Monday, November 12, 2007

Security certification

As security becomes an ever bigger deal, vendors are claiming different levels of security certification. This is a relatively new area, and you may not understand the buzzwords.

The security features in most copier/multifunctionals make use of a standardized model called the International Common Criteria for Information Technology Security Evaluation (ISO 15408). This is generally shortened to the term Common Criteria or even CC. For many corporations, CC certification is a requirement for all products added to the network.

Common Criteria is used to define the security levels for a wide variety of devices on the network, from servers to routers to PCs, as well as the software that runs them. It is an international standard based on the security requirements from several sources, including those used by the U.S. Department of Defense. Adherence to the standard is certified at a set of accredited neutral testing laboratories.

Most mid- to high-end copiers/multifunctionals released over the past year have some level of certification. Older models are less likely to be certified.

Among the features required for certification in copiers and multifunctionals are:
▪ Hard disk encryption
▪ Hard disk overwriting
▪ Hard disk removal protection
▪ Memory overwriting
▪ Digital watermarks
▪ Network job encryption
▪ User authentication
▪ Secure print and fax
▪ Job auditing and accounting

The report card on CC testing is presented in terms of EAL (Evaluation Assurance Level), ranging from EAL1 to EAL7, where the higher number indicates a higher level of security tested. Most office machines come in at EAL2 or EAL3. But don’t be too impressed by these terms. For general office use especially, EAL2 is quite sufficient. It’s sometimes just a matter of how much time and money a company is willing to spend on such testing.

