Don Wright Director, Alliances & Standards Lexmark International

Presentation on theme: "Don Wright Director, Alliances & Standards Lexmark International "— Presentation transcript:

1 P2600 Hardcopy Device and System Security April 2004 Working Group Meeting
Don Wright Director, Alliances & Standards Lexmark International 2/22/2019

2 Agenda
April 19,
- :30 Continental Breakfast
- 9:00 Opening, Intros, etc.
- 9:15 IEEE Patent Policy
- 9:30 Developing Protection Profiles - Mario Tinto (Aerospace Corp)
- 10:30 Break
- 10:45 Protection Profile Proposal - Mr. Yuusuke Ohta (Ricoh)
- 12:40 Lunch
- 2:15 Protection Profile Discussions
- 5:30 Wrap-up
April 20,
- :30 Continental Breakfast
- 9:00 Opening, Intros, etc.
- 9:15 Document Development
- 12:00 Lunch
- 1:00 Resume Document Development
- 2:30 Review future meeting plan
- 3:00 Wrap-up

3 Instructions for the WG Chair
At each meeting, the Working Group Chair shall:
- Show slides #1 and #2 of this presentation
- Advise the WG membership that:
  - The IEEE's Patent Policy is consistent with the ANSI patent policy and is described in Clause 6 of the IEEE SA Standards Board Bylaws;
  - Early disclosure of patents which may be essential for the use of standards under development is encouraged;
  - Disclosures made of such patents may not be exhaustive of all patents that may be essential for the use of standards under development, and that neither the IEEE, the WG nor the WG Chairman ensure the accuracy or completeness of any disclosure or whether any disclosure is of a patent that in fact may be essential for the use of standards under development.
- Instruct the WG Secretary to record in the minutes of the relevant WG meeting:
  - that the foregoing advice was provided and the two slides were shown;
  - that an opportunity was provided for WG members to identify or disclose patents that the WG member believes may be essential for the use of that standard;
  - any responses that were given, specifically the patents and patent applications that were identified (if any) and by whom.
(Not necessary to be shown)
Approved by IEEE-SA Standards Board – March 2003 (Revised Feb 2004)

4 IEEE-SA Standards Board Bylaws on Patents in Standards
IEEE standards may include the known use of essential patents and patent applications provided the IEEE receives assurance from the patent holder or applicant with respect to patents whose infringement is, or in the case of patent applications, potential future infringement the applicant asserts will be, unavoidable in a compliant implementation of either mandatory or optional portions of the standard [essential patents]. This assurance shall be provided without coercion and prior to approval of the standard (or reaffirmation when a patent or patent application becomes known after initial approval of the standard). This assurance shall be a letter that is in the form of either:
a) A general disclaimer to the effect that the patentee will not enforce any of its present or future patent(s) whose use would be required to implement either mandatory or optional portions of the proposed IEEE standard against any person or entity complying with the standard; or
b) A statement that a license for such implementation will be made available without compensation or under reasonable rates, with reasonable terms and conditions that are demonstrably free of any unfair discrimination.
This assurance shall apply, at a minimum, from the date of the standard's approval to the date of the standard's withdrawal and is irrevocable during that period.
Slide #1
Approved by IEEE-SA Standards Board – March 2003 (Revised February 2004)

5 Inappropriate Topics for IEEE WG Meetings
- Don't discuss licensing terms or conditions
- Don't discuss product pricing, territorial restrictions or market share
- Don't discuss ongoing litigation or threatened litigation
- Don't be silent if inappropriate topics are discussed… do formally object.
If you have questions, contact the IEEE-SA Standards Board Patent Committee Administrator at or visit
Slide #2
Approved by IEEE-SA Standards Board – March 2003 (Revised February 2004)

6 Officers
- Chair: Don Wright, Lexmark
- Vice Chair: Lee Farrell, Canon
- Secretary: Steffan Deschrijver, Print4Sight
- Editors: Brian Volkoff, Jerry Thrasher, Ron Bergman, Stefaan DeSchrijver

7 Mailing List and Web Site
- Listserv run by the IEEE
- An archive is available on the web site
- Subscribe via a note to: containing the line: subscribe stds-2600
- Only subscribers may send to the mailing list.

8 Action Items
Begin developing draft document based on CSPP - Guidance for COTS Security Protection Profiles (
- Introduction – D.W. -- posted
- TOE Description – J.T. -- posted
- Security Environment (Multiple environments) – P.C.
- Security Assumptions
- Organizational Policies
- Role/Vulnerabilities/Exploitations – S.D. -- posted
- Security Objectives – B.V.
- Security Requirements
- TOE Functional Security
- IT Functional Security
- Non-IT Functional Security Requirements
- Assurance Requirements
- Rationale
- Appendix
- TOE Functional Requirements Additional Details
- TOE Assurance Requirements Additional Details
- IT Environment Functional Requirements Additional Details
- Other Security Consideration
- Encryption
- Certification (FIPS in the US)
- System Considerations

9 Presentation/Forum
Developing Protection Profiles
Mario Tinto, Aerospace Corp

10 Presentation/Proposal
Protection Profile Proposal
Mr. Yuusuke Ohta, Ricoh

11 Content of Standard IEEE standards include but are not limited to:
- Lists of terms, definitions, or symbols, applicable to any field of science or technology within the scope of the IEEE.
- Expositions of scientific methods of measurement or tests of the parameters or performance of any device, apparatus, system, or phenomenon associated with the art, science, or technology of any field within the scope of the IEEE.
- Characteristics, performance, and safety requirements associated with devices, equipment, and systems with engineering installations.
- Recommendations reflecting current state-of-the-art in the application of engineering principles to any field of technology within the scope of the IEEE.
IEEE standards are classified as:
- Standards: documents with mandatory requirements.
- Recommended practices: documents in which procedures and positions preferred by the IEEE are presented.
- Guides: documents in which alternative approaches to good practice are suggested but no clear-cut recommendations are made.
- Trial-Use documents: publications that are effective for not more than two years. They can be any of the categories of standards publications listed above.

12 Document Editor(s)
- Create drafts
- Publish on web site
- Respond to comments
- Maintain change history
Volunteers: Brian V., Jerry T., Ron Bergman, Stefaan DeSchrijver

13 Content of Standard
CSPP - Guidance for COTS Security Protection Profiles (
- Introduction – D.W.
- TOE Description – J.T.
- Security Environment (Multiple environments) – P.C.
- Security Assumptions
- Organizational Policies
- Role/Vulnerabilities/Exploitations – S.D.
- Security Objectives – B.V.
- Functional Security Requirements
- Assurance Requirements
- Appendix
- TOE Functional Requirements Details
- TOE Assurance Requirements Details
- IT Environment Functional Requirements
- Other Security Consideration
- Encryption
- Certification (FIPS in the US)
- System Considerations

14 Content of Standard
- Is there one and only one profile, or is there a way to divide or segment the profile?
- A profile could have objectives that are based on the security environment, with increasing objectives for increasing security risk.
- The profiles could then be broken down into categories (network, hard disk, etc.) where the security objectives are conditionally mandatory. (Requires some degree of modularity within the device.)
- Try to get people from NIST/NIAP to attend and present at the Washington DC meeting on the viability of this approach to creating a protection profile.

15 Day 2
April 20,
- :30 Continental Breakfast
- 9:00 Opening, Intros, etc.
- 9:15 Document Development*
- 12:00 Lunch
- 1:00 Resume Document Development
- 2:30 Review future meeting plan
- 3:00 Wrap-up
* Work assignments to be made

16 Issues
- Should the P2600 Standard contain actual PPs against which devices could be tested? - YES
- Do we need to create multiple profiles targeted at market segments with differing security needs (e.g. High (Govt. Security Agencies) vs Medium (e.g. HIPAA, GLB compliance) vs Basic (e.g. general office))? - YES
- What else needs to be in the standard?
  - Threats/Vulnerabilities
  - Techniques to mitigate above
  - Which profiles cover which Threats
- Intended use of the profiles – are they guidance or requirements presented in the form of a PP?
- What system dependencies (e.g. encrypted print jobs) exist.

17 Threat Domains
- Confidentiality
- Integrity
- Availability
Asset: User Documents, MFPs, Configuration files, Supplies, Audit/Utilization data, other equipment on the network
Agents:
- Who: User, Admin, Hacker
- and their skill level: Novice, Expert, Highly skilled (bespoke)

18 Schedule
The PAR included estimates of the end-points of the schedule:
- Sponsor Ballot: June 2005
- Submission to RevCom: Feb 2006
Future Meetings
- June 2-3, Xerox, El Segundo, CA M1 Bldg, on S. Aviation Blvd between Utah and Alaska. No contracted hotel
- August 19-20, with PWG in Montreal
- October 6-7, with PWG, in Lexington KY
- November 18-19, with PWG, San Antonio

