Standards Driven Security Assurance for Mobile Networks
DOI: https://doi.org/10.13052/jicts2245-800X.321

Keywords: 3GPP, accreditation, development lifecycle, evaluation, evidence, mobile industry, mobile network, network equipment, product lifecycle, regulation, regulator, security, security assurance, security assurance scheme, security requirement, specification, standardisation, test case

Abstract
A new security assurance scheme for mobile network infrastructure equipment is described in this article. When introducing an effective security assurance scheme, constraints need to be considered, because the environment in which the scheme is introduced defines some boundaries. Technology is not the only aspect that counts: a real balance must be struck between technical and organisational security improvement, visibility of the security levels of network equipment, operational feasibility, and market acceptance and participation. The end goal is to involve a range of stakeholders who need to commit to the scheme, so the likely effectiveness, cost, effort and complexity are important parameters that must be taken into consideration. The mobile industry operates worldwide and thrives on the development of open standards by multiple standards development organisations. Solutions that are designed and agreed must meet the needs of all involved stakeholders around the world in order to secure support for their delivery to market. This paper explains how standardisation works in and for the mobile industry, introduces the objectives, the constraints and the reasons for developing a security assurance scheme, and describes the proposed scheme for mobile network equipment and lifecycle processes. The article illustrates that the new Network Equipment Security Assurance Scheme (NESAS), as it is called, meets the various and differing needs of mobile network operators, network equipment vendors and regulators in a time of ever-growing complexity of mobile networks.