participated, no usable results
25
Document Review
Review Comments on Draft per Excel Chart:
- Section 1
- Section 2
- Section 3
- High Security PP
Results contained in: P2600-comments-database-May 2005.xls
26
HS versus Enterprise – From May Meeting
Difference between HS and Enterprise environments:
- Enterprise – Generally medium value assets
  - Can be physically medium to large in geographic area and in number of devices on the network.
  - Areas within the enterprise that have high value assets (perhaps due to legislated mandates) can be treated as High Security islands within the enterprise.
- New enterprise examples
  - Cable TV Company – production printing of bills
  - Large advertising agency
  - Big box retailer
  - Delete: DA Office, Health Claims (move to HS)
- Update HS examples
  - Delete “Top Secret” from Military Research Lab
  - Move Financial/Stock Broker and SS Office to HS environments.
Is there anything else that needs to be reviewed?
27
Document Review: Enterprise PP
Review Draft – Any comments submitted? ?
28
Document Review: SoHo PP
Review Draft – Any comments submitted? ?
29
Other PPs
What is the schedule?
Public PP: Jean Claude – No news
30
Reminder: Managing the Process Going Forward
Going forward we must manage the discussion and changes to the document. For the following components of the standard, we will have no “random” discussions. All proposed changes MUST be on the reflector at least one week before the meeting, including the specific changes requested.
- Sections 1 through 3, High Security Profile
- Enterprise Profile / SoHo Profile – Not at this time.
Additional sections will be added to this list as they mature.
31
Project Schedule
The PAR included estimates of the end-points of the schedule:
- Sponsor Ballot: June ?????
- Submission to RevCom: Feb 2006
What schedule should we expect now?
32
Next Meeting Details – September 15-16 at Ricoh
Where: Ricoh's US headquarters, 5 Dedrick Place, West Caldwell, NJ, VIP Conference Room
Driving directions from EWR, LGA and JFK are on the web site.
33
Next Meeting Details
34
Next Meeting Details (map: Dedrick Place, Henderson Drive, Passaic Ave)
35
Action Items for September
?
36
Mailing List and Web Site
- Listserv run by the IEEE
- An archive is available on the web site
- Subscribe via a note to: containing the line: subscribe stds-2600
- Only subscribers may send to the mailing list.