Ricoh Aficio MP 5001
The Ricoh MP5001sp optimizes productivity, ensures security and provides a customized workflow experience. The Aficio MP 5001SP revolutionizes document management tasks for a completely personal yet professional file output experience; the Aficio MP 5001 SP ties together the power to perform while keeping down costs, and never compromises on performance.
Part Number: AFMP5001SP
User reviews and opinions
|logosword||2:30am on Saturday, September 18th, 2010|
|Very surprised at the quality ASUS rarely let me down in terms of their motherboards, so when it came to buying a secondary monitor for dual screen.|
|Abscissa||3:26am on Thursday, August 12th, 2010|
|Great! It's a great monitor with very good built in speakers. No problems installing, just straight out of the box, clip into the stand. Asus 24 VW246H Excellent monitor.|
|thierry07||9:46am on Monday, June 7th, 2010|
|Love this thing! The quality for the price is a no brainer! Sharp, clear, colors Speakers in the back, not the best This monitor has a better all around picture than my 32" LCD TV that was four times as expensive. The OSD (On Screen Display) is not that intuitive.|
|honcho||12:16pm on Saturday, May 29th, 2010|
|Great monitor for the price. I would definitively recommend it to a friend. great price, great picture. Excellent Monitor For The Money .I Can Recommend And Would Buy Again.Hopefully I Never Need To Call Tech Support Again. Clear,Crisp Text.|
|sklettke||6:59am on Friday, May 7th, 2010|
|upgraded it from 17inch LCD 4:3 WOW big different...... U will love it. Huge screen, very clear, fast respond time, I LOVE IT.....NO DEAD PIX.... Great monitor!|
|LotharFKL||11:38am on Wednesday, April 14th, 2010|
|could be better This was my first LCD purchase so I was really excited. Unfortunately mine arrived with a stuck pixel. Great Monitor for PS3 I am a student living in a small apartment with a lower budget to spend on my "occasional bursts" of gaming.|
Ricoh Aficio MP 4001/MP 5001
Digital Imaging System Accelerate Your Workflow
Engineered for outstanding performance. To stay competitive, organizations are doing more with less. Companies are consolidating resources, eliminating redundancies and taking every opportunity to keep productivity high while maintaining information security and supporting sustainability. The RICOH Aficio MP 4001/MP 5001 aligns perfectly with these strategies. These systems are designed to take on an incredibly wide variety of document tasks and come equipped with powerful new solutions: the Personal Paperless Document Manager (PPDM) software and the breakthrough App2Me portable workflow solution. These solutions will help you streamline workflow and minimize operating costs.
Improve Productivity Immediately
Expect fast, high-quality results from the Ricoh Aficio MP 4001/MP 5001. It is equipped to help your office print, copy, scan, fax or distribute critical documents.
Boost productivity by copying or printing up to 50 pages per minute. Turn everyday documents into impressive, professionally finished output with three finishing options, including a 1,000-Sheet Booklet Finisher. Manage document processing and storage capacity with 768 MB RAM and a 40 GB Hard Disk Drive (HDD).
Keep Workflow Moving
Trust the Ricoh Aficio MP 4001/MP 5001 to provide practical functions that make it easy to run your office efficiently and help everyone stay on task.
Establish cost control. Set print or copy quotas for up to 500 users with the account limit feature. Give critical print and copy jobs higher priority with the Job Function List, which allows you to send any job to the top of the queue for immediate output. Ensure efficient production of reports, presentations and training materials with standard support for PCL or optional Adobe PostScript3. Keep your local network clear. PDF Direct Print* lets you send PDF files directly to the MFP without opening Adobe Acrobat software. Give mobile workers an edge. Mail to Print* allows them to print without installing drivers. Users can send an e-mail to the system and have it print the attached PDF or JPEG file.
*Requires optional equipment.
The optional keyboard provides an alternative way to enter data at the device.*
*Does not support all functions.
Customize Documents and Workflow
Personal Paperless Document Manager (PPDM) enables users to capture, combine, convert and share the three most prominent document types: paper, PDFs and Microsoft Office files.
Make document distribution easy, secure and productive. Send paper and electronic files to virtually any destination, including e-mail, FTP sites, Web folders, Microsoft SharePoint and content management systems. Transform paper originals into fully editable Microsoft Office files, PDFs or fillable forms that can be edited and electronically completed. Extract data from fillable forms into a.csv file for analysis. Convert digital and paper documents into WAV audio files. Create custom workflows. When users authenticate to the system, the interface shows only the personalized view they create at their desktop computers.
Create unique scanning workflows and save time with Personal Paperless Document Manager (PPDM).
Enhance Personal Productivity
The App2Me solution revolutionizes document management, enabling users to create customized workflows and execute them anywhere they go.
Download widgets to any client (desktop PC, laptop or Smartphone) and use them on any Ricoh MFP enabled with App2Me. No matter where you go, your experience at each App2Me-enabled MFP remains completely personalized for maximum convenience. Simplify complex workflows. Widgets can be created to combine, distribute, edit and create documents, as well as perform many other tasks automatically. Maximize productivity. App2Me improves efficiency through widgets that control a virtually endless array of MFP, software or Web services-driven workflows. Create specialized widgets for virtually any need, in any framework across multiple platforms that App2Me supports, such as Google Desktop and more.
With App2Me, you can download timesaving and workflow-enhancing widgets and use them at any Ricoh MFP enabled with the App2Me solution.
Eliminate Distribution Costs
Designed to serve as your office's zero-cost document distribution portal, the Ricoh Aficio MP 4001/MP 5001 incorporates an impressive lineup of technologies.
Scan full-color or black & white originals and share them instantly and at no cost with Scan-to-Email/Folder/HDD. Do not spend time searching for e-mail addresses. The system pulls the correct address for each recipient directly from up to five LDAP servers. Never waste time or resources on rescans. See full-color thumbnails of every scanned page on the control panel, so you can verify quality prior to distribution. Minimize file sizes for full-color scans with the High Compression PDF feature, which keeps large files off the network. Keep the network moving with Scan-to-URL. It stores documents on the HDD, then sends recipients a link that enables viewing or downloading via Web browser.
The Ricoh Aficio MP 4001/MP 5001 includes the latest fax technologies to reduce costs and minimize transmission time.
Take advantage of up to three analog lines with the Super G3 modem. This improves total fax capacity and helps prevent bottlenecks. Send documents directly to e-mail addresses and eliminate long-distance costs with Internet Fax capabilities. Forward inbound faxes to e-mail addresses, network folders or the system's HDD and go completely paperless.
Protect Critical Documents
The Ricoh Aficio MP 4001/MP 5001 includes the high-end security technologies required to keep documents safe from a variety of threats at every stage of workflow.
Prevent unauthorized access and usage with password protection. Keep sensitive documents safe without expensive mail boxes. Locked Print holds printed files in memory until authorized users enter a PIN code or password. Secure latent images remaining on the system's internal hard drive with the DataOverwriteSecurity System (DOSS).
The Total Green Office Solution
Ricoh continues its long-standing commitment to developing office solutions with environmentally friendly and superior energy- and supply-saving features, without compromising productivity.
Make every administrator's life easier with intuitive tools for system management, device monitoring, troubleshooting and other tasks.
Configure system settings, address books and more with Web Image Monitor. Manage multiple Ricoh devices remotely with Web SmartDeviceMonitor. Request alerts for low supplies or error detection with Auto E-mail Notification. Automate service calls with @Remote (network appliance or embedded), which can be configured to notify service and supply alerts.
Improve Speed, Efficiency and Productivity
1,000-Sheet Finisher Holds up to 1,000 sheets of 8.5" x 11" or smaller, 20 lb. Bond (500 sheets of 8.5" x 14" or larger) and offers automatic three-position stapling. 100-Sheet Automatic Reversing Document Feeder (ARDF) Handles multi-page and double-sided originals up to 11" x 17" with extreme efficiency. Automatic Stackless Duplexing Produces two-sided booklets, brochures and more while cutting paper usage in half.
2,000-Sheet Booklet/Saddle Stitch Finisher Automatically staples documents to produce professional-grade booklets with a variety of staple positions and optional 2- or 3-hole punching.
Inner One-Bin Tray (Optional) Provides a cost-effective way to separate copy, print and fax output. 3,000-Sheet Multi-Tray Finisher Enhances productivity, convenience and versatility with high-capacity trays, optional 2- or 3-hole punching and multi-position stapling for a wide variety of paper weights and sizes. 100-Sheet Stack Bypass Holds a range of paper types and weights up to 58 lb. Bond.
Dual 550-Sheet Paper Trays Increases productivity and efficiency by minimizing the need to reload paper.
Two 550-Sheet Tray Paper Bank (Optional) Holds up to five different sizes and orientations of paper at all times for maximum versatility. 2,000-Sheet (Letter-Sized) Large Capacity Tray also available. Over/Underhand-Grip Tray Handles and Easy-Open Trays Ensure effortless paper loading for all users.
Large Capacity Tray (Optional) Holds an additional 1,200 letter-sized sheets to optimize workflow and minimize user intervention during large jobs. Easy-to-Replace Toner Cartridge Ensures quick replacement of toner to minimize maintenance time. Document Server Stores up to 3,000 frequently used documents for instant reprinting, refaxing or redistribution.
Configuration: Console
Scanning Element: Flatbed with Moving CCD Array Image Sensor
Printing Process: Twin Laser Beam Scanning & Electrophotographic Printing
Toner: Dry, Dual Component
System Memory: 768 MB RAM (std./max.)
Hard Disk Drive: 40 GB Standard
Document Feeder: 100-Sheet ARDF (Standard)
Copy Resolution: 600 x 600 dpi
Grayscale: 256 levels
Exposure Adjustment: Manual & Automatic (Standard)
Quantity Indicator: Up to 999
Original Type: Book/Sheet/Objects
Maximum Original Size: Up to 11" x 17"
Copy Size: 5.5" x 8.5" to 11" x 17"
Copy Type: Plain Paper, Transparencies, Recycled Paper, Card Stock, Letterhead
Warm-Up Time: 22 seconds
First Copy Speed: MP 4001: 4.1 seconds; MP 5001: 3.5 seconds
Continuous Copying Speed: MP 4001: 40 copies/minute (LTR); MP 5001: 50 copies/minute (LTR)
Recovery Time: 10 seconds (from Auto Off)
Power Source: 120V/60Hz/12A
Dimensions: 26.4" (W) x 35.8" (H) x 26.6" (D)
Weight: 213.8 lbs.
Standard Paper Capacity: 550 sheets x 2 trays; 100-Sheet Bypass Tray
Optional Paper Capacity: 550 sheets x 2 trays OR 2,000 x 1; 1,200-Sheet Large Capacity Tray (LCT)
Paper Size: 5.5" x 8.5" to 11" x 17"
Paper Weight: Tray 1 & 2: 16 - 45 lb. Bond/60 - 169 g/m2; Bypass: 14 - 58 lb. Bond/52 - 220 g/m2; Duplex: 16 - 45 lb. Bond/60 - 169 g/m2
Reduction Ratios: 25%, 50%, 65%, 73%, 78%, 85%, 93%
Enlargement Ratios: 121%, 129%, 155%, 200%, 400%
Zoom: 25% to 400% in 1% increments
Standard Features: Auto Magnification, Auto Paper Select, Auto Tray Switch, Background Numbering, Booklet/Magazine Copy, Center/Border Erase, Chapters, Combine Mode, Cover Insertion, Date Stamp, Directional Magnification, Document Server (3,000 File Capacity), Double Copy, Electronic/Rotate Sorting, English Preset Stamps, Full-Color VGA Touch Screen, Java VM Card Type F, 8 Job Presets, 10 Job Programs, Negative/Positive, OHP Slip Sheet, Page Number Stamp, Paper Designate, Sample Copy, Series Copy, Simplified Display, 500 User Codes, User Stamps

Page Description Languages: Standard PCL 5e/6 and Adobe PostScript3 (Optional)
Print Resolution: Up to 600 dpi
Fonts for PCL 5e/6: 35 Intellifonts, 10 Truetype Fonts, 13 International Fonts
Fonts for PS3: 136 PostScript Fonts
Standard Features: Sample/Locked/Hold/Stored Print
Optional Features: PDF Direct Print

Scanning Speed: BW: 61 ipm (@200 dpi); FC: 33 ipm (@200 dpi)
Scanning Resolution: Up to 600 dpi
Grayscale: 256 levels
Scan Area: Up to 11" x 17"
Standard Interfaces: 10BaseT/100BaseTX Ethernet
Optional Interfaces: Wireless LAN (802.11a/b/g), Gigabit Ethernet
Protocol: TCP/IP, SMTP, SMB, FTP, POP3, NCP
Memory Capacity: Shared with Copier Memory
Standard Features: Embedded Scan-to-Email, HDD, Folder, URL
File Formats: Single-Page and Multi-Page TIFF, PDF, High Compression PDF, Single-Page JPEG
SR3020 Booklet Finisher (Option)
Paper Size Paper Weight 5.5" x 8.5" - 11" x 17" 14 to 43 lb. Bond/52 to 163 g/m2 (Proof Tray) 14 to 68 lb. Bond/52 to 256 g/m2 (Shift Tray) Proof Tray: 250 sheets (8.5" x 11" or smaller) 50 sheets (8.5" x 14" or larger) Shift Tray: 2,000 sheets (8.5" x 11") LEF 1,000 sheets (8.5" x 11" - 11" x 17") SEF 100 sheets (5.5" x 8.5") 50 sheets (8.5" x 11") 30 sheets (8.5" x 14" or larger) 1 staple/3 positions; 2 staples/2 positions 30 sets (2 - 5 sheets) 15 sets (6 - 10 sheets) 10 sets (11 - 15 sheets) 25.8" (W) x 24.2" (D) x 37.8" (H) 5.5" x 8.5" - 11" x 17" 14 to 43 lb. Bond/52 to 163 g/m2 (Proof Tray) 14 to 68 lb. Bond/52 to 256 g/m2 (Shift Tray) Proof Tray: 250 sheets (8.5" x 11" or smaller) 50 sheets (8.5" x 14" or larger) Shift Tray: 3,000 sheets (8.5" x 11") LEF 1,500 sheets (8.5" x 11" - 11" x 17") SEF 50 sheets (8.5" x 11") 30 sheets (8.5" x 14" or larger) 1 staple/3 positions; 2 staples/1 position 25.8" (W) x 24.2" (D) x 37.8" (H) 8.5" x 11"/Ato 45 lb. Bond/60 - 169 g/m2 1,200 sheets 13.7" (W) x 21.3" (D) x 11.4" (H) 5.5" x 8.5" - 11" x 17"/A5 - Ato 45 lb. Bond/60 to 169 g/msheets x 2 22.8" (W) x 24.4" (D) x 10.2" (H) 8.5" x 11"/Ato 45 lb. Bond/60 to 169 g/m2 2,000 sheets 22.8" (W) x 24.4" (D) x 10.2" (H)
Scanner Specifications (Standard)
Staple Capacity Staple Position Saddle Stitch Dimensions Paper Size Paper Weight
SR3030 Finisher (Option)
Fax Specifications (Option)
PSTN, PBX ITU-T Gx 200/100 dpi (Standard) 400 x 400 dpi (Optional) Compression Method MH, MR, MMR, JBIG Scanning Speed 0.40 seconds (LEF) Modem Speed 33.6 Kbps with Auto Fallback Transmission Speed G3: 3 seconds per page (MMR Compression) G3: 2 seconds per page (JBIG Compression) Memory 4 MB standard (320 pages) 28 MB maximum (2,240 pages) Memory Backup 1 hour Auto Dials 2,000 (with HDD) Group Dials 100 (max. 500 numbers per group) ID Code Programming 4 digits User Function Key 3 keys Standard Features Book Transmission, Dual Access, Image Rotation, LAN-Fax Capability, Internet Faxing (T.37), IP Faxing (T.38), Fax Forwarding to E-mail/HDD/Folder Optional Features Simultaneous operation of up to 3 lines (G3 x 3) Circuit Compatibility Resolution Stack Capacity
Staple Capacity Staple Position Dimensions Paper Size Paper Weight Paper Capacity Dimensions Paper Size Paper Weight Paper Capacity Dimensions Paper Size Paper Weight Paper Capacity Dimensions
RT3000 Large Capacity Tray (Option)
PB3040 Paper Feed Unit (Option)
PB3050 Large Capacity Tray (Option)
Security Features (Standard)
S/MIME, IPsec Communication, Locked Print Password Encryption, Encrypt Address Book, SSL Secure Socket Layer, PDF Encryption
Printer Specifications (Standard)
Print Speed: MP 4001: 40 ppm; MP 5001: 50 ppm
CPU: RM7035C-533 MHz
Standard Interfaces: 10BaseT/100BaseTX, USB 2.0
Optional Interfaces: IEEE 802.11a/b/g Wireless LAN, Bluetooth, Gigabit Ethernet, IEEE 1284 Parallel Interface Board Type A
Memory Capacity: Shared with Copier Memory
Network Protocol: TCP/IP, IPX/SPX, AppleTalk
Network Operating Systems: Windows Vista/2000/XP/Server 2003/2008, Netware 3.12, 3.2, 4.1, 4.11, 5.0, 5.1, 6.0, 6.5, UNIX; Sun Solaris, HP-UX, SCO OpenServer, RedHat Linux, IBM AIX, Mac OS 8.6 - 9.2x, OS X 10.1 or later, SAP R/3, NDPS Gateway, IBM iSeries/AS/400 using OS/400 Host Print Transform, Citrix Metaframe
Web SmartDeviceMonitor, SmartDeviceMonitor, Web Image Monitor
One-Bin Tray BN3040 (Option)
Paper Size Paper Weight Paper Capacity Paper Size Paper Weight 5.5" x 8.5" - 11" x 17"/A3 - Ato 28 lb. Bond/60 - 196 g/msheets 5.5" x 8.5" - 11" x 17"/A5 - Ato 68 lb. Bond/52 to 256 g/m2 (Proof Tray) 14 to 42 lb. Bond/52 to 163 g/m2 (Shift Tray) Proof Tray: 250 sheets (8.5" x 11" or smaller) 50 sheets (8.5" x 14" or larger) Shift Tray: 1,000 sheets (8.5" x 11" or smaller) 500 sheets (8.5" x 14" or larger) 50 sheets (8.5" x 11") 30 sheets (8.5" x 14" or larger) 1 staple/2 positions; 2 staples/1 position 10.7" (W) x 20.5" (D) x 31.2" (H)
Additional Options for MP 4001/MP 5001
Bluetooth Interface Unit Type 3245, Bridge Unit Type BU3030, DOSS Type I, FAC33 Cabinet, Fax Type 5001, File Format Converter Type E, G3 Interface Type 5000, Gigabit Ethernet Board Type A, Handset Type 1018, HDD Encryption Unit Type A, IEEE 1284 Parallel Interface Board Type A, IEEE 802.11a/b/g Interface Unit Type J, Key Counter Bracket Type H, Optional Counter Interface Type A, PostScript3 Type 5000, Punch Kit Type 3260 (for SR3020 & SR3030), Scanner Accessibility Option Type 4045, 32 MB Fax Memory, Removable HDD and Additional Removable HDD, 3L68-17 USB External Keyboard, Hardware 4 Pack Bundle of PPDM
Some accessories require additional equipment or may be prerequisite for other options.
SR790 Finisher (Option)
Staple Capacity Staple Position Dimensions
Bringing Ricoh Value to Your Organization Ricoh technology offers a diverse portfolio of solutions to help your organization stay competitive and move ahead. Let Ricoh show you how to empower your business to improve critical processes, keep information secure, ensure compliance and promote environmental sustainability while reducing the total cost of ownership.
Ricoh Americas Corporation, Five Dedrick Place, West Caldwell, NJ 07006 Ricoh and the Ricoh Logo are registered trademarks of Ricoh Company, Ltd. All other trademarks are the property of their respective owners. Print speed may be affected by network, application or PC performance. Specifications and external appearances are subject to change without notice. Products are shown with optional features.
An "administrator" is a user who is registered on the TOE as an administrator. One to four administrators can be registered for the TOE. Administrator roles for administrators include user administration, machine administration, network administration, and file administration. Administrators may have concurrent administrator roles, and administrator roles can be assigned to one or more administrators. One default administrator is registered and assigned all four administrator roles as a factory setting. When the TOE is being installed, the administrators who are selected by the responsible manager change the settings of their own administrator IDs, passwords, and administrator roles. Table 1 describes the duties involved in each administrator role.

Table 1: List of administrator roles
Administrator role | Explanation about duties involved
User administration | Managing general users.
Machine administration | Managing machines and performing audits.
Network administration | Managing the TOE's network connections.
File administration | Managing the documents stored in the TOE.
The "supervisor" is a user who manages administrator passwords and changes them. One supervisor must be registered for the TOE. A default supervisor is registered for the TOE as a factory setting. The person selected to be a supervisor by the responsible manager can change the supervisor ID and password of the default supervisor.
General User
A "general user" is an authorised TOE user who is registered in the Address Book by a user administrator. General users can store document data in the TOE and perform operations on the document data.
Customer Engineer
A customer engineer (hereafter "CE") is an expert in maintenance of the TOE and is employed by manufacturers, technical support service companies, and sales companies.
1.4.4 Logical Boundaries of TOE
The logical boundaries of the TOE comprise the functions provided by the TOE. This section describes the "Basic Functions", which is the service provided by the TOE to users, and the "Security Functions", which counter threats to the TOE. These functions are outlined in Figure 3.
Figure 3: Logical boundaries of TOE
Basic Functions
Service Mode Lock Function
The Maintenance Function is used by CEs who receive a request from the machine administrator to perform maintenance on the TOE from the Operation Panel. The Service Mode Lock Function prevents the Maintenance Function from being used. In this evaluation, the Service Mode Lock Function is set to "On".
Telephone Line Intrusion Protection Function
This function is for devices equipped with a Fax Unit. It restricts communication over a telephone line to the TOE, so that the TOE receives only permitted data.
Copyright (c) 2010 RICOH COMPANY, LTD. All Rights Reserved.
MFP Control Software Verification Function
This function verifies the integrity of the MFP Control Software by checking the integrity of an executable code installed in the FlashROM.
This section describes the protected assets of this TOE (document data and print data).
Document Data
Document data is imported from outside the TOE by various methods, and can be either stored in the TOE or output by it. Document data stored in the TOE can be deleted.
Importing Document Data
Document data can be imported by the following two methods:
1. From a scanner: Document data is created from the scanned image of a paper original that is imported to the TOE.
2. From the network or from a device connected to the USB Port: Document data is created from print data received through the network or the USB Port that is then converted to a format that the TOE can handle.
Storing Document Data
Document data stored inside the TOE is stored in the D-BOX. The D-BOX protects the document data from unauthorised access and leakage.
Outputting Document Data
Document data can be output by the following five methods:
1. Sent by e-mail to a client computer (to the e-mail address).
2. Sent to an SMB or FTP server.
3. Downloaded by a client computer.
4. Printed out.
5. Sent as a fax.
When output using methods 1 to 3, document data is protected from leakage, and tampered data can be detected.
Print Data
Print data is data in which a print or fax image is written. It is generated from the document files in a client computer by the printer or fax drivers installed on the client computer when it is printed or faxed, respectively. Print data is imported to the TOE via the internal network or the USB Port. When passing from a client computer to the TOE through the internal network, print data is protected from leakage, and tampered data can be detected.
2 Conformance Claims
This section describes the conformance claim.
CC Conformance Claim
The CC conformance claim of this ST and TOE is as follows:
CC version for which this ST claims conformance:
Part 1: Introduction and general model, September 2006, Version 3.1 Revision 1 (Japanese translation ver.1.2), CCMB-2006-09-002
Part 2: Security functional components, September 2007, Version 3.1 Revision 2 (Japanese translation ver.2.0), CCMB-2007-09-002
Part 3: Security assurance components, September 2007, Version 3.1 Revision 2 (Japanese translation ver.2.0), CCMB-2007-09-003
Functional requirements: Part 2 conformance
Assurance requirements: Part 3 conformance
PP Claims, Package Claims
This ST and TOE do not conform to any PPs. This ST claims conformance to the following package: Package: EAL3 conformant
Since this ST does not claim conformance to PPs, there is no rationale for PP conformance.
3 Security Problem Definitions
This section provides details of threats, organisational security policies, and assumptions.
Defined and described below are the assumed threats related to the use and environment of this TOE. The threats defined in this section are attacks by unauthorised persons with knowledge of published information about TOE operations, and such attackers are capable of potential security attacks.
T.ILLEGAL_USE (Abuse of TOE)
Attackers may read or delete document data by gaining unauthorised access to the TOE through the device's interfaces (the Operation Panel, network interface, USB Port, or SD card interface).
T.UNAUTH_ACCESS (Access violation to protected assets stored in TOE)
Authorised TOE users may breach the limits of authorised usage and access document data through the external TOE interfaces (the Operation Panel, network interface, or USB Port) that are provided for them.
T.ABUSE_SEC_MNG (Abuse of Security Management Function)
Persons not authorised to use Security Management Functions may abuse them.
T.SALVAGE (Salvaging memory)
Attackers may remove the HDD from the TOE and disclose document data.
T.TRANSIT (Interceptions and tampering on communication path)
Attackers may illegally obtain, leak, or tamper with document data or print data sent or received by the TOE via the internal network.
T.FAX_LINE (Intrusion from telephone line)
Attackers may gain access to the TOE through telephone lines.
Organisational Security Policies
The following security policy is assumed for organisations that demand integrity of the software installed in its IT products.
P.SOFTWARE (Software integrity checking)
Measures shall be provided for verifying the integrity of MFP Control Software, which is installed in the FlashROM of the TOE.
Defined and described below are the assumptions related to the use and environment of this TOE:
A.ADMIN (Assumption for administrators)
Administrators shall have sufficient knowledge to operate the TOE securely in the roles assigned to them and will instruct general users to operate the TOE securely also. Additionally, administrators shall not abuse their permissions maliciously.
A.SUPERVISOR (Assumption for supervisor)
Supervisor shall have sufficient knowledge to operate the TOE securely in the roles assigned to him/her, and shall not abuse his/her permissions maliciously.
A.NETWORK (Assumption for network connections)
When the network that the TOE is connected to (the internal network) is connected to an external network such as the Internet, the internal network shall be protected from the external network.
4 Security Objectives
This section describes the security objectives of the TOE, the security objectives of the operational environment, and their rationale.
Security Objectives for TOE
The following define the security objectives of the TOE.
O.AUDIT (Audit)
The TOE shall record Security Function-related events in an audit log, and provide the machine administrator with a function for reading the audit logs, allowing the machine administrator to detect whether or not a security intrusion has occurred.
O.I&A (Identification and Authentication)
The TOE shall perform identification and authentication of users prior to their use of the TOE Security Functions, and allow successfully authenticated users to use the functions for which they have permission.
O.DOC_ACC (Access control to protected assets)
The TOE shall ensure general users have access to document data according to their permissions to process document data. The TOE shall also allow the file administrator to delete document data stored in the D-BOX.
O.MANAGE (Security management)
The TOE shall only allow specified users to manage its Security Functions, TSF data, and security attributes. Such users are required to maintain the TOE security.
O.MEM.PROTECT (Prevention of disclosure of data stored in memory)
The TOE shall convert the format of the document data stored on the HDD into a format that is difficult to decode.
O.NET.PROTECT (Protection of network communication data)
The TOE shall protect document data and print data travelling over the communication network from interception, and detect any tampering.
O.GENUINE (Protection of integrity of MFP Control Software)
The TOE shall provide TOE users with a function that verifies the integrity of the MFP Control Software, which is installed in the FlashROM.
O.LINE_PROTECT (Prevention of intrusion from telephone line)
The TOE shall prevent unauthorised access to the TOE from a telephone line connected to the Fax Unit.
Security Objectives of Operational Environment
The following describes the security objectives of the operational environment.
OE.ADMIN (Trusted administrator)
The responsible manager of the MFP shall select trusted persons as administrators and instruct them on their administrator roles. Once instructed, administrators then shall instruct general users, familiarising them with the compliance rules for secure TOE operation as defined in the administrator guidance for the TOE.
OE.SUPERVISOR (Trusted supervisor)
The responsible manager of the MFP shall select a trusted person as a supervisor and instruct him/her on the role of supervisor.
OE.NETWORK (Network environment for TOE connection)
If the internal network, to which the TOE is connected, is connected to an external network such as the Internet, the organisation that manages operation of the internal network shall close any unnecessary ports between the external and internal networks (e.g. by employing a firewall).
Security Objectives Rationale
This section describes the rationale of the security objectives. If all security objectives are fulfilled as explained in the following, the security problems defined in "3 Security Problem Definitions" are solved: all threats are countered, all organisational security policies enforced, and all assumptions upheld.
This section describes the correspondence between the previously described "3.1 Threats", "3.2 Organisational Security Policies" and "3.3 Assumptions", and either "4.1 Security Objectives for TOE" or "4.2 Security Objectives of Operational Environment" with Table 3. The "v" in the table indicates that each of the elements of the TOE Security Environment is satisfied by security objectives. Table 3 demonstrates that each security objective corresponds to at least one threat, organisational security policy, or assumption. As indicated by the shaded region in Table 3, assumptions are not upheld by TOE security objectives.
FAU_STG.1 FAU_STG.4 FCS_CKM.1
Auditable events not recorded. <Individually-defined auditable events> 1. HDD cryptographic key
Functional requirements Actions which should be auditable object value(s) excluding any sensitive information (e.g. secret or private keys). FCS_COP.1 a) Minimal: Success/failure, and type of cryptographic operation. b) Basic: Any applicable cryptographic mode(s) of operation, subject and object attributes. None a) Minimal: Successful requests to perform an operation on an object covered by the SFP. b) Basic: All requests to perform an operation on an object covered by the SFP. c) Detailed: The specific security attributes used in making an access check. None a) Minimal: Decisions to permit requested information flows. b) Basic: All decisions on requests for information flow. c) Detailed: The specific security attributes used in making an information flow enforcement decision. d) Detailed: Some specific subsets of the information that has flowed based upon policy goals (e.g. auditing of downgraded material). a) Minimal: the reaching of the threshold for the unsuccessful authentication attempts and the actions (e.g. disabling of a terminal) taken and the subsequent, if appropriate, restoration to the normal state (e.g. re-enabling of a terminal). None a) Minimal: Rejection by the TSF of any tested secret; b) Basic: Rejection or acceptance by the TSF of any tested secret; c) Detailed: Identification of any changes to the defined quality metrics. Auditable events of TOE generation (Outcome: Success/Failure) <Individually-defined auditable events> 1. Storage of document data successful 2. Reading of document data successful <Individually-defined auditable events> 1. Storage of document data successful 2. Reading of document data successful 3. Deletion of document data successful
a) Minimal 1. Fax Function: Reception
a) Minimal 1. Lockout start 2. Lockout release
b) Basic
1. Newly creating authentication information of general users (Outcome: Success/Failure)
2. Changing authentication information of general users (Outcome: Success/Failure)
3. Changing administrator authentication information (Outcome: Success/Failure)
4. Changing supervisor authentication information (Outcome: Success/Failure)
FIA_UAU.2
Minimal: Unsuccessful use of the authentication mechanism;
Basic: All use of the authentication mechanism.
None
a) Minimal: Unsuccessful use of the user identification mechanism, including the user identity provided;
b) Basic: All use of the user identification mechanism, including the user identity provided.
a) Minimal: Unsuccessful binding of user security attributes to a subject (e.g. creation of a subject).
b) Basic: Success and failure of binding of user security attributes to a subject (e.g. success or failure to create a subject).
a) Basic: All modifications of the values of security attributes.
Basic
1. Login (Outcome: Success/Failure)
Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialisation.
The TSF shall enforce the [assignment: telephone line information flow SFP] based on the following types of subject and information security attributes: [assignment: subjects or information and their corresponding security attributes shown in Table 12].
Table 12: Security attributes corresponding to subjects or information
Type | Subjects or information | Security attributes
Subject | Fax process on Fax Unit | No security attributes
Subject | Fax reception process on Controller Board | No security attributes
Information | Data received from a telephone line | Data type
Copyright (c) 2010 RICOH COMPANY, LTD. All Rights Reserved.
(Note: "Data type" means the type of data received from a telephone line and indicates whether this is fax or non-fax data.)
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment: after the type of received data from a telephone line is recognised as fax data, the fax process on the Fax Unit allows Fax Reception on the Controller Board to let data received from a telephone line pass].
FDP_IFF.1.3 The TSF shall enforce the [assignment: no additional information flow control SFP rules].
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules: [assignment: no rules, based on security attributes that explicitly authorise information flows].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [assignment: no rules, based on security attributes that explicitly deny information flows].
6.1.4 Class FIA: Identification and Authentication
Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication.
FIA_AFL.1.1 TSF shall detect when [selection: an administrator (refinement: the machine administrator) configurable positive integer within [assignment: 1 to 5]] unsuccessful authentication attempts occur related to [assignment: the consecutive numbers of times of authentication failure for each user in the authentication events shown in Table 13].
Table 13: List of authentication events
Authentication events
User authentication using the control panel
User authentication using TOE from client computer Web browser
User authentication when printing from client computer
User authentication when faxing from client computer
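The failure counting that FIA_AFL.1.1 and Table 13 describe can be modelled as below. This is an added example, not code from the Security Target or from Ricoh; the class names, the short event names, one counter shared by all four events per user, the seconds unit, and the timer-based and manual release behaviour are assumptions made for the sketch.

```python
from dataclasses import dataclass
from typing import Optional

# Table 13 authentication events (short names are constructed for this sketch).
AUTH_EVENTS = {"control_panel", "web_browser", "client_print", "client_fax"}


@dataclass
class LockoutPolicy:
    attempts_before_lockout: int        # set by the machine administrator
    release_timer_enabled: bool = True  # assumed meaning of the release-timer setting
    lockout_time_s: float = 60.0        # assumed unit: seconds

    def __post_init__(self):
        # FIA_AFL.1.1: a configurable positive integer within 1 to 5.
        if not 1 <= self.attempts_before_lockout <= 5:
            raise ValueError("attempts_before_lockout must be within 1 to 5")


@dataclass
class UserState:
    consecutive_failures: int = 0
    locked_since: Optional[float] = None  # None means the Lockout Flag is clear


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.users = {}
        self.audit = []  # (time, user, event name) tuples

    def _release(self, user, now):
        self.users[user] = UserState()
        self.audit.append((now, user, "Lockout release"))

    def admin_release(self, user, now):
        """Clear the Lockout Flag by hand (assumed administrator action)."""
        if self.users.get(user, UserState()).locked_since is not None:
            self._release(user, now)

    def attempt(self, user, event, credentials_ok, now):
        """Record one attempt; return 'success', 'failure' or 'locked_out'."""
        if event not in AUTH_EVENTS:
            raise ValueError(f"unknown authentication event: {event}")
        state = self.users.setdefault(user, UserState())
        if state.locked_since is not None:
            expired = (self.policy.release_timer_enabled and
                       now - state.locked_since >= self.policy.lockout_time_s)
            if not expired:
                # Locked users are refused before the password is even compared.
                return "locked_out"
            self._release(user, now)
            state = self.users[user]
        if credentials_ok:
            state.consecutive_failures = 0  # only consecutive failures count
            self.audit.append((now, user, "Login (Outcome: Success)"))
            return "success"
        state.consecutive_failures += 1
        self.audit.append((now, user, "Login (Outcome: Failure)"))
        if state.consecutive_failures >= self.policy.attempts_before_lockout:
            state.locked_since = now
            self.audit.append((now, user, "Lockout start"))
        return "failure"
```

Because the counter is kept per user rather than per interface, failures spread across the panel, the Web browser and the print or fax path still add up to one lockout.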
Table 18: List of TSF data management TSF data Authentication information of general users (a data item of general user information) Operations Newly create, change, delete Change Supervisor authentication information Administrator information authentication Change Change User roles User administrator
Applicable general users of general user information Supervisor Supervisor Applicable administrator of administrator authentication information Machine administrator Machine administrator Machine administrator Machine administrator General users, user administrator, network administrator, file administrator, supervisor User administrator User administrator Machine administrator Machine administrator Machine administrator
Number of Attempts before Lockout Setting for Lockout Release Timer Lockout time Date and time of system clock Date setting, time setting (hour, minute, second)
Query, modify Query, modify Query, modify Query, modify Query
Minimum Password Length Password Complexity Setting HDD cryptographic key Audit logs Service mode lock setting
Query, modify Query, modify Query, newly create Query, delete entirely Query, modify
TSF data Operations Query User roles General users, User administrator, Network administrator, File administrator, Supervisor User administrator Supervisor Machine administrator User administrator Applicable general users of S/MIME user information General users User administrator, General users
Lockout Flag for general users Lockout Flag for administrators Lockout Flag for supervisor S/MIME User Information (a data item of general user information)
Query, modify Query, modify Query, modify Query, newly create, delete, change Query
Destination Information for Deliver to Folder
Specification of Management Function
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following Management Functions: [assignment: list of specifications of Management Functions described in Table 19].
Table 19: List of specifications of Management Functions
Functional requirements | Management requirements | Management items
FAU_GEN.1 FAU_SAR.1
None
a) Maintenance (deletion, modification, addition) of the group of users with read access right to the audit records.
None
None
a) Maintenance (deletion, modification, addition) of actions to be taken in case of audit storage failure.
None
None
None
a) Management of the machine administrator from administrator roles.
None: Actions are fixed and not an object of management.
Class FTP: Trusted path/channels
Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
The TSF shall permit [selection: the TSF] to initiate communication via the trusted channel. The TSF shall initiate communication via the trusted channel for [assignment: Deliver to Folders from TOE to SMB server (IPSec) service and Deliver to Folders from TOE to FTP server (IPSec) service].
Trusted path
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_TRP.1.1 The TSF shall provide a communication path between itself and [selection: remote] users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from [selection: modification and disclosure].
FTP_TRP.1.2 The TSF shall permit [selection: the TSF, remote users] to initiate communication via the trusted path.
FTP_TRP.1.3 The TSF shall require the use of the trusted path for [selection: initial user authentication, [assignment: TOE web service, printing service from a client computer, fax service from a client computer, and e-mail service to a client computer from the TOE]].
Table 20 shows the services that require the trusted path defined in FTP_TRP.1.3 and used by each user who communicates via trusted path described in FTP_TRP.1.2.
Table 20: Services requiring trusted paths
Related persons for communication | Services that require a trusted path
TSF | E-mail service to client computer from TOE (S/MIME)
Remote users | Initial user authentication (SSL)
Remote users | TOE web service from client PC (SSL)
Remote users | Printing service from client PC (SSL)
Remote users | Fax service from client PC (SSL)
Security Assurance Requirements
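The evaluation assurance level of this TOE is EAL3. Table 21 lists the assurance components of the TOE. These components meet evaluation assurance level 3 (EAL3). Other requirements are not included.
Table 21: TOE security assurance requirements (EAL3)
Assurance classes | Assurance components
ADV: Development | ADV_ARC.1 Security architecture description
ADV: Development | ADV_FSP.3 Functional specification with complete summary
ADV: Development | ADV_TDS.2
AGD: Guidance documents | AGD_OPE.1
AGD: Guidance documents | AGD_PRE.1
ALC: Life-cycle support | ALC_CMC.3
ALC: Life-cycle support | ALC_CMS.3
ALC: Life-cycle support | ALC_DEL.1
ALC: Life-cycle support | ALC_DVS.1
ALC: Life-cycle support | ALC_LCD.1
ASE: Security Target evaluation | ASE_CCL.1
ASE: Security Target evaluation | ASE_ECD.1
ASE: Security Target evaluation | ASE_INT.1
ASE: Security Target evaluation | ASE_OBJ.2
ASE: Security Target evaluation | ASE_REQ.2
ASE: Security Target evaluation | ASE_SPD.1
ASE: Security Target evaluation | ASE_TSS.1
ATE: Tests | ATE_COV.2
ATE: Tests | ATE_DPT.1
ATE: Tests | ATE_FUN.1
ATE: Tests | ATE_IND.2
AVA: Vulnerability assessment | AVA_VAN.2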
d) Reliable record of time of event
To fulfil O.AUDIT, a reliable record of the times when events occurred should be available, as this will help identify security breaches. For this, FPT_STM.1 provides a trusted time stamp.
User identification and authentication
The following is the rationale for the functional requirements corresponding to O.I&A in Table 22; these requirements are included to fulfil the O.I&A specification.
a) Identify and authenticate users before they use the TOE.
To fulfil O.I&A, user identification and authentication shall be performed prior to allowing user access to the TOE Security Functions. For this, FIA_UID.2 identifies users prior to their use of TOE Security Functions, and FIA_UAU.2 authenticates identified users.
b) Allow successfully identified and authenticated users to use the TOE.
To fulfil O.I&A, users who authenticate successfully before they use any TOE Security Functions shall be allowed use of the functions they have permission for. For this, FIA_ATD.1 and FIA_USB.1 bind successfully identified and authenticated users with relevant subjects. Association and maintenance of the subjects with security attributes is also performed by FIA_ATD.1 and FIA_USB.1.
c) Complicate decoding of passwords.
To fulfil O.I&A, passwords for user authentication shall be protected from others while they are being entered, and must not be easily guessable. For this, FIA_UAU.7 prevents passwords being viewed by displaying masking characters (*: asterisks or ●: bullets) in place of each password character entered in the authentication feedback area. FIA_SOS.1 accepts only passwords that satisfy the Minimum Password Length and password character combination specified by the user administrator, and it enables only passwords that are not easily guessable. FIA_AFL.1 also reduces the possibility of users guessing passwords by locking out users when their number of authentication attempts reaches the number specified by the machine administrator. The authentication attempts include user authentication attempts from the Operation Panel, the Web browser of a client computer, or a client computer when printing or faxing.
Control of access to protected assets
The following is the rationale for the functional requirements corresponding to O.DOC_ACC in Table 22; these requirements are included to fulfil the O.DOC_ACC specification.
a) Specify access control to document data and perform operations.
To fulfil O.DOC_ACC, each user shall be allowed to perform operations on document data according to the operation permissions for document data set for each type of subject associated with the users and each security attribute associated with the subject. For this, FDP_ACC.1 and FDP_ACF.1 allow the administrator to delete document data if the administrator's role associated with the administrator process is the file administrator. For general users, FDP_ACC.1 and FDP_ACF.1 allow storage of document data, and when the general user IDs associated with general user processes are registered in the document data ACL of a document,
The TOE logs the date and time of events by referencing the date and time of the internal system clock. By the above, FPT_STM.1 (Reliable time stamps) is satisfied.
7.1.2 SF.I&A User Identification and Authentication Function
To allow authorised users to operate the TOE according to their roles and authorisation, the TOE identifies and authenticates users prior to their use of the TOE Security Functions. Following are the explanations of each functional item in "SF.I&A User Identification and Authentication Function" and their corresponding functional requirements.
User Identification and Authentication
The TOE displays a login window when users attempt to use the TOE Security Functions from the Operation Panel or the Web Service Function. This window requires the user to enter their ID and password, and then identifies and authenticates the user based on the entered user IDs and passwords. The TOE also identifies and authenticates the user based on the user ID and password sent from the client computer when the TOE receives a request from the client computer for printing or transmitting faxes.
The TOE binds successfully authenticated users to the processes available to them (general user processes, administrator processes, or supervisor processes) according to their user roles (general users, administrators, or supervisor), associates each process with the security attributes of that role, and maintains those bindings and associations. If the user is a general user, the TOE binds the general user to general user processes, associates general user processes with a general user ID and the document data default ACL, and maintains those bindings and associations. If the user is an administrator, the TOE binds the administrator to administrator processes, associates administrator processes with the administrator ID and the administrator roles, and maintains those bindings and associations. If the user is a supervisor, the TOE binds the supervisor to supervisor processes, associates supervisor processes with the supervisor ID, and maintains those bindings and associations.
Authentication methods vary according to the user's role. Table 26 shows the authentication methods for each user role.
Table 26: User roles and authentication methods
User roles | Authentication methods
General users | Check if the general user ID and password entered by the user match a general user ID and corresponding password registered in the Address Book.
Administrators | Check if the administrator ID and password entered by the user match an administrator ID and corresponding password registered to the TOE.
Supervisor | Check if the supervisor ID and password entered by the user match a supervisor ID and corresponding password registered to the TOE.
Machine Control Data Operation Panel
Stored Data Protection Function Store and Print Function
Stored Documents Fax Transmission Direct Print Function Immediate Transmission Internal networks Document file owner Document data
Document data default ACL Document data ACL File administration
Document file user
Following are the documents referenced in this document.
CC Version 3.1 Revision 2
Evaluation Criteria:
"English version" Common Criteria for Information Technology Security Evaluation Version 3.1
Part 1: Introduction and general model Revision 1 (CCMB-2006-09-001)
Part 2: Security functional components Revision 2 (CCMB-2007-09-002)
Part 3: Security assurance components Revision 2 (CCMB-2007-09-003)
"Japanese-translated version" Common Criteria for Information Technology Security Evaluation Version 3.1
Part 1: Introduction and general model Revision 1 [Japanese translation ver. 1.2]
Part 2: Security functional components Revision 2 [Japanese translation ver. 2.0]
Part 3: Security assurance components Revision 2 [Japanese translation ver. 2.0]
Evaluation Methodology:
"English version" Common Methodology for Information Technology Security Evaluation Version 3.1 Evaluation methodology Revision 2 (CCMB-2007-09-0004)
"Japanese-translated version" Common Methodology for Information Technology Security Evaluation version 3.1 Evaluation Methodology Revision 2 [Japanese translation ver. 2.0]