Canon Paper Shredder User Manual

35

White Paper: Canon imageRUNNER ADVANCE Security

Section 7 — Canon Solutions & Regulatory Requirements

Canon is dedicated to providing the most secure multifunctional printers available on the market today.
Many of our products meet or exceed the requirements of government agencies and private entities as they
relate to security certifications and industry regulations.

7.1 – Common Criteria

Beginning on July 1, 2002, the Department of Defense required a broad group of commercial
hardware/software suppliers to have their products evaluated using a standard known as Common Criteria
to determine its fitness for the department’s use.

Following the development of the Common Criteria, the National Institute of Standards and Technology
and the National Security Agency, in cooperation and collaboration with the U.S. State Department,
worked closely with their partners in the CC Project to produce a mutual recognition arrangement for IT
security evaluations that use the Common Criteria. The Arrangement is officially known as the
Arrangement on the Mutual Recognition of Common Criteria Certificates in the field of IT Security. It
states that each participant will recognize evaluations performed using the Common Criteria evaluation
methodology where product certificates have been issued by the Mutually Recognized producing nations
for EAL1-EAL4 evaluations. Evaluation Assurance components found in EAL5-EAL7 are not part of the
mutual recognition arrangement.

The list of Common Criteria Recognition Arrangement members currently includes Australia, Austria,
Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan,
Republic of Korea, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Turkey, United
Kingdom and United States.

7.2 – Common Criteria Certification

The Common Criteria for Information Technology Security Evaluation (CC), ISO/IEC 15408 Standard,
defines general concepts and principles of IT security evaluation and presents a general model of
evaluation. It presents constructs for expressing IT security objectives, for selecting and defining IT
security requirements, and for writing high-level specifications for products and systems. It specifies
information security functional requirements and seven predefined assurance packages, known as
Evaluated Assurance Levels (EALs), against which products' functions are tested and evaluated.

EALS provide both the vendor and user with flexibility to define functional and assurance requirements
that are unique to their operating environments and to obtain an evaluated product best suited to those
needs.

Hardware and software companies around the world use the Common Criteria (CC) evaluation program to
provide a means of comparison for the level of assurance that their products provide. As a cautionary note,
while the evaluation program is very effective at validating a manufacturer’s claims, it does not measure
the overall security capabilities or vulnerabilities as a whole. Therefore, Common Criteria certification
should be one of many considerations when choosing security-related products instead of being considered
the de-facto standard.

7.3 –IEEE 2600.1 Common Criteria Certification

IEEE Std 2600.1TM-2009 or “IEEE Standard for a Protection Profile in Operational Environment A”
(referred to as IEEE 2600.1, hereafter) Protection Profile is a global information security standard for hard
copy devices that require a relatively high level of document security, operational accountability and