IEEE 2600™, "STANDARD FOR INFORMATION TECHNOLOGY: HARDCOPY SYSTEM AND DEVICE SECURITY
Computer security has become a top priority for corporations and government agencies around the world. But networked printers and other hardcopy peripherals (such as copiers and multifunction devices) remain vulnerable to attack, thereby compromising even the most comprehensive security protocols.
To address this situation, the IEEE Standards Association (IEEE-SA) recently approved IEEE 2600™, "Standard for Information Technology: Hardcopy System and Device Security." This standard defines security requirements (all aspects of security including but not limited to authentication, authorization, privacy, integrity, device management, physical security and information security) for manufacturers, users and others on the selection, installation, configuration and usage of hardcopy devices and systems; including printers, copiers, and multifunction devices. Issues addressed by the standard encompass authentication, authorization and the privacy of data sent to and from devices and residing on them, as well as such areas as data integrity and device management.
IEEE 2600 identifies security exposures for these hardcopy devices and systems and instructs manufacturers and software developers on appropriate security capabilities to include in their devices and systems and instructs users on appropriate ways to use these security capabilities.
Prior to IEEE 2600, there were no standards to guide manufacturers or users of hardcopy devices in the secure installation, configuration, or usage of these devices and systems.
IEEE 2600 is was developed by the Hardcopy Device and System Security Working Group, and sponsored by the IEEE Information Assurance Standards Committee of the IEEE Computer Society.
Legal Aspects of Information Security
This standard is necessitated by several laws governing information security, including the Health Insurance Portability and Accountability Act, which requires healthcare organizations to protect the privacy and security of confidential health information, as well as the Safeguards Rule in the Gramm-Leach-Bliley Act, which calls on financial institutions to have comprehensive security programs that keep customer information secure and confidential. In addition, compliance with certain parts of the Sarbanes-Oxley Act of 2002 could be adversely affected by a failure to provide adequate hardcopy security.
Protection Profiles
In addition to the main standard, four additional standards are being developed to create protection profiles concerning the security requirements of different types of devices. A protection profile is a document used as part of the certification process according to the Common Criteria for Information Technology Security Evaluation, an international standard (ISO/IEC 15408) for computer security. A protection profile is a combination of threats, security objectives, assumptions, security functional requirements, security assurance requirements, assumptions, and rationales.
The four protection profiles being developed to work with IEEE 2600 include:
IEEE P2600.1™, “Standard for a Protection Profile in Operational Environment A”, concerns hardcopy devices in restrictive commercial information processing environments that need a relatively high level of document security, operational accountability and information assurance. Critical information in such environments includes trade secrets and that subject to legal and regulatory considerations.
IEEE P2600.2™, “Standard for a Protection Profile in Operational Environment B”, concerns hardcopy devices in commercial environments that need moderate document and network security and security assurance for day-to-day proprietary and non-proprietary information concerning enterprise operation.
IEEE P2600.3™, “Standard for a Protection Profile in Operational Environment C”, concerns hardcopy devices in a public-facing environment in which document security is not guaranteed, but access control and usage accounting are important. Such environments include retail copy centers, public libraries and Internet cafés.
IEEE P2600.4™, “Standard for a Protection Profile in Operational Environment D”, concerns hardcopy devices in a small, private information processing environments where most security elements rely on the physical environment, but basic network security is needed to protect a device and its network from misuse from outside of the environment. Such environments include small offices and home offices.
Next Steps
IEEE 2600, "Standard for Information Technology: Hardcopy System and Device Security," was approved by the IEEE Standards Board on 27 March 2008. The four protection profiles will soon be submitted to an independent laboratory for testing and certification. The IEEE Standards Association has selected an independent laboratory, ATSEC Information Security Corporation, to test and certify the four protection profile standards.
IEEE 2600 Sponsors: Canon Inc., headquartered in Tokyo, Japan, is a leader in the fields of professional and consumer imaging equipment and information systems. Canon’s extensive range of products includes copying machines, inkjet and laser beam printers, cameras, video equipment, medical equipment and semiconductor-manufacturing equipment.
Fuji Xerox provides solutions to manage and use "documents"-ranging from hard copy / electronic documents to image/video files-generated in the IT office, and to thereby improve management quality and corporate quality through the creation and circulation of knowledge. Security of documents and devices is our priority issue.
The Hewlett-Packard Company focuses on simplifying technology experiences for all of its customers - from individual consumers to the largest businesses. With a portfolio that spans printing, personal computing, software, services and IT infrastructure, HP is among the world's largest IT companies.
InfoPrint Solutions Company headquartered in Boulder, Colorado, brings to market the advantages IBM and Ricoh have in the development, manufacturing, marketing and building of strategic solutions for customers, creating a growth-oriented global enterprise that is strategically focused on the output market.
The InfoPrint Solutions Company portfolio includes solutions for production printing for enterprises and commercial printers as well as solutions for office workgroup environments and industrial segments. The company offers customers the highest quality output solutions that optimize productivity by providing efficient workflow and, at the same time, delivering low cost of ownership and high return on investment. The heritage of InfoPrint Solutions Company includes the development of the IBM Advanced Function Presentation (AFP) Architecture - now an industry standard - and Intelligent Printer Data Stream (IPDS), which has since become the standard for mission critical business printing. The company also leads the industry in print management solutions with both InfoPrint Process Director and InfoPrint Manager.
Mita Corporation manufactures and markets black & white and color digital copiers, network-ready laser printers, multi-functional devices, wide format imaging products and a portfolio of Kyocera-developed and third-party software and network solutions.
Lexmark International, Inc. provides businesses and consumers in more than 150 countries with a broad range of printing and imaging products, solutions and services that help them to be more productive.
Océ is one of the world's leading providers of document management and printing for professionals. The broad Océ offering includes office printing and copying systems, high speed digital production printers and wide format printing systems for both technical documentation and color display graphics. As a company committed to providing its customers with secure, quality products and services, Océ is a strong supporter of standardization in security requirements.
OKI Printing Solutions is a market leader in the global color printer market, with representation in 120 countries worldwide. OKI Printing Solutions develops PC peripheral equipment and customized document management solutions for businesses to maximize the effectiveness of their printed communications. These solutions include digital color and monochrome printers, color and monochrome multifunction products and serial impact dot matrix printers, as well as a full line of options, accessories and consumables.
Ricoh Company, Ltd. is a leading global manufacturer of office automation equipment, including copiers, multifunctional and other printers, facsimiles, personal computers, optical disc products, and related supplies and services, as well as digital cameras and advanced electronic devices. Ricoh is building a solid presence worldwide as a provider of comprehensive document solutions that help customers streamline their businesses and cut operating costs. The Ricoh Group includes Ricoh Company, Ltd. and 322 subsidiaries and affiliates – 114 companies in Japan and 208 overseas, together employing around 81,000 people.
Samsung Electronics Co., Ltd. (SEC) is one of the top-ten electronics manufacturers in the world and an acknowledged leader in the digital convergence revolution. SEC is currently the world's number one manufacturer of CDMA cell phones, LCD and CRT monitors, DRAM memory chips and microwave ovens. As part of the business strategy, SEC has chosen to excel in computer peripherals, including printers and multifunction devices. Samsung is committed to Hardcopy System and Device Security to safeguard the business information of its customers.
Sharp Corporation is a $26 billion worldwide developer of one-of-a-kind home entertainment products, appliances, networked multifunctional office solutions, solar energy solutions and mobile communication and information tools. Many of MFPs in Sharp's award-winning line feature the Sharp OSA™ platform, which tightly integrates Sharp MFPs into a customer’s back-end IT system, allowing customers to create tailored solutions to meet each business’ unique challenges. In addition, Sharp offers one of the most comprehensive approaches to MFP security cross the widest range of products, and convenience features such as Scan2 technology, which allows users to scan both sides of a two-sided document in a single pass, and My Sharp support, which gives users personalized online access to support and service information.
Toshiba TEC Corporation provides solutions for the problems and issues that users face now, as well as those they may face in the future. "Solutions" is a keyword in Toshiba TEC's document processing and telecommunications effort. In our document processing and telecommunications business, we direct our efforts toward a "Human Centric" MFP concept, placing user considerations at the forefront. Keeping this concept in mind, the company aims for "worker-friendly" MFPs that are easier and more convenient to operate and which can be used safely and securely.
Xerox Corporation is the world's leading document management technology and services enterprise. A $17 billion company, Xerox provides the document industry's broadest portfolio of offerings. Digital systems include color and black-and-white printing and publishing systems, digital presses and "book factories," multifunction devices, laser and solid ink network printers, copiers and fax machines. Xerox's services expertise is unmatched and includes helping businesses develop online document archives, analyzing how employees can most efficiently share documents and knowledge in the office, operating in-house print shops or mailrooms, and building Web-based processes for personalizing direct mail, invoices, brochures and more. Xerox also offers associated software, support and supplies such as toner, paper and ink.
