1 Definitions, Acronyms, and Abbreviations
Total Page:16
File Type:pdf, Size:1020Kb
1
11 Definitions, acronyms, and abbreviations
21.1 Definitions
3Terms used in this document are defined as follows: 4Table 1 Definitions of General Terminology
Term Definition
Access Control security measures that ensure that resources are only granted to those users who are entitled to them.
Actor a role that a user plays with respect to a hardcopy device.
Applet a program designed to be executed from within another application. Unlike an application, applets cannot be executed directly from the operating system.
Application a major function that an HCD performs, e.g., copying, printing, scanning, and facsimile Asset an entity that the owner of a hardcopy device places value upon.
Auditor a person who reviews and maintains the audit trail recorded by the HCD
Authorized User a person who is permitted to access and use an HCD for a defined purpose.
Availability authorized users have access to information, functionality and associated assets when required.
Black List list of specific user credential values (e.g., login ID, E-mail addresses, phone numbers, URLs) that are explicitly prohibited from accessing all or specified functions of a hardcopy device
Bluetooth a short-range radio technology used to provide personal area networking capabilities.
Confidentiality information accessible only to those authorized to have access.
Copy Control Device an external entity, hardware or software, that enables and tracks copying.
Copy Control interface for connecting a copy control device to a hardcopy device Interface
Credential an object that is verified when presented to the verifier in an authentication transaction. Credentials may be bound in some way to the individual to whom they were issued, or they may be bearer credentials. The former are necessary for identification, while the latter may be acceptable for some forms of authorization.
Custom Environment an environment that does not fit into either the High Value Asset, Enterprise, SOHO or Public environment category.
2 Term Definition
Customer Engineer a person authorized to maintain an HCD at a customer site
Demilitarized Zone aA computer or small subnetwork that sits between a trusted internal network, (DMZ) such as a corporate private Local Area Network, and an untrusted external network, such as the public Internet.
Denial of Service the prevention of authorized access to a system resource or the delaying of system (DoS) operations and functions.
Device Administrator a person who controls administrative operations of the HCD other than its network configuration (e.g., management of users, resources of the HCD, and audit data) Device Interface an electrical interface for connecting an device to control access to local operation of the HCD. Depending on the device and its purpose, access may be granted as a result of identifying the user or as a result of a payment Dictionary Attack an attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words compared to a brute force attack that tries all possible combinations.
Document data processed by the hardcopy device, including but not limited to: original paper to be copied, electronic files to be printed, image data sent by scanning or with facsimile and printed paper output.
External Device an electrical interface for connecting an external device to control access to local Interface operation of an HCD
Firewall a gateway that limits access between networks in accordance with local security policy.
Firmware software that cannot be modified by the user and controls and is embedded in a hardware device that allows reading and executing the software, but does not allow modification, e.g., writing or deleting code by an end user. Enterprise a commercial operational context typically consisting of centrally-managed Environment networks of IT products protected from direct Internet access by firewalls. Enterprise environments generally include medium to large businesses, certain governmental agencies, and organizations requiring managed telecommuting systems and remote offices.
Hardcopy Device a system producing or utilizing a physical embodiment of an electronic document (HCD) or image. These systems include laser, ink jet and thermal transfer printers, scanners, fax machines, digital copiers, MFPs (multifunction peripherals), MFDs (multifunction devices), “all-in-ones” and other similar products.
High Value Asset a highly restrictive and secure commercial operational context usually reserved (HVA) Environment for systems that have assets deserving special protection and the associated threats and impacts. In this context High Value Asset Environments do not include either life-critical, national security or other similar applications.
HomePNA. a home networking specification developed by the Home Phoneline Networking Alliance. This technology, built on Ethernet, allows all the components of a home network to interact over the home's existing telephone wiring without disturbing the existing voice or fax services.
32 Term Definition
Information the hardware, firmware and software used as part of a system to collect, create, Technology (IT) communicate, compute, disseminate, process, store or control data or information.
Integrity a condition in which data has not been changed or destroyed in an unauthorized way.
Internal User a person who accesses the HCD physically or using any interface that is not publicly accessible (including virtual private network connections). Internal User includes the Device Administrator, Network Administrator, Normal User, and Customer Engineers Legacy a system, hardcopy device or application (often obsolete) in which a company or organization has already invested considerable experience, time and money.
Legacy Environment a custom environment in which legacy systems are combined with newer systems and secured, to the extent possible, to meet current threats.
Local Interface an electrical, optical, or electromagnetic interface intended for use with close physical proximity (typically no more than 10 meters) to the HCD. Examples include USB, FireWire (IEEE Std. 1394-1995), IrDA, parallel port (IEEE Std- 1284-2000), serial port, memory card, diskette, and Bluetooth (IEEE Std.802.15.1-2005) Maintenance Port an electrical interface used for machine maintenance, service troubleshooting, and/or firmware updates Management Data data that controls the configuration of and access to the device, including: user and administrator authentication data (e.g. passwords); device management data such as audit data, log data, and paper configuration; and network management data such as IP addresses.
Man-in-the-Middle an active attack whereby a third party attempts to surreptitiously intercept, read or Attack alter information moving between two computing devices or users.
Media objects on which data can be stored. These include hard disks, floppy disks, CD- ROMs, and tapes.TBD
Media in computer networks, the cables linking workstations together. There are many different types of transmission media, the most popular being twisted-pair wire (normal electrical wire), coaxial cable (the type of cable used for cable television), and fiber optic cable (cables made out of glass).
Multifunction Device a Hardcopy Device that fulfills multiple purposes by using multiple functions in different combinations to replace several, single function devices.
Network a person who manages the network configuration of the HCD Administrator
Network Interface an interface used to connect the HCD to a network. Examples include IEEE Stds 802.3, 802.5, and 802.11 interfaces Normal User a person who accesses an HCD for normal use (e.g. copy, print, FAX fax and scan) using the operator panel or network or local interfaces Operator Panel a local human interface used to operate the HCD. It typically consists of a keypad, keyboard, or other controls, and a display device Page Description data format for describing a page of information, including commands for
4 3 Term Definition
Language (PDL) positioning text, lines, images and graphics on a page.
Password Cracking the process of attempting to ascertain secret passwords, often through algorithmic, dictionary or automated procedures.
Public Environment an operational context where parts of the IT systems are accessible to public users. Examples of public environments include public libraries, hotel business centers, retail copy centers and Internet cafes.
(Hardcopy Device) components that comprise the HCD (e.g., electronic, electrical, and mechanical Resources items); resident digital components (e.g., fonts); and consumable supplies for the TOE (e.g., paper, toner).
Risk Assessment assessment of threats to, impacts on and vulnerabilities of information and information processing facilities and equipment including consideration of the likelihood of occurrence.
Small Office/Home an operational context consisting of small, unmanaged computer installations. Office (SOHO) SOHO environments encompass a wide variety of operational settings, from a Environment home computer used for occasional work purposes to a geographically separate small branch office of a larger business not managed remotely.
Sniffing network wiretapping: passively monitoring and recording data that is flowing between two or more points in a communication system
Social Engineering non-technical or low-technology means - such as lies, impersonation, tricks, bribes, blackmail, and threats - used to attack information systems.
Spam unsolicited and unwanted electronic mail, instant messages or other electronic communications.
Stored Data fonts, forms and document data
Telephone Line an electrical interface used to connect the HCD to the public switch telephone network for transmitting and receiving facsimiles Temporary Data the image data that is temporarily buffered in memory before the HCD performs application operations Threat potential for violation of security, which exists when there is a circumstance, capability, action, or event that could enable a breach of security and cause harm.
Unauthorized User a person who is not permitted to access or use an HCD for a defined purpose.
User an entity outside the hardcopy device that interacts with it.
User Document Data the asset that consists of the information contained in a user’s document. This includes the original document itself in either hardcopy or electronic form, image data or residually-stored data created by the hardcopy device while processing an original document and printed hardcopy output.
User Function Data the asset that consists of the information about users that the HCD applications use, excluding authentication data (e.g. passwords), but including user identifiers for access control, destination lists for scanning and address books for facsimile delivery.
White List list of specific user credential values (e.g., login ID, E-mail addresses, phone
54 Term Definition
numbers, URLs) that are explicitly allowed access to all or specified functions of a hardcopy device
Wireless Fidelity aA term used generically when referring of any type of IEEE 802.11 network, (Wi-Fi®) whether 802.11g, 802.11b, or 802.11a,
6 5 5Table 2 provides definitions of key terms from the Common Criteria [RefTBD] that are used in this 6document. 7Table 2 Definitions of Common Criteria Terminology
Term Definition Evaluation an assurance package, consisting of assurance requirements drawn from CC Part Assurance Level 3, representing a point on the CC predefined assurance scale Protection Profile an implementation-independent statement of security needs for a Product type. (PP) Security Assurance an assurance element that provides an exact description of how the TOE is to be Requirement (SAR) evaluated Security Function a set of security rules, procedures, practices, or guidelines imposed on a security Policy function Security Functional rRequirements that define the desired security behavior of a TOE and are Requirement intended to meet the security objectives of the TOE as stated in a Protection Profile or Security Target. Security Objective a statement of intent to counter identified threats and/or satisfy identified organization security policies and/or assumptions. Security Target (ST) an implementation-dependent statement of security needs for a specific identified TOE Target of Evaluation a product that has been installed and is being operated according to its guidance. (TOE) TOE Security a set consisting of all hardware, software, and firmware of the TOE that must be Function (TSF) relied upon for the correct enforcement of the TSP TOE Security a means by which users supply data to and/or receive data from the TSF. Function Interface TOE Security Policy a description of the security properties of a TOE in the form of a set of SFRs in a (TSP) Protection Profile or Security Target. TSF Scope of Control the set of interactions that can occur with or within a TOE and are subject to the rules of the TSP.
76 81.2 Acronyms and abbreviations
9Abbreviations and acronyms used in this document are defined as follows: 10Table 3 Definitions of Abbreviations and Acronyms
Abbrev. Definition
ACL Access Control List
ANSI American National Standards Institute
ASIS American Society for Industrial Security
ATM Automated Teller Machine
CBEFF Common Biometric Exchange File Format
CC Common Criteria
CEN European Committee for Standardization
CENELEC European Committee for Electrotechnical Standardization
CF Compact Flash
CIFS Common Internet File System
CM Configuration Management
COTS Commercial, Off the Shelf
CPU Central Processing Unit
CRC Cyclic Redundancy Check
C-SET Card Secured Electronic Transactions
CSMA/CD Carrier Sense Multiple Access / Collision Detection
CSN Card Serial Number (for Compact Flash)
DHS Department of Homeland Security
DMZ Demilitarized Zone
DOE Department of Energy
DoS Denial of Service
DRAM Dynamic Random Access Memory
EAL Evaluation Assurance Level
ECM Error Correction Mode
EEPROM Electrically Erasable Programmable Read-Only Memory
8 7 Abbrev. Definition
EM Electromagnetic
EMI Electromagnetic Interference
EN ISO language code for English, all dialects
EPROM Erasable Programmable Read-Only Memory
ETSI European Telecommunications Standards Institute
EU European Union
FAX Facsimile
FIPS Federal Information Processing Standards
FISMA Federal Information Security Management Act of 2002
FX Foreign Exchange
GSM Global System for Mobile Communications
HCD Hardcopy Device
HDD Hard Disk Drive
HIPAA Health Insurance Portability and Accountability Act
HPNA Home Phoneline Networking Alliance
HVA High Value Asset
IBIA International Biometric Industry Association
ICC Integrated Circuit Card
ID Identification
IEC International Electrotechnical Committee
IFD Interface Device
INCITS InterNational Committee for Information Technology Standards (US TAG to JTC1)
IP Internet Protocol
IPP Internet Printing Protocol
ISO International Organization for Standardization
IT Information Technology
ITL Information Technology Laboratory
KBPS Kilobytes Per Second
98 Abbrev. Definition
LAN Local Area Network
LCD Liquid Crystal Display
MAC Media Access Control
MFD Multifunctional Device
MFP Multifunctional Product / Peripheral / Printer
MIC Message Integrity Code
MICR Magnetic Ink Character Recognition
NIST National Institute of Standards and Technology
NRC Nuclear Regulatory Commission
OCR Optical Character Recognition
OCTAVE Operationally Critical Threat, Asset, and Vulnerability Evaluation
OTS Off-The-Shelf
PC Personal Computer
PDL Page Description Language
PHIPA Personal Health Information Protection Act
PIN Personal Identification Number
PP Protection Profile
PSTN Public Switched Telephone Network
RAM Random Access Memory
ROM Read-Only Memory
SANS SysAdmin, Audit, Network, Security
SCADA Supervisory Control and Data Acquisition
SCSI Small Computer System Interface
SEIS Secure Electronic Information in Society
SET Secure Electronic Transactions
SF Security Function
SFP Security Function Policy
SIM Subscriber Identity Module
SOF Strength of Function
10 9 Abbrev. Definition
SOHO Small Office / Home Office
SRAM Static Read-Only Memory
ST Security Target
STANAG Standardization Agreement
TE Terminal Equipment
TEMPEST Transient Electromagnetic Pulse Emanation Standard
TOE Target of Evaluation
TSC TSF Scope of Control
TSF TOE Security Function
TSFI TOE Security Function Interface
TSP TOE Security Policy
TWIC Transportation Worker Identification Credential
USB Universal Serial Bus
USENIX Advanced Computing Systems Association
VLAN Virtual Local Area Network
WEP Wired Equivalent Privacy
Wi-Fi® Wireless Fidelity
WPA Wi-Fi® Protected Access
11
1110