<p>1 Definitions, acronyms, and abbreviations</p>
<p>1.1 Definitions</p>
<p>Terms used in this document are defined as follows:</p>
<p>Table 1 Definitions of General Terminology</p>
<table>
<tr><th>Term</th><th>Definition</th></tr>
<tr><td>Access Control</td><td>security measures that ensure that resources are only granted to those users who are entitled to them.</td></tr>
<tr><td>Actor</td><td>a role that a user plays with respect to a hardcopy device.</td></tr>
<tr><td>Applet</td><td>a program designed to be executed from within another application. Unlike an application, an applet cannot be executed directly from the operating system.</td></tr>
<tr><td>Application</td><td>a major function that an HCD performs, e.g., copying, printing, scanning, and facsimile.</td></tr>
<tr><td>Asset</td><td>an entity that the owner of a hardcopy device places value upon.</td></tr>
<tr><td>Auditor</td><td>a person who reviews and maintains the audit trail recorded by the HCD.</td></tr>
<tr><td>Authorized User</td><td>a person who is permitted to access and use an HCD for a defined purpose.</td></tr>
<tr><td>Availability</td><td>the property that authorized users have access to information, functionality and associated assets when required.</td></tr>
<tr><td>Black List</td><td>a list of specific user credential values (e.g., login IDs, e-mail addresses, phone numbers, URLs) that are explicitly prohibited from accessing all or specified functions of a hardcopy device.</td></tr>
<tr><td>Bluetooth</td><td>a short-range radio technology used to provide personal area networking capabilities.</td></tr>
<tr><td>Confidentiality</td><td>the property that information is accessible only to those authorized to have access.</td></tr>
<tr><td>Copy Control Device</td><td>an external entity, hardware or software, that enables and tracks copying.</td></tr>
<tr><td>Copy Control Interface</td><td>an interface for connecting a copy control device to a hardcopy device.</td></tr>
<tr><td>Credential</td><td>an object that is verified when presented to the verifier in an authentication transaction. Credentials may be bound in some way to the individual to whom they were issued, or they may be bearer credentials. The former are necessary for identification, while the latter may be acceptable for some forms of authorization.</td></tr>
<tr><td>Custom Environment</td><td>an environment that does not fit into any of the High Value Asset, Enterprise, SOHO or Public environment categories.</td></tr>
<tr><td>Customer Engineer</td><td>a person authorized to maintain an HCD at a customer site.</td></tr>
<tr><td>Demilitarized Zone (DMZ)</td><td>a computer or small subnetwork that sits between a trusted internal network, such as a corporate private Local Area Network, and an untrusted external network, such as the public Internet.</td></tr>
<tr><td>Denial of Service (DoS)</td><td>the prevention of authorized access to a system resource or the delaying of system operations and functions.</td></tr>
<tr><td>Device Administrator</td><td>a person who controls administrative operations of the HCD other than its network configuration (e.g., management of users, resources of the HCD, and audit data).</td></tr>
<tr><td>Device Interface</td><td>an electrical interface for connecting a device that controls access to local operation of the HCD. Depending on the device and its purpose, access may be granted as a result of identifying the user or as a result of a payment.</td></tr>
<tr><td>Dictionary Attack</td><td>an attack that tries all of the phrases or words in a dictionary in an attempt to crack a password or key. A dictionary attack uses a predefined list of words, as opposed to a brute force attack, which tries all possible combinations.</td></tr>
<tr><td>Document</td><td>data processed by the hardcopy device, including but not limited to: original paper to be copied, electronic files to be printed, image data sent by scanning or with facsimile, and printed paper output.</td></tr>
<tr><td>External Device Interface</td><td>an electrical interface for connecting an external device that controls access to local operation of an HCD.</td></tr>
<tr><td>Firewall</td><td>a gateway that limits access between networks in accordance with local security policy.</td></tr>
<tr><td>Firmware</td><td>software that is embedded in a hardware device and controls it, and that cannot be modified by the user: the device allows the software to be read and executed, but does not allow an end user to modify it, e.g., by writing or deleting code.</td></tr>
<tr><td>Enterprise Environment</td><td>a commercial operational context typically consisting of centrally-managed networks of IT products protected from direct Internet access by firewalls. Enterprise environments generally include medium to large businesses, certain governmental agencies, and organizations requiring managed telecommuting systems and remote offices.</td></tr>
<tr><td>Hardcopy Device (HCD)</td><td>a system producing or utilizing a physical embodiment of an electronic document or image. These systems include laser, ink jet and thermal transfer printers, scanners, fax machines, digital copiers, MFPs (multifunction peripherals), MFDs (multifunction devices), “all-in-ones” and other similar products.</td></tr>
<tr><td>High Value Asset (HVA) Environment</td><td>a highly restrictive and secure commercial operational context usually reserved for systems that have assets deserving special protection and the associated threats and impacts. In this context, High Value Asset Environments do not include life-critical, national security or other similar applications.</td></tr>
<tr><td>HomePNA</td><td>a home networking specification developed by the Home Phoneline Networking Alliance. This technology, built on Ethernet, allows all the components of a home network to interact over the home's existing telephone wiring without disturbing the existing voice or fax services.</td></tr>
<tr><td>Information Technology (IT)</td><td>the hardware, firmware and software used as part of a system to collect, create, communicate, compute, disseminate, process, store or control data or information.</td></tr>
<tr><td>Integrity</td><td>a condition in which data has not been changed or destroyed in an unauthorized way.</td></tr>
<tr><td>Internal User</td><td>a person who accesses the HCD physically or using any interface that is not publicly accessible (including virtual private network connections). Internal Users include the Device Administrator, Network Administrator, Normal User, and Customer Engineer.</td></tr>
<tr><td>Legacy</td><td>a system, hardcopy device or application (often obsolete) in which a company or organization has already invested considerable experience, time and money.</td></tr>
<tr><td>Legacy Environment</td><td>a custom environment in which legacy systems are combined with newer systems and secured, to the extent possible, to meet current threats.</td></tr>
<tr><td>Local Interface</td><td>an electrical, optical, or electromagnetic interface intended for use in close physical proximity (typically no more than 10 meters) to the HCD. Examples include USB, FireWire (IEEE Std 1394-1995), IrDA, parallel port (IEEE Std 1284-2000), serial port, memory card, diskette, and Bluetooth (IEEE Std 802.15.1-2005).</td></tr>
<tr><td>Maintenance Port</td><td>an electrical interface used for machine maintenance, service troubleshooting, and/or firmware updates.</td></tr>
<tr><td>Management Data</td><td>data that controls the configuration of and access to the device, including: user and administrator authentication data (e.g., passwords); device management data such as audit data, log data, and paper configuration; and network management data such as IP addresses.</td></tr>
<tr><td>Man-in-the-Middle Attack</td><td>an active attack whereby a third party attempts to surreptitiously intercept, read or alter information moving between two computing devices or users.</td></tr>
<tr><td>Media</td><td>objects on which data can be stored. These include hard disks, floppy disks, CD-ROMs, and tapes. TBD</td></tr>
<tr><td>Media</td><td>in computer networks, the cables linking workstations together. There are many different types of transmission media, the most popular being twisted-pair wire (normal electrical wire), coaxial cable (the type of cable used for cable television), and fiber optic cable (cables made out of glass).</td></tr>
<tr><td>Multifunction Device</td><td>a Hardcopy Device that fulfills multiple purposes by using multiple functions in different combinations to replace several single-function devices.</td></tr>
<tr><td>Network Administrator</td><td>a person who manages the network configuration of the HCD.</td></tr>
<tr><td>Network Interface</td><td>an interface used to connect the HCD to a network. Examples include IEEE Std 802.3, 802.5, and 802.11 interfaces.</td></tr>
<tr><td>Normal User</td><td>a person who accesses an HCD for normal use (e.g., copy, print, fax and scan) using the operator panel or network or local interfaces.</td></tr>
<tr><td>Operator Panel</td><td>a local human interface used to operate the HCD. It typically consists of a keypad, keyboard, or other controls, and a display device.</td></tr>
<tr><td>Page Description Language (PDL)</td><td>a data format for describing a page of information, including commands for positioning text, lines, images and graphics on a page.</td></tr>
<tr><td>Password Cracking</td><td>the process of attempting to ascertain secret passwords, often through algorithmic, dictionary or automated procedures.</td></tr>
<tr><td>Public Environment</td><td>an operational context where parts of the IT systems are accessible to public users. Examples of public environments include public libraries, hotel business centers, retail copy centers and Internet cafes.</td></tr>
<tr><td>(Hardcopy Device) Resources</td><td>components that comprise the HCD (e.g., electronic, electrical, and mechanical items); resident digital components (e.g., fonts); and consumable supplies for the TOE (e.g., paper, toner).</td></tr>
<tr><td>Risk Assessment</td><td>assessment of threats to, impacts on and vulnerabilities of information and information processing facilities and equipment, including consideration of the likelihood of occurrence.</td></tr>
<tr><td>Small Office/Home Office (SOHO) Environment</td><td>an operational context consisting of small, unmanaged computer installations. SOHO environments encompass a wide variety of operational settings, from a home computer used for occasional work purposes to a geographically separate small branch office of a larger business that is not managed remotely.</td></tr>
<tr><td>Sniffing</td><td>network wiretapping: passively monitoring and recording data that is flowing between two or more points in a communication system.</td></tr>
<tr><td>Social Engineering</td><td>non-technical or low-technology means, such as lies, impersonation, tricks, bribes, blackmail, and threats, used to attack information systems.</td></tr>
<tr><td>Spam</td><td>unsolicited and unwanted electronic mail, instant messages or other electronic communications.</td></tr>
<tr><td>Stored Data</td><td>fonts, forms and document data.</td></tr>
<tr><td>Telephone Line</td><td>an electrical interface used to connect the HCD to the public switched telephone network for transmitting and receiving facsimiles.</td></tr>
<tr><td>Temporary Data</td><td>the image data that is temporarily buffered in memory before the HCD performs application operations.</td></tr>
<tr><td>Threat</td><td>potential for violation of security, which exists when there is a circumstance, capability, action, or event that could enable a breach of security and cause harm.</td></tr>
<tr><td>Unauthorized User</td><td>a person who is not permitted to access or use an HCD for a defined purpose.</td></tr>
<tr><td>User</td><td>an entity outside the hardcopy device that interacts with it.</td></tr>
<tr><td>User Document Data</td><td>the asset that consists of the information contained in a user’s document. This includes the original document itself in either hardcopy or electronic form, image data or residually-stored data created by the hardcopy device while processing an original document, and printed hardcopy output.</td></tr>
<tr><td>User Function Data</td><td>the asset that consists of the information about users that the HCD applications use, excluding authentication data (e.g., passwords), but including user identifiers for access control, destination lists for scanning and address books for facsimile delivery.</td></tr>
<tr><td>White List</td><td>a list of specific user credential values (e.g., login IDs, e-mail addresses, phone numbers, URLs) that are explicitly allowed access to all or specified functions of a hardcopy device.</td></tr>
<tr><td>Wireless Fidelity (Wi-Fi®)</td><td>a term used generically when referring to any type of IEEE 802.11 network, whether 802.11g, 802.11b, or 802.11a.</td></tr>
</table>
<p>Table 2 provides definitions of key terms from the Common Criteria [RefTBD] that are used in this document.</p>
<p>Table 2 Definitions of Common Criteria Terminology</p>
<table>
<tr><th>Term</th><th>Definition</th></tr>
<tr><td>Evaluation Assurance Level (EAL)</td><td>an assurance package, consisting of assurance requirements drawn from CC Part 3, representing a point on the CC predefined assurance scale.</td></tr>
<tr><td>Protection Profile (PP)</td><td>an implementation-independent statement of security needs for a product type.</td></tr>
<tr><td>Security Assurance Requirement (SAR)</td><td>an assurance element that provides an exact description of how the TOE is to be evaluated.</td></tr>
<tr><td>Security Function Policy (SFP)</td><td>a set of security rules, procedures, practices, or guidelines imposed on a security function.</td></tr>
<tr><td>Security Functional Requirement (SFR)</td><td>a requirement that defines the desired security behavior of a TOE and is intended to meet the security objectives of the TOE as stated in a Protection Profile or Security Target.</td></tr>
<tr><td>Security Objective</td><td>a statement of intent to counter identified threats and/or satisfy identified organizational security policies and/or assumptions.</td></tr>
<tr><td>Security Target (ST)</td><td>an implementation-dependent statement of security needs for a specific identified TOE.</td></tr>
<tr><td>Target of Evaluation (TOE)</td><td>a product that has been installed and is being operated according to its guidance.</td></tr>
<tr><td>TOE Security Function (TSF)</td><td>a set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TSP.</td></tr>
<tr><td>TOE Security Function Interface (TSFI)</td><td>a means by which users supply data to and/or receive data from the TSF.</td></tr>
<tr><td>TOE Security Policy (TSP)</td><td>a description of the security properties of a TOE in the form of a set of SFRs in a Protection Profile or Security Target.</td></tr>
<tr><td>TSF Scope of Control (TSC)</td><td>the set of interactions that can occur with or within a TOE and are subject to the rules of the TSP.</td></tr>
</table>
<p>1.2 Acronyms and abbreviations</p>
<p>Abbreviations and acronyms used in this document are defined as follows:</p>
<p>Table 3 Definitions of Abbreviations and Acronyms</p>
<table>
<tr><th>Abbrev.</th><th>Definition</th></tr>
<tr><td>ACL</td><td>Access Control List</td></tr>
<tr><td>ANSI</td><td>American National Standards Institute</td></tr>
<tr><td>ASIS</td><td>American Society for Industrial Security</td></tr>
<tr><td>ATM</td><td>Automated Teller Machine</td></tr>
<tr><td>CBEFF</td><td>Common Biometric Exchange File Format</td></tr>
<tr><td>CC</td><td>Common Criteria</td></tr>
<tr><td>CEN</td><td>European Committee for Standardization</td></tr>
<tr><td>CENELEC</td><td>European Committee for Electrotechnical Standardization</td></tr>
<tr><td>CF</td><td>Compact Flash</td></tr>
<tr><td>CIFS</td><td>Common Internet File System</td></tr>
<tr><td>CM</td><td>Configuration Management</td></tr>
<tr><td>COTS</td><td>Commercial Off-The-Shelf</td></tr>
<tr><td>CPU</td><td>Central Processing Unit</td></tr>
<tr><td>CRC</td><td>Cyclic Redundancy Check</td></tr>
<tr><td>C-SET</td><td>Card Secured Electronic Transactions</td></tr>
<tr><td>CSMA/CD</td><td>Carrier Sense Multiple Access / Collision Detection</td></tr>
<tr><td>CSN</td><td>Card Serial Number (for Compact Flash)</td></tr>
<tr><td>DHS</td><td>Department of Homeland Security</td></tr>
<tr><td>DMZ</td><td>Demilitarized Zone</td></tr>
<tr><td>DOE</td><td>Department of Energy</td></tr>
<tr><td>DoS</td><td>Denial of Service</td></tr>
<tr><td>DRAM</td><td>Dynamic Random Access Memory</td></tr>
<tr><td>EAL</td><td>Evaluation Assurance Level</td></tr>
<tr><td>ECM</td><td>Error Correction Mode</td></tr>
<tr><td>EEPROM</td><td>Electrically Erasable Programmable Read-Only Memory</td></tr>
<tr><td>EM</td><td>Electromagnetic</td></tr>
<tr><td>EMI</td><td>Electromagnetic Interference</td></tr>
<tr><td>EN</td><td>ISO language code for English, all dialects</td></tr>
<tr><td>EPROM</td><td>Erasable Programmable Read-Only Memory</td></tr>
<tr><td>ETSI</td><td>European Telecommunications Standards Institute</td></tr>
<tr><td>EU</td><td>European Union</td></tr>
<tr><td>FAX</td><td>Facsimile</td></tr>
<tr><td>FIPS</td><td>Federal Information Processing Standards</td></tr>
<tr><td>FISMA</td><td>Federal Information Security Management Act of 2002</td></tr>
<tr><td>FX</td><td>Foreign Exchange</td></tr>
<tr><td>GSM</td><td>Global System for Mobile Communications</td></tr>
<tr><td>HCD</td><td>Hardcopy Device</td></tr>
<tr><td>HDD</td><td>Hard Disk Drive</td></tr>
<tr><td>HIPAA</td><td>Health Insurance Portability and Accountability Act</td></tr>
<tr><td>HPNA</td><td>Home Phoneline Networking Alliance</td></tr>
<tr><td>HVA</td><td>High Value Asset</td></tr>
<tr><td>IBIA</td><td>International Biometric Industry Association</td></tr>
<tr><td>ICC</td><td>Integrated Circuit Card</td></tr>
<tr><td>ID</td><td>Identification</td></tr>
<tr><td>IEC</td><td>International Electrotechnical Commission</td></tr>
<tr><td>IFD</td><td>Interface Device</td></tr>
<tr><td>INCITS</td><td>InterNational Committee for Information Technology Standards (US TAG to JTC1)</td></tr>
<tr><td>IP</td><td>Internet Protocol</td></tr>
<tr><td>IPP</td><td>Internet Printing Protocol</td></tr>
<tr><td>ISO</td><td>International Organization for Standardization</td></tr>
<tr><td>IT</td><td>Information Technology</td></tr>
<tr><td>ITL</td><td>Information Technology Laboratory</td></tr>
<tr><td>KBPS</td><td>Kilobytes Per Second</td></tr>
<tr><td>LAN</td><td>Local Area Network</td></tr>
<tr><td>LCD</td><td>Liquid Crystal Display</td></tr>
<tr><td>MAC</td><td>Media Access Control</td></tr>
<tr><td>MFD</td><td>Multifunctional Device</td></tr>
<tr><td>MFP</td><td>Multifunctional Product / Peripheral / Printer</td></tr>
<tr><td>MIC</td><td>Message Integrity Code</td></tr>
<tr><td>MICR</td><td>Magnetic Ink Character Recognition</td></tr>
<tr><td>NIST</td><td>National Institute of Standards and Technology</td></tr>
<tr><td>NRC</td><td>Nuclear Regulatory Commission</td></tr>
<tr><td>OCR</td><td>Optical Character Recognition</td></tr>
<tr><td>OCTAVE</td><td>Operationally Critical Threat, Asset, and Vulnerability Evaluation</td></tr>
<tr><td>OTS</td><td>Off-The-Shelf</td></tr>
<tr><td>PC</td><td>Personal Computer</td></tr>
<tr><td>PDL</td><td>Page Description Language</td></tr>
<tr><td>PHIPA</td><td>Personal Health Information Protection Act</td></tr>
<tr><td>PIN</td><td>Personal Identification Number</td></tr>
<tr><td>PP</td><td>Protection Profile</td></tr>
<tr><td>PSTN</td><td>Public Switched Telephone Network</td></tr>
<tr><td>RAM</td><td>Random Access Memory</td></tr>
<tr><td>ROM</td><td>Read-Only Memory</td></tr>
<tr><td>SANS</td><td>SysAdmin, Audit, Network, Security</td></tr>
<tr><td>SCADA</td><td>Supervisory Control and Data Acquisition</td></tr>
<tr><td>SCSI</td><td>Small Computer System Interface</td></tr>
<tr><td>SEIS</td><td>Secure Electronic Information in Society</td></tr>
<tr><td>SET</td><td>Secure Electronic Transactions</td></tr>
<tr><td>SF</td><td>Security Function</td></tr>
<tr><td>SFP</td><td>Security Function Policy</td></tr>
<tr><td>SIM</td><td>Subscriber Identity Module</td></tr>
<tr><td>SOF</td><td>Strength of Function</td></tr>
<tr><td>SOHO</td><td>Small Office / Home Office</td></tr>
<tr><td>SRAM</td><td>Static Random Access Memory</td></tr>
<tr><td>ST</td><td>Security Target</td></tr>
<tr><td>STANAG</td><td>Standardization Agreement</td></tr>
<tr><td>TE</td><td>Terminal Equipment</td></tr>
<tr><td>TEMPEST</td><td>Transient Electromagnetic Pulse Emanation Standard</td></tr>
<tr><td>TOE</td><td>Target of Evaluation</td></tr>
<tr><td>TSC</td><td>TSF Scope of Control</td></tr>
<tr><td>TSF</td><td>TOE Security Function</td></tr>
<tr><td>TSFI</td><td>TOE Security Function Interface</td></tr>
<tr><td>TSP</td><td>TOE Security Policy</td></tr>
<tr><td>TWIC</td><td>Transportation Worker Identification Credential</td></tr>
<tr><td>USB</td><td>Universal Serial Bus</td></tr>
<tr><td>USENIX</td><td>Advanced Computing Systems Association</td></tr>
<tr><td>VLAN</td><td>Virtual Local Area Network</td></tr>
<tr><td>WEP</td><td>Wired Equivalent Privacy</td></tr>
<tr><td>Wi-Fi®</td><td>Wireless Fidelity</td></tr>
<tr><td>WPA</td><td>Wi-Fi® Protected Access</td></tr>
</table>
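<p>The Dictionary Attack entry in Table 1 contrasts two guessing strategies: walking a predefined word list versus enumerating every combination. The following Python is an added illustration written for this page (it is not part of the standard's text) that implements both against a toy password store and reports how many guesses each needs. The hash function, the word list, the alphabet and the target passwords are all constructed for the demonstration and are not drawn from any real device or leak.</p>

```python
import hashlib
import itertools


def hash_password(password: str) -> str:
    """Toy password store: an UNSALTED SHA-256 digest.

    Used here only so guess counts are easy to follow; a real HCD or server
    should store passwords with a per-user salt and a deliberately slow KDF.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample word list for the demonstration (not a real leak).
WORDLIST = ["password", "letmein", "printer", "admin123", "qwerty", "123456"]


def dictionary_attack(target_hash: str, wordlist):
    """Try each word-list entry in order.

    Returns (recovered password or None, number of guesses made).
    """
    for guesses, word in enumerate(wordlist, start=1):
        if hash_password(word) == target_hash:
            return word, guesses
    return None, len(wordlist)


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Enumerate every string over `alphabet` from length 1 up to `max_len`.

    Returns (recovered password or None, number of guesses made).
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hash_password(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def search_space(alphabet_size: int, max_len: int) -> int:
    """Worst-case number of candidates a brute-force search must cover."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


if __name__ == "__main__":
    # A password that appears in the list falls to the dictionary attack quickly.
    target = hash_password("admin123")
    print("dictionary:", dictionary_attack(target, WORDLIST))   # ('admin123', 4)

    # A short password over a tiny alphabet falls to brute force; the guess
    # count shows the enumeration order (lengths 1, 2, then 3).
    target = hash_password("ab1")
    print("brute force:", brute_force(target, "ab1", 3))          # ('ab1', 18)

    # Why brute force does not scale: 36 symbols, up to 8 characters.
    print("36^1..36^8 candidates:", search_space(36, 8))
```

<p>The point the definition makes is visible in the two counts: the dictionary attack costs at most the length of the list regardless of password length, while brute force grows as the sum of alphabet_size to the power of each length, which is why per-interface lockout or throttling on operator panel and network logins matters even when the credential is long.</p>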