FS.04 Security Accreditation Scheme for UICC Production ... · The GSMA Security Accreditation Scheme for UICC Production (SAS-UP) is a voluntary scheme through which UICC suppliers

GSM Association Non-confidential Official Document FS.04 - Security Accreditation Scheme for UICC Production - Standard

Security Accreditation Scheme for UICC Production - Standard

Version 6.0 14 March 2016

This is a Non-binding Permanent Reference Document of the GSMA

Security Classification: Non-confidential Access to and distribution of this document is restricted to the persons permitted by the security classification. This document is confidential to the Association and is subject to copyright protection. This document is to be used only for the purposes for which it has been supplied and information contained in it must not be disclosed or in any other way made available, in whole or in part, to persons other than those permitted under the security classification without the prior written approval of the Association.

Copyright Notice Copyright © 2016 GSM Association

Disclaimer The GSM Association (“Association”) makes no representation, warranty or undertaking (express or implied) with respect to and does not accept any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information contained in this document. The information contained in this document may be subject to change without prior notice.

Antitrust Notice The information contain herein is in full compliance with the GSM Association’s antitrust compliance policy.

V6.0 Page 1 of 27


Table of Contents

1 Introduction 4 1.1 Overview 4 1.2 Background 4 1.3 Scope 4 1.4 Intended Audience 5 1.5 Related Documents 5 1.6 Definitions 5 1.7 Abbreviations 6 1.8 References 6 1.9 Conventions 7

2 Definition of Processes 7 3 The Process Models 8

3.1 Personalisation Process 8 3.2 The Actors 8

4 The Assets 9 4.1 Introduction 9 4.2 Assets Classification 9 4.3 Asset Characteristics 9 4.4 Incoming Sensitive Components (ISC) 10 4.5 Partly Finished Products (PFP) 10 4.6 Finished Products (FIN) 10 4.7 Personalisation Rejects (PRJ) 10 4.8 Sensitive information (SEN) 11 4.9 Cryptographic Keys (KEY) 11

5 The Threats 12 5.1 Introduction 12 5.2 Direct Threats Description 12 5.3 Indirect Threats Description 13 5.4 Application of Threats in the Process 13

6 Security Objectives 14 6.1 Introduction 14 6.2 Security Objectives for the Sensitive Process 14 6.3 Security Objectives for the Environment 14

7 Security Requirements 15 7.1 Introduction 15 1 Policy, strategy and documentation 15 2 Organisation and Responsibility 16 3 Information 16 4 Personnel Security 17 5 Physical Security 17 6 Production data management 19 7 Logistics and Production Management 19

V6.0 Page 2 of 27


8 Computer and Network Management 22 Annex A Assets 25 Annex B Document Management 27

B.1 Document History 27 B.2 Other Information 27

V6.0 Page 3 of 27


1 Introduction

1.1 Overview The GSMA Security Accreditation Scheme for UICC Production (SAS-UP) is a voluntary scheme through which UICC suppliers (including Embedded UICC suppliers) subject their operational sites to a comprehensive security audit to ensure that adequate security measures to protect the interests of mobile network operators (MNO) have been implemented.

MNOs are dependent on suppliers to control risks; to ensure that adequate security is in place. Confidence is improved by the introduction of an auditable SAS standard, which can be applied consistently to UICC suppliers. The purpose of the SAS-UP standard is to:

• Minimise risks to MNOs introduced by UICC production (including Embedded UICC production).

• Provide a set of auditable requirements, together with the associated SAS-UP methodology and guidelines, to allow UICC suppliers to provide assurance to their customers that risks are controlled.

• Support SAS for Subscription Management (SAS-SM) by facilitating the accreditation of UICC suppliers producing Embedded UICCs and maintaining associated interfaces to entities performing Subscription Management – Data Preparation (SM-DP) and Subscription Management – Secure Routing (SM-SR) roles.

Functional requirements and security objectives applicable to UICC suppliers are herein outlined.

1.2 Background This SAS standard has been created and developed within GSMA through collaboration between representatives from MNOs, UICC suppliers and the GSMA-appointed auditing companies. The GSMA is responsible for updating the SAS standard. A review of the scheme and its documentation takes place with MNOs, UICC suppliers and the appointed auditors annually.

1.3 Scope Sites eligible for auditing include only those carrying out activities within the scope of this document, as follows:

• Generation of personalisation data for UICC and Embedded UICC • UICC and Embedded UICC personalisation • Value-added fulfilment of UICCs and Embedded UICCs

The security objectives have been achieved by defining:

• Card life cycle and processes • Assets to be protected • Risk and threats • Security requirements.

V6.0 Page 4 of 27


This document is not intended to be a UICC or Embedded UICC production protection profile.

To further reduce the risks for MNOs, it is acknowledged that the security objectives must continue to be met after the personalisation phases where the supplier is responsible for delivery.

1.4 Intended Audience • Security professionals and others within UICC supplier organisations responsible for

SAS-UP implementation and compliance. • SAS-UP auditors • MNOs.

1.5 Related Documents The security objectives and requirements described in this document are supported by the GSMA SAS Methodology for UICC Production [1] and the GSMA SAS Guidelines for UICC Production [2].

1.6 Definitions

Term Description Actor Person who is involved in, or can affect, the Sensitive Process

Business Continuity

Capability of a UICC supplier to continue production at acceptable predefined levels (as determined by customer requirements) following a failure incident.

Common Criteria

Criteria used as the basis for evaluation of security properties. The evaluation results help in determining whether or not the product is secure

Duplicate Two or more assets of the same nature showing a set of information that should be individual according to the correct process

Embedded UICC

A UICC which is not easily accessible or replaceable, is not intended to be removed or replaced in a device, and enables the secure changing of profiles.

Environment Environment of use of the sensitive process limited to the security aspects

Key Refers to any logical key (e.g. cryptographic key)

Physical keys The keys and/or combinations used for vaults, safes and secure cabinets

Reject Finished or partially finished product containing sensitive information which has been ejected from the process.

Restricted areas, high security areas

Areas off-limits to unauthorised personnel in which assets are stored and processed

Secure storage Specific area set aside dedicated to the protection of assets.

Sensitive Process

The Sensitive Process represents the security evaluation field, covering the processes and the assets within those processes

Subscription Manager Data Preparation

Role that prepares MNO profiles for Embedded UICCs and manages the secure download and installation of these profiles onto a Embedded UICC.

Subscription Manager

Role that securely performs Embedded UICC platform management command functions and the transport of profile management commands.

V6.0 Page 5 of 27


Term Description Secure Routing

Universal Integrated Circuit Card

A smart card that conform to the specification written and maintained by the ETSI Smart Card Platform.

1.7 Abbreviations

Term Description ASI Additional Sensitive Information

EIS eUICC Information Set

FIN Finished Products

GSMA GSM Association

HSM Hardware Security Module

ISC Incoming Sensitive Components characterise the process sensitive inputs such as information, products, files, keys, etc.

ISI Incoming Sensitive Information characterise the process sensitive inputs such as requests, files and keys.

IT Information Technology

MNO Mobile Network Operator

OSI Outgoing Sensitive Information characterise the process sensitive outputs such as responses, files and keys.

PFP Party Finished Products

PRJ Personalisation Rejects

SEN Sensitive Information

SAS-SM Security Accreditation Scheme for Subscription Management Roles

SGP.nn Prefix identifier for official documents belonging to GSMA SIM Group

SM-DP Subscription Manager – Data Preparation

SM-SR Subscription Manager – Secure Routing

SP Sensitive Process

UICC Universal Integrated Circuit Card

1.8 References

Ref Doc Number Title

[1] PRD FS.05 GSMA SAS Methodology for UICC Production, latest version available at www.gsma.com/sas

[2] PRD FS.06 GSMA SAS Guidelines for UICC Production, available to participating sites from [email protected]

[3] - GSMA SAS-UP Audit analysis, available to participating sites from [email protected]

[4] RFC 2119 “Key words for use in RFCs to Indicate Requirement Levels”, S. Bradner, March 1997. Available at http://www.ietf.org/rfc/rfc2119.txt

V6.0 Page 6 of 27

http://www.gsma.com/sas

mailto:[email protected]


http://www.ietf.org/rfc/rfc2119.txt


The following additional references will apply only in the context of the Embedded UICC.

Ref Doc Number Title [5] SGP.01 Embedded SIM Remote Provisioning Architecture

[6] SGP.02 Remote Provisioning Architecture for Embedded UICC Technical Specification

1.9 Conventions The key words “must”, “must not”, “required”, “shall”, “shall not”, “should”, “should not”, recommended”, “may”, and “optional” in this document are to be interpreted as described in RFC2119 [4].”

2 Definition of Processes The UICC product life-cycle can be broken down into a number of phases:

# Title Description 1. Software development Basic software and operating system development; application

software development, integration and validation

2. IC design IC development; hardware development, initialisation and test program development, integration and validation, initialisation of identification information and delivery keys

3. Production Manufacture, assembly and testing of the card or other device to be personalised.

4. Personalisation Receipt and processing of input data; production data generation and preparation; output data generation, preparation and transfer. Receipt and management of physical assets for personalisation, personalisation of assets, packaging and delivery. Re-work of defective or reject personalised assets

5. User Commences when the network operator takes responsibility for the personalised device. Includes the operator’s storage, distribution and activation of the device and subsequent use by the customer.

6. End-of-life When the card reaches a stage where it can no longer perform the functions for which it was produced

Table 1 - UICC product life-cycle

This SAS-UP standard is defined only for activities within phase 4 – Personalisation. Remote provisioning and management of the Embedded UICC is out of the scope of this standard.

V6.0 Page 7 of 27

https://infocentre2.gsma.com/gp/wg/SGP/OfficialDocuments/Forms/Official%20Document/docsethomepage.aspx?ID=2&FolderCTID=0x0120D5200072B7664C9B6C41A5A2203ED59788C6B200B7DD38F151D844A683065B0BA90F5F8A00127E7ACA1F2A764E9482DA008E21F277&List=1efe2dc7-eb94-4f89-bb08-8cf4a7cbfd81&RootFolder=%2Fgp%2Fwg%2FSGP%2FOfficialDocuments%2FSGP%2E01%20Embedded%20SIM%20Remote%20Provisioning%20Architecture%20v1%2E1%20%28Current%29

https://infocentre2.gsma.com/gp/wg/SGP/OfficialDocuments/Forms/Official%20Document/docsethomepage.aspx?ID=6&FolderCTID=0x0120D5200072B7664C9B6C41A5A2203ED59788C6B200B7DD38F151D844A683065B0BA90F5F8A00127E7ACA1F2A764E9482DA008E21F277&List=1efe2dc7-eb94-4f89-bb08-8cf4a7cbfd81&RootFolder=%2Fgp%2Fwg%2FSGP%2FOfficialDocuments%2FSGP%2E02%20Remote%20Provisioning%20Architecture%20for%20Embedded%20UICC%20Technical%20Specification%20v3%2E0%20%28Current%29


3 The Process Models The life cycle is used to depict the security target implementation. The representation of the steps within the process is based on product and data flows. All possible combinations are not described and chronological order is not necessarily represented.

3.1 Personalisation Process The personalisation process includes customer data in various forms throughout the process and could include the rework process.

Supplies reception

Incoming filesreception

Documents reception

File treatment

Cardspersonalization

Confidentialdocuments

personalization

Non confidentialdocuments

personalization

Packaging

Supplies delivery

Outgoing filesdelivery

Figure 1- Personalisation Process

3.2 The Actors There are four classes of actor:

1. Internal Authorised – [INT_AUTH] - employees authorised to access the SP and supporting environment

2. Internal Unauthorised – [INT_UNAU] - employees not authorised to access the SP, but who can access the supporting environment

3. External Authorised – [EXT_AUTH] - third party with authority to access the SP and supporting environment

4. External Unauthorised – [EXT_UNAU] - third party not authorised to access the SP or supporting environment

V6.0 Page 8 of 27


4 The Assets

4.1 Introduction Within the processes described above, assets are highly regarded and their security must be protected. Most assets are located in the personalisation process. However, customer specific requirements may make certain chips more sensitive if the production cycle involves additional steps prior to the personalisation process.

This document is limited to the production of UICCs for a single issuer. Other products are not part of the subject matter. The assets are laid on in tabular form below.

Incoming sensitive components (ISC) Incoming files (ISC_INF)

Algorithms (ISC_ALG)

Information and Keys (MNO_INF, MNO_KEY, ASI_KEY)

IMSI (ISC_IMS)

Non-personalised embedded UICCs / devices (ISC_DEV)

Partly finished products (PFP) UICCs /devices not completely personalised (PFP_SIM)

Finished products(FIN) Personalised UICCs / devices (FIN_SIM)

Outgoing files (FIN_OUF)

Sensitive information (SEN) Customer Information (SEN_CUI)

Management Data (SEN_MAD)

Profile Metadata (SEN_EIS)

Personalisation Rejects (PRJ) UICCs/Devices (PRJ_SIM)

Table 2: Assets

4.2 Assets Classification The assets that require protection are in various forms within the personalisation processes. The protection required can be complex, unless classes are arranged logically. A classification table is contained in Annex A.

4.3 Asset Characteristics Files and data are transmitted, stored and used in many media and transport forms.

V6.0 Page 9 of 27


Finished products and partly finished products may be used as examples that only follow the same security rules as the corresponding assets when they contain customer data.

4.4 Incoming Sensitive Components (ISC) Incoming sensitive components such as algorithms, products, files and keys are supplied to the manufacturing sites and can be sent between production sites.

Incoming sensitive components include:

• Incoming files containing classified information which must be protected in terms of integrity, confidentiality, and availability commensurate with the highest class of information contained in the file [ISC _INF]

• Information and Keys [MNO_INF, MNO_KEY] whose confidentiality, integrity and availability must be protected

• Algorithms [ISC_ALG] which must be protected in terms of availability, confidentiality, and integrity.

• UICCs [ISC_DEV] for personalisation

4.5 Partly Finished Products (PFP) Partly finished products come from ISC transformations or ISC usage inside the same production site.

Partly finished products include:

• UICCs not completely personalised [PFP_SIM]

These assets must be protected in terms of availability and integrity. Traceability must also be ensured.

4.6 Finished Products (FIN) Finished products are made up of:

• UICCs or other devices successfully personalised [FIN_SIM] • Outgoing files [FIN_OUF]

• [A_OUT_FIL1] must be protected in availability, integrity and confidentiality as they contain sensitive information e.g. Ki

• [A_OUT_FIL2] must be protected in availability and integrity. They do not contain sensitive information e.g. PIN and PUK

• [A_OUT_FIL3] only need to have the integrity preserved as they do not contain sensitive information e.g. MSISDN

• [A_OUT_FIL4] must be protected in confidentiality, integrity and availability preserved in the context of [5] and [6] e.g. eUICC information or OTA Keysets.

In all cases, if the files contain different classes of data the higher class shall prevail.

4.7 Personalisation Rejects (PRJ) Personalisation rejects are:

V6.0 Page 10 of 27


• UICCs [PRJ_SIM], confidentiality must be protected

The integrity and traceability of these assets must be assured until they are destroyed.

4.8 Sensitive information (SEN) Sensitive information is:

• Customer information [SEN_CUI], information from the personalisation site that is created or can be obtained inside or by a third party attack. Customer information can be recorded in the following devices:

• Security elements [DE_SEC] such as mother UICCs, batch UICCs, security modules etc.

• Random number generators [DE_RNG] • Transmission and ciphering systems [DE_TRA] • Testing systems [DE_TST] • Production file systems [DE_PRD]

• Management Data [SEN_MAD], information on the management of batches and UICCs. This can consist of:

• [SEN_PRD] production data which, if it contains classified information, must be protected in terms of integrity, confidentiality, and availability.

• [SEN_MAT] traceability information which should allow the supplier identify the person, or group of persons, who worked on a batch

• [SEN_MAU] audit information which should be available in relation to the recorded production history of a UICC/batch of UICCs for up to 12 months, subject to local laws.

• Embedded UICC information [SEN_EIS], information in the context of [5] and [6] received and exchanged with MNO and SM-SR.

The integrity of sensitive information must be assured and the confidentiality protected. Sensitive information includes all files, particularly working, temporary or safeguarded files that contain the information outlined above.

4.9 Cryptographic Keys (KEY) • Secret [ASI_KEY] whose confidentiality, integrity and availability must be protected. • Private keys [KEY_PRI] whose authenticity, confidentiality, integrity and availability

must be protected. • Public keys [KEY_PUB] whose authenticity, integrity and availability must be

protected.

V6.0 Page 11 of 27


5 The Threats

5.1 Introduction The threat analysis has been completed to identify the main threats to the UICC supplier. The list is not intended to be exhaustive.

The main threats to data are loss of availability, confidentiality and integrity.

The threats are listed in sections 7.2 and 7.3 independently of the process step concerned. In 8.4 each threat is associated to a step in the production process.

In the threat description, data means all type of data assets described in section 6.

5.2 Direct Threats Description

Threats Actors Assets Description T_DOUB_TEC

PFP_SIM, FIN_SIM, SEN_MAD

Physical duplicate or mismatch creation resulting from a technical mistake/bug

T_DOUB_REW INT_AUTH INT_UNAU EXT_AUTH

PFP_SIM, FIN_SIM, SEN_MAD, PRJ_SIM,

Physical duplicate creation resulting from non destroyed material after a rework (error or malevolence)

T_DOUB_REU INT_AUTH INT_UNAU

PFP_SIM, FIN_SIM, SEN_MAD, PRJ_SIM

Physical duplicate creation resulting from reused sensitive information (error or malevolence)

T_LOSS INT_AUTH INT_UNAU EXT_AUTH EXT_UNAU

ALL SENSITIVE ASSETS Loss or theft of classified assets (1, 2)

T_CONT INT_AUTH INT_UNAU EXT_AUTH EXT_UNAU

FIN_SIM, PFP_SIM, PRJ_SIM, ISC_DEV

Accidental or deliberate cross-contamination of assets in the production environment

T_DISC INT_AUTH INT_UNAU EXT_AUTH EXT_UNAU

ALL ASSETS CONTAINING CLASSIFIED INFORMATION

Disclosure of classified information

T_MODIF INT_AUTH INT_UNAU EXT_AUTH

ALL ASSETS CONTAINING CLASSIFIED INFORMATION

Unauthorised modification of classified information causing loss of integrity through error or malevolence

Table 3 - Direct Threats Description

Additional threats can result from combinations of those threats listed above.

V6.0 Page 12 of 27


5.3 Indirect Threats Description

Threats Actors Assets Description T_SEF ANY ANY Accidental or deliberate security

failure.

Table 4 - Indirect Threats Description

5.4 Application of Threats in the Process

T_D

OU

B_T

EC

T_D

OU

B_R

EW

T_D

OU

B_R

EU

T_LO

SS

T_C

ON

T

T_D

ISC

T_M

OD

IF

T_SE

F

Customer Order Reception Incoming files reception Production data generation and preparation Internal and external transfer of production data Output data generation and preparation Outgoing files delivery Incoming materials receipt, storage and issue Pre personalisation Materials transfer to personalisation UICC/device personalisation UICC / device packaging Supplies delivery (finished products) Transport between sites

Table 5 - Application of Threats in the Process

V6.0 Page 13 of 27


6 Security Objectives

6.1 Introduction The supplier is responsible to ensure that assets are protected from the security risks to which they are exposed, as defined by the security objectives. It is this protection that provides assurance to the MNOs. The security objectives relate to both the sensitive process and its environment. All the objectives must be addressed but higher levels of assurance are needed depending on the asset classification.

6.2 Security Objectives for the Sensitive Process

# Objective Threat Description 1 The SP must control the

production process T_DOUB_TEC T_DOUB_REW T_DOUB_REU T_LOSS T_MODIF T_CONT

To prevent clone, mismatch, anomalies

2 The SP must control, manage and protect data against loss of integrity and confidentiality

T_DOUB_REU T_LOSS T_DISC T_MODIF

To prevent: • any disclosure of assets • any non-conforming finished product

due to loss of integrity

3 The SP must guarantee a secure product flow

T_DOUB_REU T_LOSS T_DISC T_SEF T_CONT

To prevent theft, loss, misappropriation of assets

4 The SP must manage the elements that are specified as auditable

T_MODIF To look for possible or real security violation

5 The SP must be designed in such a way that independence of different customer files (asset) is always achieved

T_DISC To prevent one customer’s data being disclosed to another customer

Table 6 - Security Objectives for the Sensitive Process

6.3 Security Objectives for the Environment

# Objective Threat Description 1 The SP environment must

manage the elements that are specifically auditable

T_SEF To look for possible or real security violation

2 The SP environment must guarantee a secure product flow

T_SEF To prevent theft, loss or misappropriation of assets

Table 7 - Security Objectives for the Environment

V6.0 Page 14 of 27


7 Security Requirements

7.1 Introduction In order to consider the personalisation processes secure, certain requirements must be met. These requirements are considered as minimum-security requirements for the environment in which the SP is used.

The requirements of the SAS-UP standard should be met by established processes / controls for which evidence of correct operation exists.

It is recognised that it is possible to use any other mechanisms or tools other than those described in this section if they achieve the same security objective. For a worked example of how the standard could be achieved refer to the SAS-UP Guidelines [2].

NOTE: Numbering of the sections and requirements below restarts at (1) and applies independently of other sections in this document.

1 Policy, strategy and documentation

The security policy and strategy provides the business and its employees with a direction and framework to support and guide security decisions within the company.

1.1 Policy

1.1.1 A clear direction shall be set and supported by a documented security policy which defines the security objectives and the rules and procedures relating to the security of the SP, sensitive information and asset management.

1.1.2 Employees shall understand and have access to the policy and its application should be checked periodically.

1.2 Strategy

1.2.1 A coherent security strategy must be defined based on a clear understanding of the risks. The strategy shall use periodic risk assessment as the basis for defining, implementing and updating the site security system. The strategy shall be reviewed regularly to ensure that it reflects the changing security environment through ongoing re-assessment of risks.

1.3 Business Continuity Planning

1.3.1 Business continuity measures must be in place in the event of disaster.

1.4 Internal audit and control

V6.0 Page 15 of 27


1.4.1 The overall security management system shall be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure its continued correct operation.

2 Organisation and Responsibility

2.1 Organisation

2.1.1 To successfully manage security, a defined organisation structure shall be established with appropriate allocation of security responsibilities.

2.1.2 The management structure shall maintain and control security through a cross-functional team that co-ordinates identification, collation, and resolution, of security issues, independent of the business structure.

2.2 Responsibility

2.2.1 A security manager shall be appointed with overall responsibility for the issues relating to security in the SP.

2.2.2 Clear responsibility for all aspects of security, whether operational, supervisory or strategic, must be defined within the business as part of the overall security organization.

2.2.3 Asset protection procedures and responsibilities shall be documented throughout the SP.

2.3 Contracts and liabilities

2.3.1 In terms of contractual liability, responsibility for loss shall be documented. Appropriate controls and insurance shall be in place.

3 Information

The management of sensitive information, including its storage, archiving, destruction and transmission, can vary depending on the classification of the asset involved.

3.1 Classification

3.1.1 A clear structure for classification of information and other assets shall be in place with accompanying guidelines to ensure that assets are appropriately classified and treated throughout their lifecycle.

3.2 Data and media handling

3.2.1 Access to sensitive information and assets must always be governed by an overall ‘need to know’ principle.

3.2.2 Guidelines shall be in place governing the handling of data and other media, including a clear desk policy. Guidelines should describe the end-to-end ‘lifecycle management’ for sensitive assets, considering

V6.0 Page 16 of 27


creation, classification, processing, storage, transmission and disposal.

4 Personnel Security

A number of security requirements shall pertain to all personnel working within the SP.

4.1 Security in job description

4.1.1 Security responsibilities shall be clearly defined in job descriptions.

4.2 Recruitment screening

4.2.1 An applicant, and employee, screening policy shall be in place where local laws allow

4.3 Acceptance of security rules

4.3.1 All recruits shall sign a confidentiality agreement.

4.3.2 Employees shall read the security policy and record their understanding of the contents and the conditions they impose.

4.3.3 Adequate training in relevant aspects of the security management system shall be provided on an ongoing basis.

4.4 Incident response and reporting

4.4.1 Reporting procedures shall be in place where a breach of the security policy has been revealed. A clear disciplinary procedure shall be in place in the event that a staff member breaches the security policy.

4.5 Contract termination

4.5.1 Clear exit procedures shall be in place and observed with the departure of each employee.

5 Physical Security

A building is part of the site where UICCs or components are produced, personalised and/or stored. Buildings in which sensitive assets are processed shall be strongly constructed. Constructions and materials shall be robust and resistant to outside attack. Manufacturers must ensure assets are stored within high security areas and restricted areas by using recognised security control devices, staff access procedures and audit control logs.

5.1 Security plan

Layers of physical security control shall be used to protect the SP according to a clearly defined and understood strategy. The strategy shall apply controls relevant to the assets and risks identified through risk assessment.

5.1.1 The strategy shall be encapsulated in a security plan that:

V6.0 Page 17 of 27


5.1.1.1 defines a clear site perimeter / boundary

5.1.1.2 defines one or more levels of secure area within the boundary of the site perimeter

5.1.1.3 maps the creation, storage and processing of sensitive assets to the secure areas

5.1.1.4 defines physical security protection standards for each level of secure area

5.2 Physical protection

5.2.1 The protection standards defined in the security plan shall be appropriately deployed throughout the site, to include:

5.2.1.1 deterrent to attack or unauthorized entry

5.2.1.2 physical protection of the building and secure areas capable of resisting attack for an appropriate period

5.2.1.3 mechanisms for early detection of attempted attack against, or unauthorized entry into, the secure areas at vulnerable points

5.2.1.4 control of access through normal entry / exit points into the building and SP to prevent unauthorized access

5.2.1.5 effective controls to manage security during times of emergency egress from the secure area and building

5.2.1.6 mechanisms for identifying attempted, or successful, unauthorized access to, or within the site

5.2.1.7 mechanisms for monitoring and providing auditability of, authorised and unauthorised activities within the SP

5.2.2 Controls deployed shall be clearly documented and up-to-date.

5.2.3 Controls shall be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.

5.3 Access control

5.3.1 Clear entry procedures and policies shall exist which cater for the rights of employees, visitors and deliveries to enter the SP. These considerations shall include the use of identity cards, procedures governing the movement of visitors within the SP, delivery/dispatch checking procedures and record maintenance.

5.3.2 Access to each secure area shall be controlled on a ‘need to be there’ basis. Appropriate procedures shall be in place to control, authorise, and monitor access to each secure area and within secure areas.

V6.0 Page 18 of 27


Regular audits shall be undertaken to monitor access control to the secure area.

5.4 Security staff

5.4.1 Security staff are commonly employed by suppliers. Where this is the case the duties shall be clearly documented and the necessary tools and training shall be supplied.


5.5.1 Physical security controls shall be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.

6 Production data management

Suppliers will be responsible for lifecycle management of class 1 data used for personalisation. Information and IT security controls must be appropriately applied to all aspects of lifecycle management to ensure that data is adequately protected. The overall principle shall be that all data is appropriately protected from the point of receipt through storage, internal transfer, processing and through to secure deletion of the data.

6.1 Data transfer

6.1.1 Suppliers shall take responsibility to ensure that electronic data transfer between themselves and other third parties is appropriately secured.

6.2 Access to sensitive data

6.2.1 Suppliers shall prevent direct access to sensitive production data. User access to sensitive data shall be possible only where absolutely necessary. All access must be auditable to identify the date, time, activity and person responsible.

6.3 Data generation

6.3.1 As part of the personalisation process secret data may be generated and personalized into the UICC. Where such generation takes place:

6.3.1.1 The quality of the number generator in use shall be subject to appropriate testing on a periodic basis. Evidence of testing, and successful results, shall be available.

6.3.1.2 Clear, auditable, controls shall be in place surrounding the use of the number generator to ensure that data is taken from the appropriate source.

6.4 Cryptographic keys

V6.0 Page 19 of 27


6.4.1 Cryptographic keys used for data protection shall be generated, exchanged and stored securely.

6.5 Auditability and accountability

6.5.1 The production process shall be controlled by an audit trail that provides a complete record of, and individual accountability for:

6.5.1.1 data generation and processing

6.5.1.2 personalisation

6.5.1.3 re-personalisation

6.5.1.4 access to sensitive data

6.5.1.5 production of customer output files

6.5.2 Auditable dual-control and 4-eyes principle shall be applied to sensitive steps of data processing.

6.6 Data integrity

6.6.1 Controls shall be in place to ensure that the same, authorized, data from the correct source is used for production and supplied to the customer.

6.7 Duplicate production

6.7.1 Controls shall be in place to prevent duplicate production.

6.8 Public key certificates

6.8.1 The supplier certificate shall be signed by a CA (Certificate Authority) authorized by and acting on behalf of the GSMA.

6.8.2 Public key certificates shall be generated, exchanged and stored securely.


6.9.1 Production data controls shall be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.

7 Logistics and Production Management

7.1 Personnel

7.1.1 Clear security rules shall govern the manner in which employees engaged in such activities should operate within the SP. Relevant guidelines shall be in place and communicated to all relevant staff.

7.2 Order management

V6.0 Page 20 of 27


7.2.1 The ordering format shall be agreed between operator and supplier and rules to preserve the integrity of the ordering process shall be in place.

7.3 Raw materials

7.3.1 Raw materials classified as lower than class 2 (plastic sheets, GSM generic components, blank mailers, etc.) are not considered to be security sensitive. However, appropriate controls shall be established for stock movements. The availability of these assets must be ensured.

7.3.2 Raw materials classified as class 2 (e.g. non-personalised devices) are considered to be security sensitive. Controls shall be established that:

7.3.2.1 Account for stock movement

7.3.2.2 Prevent unauthorised access

7.3.2.3 Preserve the integrity of batches

7.3.2.4 Prevent availability of class 2 assets within the production environment undermining the quantity control and reconciliation mechanism for class 1 assets.

7.4 Control, audit and monitoring

7.4.1 The production process shall be controlled by an audit trail that:

7.4.1.1 ensures that the quantities of class 1 assets created, processed, rejected and destroyed are completely accounted for

7.4.1.2 ensures that the responsible individuals are traceable and can be held accountable

7.4.1.3 demands escalation where discrepancies or other security incidents are identified.

7.4.2 The stock of all Class 1 assets must be subject to end-to-end reconciliation in order that every element can be accounted for.

7.4.3 Auditable dual-control and 4-eyes principle shall be applied to sensitive steps of the production process, including:

7.4.3.1 control of the quantity of assets entering the personalisation process

7.4.3.2 authorization of re-personalisation for rejected UICCs

7.4.3.3 control of the quantity of assets packaged for dispatch to customers

7.4.3.4 destruction of rejected assets

V6.0 Page 21 of 27


7.4.4 Application of 4-eyes principle shall be auditable through production records and CCTV.

7.4.5 Regular audits shall be undertaken to ensure the integrity of production controls and the audit trail.

7.4.6 Suppliers must demonstrate an ability to prevent unauthorised duplication within the production process during personalisation and re-personalisation.

7.4.7 Suppliers must demonstrate an ability to preserve the integrity of batches within the production environment to prevent:

7.4.7.1 cross-contamination of assets between batches

7.4.7.2 uncontrolled assets in the production environment undermining the integrity of the asset control mechanism.

7.5 Destruction

7.5.1 Rejected sensitive assets must always be destroyed according to a secure procedure and logs retained.

7.6 Storage

7.6.1 Personalised product shall be stored securely prior to dispatch to preserve the integrity of the batches. Where personalised product is stored for extended periods additional controls shall be in place.

7.7 Packaging and delivery

7.7.1 Packaging of goods shall be fit for the intended purpose and strong enough to protect them during shipment. Appropriate measures shall be in place to ascertain whether or not goods have been tampered with.

7.7.2 Secure delivery procedures shall be agreed between the customer and the supplier which shall include agreed delivery addresses and the method of delivery.

7.7.3 Collection and delivery notes must be positively identified. Goods shall only be handed over following the production of the appropriate authority documents. A receipt should be obtained.


7.8.1 Production security controls shall be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.

8 Computer and Network Management

V6.0 Page 22 of 27


The secure operation of computer and network facilities is paramount to the security of data. In particular, the processing, storage and transfer of Class 1 information, which if compromised, could have serious consequences for the MNO, must be considered. Operation of computer systems and networks must ensure that comprehensive mechanisms are in place to preserve the confidentiality, integrity and availability of data.

8.1 Policy

8.1.1 A documented IT security policy shall exist which shall be well understood by employees.

8.2 Segregation of roles and responsibilities

8.2.1 Responsibilities and procedures for the management and operation of computers and networks shall be established. Security related duties shall be segregated from operational activities to minimise risk.

8.3 Access control

8.3.1 Physical access to sensitive computer facilities shall be controlled.

8.3.2 An access control policy shall be in place and procedures shall govern the granting of access rights with a limit placed on the use of special privilege users. Logical access to IT services shall be via a secure logon procedure.

8.3.3 Passwords shall be used and managed effectively.

8.3.4 Strong authentication shall be deployed where remote access is granted.

8.4 Network security

8.4.1 Systems and data networks used for the processing and storage of sensitive data shall be housed in an appropriate environment and logically or physically separated from insecure networks.

8.4.2 Data transfer between secure and insecure networks must be strictly controlled according to a documented policy defined on a principle of minimum access.

8.4.3 The system shall be implemented using appropriately configured and managed firewalls incorporating appropriate intrusion detection systems.

8.4.4 Controls shall be in place to proactively identify security weaknesses and vulnerabilities and ensure that these are addressed in appropriate timescales

8.5 System security

V6.0 Page 23 of 27


8.5.1 Systems configuration and maintenance

8.5.1.1 Security requirements of systems shall be identified at the outset of their procurement and these factors shall be taken into account when sourcing them.

8.5.1.2 System components and software shall be protected from known vulnerabilities by having the latest vendor-supplied security patches installed.

8.5.1.3 System components configuration shall be hardened in accordance with industry best practice

8.5.1.4 Change control processes and procedures for all changes to system components shall be in place.

8.5.1.5 Processes shall be in place to identify security vulnerabilities and ensure the associated risks are mitigated.

8.5.1.6 Comprehensive measures for prevention and detection of malware and viruses shall be deployed across all vulnerable systems.

8.5.1.7 Unattended terminals shall timeout to prevent unauthorised use and appropriate time limits should be in place.

8.5.2 System back-up

8.5.2.1 Back-up copies of critical business data shall be taken regularly. Back-ups shall be stored appropriately to ensure confidentiality and availability.

8.6 Audit and monitoring

8.6.1 Audit trails of security events shall be maintained and procedures established for monitoring use.

8.7 External facilities management

8.7.1 If any sub-contracted external facilities or management services are used, appropriate security controls shall be in place. Such facilities and services shall be subject to the requirements stated in this document.


8.8.1 IT security controls shall be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.

V6.0 Page 24 of 27


Annex A Assets Code Asset Class Products FIN_SIM Finished UICCs 1

PFP_SIM UICC / device not completely personalised 1

PRJ_SIM Personalised rejected UICC 1

Info

rmat

ion

ISC_ALG Incoming algorithms 1

SEN_CUI Customer information

MNO_KEY MNO Cryptographic keys (e.g. Ki, OP, OPC, OTA keys... ISD and SSD keys) 1

KEY

Clear cryptographic keys/key components protecting class 1 assets for confidentiality and integrity. An asset protected by these cryptographic keys is considered a class 2 asset.

1

ASI_KEY

A cryptographic key that is used with a secret-key (symmetric) cryptographic algorithm that is uniquely associated with one or more entities and is not made public.

1

KEY_PRI The private component of the asymmetric key pair 1

KEY_PUB The public component of the asymmetric key pair 2

MNO_INF Information in the context of [5] and [6] (e.g. POL 1 for profile) 1

Products ISC_DEV Incoming devices before entering personalisation process 2

Info

rmat

ion

SEN_MAD

Management data. Information on the management of batches and UICCs. This may contain:

• Production data, which may contain classified information

• Traceability information, which should allow the supplier to identify the person(s) who, worked on a batch

• Audit information related to the recorded production history of a UICC or batch of UICCs.

If a file managed Class 1 information, these information have to be Class 1 protected and the file Class 2 protected

2

SEN_EIS

Embedded UICC information in the context of [5] and [6]. If a file manages Class 1 information, the information has to be Class 1 protected and the file has to be Class 2 protected

2

ISC_INF Incoming files. If the file contains class 1 information, it needs to be protected as a class 1 2

FIN_OUF Outgoing files. If the file contains class 1 information (E.g. Ki, EIS), this information has to be Class 1

2

V6.0 Page 25 of 27


Code Asset Class protected.

ISC_KEY_PIN UICC PIN 2

ISC_KEY_PUK Unblocking PIN 2

ISC_IMS International Mobile Subscriber Information 2

V6.0 Page 26 of 27


Annex B Document Management

B.1 Document History

Version Date Brief Description of Change Editor / Company

3.1.0 24 Jul 2003 Stable version in use. James Moran, GSMA

3.2.2 16 Nov 2006

Significant clarifications added to security requirements to aid interpretation by auditees. New coversheet.

James Messham, FML

3.2.4 11 Sep 2008

New logo Minor updates Appendix B removed

James Messham, FML

3.3 16 Oct 2012

Applied updated GSMA document template and version numbering. David Maxwell, GSMA

4.0 5 Mar 2013 Remove embedding process from scope of SAS and update assets, threats and security requirements as appropriate

James Messham, FML

4.1 10 Apr 2013

Replaced term “smart card” with “UICC” to clarify that non-card form factor (e.g. M2M) products are included in SAS scope.

David Maxwell, GSMA

4.2 7 Aug 2013 Correction of minor error: removed duplicated column in Table 7 - Application of Threads in the Process

David Maxwell, GSMA

4.3 30 Oct 2013

Removed design media from scope of SAS James Messham, FML

5.0 23 Apr 2014

Integrate the SM-SR & SM-DP ecosystem. Removed personalisation of PIN mailers from SAS scope. General editorial update, including re-numbering of requirements.

SAS subgroup

6.0 14 Mar 2016

Update certificate handling requirements and separation of remote access requirement

SAS subgroup

B.2 Other Information

Type Description Document Owner SAS Certification Body

Editor / Company David Maxwell, GSMA

It is our intention to provide a quality product for your use. If you find any errors or omissions, please contact us with your comments. You may notify us at [email protected]

Your comments or suggestions & questions are always welcome.

V6.0 Page 27 of 27
