4.2.1.2.6 Protecting data and information -- Data masking on integration analysis |
Home → NWDAF → 20.0.0 |
| 33521-h00 → 33521-h10 33521-h20 33521-i00 33521-j00 → 33521-k00 | |
| Test Name | TC_DATA_MASKING | |
| Threat Reference | TR 33.926 [ 4], clause 5.3.6.7, Personal Identification Information Violation |
|
| Requirement Name | Data masking on integration analysis about personal data |
|
| Requirement Reference | In accordance with industry best practice.. |
|
| Requirement Description | NWDAF can collect data from OAM, MDAF and/or 5GC NFs (e.g. AMF) etc. for analytics purposes. Since personal data of the users could be involved , there is a potential privacy impact. As the NWDAF can expose its service operations with a request for bulked data, anonymization of data fields shall be applied to avoid exposing undesired information, aggregation levels. |
|
| Test Purpose | Verify that no privacy-related information of the subscribers is disclosed to any entity who is not authorized to access such information. |
|
| Pre-Conditions | Privacy information list (contains e.g. PII, location data, network identifiers, session information; should be specified based on local policy, regulation and others).
The following entities are operational, integrated and simulated:
The data producer is configured to receive and accept subscription requests from the NWDAF for events according to TS 29.552 [6], clause 5.5.1.1. |
|
| Execution Steps |
|
|
| Expected Results | The analytics results do not reveal subscriber permanent identifier nor any other data listed on the Privacy information list. |
|
| Expected Format of Evidence | Evidence suitable for the interface, e.g. screenshot, pcap trace, log files containing the results. |
|
| PDFs | 910f575dd12365a62a614d0418ed112b | |
4.2.1.2.6 Protecting data and information -- Data masking on integration analysis |
Home → NWDAF → 18.0.0 |
| 33521-h00 → 33521-h10 33521-h20 33521-i00 33521-j00 → 33521-k00 | |
| Test Name | TC_DATA_MASKING | |
| Threat Reference | TR 33.926 [ 4], clause 5.3.6.7, Personal Identification Information Violation |
|
| Requirement Name | Data masking on integration analysis about personal data |
|
| Requirement Reference | TBA. |
|
| Requirement Description | NWDAF can collect data from UE, NF, OAM, etc. used for analytics. Personal data of the UE's user are involved also. When NWDAF uses such personal data in analytics with other information together, such data correlation operation could bind more personal information with the user's identity. Thus, privacy information about that specific user could be revealed to the person who is allowed to operate data correlation for analytics but not allowed to know the privacy information as the result of data correlation. Therefore, applicable measures (e.g. data masking) shall be applied to mitigate such privacy violation risk. |
|
| Test Purpose | Verify that no privacy information of operators' users is revealed to the party who is not allowed to have. |
|
| Pre-Conditions | The vendor shall provide the documentation describing how to create an account for accessing the analytics results. Privacy information list (should be specified based on local policy, regulation and others). |
|
| Execution Steps |
|
|
| Expected Results | The tester can create the account, and the account does not reveal subscriber permanent identifier. |
|
| Expected Format of Evidence | Evidence suitable for the interface, e.g. screenshot containing the results. |
|
| PDFs | 1f729942c1f97dbd71af40a0084ba1ef | |