[2600] Call for comments: minimum set of management functions for the FoPPs
In the current (28a) draft of the FoPP, we have functional requirements
that imply some kind of administrative management is required, but we
don't specific which management functions are actually required. Instead,
there is a list of recommended items in a PP application note. Unlike the
audit requirements, I don't know that anyone has suggested to us that we
must specify a minimum set of management functions, but it seems like a
good idea to at least consider.
This is a little different situation from the audit requirements, because
the management functions are more directly driven by the security
functions that we include in our FoPP. The CC does not define categories
of management functions (like "minimal" and "basic" for auditing).
Instead, there are management recommendations for some of the SFRs.
However, some of the management recommendations are really optional. Here
are some examples to consider:
FAU_SAR.1 (making audit records available to authorized users) recommends
that we provide a management function for maintaining the group of users
who have permission to access audit records. This seems like a good idea,
but it might be just as good (at least in some environments) for a product
to hard-wire access controls so that administrators can access audit
records and regular users cannot, and in such a product, no management
function would be required.
FIA_UID.1 (user identification requirements) recommends that we provide
(a) management of user identities and (b) management of the list of
actions that can take place before a user is identified. I think it is
reasonably certain that we must provide the capability for user identities
to be managed, but we probably do not need to require that administrators
have the ability to change the actions that can take place before
identification.
SO.... Take a look at this spreadsheet:
http://grouper.ieee.org/groups/2600/presentations/Bellevue/mgmt-recommenda
tions-28a.xls
It is similar to the audit recommendations spreadsheet except that there
are no standard sets of requirements.
MY REQUEST IS:
Consider which management functions should be required for each
environment. I think that the rest of them could remain optional in a PP
application note. Remember that your products will need to provide all of
the required functions if they are to be certified for a particular
environment, so everything from a fully featured MFP down to a simple
printer will need most or all of the functions that we specify. Send me
your thoughts on this and I'll try to put them together for discussion at
the Bellevue meeting.
Regards,
--
Brian Smithson
Project Manager
PMP, SSCP, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435