Professional Documents
Culture Documents
Non-confidential
Copyright Notice
Copyright 2012 GSM Association
Disclaimer
The GSM Association (Association) makes no representation, warranty or undertaking (express or implied) with respect to and does not accept any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information contained in this document. The information contained in this document may be subject to change without prior notice.
Antitrust Notice
The information contain herein is in full compliance with the GSM Associations antitrust compliance policy.
V3.3
Page 1 of 28
Non-confidential
Table of Contents
1 The GSM Association SAS 1.1 Introduction 1.2 Objectives of the Scheme Introduction 2.1 Overview 2.2 Scope Definitions 3.1 Common Abbreviations 3.2 Glossary 3.3 References 3.4 Conventions Definition of Processes The Process Models 5.1 Embedding Process 5.2 Personalisation Process 5.3 The Actors The Assets 6.1 Introduction 6.2 Assets Classification 6.3 Asset Characteristics 6.4 Incoming Sensitive Components (ISC) 6.5 Partly Finished Products (PFP) 6.6 Finished Products (FIN) 6.7 Personalisation Rejects (PRJ) 6.8 Embedded Rejects (ERJ) 6.9 Sensitive information (SEN) Security Objectives 7.1 Introduction 7.2 Security Objectives for the Sensitive Process 7.3 Security Objectives for the Environment The Threats 8.1 Introduction 8.2 Direct Threats Description 8.3 Indirect Threats Description 8.4 Application of Threats in the Process Security Requirements 9.1 9.2 9.3 9.4 9.5 9.6
V3.3
4 4 4 5 5 5 6 6 6 6 6 7 8 8 9 9 10 10 11 11 11 11 11 12 12 12 14 14 14 14 15 15 15 16 16 17 17 17 18 18 19 20
Page 2 of 28
4 5
Introduction Policy, strategy and documentation Organisation and Responsibility Information Personnel Security Physical Security
Non-confidential
9.7 Production data management 9.8 Logistics and Production Management 9.9 Computer and Network Management Annex A Assets Annex B B.1 B.2 Document Management Document History Other Information
21 22 24 27 28 28 28
V3.3
Page 3 of 28
Non-confidential
There are numerous security risks faced by every GSM operator. The supplier may introduce certain risks, the consequences of which will be borne by the GSM operator. Operators are dependent on suppliers to control risks, and to provide confidence that adequate security is in place. Operator confidence is improved by the introduction of an auditable standard, which is applied to all GSM suppliers. SAS is a voluntary scheme whereby smart card suppliers subject themselves to a comprehensive audit at every production site. In the future SAS may be compatible with the banking domain criteria, thus offering the opportunity to benefit from similar approaches.
1.2
The reason why the following security standard has been prepared is: to address the security risks introduced by suppliers and manufacturers to every GSM operator to provide a set of auditable security requirements to allow GSM suppliers provide assurance to their customers that potential risks are under control and that appropriate security measures are in place.
V3.3
Page 4 of 28
Non-confidential
2 Introduction
2.1 Overview
This standard has been created and developed under the supervision of a GSM Association (GSMA) working group comprised of representatives from GSM network operators, smart card suppliers participating in SAS, and the GSMA-appointed auditing companies. The GSM Association is responsible for updating the security standards and a review with the smart card industry and the appointed auditors will take place every 12 months during the life of the scheme. Functional requirements and security objectives applicable to smart card embedding sites and personalisation sites are outlined. Sites eligible for auditing include only those where embedding and/or personalisation takes place with all other sites being outside the remit of the scheme. In order to be supported by a widely accepted method, the document was developed on the basis of the Common Criteria standard, the main smart card manufacturers being experienced in the protection profile definition and the application of appropriate security controls. However, this document is not intended to be a smart card production protection profile.
2.2
Scope
The scope of the document has been restricted to security issues relating to the supply and manufacture of smart cards for the GSM/3GSM community. Consistency of the security requirements has been achieved by defining: Card life cycle and processes Assets to be protected Risk and threats Security requirements.
To further reduce the risks for GSM/3GSM operators it is acknowledged that the security objectives must continue to be met after the personalisation phases where the supplier is responsible for delivery.
V3.3
Page 5 of 28
Non-confidential
3 Definitions
3.1
Term
SP ISC IT Actor
Common Abbreviations
Description
The Sensitive Process represents the security evaluation field, covering the processes and the assets within those processes Incoming Sensitive Components characterise the process sensitive inputs such as information, products, files, keys, etc. Information Technology Person who is involved in, or can affect, the target of evaluation
3.2
Term
Key
Glossary
Description
Refers to any logical key (e.g. cryptographic key) The keys and/or combinations used for vaults, safes and secure cabinets Areas off-limits to unauthorised personnel in which assets are stored and processed Criteria used as the basis for evaluation of security properties. The evaluation results help in determining whether or not the product is secure Environment of use of the sensitive process limited to the security aspects Two or more assets of the same nature showing a set of information that should be individual according to the correct process Specific area set aside dedicated to the protection of assets. Finished or partially finished product containing sensitive information which has been ejected from the process.
Physical keys Restricted areas, high security areas Common Criteria Environment Doubloon Secure storage Reject
3.3
Ref
[1] [2] [3] [4]
References
Title
GSMA SAS Methodology, latest version available at www.gsma.com/sas GSMA SAS Guidelines, available to participating sites from sas@gsm.org GSMA SAS Audit analysis, available to participating sites from sas@gsm.org Key words for use in RFCs to Indicate Requirement Levels, S. Bradner, March 1997. Available at http://www.ietf.org/rfc/rfc2119.txt
3.4
Conventions
The key words must, must not, required, shall, shall not, should, should not, recommended, may, and optional in this document are to be interpreted as described in RFC2119 [4].
V3.3
Page 6 of 28
Non-confidential
4 Definition of Processes
The smart card product life-cycle can be broken down into 7 phases: #
1. 2.
Title
Software development IC design
Description
Basic software and operating system development; application software development, integration and validation IC development; hardware development, initialisation and test program development, integration and validation, initialisation of identification information and delivery keys Component manufacturing, testing, preparation and transfer to the site IC reception and acceptance, modules manufacture, customer order, embedding, cutting, pre-personalisation and internal supply to personalisation stage or supply to external parties Receipt of supplies, documents and files, processing of files, recording of data on the card and documents, packing and delivery of supplies and files. Each of these steps could involve a re-work process Commences when the network operator takes responsibility for the cards. It includes the operators storage, distribution and activation of the cards and the subsequent customer use of the card. When the card reaches a stage where it can no longer perform the functions for which it was produced
3. 4.
5.
Personalisation
6.
User
7.
End-of-life
Table 1 - Smart card product life-cycle For the purposes of the security accreditation scheme, the standard is defined for smart card embedding and personalising processes only.
V3.3
Page 7 of 28
Non-confidential
5.1
Embedding Process
The embedding process is not as important as the personalisation process from a customer data point of view. Modules manufacture is included in the embedding process for the purpose of conducting audits however, where this activity does not take place on site it may be excluded and the awarded certificate will reflect this.
Card printing IC (wafer) reception
IC Acceptance
Cutting
Pre-personalization
Supplies delivery
V3.3
Page 8 of 28
Non-confidential
5.2
Personalisation Process
The personalisation includes customer data in various forms throughout the process and could include the rework process.
Packaging
5.3
The Actors
There are four classes of actor: Internal Authorised [INT_AUTH] - employees authorised to access the SP and supporting environment Internal Unauthorised [INT_UNAU] - employees not authorised to access the SP. But can access the supporting environment External Authorised [EXT_AUTH] - third party with authority to access the SP and supporting environment External Unauthorised [EXT_UNAU] - third party not authorised to access the SP or supporting environment
V3.3
Page 9 of 28
Non-confidential
6 The Assets
6.1 Introduction
Within the processes described above assets are highly regarded and their security must be protected. Most assets are located in the personalisation process. However, customer specific requirements may make certain chips more sensitive if the production cycle involves additional steps prior to the personalisation process. This document is limited to the production of smart cards for a single issuer. Other products are not part of the subject matter. The assets are laid on in tabular form below. Incoming sensitive components (ISC)
Incoming files (ISC_INF) Wafers (ISC_WAF) Algorithms (ISC_ALG) Keys (ISC_KEY) IMSI (ISC_IMS)
Finished products(FIN)
Smart cards (FIN_SIM) PIN mailers (FIN_PMA) Outgoing files (FIN_OUF)
Table 2: Assets
V3.3
Page 10 of 28
Non-confidential
6.2
Assets Classification
The assets that require protection are in various forms within the embedding and personalisation processes therefore the protection required can be complex unless arranged logically in classes. A classification table is contained in Annex A.
6.3
Asset Characteristics
Files and data are transmitted, stored and used in many media and transport forms. Finished products and partly finished products may be used as examples that only follow the same security rules as the corresponding assets when they contain customer data.
6.4
Incoming sensitive components such as algorithms, products, files and keys are supplied to the manufacturing sites and can be sent between production sites. Incoming sensitive components include: Wafers [ISC_WAF_2], must be protected in availability and integrity. Traceability must be ensured. Incoming files containing classified information which must be protected in terms of integrity, confidentiality, and availability commensurate with the highest class of information contained in the file [ISC _INF_] Keys [ISC _KEY_1] whose confidentiality, integrity and availability must be protected Algorithms [ISC_ALG_1] which must be protected in terms of availability, confidentiality, and integrity.
6.5
Partly finished products come from ISC transformations or ISC usage inside the same production site. Partly finished products include: ICs [PFP_MIC_2] Modules [PFP_MOD] Smart cards not completely personalised [PFP_SIM_2] PIN mailers not yet packaged [PFP_PMA]
These assets must be protected in terms of availability and integrity. Traceability must also be ensured.
6.6
V3.3
Finished products are made up of: Smart cards [FIN_SIM_1] PIN mailers [FIN_PMA] Outgoing files [FIN_OUF]
Page 11 of 28
Non-confidential
[A_OUT_FIL1] must be protected in availability, integrity and confidentiality as they contain sensitive information eg. Ki [A_OUT_FIL2] must be protected in availability and integrity. They do not contain sensitive information eg. PIN and PUK [A_OUT_FIL3] only need to have the integrity preserved as they do not contain sensitive information eg. MSISDN
In all cases, if the files contain different classes of data the higher class shall prevail.
6.7
Personalisation rejects are: Smart cards [PRJ_SIM], confidentiality must be protected Pin mailers [PRJ _PMA], confidentiality must be protected
The integrity and traceability of these assets must be assured until they are destroyed.
6.8
IC, module or smart card rejects, during the embedding process, have no specific security requirements except their destruction.
6.9
Sensitive information is: Customer information [SEN_CUI], information from the personalisation site that is created or can be obtained inside or by a third party attack. Customer information can be recorded in the following devices: Security elements [DE_SEC] such as mother cards, batch cards, security modules etc. Random number generators [DE_RNG] Transmission and ciphering systems [DE_TRA] Testing systems [DE_TST] Printing Ribbons [DE_RIB] Production file systems [DE_PRD]
Management Data [SEN_MAD], information on the management of batches and smart cards. This can consist of: [SEN_PRD] production data which, if it contains classified information, must be protected in terms of integrity, confidentiality, and availability. [SEN_MAT] traceability information which should allow the supplier identify the person, or group of persons, who worked on a batch [SEN_MAU] audit information which should be available in relation to the recorded production history of a card/batch of cards for up to 12 months, subject to local laws.
V3.3
Page 12 of 28
Non-confidential
The integrity of sensitive information must be assured and the confidentiality protected. Sensitive information includes all files, particularly working, temporary or safeguarded files that contain the information outlined above.
V3.3
Page 13 of 28
Non-confidential
7 Security Objectives
7.1 Introduction
As assets are exposed to risks which the smart card suppliers have to manage to ensure they are protected according to the security objectives. It is this protection that provides assurance to the GSM operators. The security objectives relate to both the sensitive process and its environment. All the objectives must be addressed but higher levels of assurance are needed depending on the asset classification.
7.2
#
1
Threat
T_DOUB_TEC T_DOUB_REW T_DOUB_REU T_LOSS T_MODIF T_DOUB_REU T_LOSS T_DISC T_MODIF
Description
To prevent clone, mismatch, anomalies
The SP must control, manage and protect data against loss of integrity and confidentiality The SP must guarantee a secure product flow The SP must manage the elements that are specified as auditable The SP must be designed in such a way that independence of different customer files (asset) is always achieved
To prevent: any disclosure of assets any non-conforming finished product due to loss of integrity To prevent theft, loss, misappropriation of assets To look for possible or real security violation To prevent one customers data being disclosed to another customer
T_DISC
7.3
#
1
Threat
T_SEF
Description
To look for possible or real security violation To prevent theft, loss or misappropriation of assets
T_SEF
V3.3
Page 14 of 28
Non-confidential
8 The Threats
8.1 Introduction
The threat analysis has been completed to identify the main threats to the smart card supplier. The list is not intended to be exhaustive. The main threats to data are loss of availability, confidentiality and integrity. The threats are listed 8.2 and 8.3 independently of the process step concerned. In 8.4 each threat is associated to a step in the production process. In the threat description, data means all type of data assets described above.
8.2
Threats
T_DOUB_TEC
Description
Physical doubloon or mismatch creation resulting from a technical mistake/bug Physical doubloon creation resulting from non destroyed material after a rework (error or malevolence) Physical doubloon creation resulting from reused sensitive information (error or malevolence) Loss or theft of classified assets (1, 2, 3) excluding the wafer and IC and module during the embedding process Disclosure of classified information
T_DOUB_REW
T_DOUB_REU
INT_AUTH INT_UNAU
T_LOSS
T_DISC
ALL ASSETS CONTAINING CLASSIFIED INFORMATION ALL ASSETS CONTAINING CLASSIFIED INFORMATION
T_MODIF
Unauthorised modification of classified information causing loss of integrity through error or malevolence
Table 5 - Direct Threats Description Additional threats can result from combinations of those threats listed above.
V3.3
Page 15 of 28
Non-confidential
8.3
T_SEF
Threats
Assets
ANY
Description
Accidental or deliberate security failure.
8.4
T_MODIF
T_LOSS
T_DISC
IC Reception IC Acceptance Modules Manufacturing Customer Order Reception Embedding Cutting Pre personalisation Supplies delivery to personalisation Supplies reception Documents reception Incoming files reception File treatment Card personalisation Confidential document personaliastion Non-confidential document personaliastion Packaging Supplies delivery (finished products) Outgoing files delivery Transport between sites
V3.3
Page 16 of 28
T_SEF
Non-confidential
9 Security Requirements
9.1 Introduction
In order to consider the card manufacturing and personalisation processes secure certain requirements must be met. These requirements, which are outlined below, are considered as minimum-security requirements applying to the environment in which the SP is used. The requirements of the Standard should be met by established processes / controls for which evidence of correct operation exists. It is recognised that it is possible to use any other mechanisms or tools other than those described in this section if they achieve the same security objective. For a worked example of how the standard could be achieved refer to the GSM Association SAS Security Guidelines which is available from the GSM Association headquarters.
9.2
The security policy and strategy provides the business and its employees with a direction and framework to support and guide security decisions within the company. 9.2.1 9.2.1.1
Policy
A clear direction should be set and supported by a documented security policy which defines the security objectives and the rules and procedures relating to the security of the SP, sensitive information and asset management. Employees should understand and have access to the policy and its application should be checked periodically.
9.2.1.2
9.2.2 9.2.2.1
Strategy
A coherent security strategy must be defined based on a clear understanding of the risks. The strategy should use periodic risk assessment as the basis for defining, implementing and updating the site security system. The strategy should be reviewed regularly to ensure that it reflects the changing security environment through ongoing re-assessment of risks.
9.2.3 9.2.3.1
V3.3
Page 17 of 28
Non-confidential
9.2.4 9.2.4.1
9.3
9.3.1
9.3.1.1
9.3.1.2
9.3.2 9.3.2.1
Responsibility
A security manager should be appointed with overall responsibility for the issues relating to security in the SP. Clear responsibility for all aspects of security, whether operational, supervisory or strategic, must be defined within the business as part of the overall security organization. Asset protection procedures and responsibilities should be documented throughout the SP.
9.3.2.2
9.3.2.3
9.3.3 9.3.3.1
9.4
Information
The management of sensitive information, including its storage, archiving, destruction and transmission, can vary depending on the classification of the asset involved. 9.4.1 9.4.1.1
Classification
A clear structure for classification of information and other assets should be in place with accompanying guidelines to ensure that assets are appropriately classified and treated throughout their lifecycle.
V3.3
Page 18 of 28
Non-confidential
9.4.2 9.4.2.1
9.4.2.2
9.5
Personnel Security
A number of security requirements should pertain to all personnel working within the SP. 9.5.1 9.5.1.1 9.5.2 9.5.2.1
Recruitment screening
An applicant, and employee, screening policy should be in place where local laws allow
9.5.3.3
9.5.4 9.5.4.1
9.5.5 9.5.5.1
Contract termination
Clear exit procedures should be in place and observed with the departure of each employee.
V3.3
Page 19 of 28
Non-confidential
9.6
Physical Security
A building is part of the site where smartcards or components are produced, personalised and/or stored. Buildings in which sensitive assets are processed should be strongly constructed. Constructions and materials should be robust and resistant to outside attack as manufacturers must ensure assets are stored within high security areas and restricted areas by using recognised security control devices, staff access procedures and audit control logs. 9.6.1
Security plan
Layers of physical security control should be used to protect the SP according to a clearly defined and understood strategy. The strategy should apply controls relevant to the assets and risks identified through risk assessment. 9.6.1.1 The strategy should be encapsulated in a security plan that: defines a clear site perimeter / boundary defines one or more levels of secure area within the boundary of the site perimeter maps the creation, storage and processing of sensitive assets to the secure areas defines physical security protection standards for each level of secure area 9.6.2 9.6.2.1
Physical protection
The protection standards defined in the security plan should be appropriately deployed throughout the site, to include: deterrent to attack or unauthorized entry physical protection of the building and secure areas capable of resisting attack for an appropriate period mechanisms for early detection of attempted attack against, or unauthorized entry into, the secure areas at vulnerable points control of access through normal entry / exit points into the building and SP to prevent unauthorized access effective controls to manage security during times of emergency egress from the secure area and building mechanisms for identifying attempted, or successful, unauthorized access to, or within the site mechanisms for monitoring and providing auditability of, authorised and unauthorised activities within the SP
9.6.2.2 9.6.2.3
Controls deployed should be clearly documented and up-to-date. Controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.
V3.3
Page 20 of 28
Non-confidential
9.6.3 9.6.3.1
Access control
Clear entry procedures and policies should exist which cater for the rights of employees, visitors and deliveries to enter the SP. These considerations should include the use of identity cards, procedures governing the movement of visitors within the SP, delivery/dispatch checking procedures and record maintenance. Access to each secure area should be controlled on a need to be there basis. Appropriate procedures should be in place to control, authorise, and monitor access to each secure area and within secure areas. Regular audits should be undertaken to monitor access control to the secure area.
9.6.3.2
9.6.4 9.6.4.1
Security staff
Security staff are commonly employed by suppliers. Where this is the case the duties should be clearly documented and the necessary tools and training shall be supplied.
9.6.5 9.6.5.1
9.7
Suppliers will be responsible for lifecycle management of class 1 data used for personalisation. Information and IT security controls must be appropriately applied to all aspects of lifecycle management to ensure that data is adequately protected. The overall principle should be that all data is appropriately protected from the point of receipt through storage, internal transfer, processing and through to secure deletion of the data.
9.7.1 9.7.1.1
Data transfer
Suppliers should take responsibility to ensure that electronic data transfer between themselves and other third parties is appropriately secured.
9.7.2 9.7.2.1
9.7.3 9.7.3.1
Data generation
As part of the personalisation process secret data may be generated and personalized into the smart card. Where such generation takes place:
V3.3
Page 21 of 28
Non-confidential
The quality of the number generator in use should be subject to appropriate testing on a periodic basis. Evidence of testing, and successful results, should be available. Clear, auditable, controls should be in place surrounding the use of the number generator to ensure that data is taken from the appropriate source.
9.7.4
Encryption keys
Encryption keys used for data protection should be generated, exchanged and stored securely.
9.7.5 9.7.5.1
9.7.5.2
Auditable dual-control and 4-eyes principle should be applied to sensitive steps of data processing.
9.7.6 9.7.6.1
Data integrity
Controls should be in place to ensure that the same, authorized, data from the correct source is used for production and supplied to the customer.
Duplicate production
Controls should be in place to prevent duplicate production.
9.8
9.8.1
9.8.1.1
V3.3
Page 22 of 28
Non-confidential
9.8.2 9.8.2.1
Order management
The ordering format should be agreed between operator and supplier and rules to preserve the integrity of the ordering process should be in place.
9.8.3 9.8.3.1
Raw materials
Raw materials used in smartcard production (plastic sheets, GSM generic components, blank mailers, etc.) are not considered to be security sensitive. However, appropriate controls should be established for stock movements. The availability of these assets must be ensured.
9.8.4 9.8.4.1
Design media
Design media such as films, plates, etc. should be under appropriate control to prevent counterfeiting.
9.8.5 9.8.5.1
9.8.5.2
The stock of all Class 1 and 2 assets must be subject to end-to-end reconciliation in order that every element can be accounted for. Auditable dual-control and 4-eyes principle should be applied to sensitive steps of the production process, including: control of the quantity of assets entering the personalisation process control of the quantity of assets packaged for dispatch to customers destruction of rejected assets
9.8.5.3
9.8.5.4
Application of 4-eyes principle should be auditable through production records and CCTV. Regular audits should be undertaken to ensure the integrity of production controls and the audit trail. Suppliers must demonstrate an ability to prevent unauthorised duplication within the production process during personalisation and re-personalisation.
9.8.5.5
9.8.5.6
V3.3
Page 23 of 28
Non-confidential
9.8.6 9.8.6.1
Destruction
Rejected cards must always be destroyed according to a secure procedure and logs retained.
9.8.7 9.8.7.1
Storage
Personalised cards should be stored securely prior to dispatch to preserve the integrity of the batches. Where personalised cards are stored for extended periods additional controls should be in place.
9.8.8 9.8.8.1
9.8.8.2
9.8.8.3
9.8.9 9.8.9.1
9.9
The secure operation of computer and network facilities is paramount to the security of data. In particular, the processing, storage and transfer of Class 1 information, which if compromised, could have serious consequences for the Operator, must be considered. Operation of computer systems and networks must ensure that comprehensive mechanisms are in place to preserve the confidentiality, integrity and availability of data. 9.9.1 9.9.1.1
Policy
A documented IT security policy should exist which should be well understood by employees.
V3.3
Page 24 of 28
Non-confidential
9.9.2 9.9.2.1
Access control
Physical access to sensitive computer facilities should be controlled. An access control policy should be in place and procedures should govern the granting of access rights with a limit placed on the use of special privilege users. Logical access to IT services should be via a secure logon procedure. Passwords should be managed effectively and strong authentication should be deployed where remote access is granted.
9.9.3.3
9.9.4 9.9.4.1
Network security
Systems and data networks used for the processing and storage of sensitive data should be housed in an appropriate environment and logically or physically separated from insecure networks. Data transfer between secure and insecure networks must be strictly controlled according to a documented policy defined on a principle of minimum access.
9.9.5 9.9.5.1
Virus controls
Comprehensive virus detection and prevention measures should be deployed across all vulnerable systems.
9.9.6 9.9.6.1
System back-up
Back-up copies of critical business data should be taken regularly. Back-ups should be stored appropriately to ensure confidentiality and availability.
9.9.7 9.9.7.1
9.9.8 9.9.8.1
V3.3
Page 25 of 28
Non-confidential
9.9.9 9.9.9.1
9.9.10 9.9.10.1
9.9.11 9.9.11.1
V3.3
Page 26 of 28
Non-confidential
Annex A
Products
Assets
Asset
Finished smart cards Personalised rejected smart Incoming algorithms Personal key Administration key Key for personalising smart cards Over The Air. Transport key key used to encrypt Ki Local key Key used by manufacturer to manage access to incoming and outgoing information Customer information Incoming wafers Partly finished IC Partly finished module Partly finished smart card Embedding reject smart card Not completely personalised PIN mailer Personalised PIN mailers Personalised rejected PIN mailer Management data. Information on the management of batches and smart cards. This may contain: Production data, which may contain classified information
Code
FIN_SIM PRJ_SIM ISC_ALG ISC_KEY_Ki Information ISC_KEY_ADM ISC_KEY_OTA ISC_KEY_KT ISC_KEY_LK SEN_CUI ISC_WAF PFP_MIC PFP_MOD Products PFP_SIM ERJ_SIM PFP_PMA FIN_PMA PRJ_SIM
Class
1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2
SEN_MAD
Traceability information, which should allow the supplier to identify the person(s) who, worked on a batch Audit information related to the recorded production history of a card or batch of cards. If a file managed Class 1 information, these information have to be Class 1 protected and the file Class 2 protected
Information
Incoming files. If the file contains class 1 information, it needs to be protected as a class 1 Outgoing files. If the file contains class 1 information (E.g Ki), this information has to be Class 1 protected. Smart card PIN Unblocking PIN International Mobile Subscriber Information
2 2 2 2 2
V3.3
Page 27 of 28
Non-confidential
Annex B
B.1
Document Management
Document History
Date
24 Jul 2003 16 Nov 2006
Version
3.1.0
Editor / Company
James Moran, GSMA James Messham, FML
3.2.2
3.2.4
3.3
B.2
Type
Other Information
Description
SAS Certification Body David Maxwell, GSMA
It is our intention to provide a quality product for your use. If you find any errors or omissions, please contact us with your comments. You may notify us at prd@gsm.org Your comments or suggestions & questions are always welcome.
V3.3
Page 28 of 28