Baseline Security Controls 05 February 2020: This Is A Non-Binding Permanent Reference Document of The GSMA
Copyright Notice
Copyright © 2020 GSM Association
Disclaimer
The GSM Association (“Association”) makes no representation, warranty or undertaking (express or implied) with respect to and does not accept
any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information contained in this document.
The information contained in this document may be subject to change without prior notice.
Antitrust Notice
The information contained herein is in full compliance with the GSM Association’s antitrust compliance policy.
V2.0 Page 1 of 35
GSM Association Non-confidential
Official Document FS.31 - Baseline Security Controls
Table of Contents
1 Introduction 3
1.1 Background 3
1.2 Scope 3
1.3 Intended Audience 3
1.4 How to use this Document 3
1.5 Terms of Use 5
1.6 Abbreviations 5
1.7 Definitions 8
1.8 References 11
2 Baseline Security Controls 13
2.1 Business Controls 13
2.2 Technological Controls 17
2.2.1 User Equipment and Mobile Equipment Controls 17
2.2.2 (e)UICC Management Controls 18
2.2.3 Internet of Things Controls 19
2.2.4 Radio Network Controls 19
2.2.5 Roaming and Interconnect Controls 21
2.2.6 Core Network Management Controls 22
2.2.7 Network Operations Controls 24
2.2.8 Security Operations Controls 28
Annex A Security Controls Checklist 31
A.1 Checklist Spreadsheet 31
Annex B Policy Outlines 32
B.1 Policy Document Outline Table 32
Annex C Document Management 35
C.1 Document History 35
C.2 Other Information 35
1 Introduction
1.1 Background
Mobile Network Operators provide the backbone for mobile telecommunication technologies.
At enterprise level the industry offers a wide array of services, diversifying from traditional
connectivity into content and managed services. At the same time 5.1 billion [1] users
depend on Operators to maintain their connectivity; an item considered a basic human right
under UN Article 19 [2]. This results in a mixed threat landscape of traditional IT, radio and
mobile related threats.
Based on this position the industry has a responsibility to secure customer information and services. The GSMA has developed the following baseline security controls to help Operators understand and develop their security posture to a foundation (base) level.
These controls are not binding; this is a voluntary scheme to enable an Operator to assess and understand their own security controls. The GSMA does not require access to the results but is suitably positioned to discuss specific output and identify remedial resources if desired.
1.2 Scope
This document outlines a specific set of security controls that the mobile telecommunications
industry should consider deploying. The solution description identifies specific advice that
would allow the Operator to fulfil the control objectives.
These controls stand separate to, but may be supported by, local market legislation and
regulation. They do not replace or override local regulations or legislation in any territory.
Their purpose is to enhance and supplement security levels within the mobile
telecommunications industry.
NOTE Failure to populate the checklist with accurate information will reduce its effectiveness.
How the controls are implemented is the responsibility of the Operator and specifics are not
covered in this document. It is expected that internal implementation documentation or
solutions are understood and approved by the Operator’s Chief Information Security Officer
(CISO) or equivalent. These are baseline (minimum) controls; if the assessed Operators
have already implemented security controls that are considered more secure than those
listed in this document the GSMA does not recommend reducing the security level
implemented.
The GSMA recognises the industry standard work by the Centre for Internet Security (CIS) Controls [3] and has aligned to these wherever appropriate. Where a CIS control has been used, it is cited in the Reference field. Because CIS is focussed upon general computing cyber-security, not all CIS controls are incorporated within the baseline: only those relevant to typical Operator systems.
It is also not rational to universally adopt a target maturity of Level 5 for all controls: only
what is appropriate and proportionate for each of those controls. Typically, an organisation
will first identify a strategic plan for maturity improvement over time. For instance, a limited
set of the most significant controls could be targeted for improvement in Year 1, further
controls improved in Year 2, within a strategic five-year plan aiming for an eventual target
level of maturity profile tuned for each of the controls. An example is provided in the
companion Annex A Excel tool, which is used to self-assess maturity.
1.6 Abbreviations
Term Description
3DES Triple Data Encryption Standard
3GPP 3rd Generation Partnership Project
AES Advanced Encryption Standard
API Application Programming Interface
AUSF Authentication Server Function
BAU Business as Usual
BC Business Continuity
BCM Business Continuity Management
BSI British Standards Institution
BSS Business support services
BSIMM Building Security in Maturity Model
CA Certificate Authority
CAB Change Approval Board
CASB Cloud Access Security Broker
CIS Centre for Internet Security
CISO Chief Information Security Officer
CKMS Cryptographic Key Management System
CPE Customer Premises Equipment
CRL Certificate Revocation List
CSIRT Computer Security Incident Response Team
DES Data Encryption Standard
ECIES Elliptic Curve Integrated Encryption Scheme
EIR Equipment Identity Register
EPC Evolved Packet Core
ETSI European Telecommunications Standards Institute
eUICC Embedded UICC
FASG Fraud and Security Group
FFG Fire, Flood and Gas
FTP File Transfer Protocol
FTPS File Transfer Protocol Secure
GGSN Gateway GPRS support node
GPRS General Packet Radio Services
GRC Governance, Risk and Compliance
GSM Global System for Mobile Communications – 2G Network
GSMA GSM Association
GT Global Title
GTP GPRS Tunnelling Protocol
HLR Home Location Register
HSM Hardware Security Module
HSS Home Subscriber Server
HTTPS Secure Hypertext Transfer Protocol
HVAC Heating, Ventilation and Air Conditioning
IDPS Intrusion Detection and Prevention Systems
IETF Internet Engineering Task Force
IMEI International Mobile Equipment Identity
IoT Internet of Things
IP Internet Protocol
IPsec Internet Protocol Security
IPX IP Packet Exchange
iUICC Integrated UICC
LTE Long Term Evolution - 4G Network
MAP Mobile Application Part
MME Mobility Management Entity
MMS Multimedia Messaging Service
MMSC Multimedia Messaging Service Centre
NAS Non-Access Stratum
NE Network Element
NESAS Network Equipment Security Assurance Scheme
NFV Network Function Virtualisation
NIST National Institute of Standards and Technology (US)
NR New Radio
OEM Original equipment manufacturer
OSINT Open Source Intelligence
OTA Over the air
PAM Privileged Account Management
PDN GW Packet Data Network Gateway
PIN Personal Identification Number
PKI Public Key Infrastructure
PMN Public Mobile Network
PRD Permanent Reference Document
RAEX Roaming Exchange
RAN Radio Access Network
RCS Rich Communication Services
RFC Request for Comments
RSA Rivest–Shamir–Adleman
SAE System Architecture Evolution
SAML Security Assertion Mark-up Language
SAS Security Accreditation Scheme
SDLC Software Development Lifecycle
SFTP Secure File Transfer Protocol
SGSN Serving GPRS Support Node
SGW Serving Gateway
SIEM Security Information and Event Management
SIGTRAN Signalling Transport
SIM Subscriber Identity Module
SLT Security Leadership Team
SMS Short Message Service
SOAR Security Orchestration, Automation and Response
SOC Security Operations Centre
SS7 Signalling System 7
SSL Secure Sockets Layer
STP Signal Transfer Point
SUCI SUbscription Concealed Identifier
T-ISAC Telecommunication Information Sharing and Analysis Centre
TDE Transparent Data Encryption
TMSI Temporary Mobile Subscriber Identity
TRE Tamper Resistant Element
UE User equipment
UICC Universal integrated circuit card
UMTS Universal Mobile Telecommunications System - 3G Network
UTRAN UMTS Terrestrial RAN
VLAN Virtual Local Area Network
VPN Virtual Private Network
1.7 Definitions
Term Description
Anomaly: A deviation from the common rule.
Authentication Server Function (AUSF): The AUSF performs UE authentication in 5G networks.
Cloud Access Security Broker (CASB): Technology used to control access to cloud tenants and users in a distributed cloud computing environment. Typically incorporates single sign-on and ticketing methods such as SAML to control access to cloud resources and direct requests over load-balanced infrastructures.
Core Network: According to 3GPP the core network consists of different technology and infrastructure depending on the generation of mobile telecommunications network: GSM: circuit switching network elements (NE); UMTS: packet switching and circuit switching NE; GPRS: packet switching NE; LTE: Evolved Packet Core (EPC) NE; 5G: 5G NE.
Cryptographic Key Management System (CKMS): A framework and services that provide for the generation, establishment, control, accounting, and destruction of cryptographic keys and associated management information. It includes all elements (hardware, software, other equipment, and documentation); facilities; personnel; procedures; standards; and information products that form the system that establishes, manages, and supports cryptographic products and services for end entities (NIST SP 800-57 [5]).
Evolved Packet Core (EPC): LTE’s core network, consisting of the Home Subscriber Server (HSS), Serving Gateway (SGW), Packet Data Network Gateway (PDN GW) and Mobility Management Entity (MME) [4].
Embedded UICC (eUICC): A UICC which is not easily accessible or replaceable, is not intended to be removed or replaced in the Device, and enables the secure changing of subscription Profiles.
GSMA Fraud and Security Group (FASG): A working group focused on the fraud and security needs of the mobile ecosystem.
Gateway GPRS Support Node (GGSN): The GGSN is responsible for the internetworking between the GPRS network and external packet switched networks.
General Packet Radio Service (GPRS): GPRS is a protocol used to carry packet-switched data traffic on mobile telecommunications networks.
GPRS Tunnelling Protocol (GTP): GTP is a set of protocols used to carry GPRS signalling and user plane traffic within the mobile telecommunications network.
Hardware Security Module (HSM): A HSM is a dedicated hardware component used to securely manage key material and/or sensitive processing.
Home Subscriber Server (HSS): A Home Subscriber Server (HSS) is a database within an LTE network that contains user-related and subscriber-related information [4].
Interception: Interception attacks include any attacks (passive or active) where the attacker attempts to intercept or re-route traffic/data for their own gains.
IPX Provider Network: The part of the IPX Network that is operated by one IPX Provider. All IPX Provider Networks together build the global IPX Network.
Integrated UICC (iUICC): A UICC implemented on a Tamper Resistant Element (TRE) that is integrated into a System-on-Chip (SoC), optionally making use of remote volatile/non-volatile memory.
Know your customer: Implement appropriate customer relationship management, accounting and utilisation systems to understand customer requirements and behaviours. It can also refer to due diligence in establishing and operating customer accounts and monitoring for breaches of usage conditions.
Maturity Model: A broadly recognized tool, with increasing levels, that assesses the maturity of the implementation of business strategies and controls (including information security management). The model proposed for the purposes of this document is defined in Table 1 on page 5.
Mobility Management Entity (MME): The MME handles the signalling related to mobility and security for E-UTRAN access in LTE networks. The MME is responsible for the tracking and the paging of UE in idle mode. It is the termination point of the Non-Access Stratum (NAS) [4].
Multimedia Messaging Service Centre (MMSC): The multimedia messaging service is a standard way to send messages that include multimedia content to and from a mobile phone over a cellular network. The MMSC acts as a relay or forwarding station for these messages.
Mobile Network Operator (MNO): A mobile network Operator carries out provisioning, billing and engineering for mobile services. A full member of the GSMA.
New Radio: 5G’s radio interface.
Network Element: Any active component on the network involved in sending, receiving, processing, storing, or creating data packets and/or voice traffic. In the mobile network, components like the Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN), Mobility Management Entity (MME), Serving Gateway (SGW), Packet Data Network Gateway (PGW), Home Location Register (HLR), Home Subscriber Server (HSS), and GTP firewall, as well as routers and gateways, are network elements.
Network Equipment Security Assurance Scheme (NESAS): NESAS is a voluntary network equipment security assurance scheme operated and maintained by GSMA, with contributions from 3GPP, covering the methodology and security targets for equipment under test. It defines a globally applicable security baseline that network equipment vendors can meet.
Organization: This is a term that can apply to any member, manufacturer, Operator or business entity within the scope of the GSMA membership.
Packet Data Network Gateway (PDN GW): The PDN GW provides connectivity from mobile devices to external packet data networks in LTE networks.
Physical security: Security controls to protect physical components of a network.
Privileged Account Management (PAM): System that controls access to and accounts for use of privileged user functions and security critical functions. It can also add additional rules-based authentication layers for exercise of privileges.
Security Orchestration, Automation and Response (SOAR): SOAR represents a combination of technology and disciplines to control security operation of resource allocation (compute, storage, network and peripheral access) and mobility within virtualized, containerised, compartmentalized, cloud computing and/or distributed data centre environments.
Security Accreditation Scheme (SAS): The SAS is a GSMA certification scheme providing assurance that suppliers manufacture and/or manage UICCs, eUICCs and iUICCs in a secure way.
Serving Gateway (SGW): The SGW is the point of interconnect between the radio-side and the LTE EPC; the gateway serves the UE by routing the incoming and outgoing IP packets [4].
Short Message Service (SMS): Also known as text messaging; uses standardised communication protocols to exchange short text messages.
Short Message Service Centre (SMSC): A SMSC is a network element in the mobile telephone network which delivers SMS messages.
Signalling System 7 (SS7): SS7 is a protocol allowing phone networks to exchange information needed for managing subscriber mobility and connections, and routing calls and text messages.
Signal Transfer Point (STP): A STP is a router that relays SS7 messages between certain network elements.
User Equipment (UE): Devices used by the end user.
Universal Integrated Circuit Card (UICC): The UICC is the smart card used in mobile terminals to manage subscriber credentials and network access.
Vendors: An organisation offering a product or service used by the mobile telecommunications industry.
Virtual Private Network (VPN): A VPN extends a private network across a public network.
Vulnerability: A vulnerability is generally a set of conditions that allow the violation of an explicit or implicit security policy.
1.8 References
Ref Document (Link)
[1] GSMA Intelligence Global Mobile Trends (GSMAi)
[2] UN Human Rights Council Article 19
[3] Centre for Internet Security (CIS) Controls (CIS Controls)
[4] The Evolved Packet Core (3GPP EPC)
[5] NIST SP 800-57 Recommendation for Key Management Part 2 (NIST SP 800-57)
[6] GSMA Coordinated Vulnerability Disclosure (CVD) Programme (GSMA CVD)
[7] Bringing science to software security (BSIMM)
[8] Effective Business Continuity Management Guidelines for Mobile Network Operators (GSMA BCM Guidelines)
[9] GSMA Network Equipment Security Assessment Scheme (NESAS) (GSMA NESAS)
[10] IMEI Security Technical Design Principles (GSMA)
[11] Requirements for Mobile Device Software Security Updates (PRD FS.25)
[12] SG.15 Guidance for Operators on security mechanisms (PRD SG.15)
[13] Anti-Theft Device Feature Requirements (PRD SG.24)
[14] GSMA IMEI Database (GSMA IMEI Database)
[15] SAS Certified Sites (SAS Certified Sites)
[16] SIM Alliance S@T Specifications (S@T Specifications)
[17] GSMA Security Manual (PRD FS.30)
[18] Recommendation for Random Number Generation Using Deterministic Random Bit Generators (NIST SP 800-90A)
[19] FS.28 Security Guideline for UICC credential protection (PRD FS.28)
[20] Security Requirements for Cryptographic Modules (FIPS 140-2) (FIPS 140-2)
[21] GSMA eUICC Compliance (eUICC Compliance)
NOTE The numbered items given under the Solution Description do not correspond to the maturity levels used to score the controls. Rather, these indicate a sequence of controls that can be applied to each Objective.
These controls are likely to be understood and managed by the security leadership team (SLT); this team would be able to comment on how these controls are implemented.
NO-007
Objective: Monitor and analyse core, radio and enterprise network traffic for potential internal or external attacks.
Solution Description:
1. Enable audit logging and deliver data to SIEM/log server for analysis for relevant threat vectors.
2. Correlate log data to allow cross referencing.
3. Enable system logging to include details such as an event source, date, user, timestamp (UTC), source addresses, destination addresses, and other useful elements.
4. On a regular basis, tune SIEM system to better identify actionable events and decrease event noise.
5. Ensure integrity of audit data (e.g. copy to write-once media or apply digital signatures to log collections).
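As an added example (not from the GSMA document or its companion tool), the Python below shows one way a log server could enforce items 3 and 5 of NO-007: each event is checked for the fields the control lists, its timestamp is normalised to UTC, and the collection is hash-chained and sealed so that an edited, dropped or reordered record fails verification. The field names, sample events and key are constructed assumptions, and an HMAC stands in for the digital signature the control mentions; a real deployment would sign with a key held in an HSM or PKI.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Fields every audit event must carry (constructed from the NO-007 item 3 list).
REQUIRED_FIELDS = ("source", "timestamp", "user", "src_addr", "dst_addr", "event")


def normalise_event(raw: dict) -> dict:
    """Reject events missing required fields; normalise the timestamp to UTC ISO-8601 ('Z')."""
    missing = [f for f in REQUIRED_FIELDS if raw.get(f) in (None, "")]
    if missing:
        raise ValueError(f"audit event missing required fields: {missing}")
    ts = datetime.fromisoformat(raw["timestamp"].replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a timezone so it can be normalised to UTC")
    ev = dict(raw)
    ev["timestamp"] = ts.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    return ev


def _canonical(record: dict) -> str:
    # Stable serialisation so the hash does not depend on key order or whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def seal_collection(events, key: bytes) -> dict:
    """Hash-chain the events and seal the chain head with an HMAC (assumed log-server key)."""
    prev = "0" * 64
    entries = []
    for ev in events:
        digest = hashlib.sha256((prev + _canonical(ev)).encode()).hexdigest()
        entries.append({"record": ev, "prev": prev, "hash": digest})
        prev = digest
    tag = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "head": prev, "tag": tag}


def verify_collection(coll: dict, key: bytes) -> bool:
    """Recompute the chain and the HMAC; any edit, deletion or reordering breaks the chain."""
    prev = "0" * 64
    for entry in coll["entries"]:
        if entry["prev"] != prev:
            return False
        if hashlib.sha256((prev + _canonical(entry["record"])).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return prev == coll["head"] and hmac.compare_digest(expected, coll["tag"])


# Constructed sample events and key (not from the document; never reuse a hard-coded key).
SAMPLE_EVENTS = [
    {"source": "hss01", "timestamp": "2020-02-05T09:15:00+01:00", "user": "ops_admin",
     "src_addr": "10.0.0.5", "dst_addr": "10.0.1.9", "event": "config_change"},
    {"source": "stp02", "timestamp": "2020-02-05T08:16:30Z", "user": "svc_monitor",
     "src_addr": "10.0.2.7", "dst_addr": "10.0.1.9", "event": "login_success"},
]
KEY = b"constructed-demo-key-not-for-production"


def demo():
    """Seal the sample collection, then tamper with one record: returns (True, False)."""
    coll = seal_collection([normalise_event(e) for e in SAMPLE_EVENTS], KEY)
    ok_before = verify_collection(coll, KEY)
    coll["entries"][0]["record"]["user"] = "someone_else"  # after-the-fact edit
    return ok_before, verify_collection(coll, KEY)


if __name__ == "__main__":
    print(demo())
```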
Annex A Checklist Spreadsheet: FS.31 Baseline Security Controls - Annex A Questions 3.2.xlsx
It is our intention to provide a quality product for your use. This document is an early version that can be updated with subject matter experience and suggested improvements or additions, or if you find any errors or omissions. You may send these via email to us at [email protected]