
FS.31 Baseline Security Controls v5.0

Information Technology 2025-06-09 GSMA 王英文

Baseline Security Controls
Version 5.0
29 April 2025

Security Classification: Non-confidential

Access to and distribution of this document is restricted to the persons permitted by the security classification. This document is subject to copyright protection. This document is to be used only for the purposes for which it has been supplied and information contained in it must not be disclosed or in any other way made available, in whole or in part, to persons other than those permitted under the security classification without the prior written approval of the Association.

Copyright Notice

Copyright © 2025 GSM Association

Disclaimer

The GSM Association (“Association”) makes no representation, warranty or undertaking (express or implied) with respect to and does not accept any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information contained in this document. The information contained in this document may be subject to change without prior notice.

Compliance Notice

The information contained herein is in full compliance with the GSM Association’s antitrust compliance policy.

This Permanent Reference Document is classified by GSMA as an Industry Specification, as such it has been developed and is maintained by GSMA in accordance with the provisions set out in GSMA AA.35 - Procedures for Industry Specifications.
GSM Association
Official Document FS.31 – Baseline Security Controls

Table of Contents

1 Introduction
  1.1 Background
  1.2 Scope
  1.3 Intended Audience
  1.4 How to use this Document
  1.5 Terms of Use
  1.6 Abbreviations
  1.7 Definitions
  1.8 References
2 Baseline Security Controls
  2.1 Business Controls
  2.2 Technological Controls
    2.2.1 (e)UICC Management Controls
    2.2.2 User Equipment and Mobile Equipment Controls
    2.2.3 Internet of Things Controls
    2.2.4 General Security Requirements Controls
    2.2.5 Radio Network Operational Controls
    2.2.6 Network Architecture Controls
    2.2.7 Network Infrastructure Controls
    2.2.8 Network Services Controls
    2.2.9 Core Network Management Controls
    2.2.10 Mobile Edge Computing Platform Controls
    2.2.11 Network Operations Controls
    2.2.12 Orchestration and VNF Security Controls
    2.2.13 Security Operations Controls
    2.2.14 Roaming and Interconnect Controls

1 Introduction

1.1 Background

Mobile Network Operators provide the backbone for mobile telecommunication technologies. At enterprise level the industry offers a wide array of services, diversifying from traditional connectivity into content and managed services. At the same time 5.1 billion [1] users depend on Operators to maintain their connectivity; an item considered a basic human right under UN Article 19 [2]. This results in a mixed threat landscape of traditional IT, radio and mobile related threats.

Based on this position the industry has a responsibility to secure customer information and services. The GSMA has developed the following baseline security controls to help Operators understand and develop their security posture to a foundation (base) level.

These controls are not binding; this is a voluntary scheme to enable an Operator to assess and understand their own security controls. The GSMA does not require access to the results but are suitably positioned to discuss specific output and identify remedial resources if desired.

1.2 Scope

This document outlines a specific set of security controls that the mobile telecommunications industry should consider deploying. The solution description identifies specific advice that would allow the Operator to fulfil the control objectives.

These controls stand separate to, but may be supported by, local market legislation and regulation. They do not replace or override local regulations or legislation in any territory. Their purpose is to enhance and supplement security levels within the mobile telecommunications industry.

1.3 Intended Audience

This document has been created as a list of controls, supported by a separate checklist of questions related to the controls. It is recommended that the checklist be completed by a person, or team, associated with the controls. For example, and as shown in the following table:

• The corporate security team could be assigned Section 2.1.
• The device team could be assigned Sections 2.2.1 to 2.2.3.
• The mobile network team could be assigned Section 2.2.4.
• The radio network team could be assigned Section 2.2.5.
• The network engineering team could be assigned Sections 2.2.6 to 2.2.8 and 2.2.10.
• The core network team could be assigned Section 2.2.9.
• The network operations team could be assigned Sections 2.2.11 and 2.2.12.
• The network security team could be assigned Section 2.2.13.
• The roaming team could be assigned Section 2.2.14.

It is recognised that team structures vary from one network operator to another and that the allocation of security responsibilities also varies. The division of respo