Security procedures

Security procedures for the HSM operator/administrator or security officer:

  1. Follow the Installation Procedure in the Configuration Manual when you receive the equipment;
  2. Change the smart cards' default PIN right after formatting;
  3. Immediately change the default authentication password of the HSM's special operator master, and then change it periodically;
  4. Create operator-type users for each individual HSM administrator. This will ensure that administrative operations are individualized and recorded in the HSM's audit trails (logs);
  5. Check the OEM security code immediately after Initialization to ensure the integrity of the equipment;
  6. Generate the Server Master Key with the seed divided between two parties other than the smart card custodians in the M of N scheme;
  7. Distribute the two M of N cards (2 of 2) to two different parties;
  8. Set the HSM to the correct operating mode (FIPS or non-FIPS) according to the local security policy;
  9. Check trust relationships between users frequently;
  10. Inspect the module with reasonable frequency for evidence of tampering in three areas of the equipment:
    1. seal labels, located on the sides;
    2. ventilation openings, located at the front and rear;
    3. physical ports: smart card reader and keyboard on the front, video and network on the back;
  11. Check the OEM security code reasonably often;
  12. Establish a policy for the systematic extraction, analysis and retention of logs;
  13. Establish a backup policy for the HSM key base, using a strong password to protect the backup file.

Operator behavior relevant to the safe operation of the HSM:

  1. Use a strong password for remote authentication via API;
  2. Store the seed halves of the Server Master Key in separate, secure locations, with access by different parties;
  3. Remove the smart card from the reader after use;
  4. Keep the local console logically locked (locked shell) when not in use;
  5. Monitor the use of HSM resources (CPU and memory) at different times in the daily usage cycle (peak hours, idle hours, etc.).