The following rules apply to maintaining HSM integrity:
1. When in use, the unit must be in a secure environment (see section: Measures to Protect HSM Secure Area).
2. If the unit needs to be transported for repair (or for any other reason):
   · The movement of the device must be monitored and recorded.
   · A trusted courier must be used.
   · Investigations must be instigated if the integrity of the unit in transit is in doubt, or if it arrives substantially late.
3. On arrival at a secure location, the unit and its packaging must be inspected for signs of tampering prior to installation (see section: Initial Inspection Procedure).
4. In normal usage, the unit must be periodically inspected for signs of tampering (see section: Periodic Inspection Procedure).
5. Any unit that appears to have been tampered with must be withdrawn from service as soon as possible, and its key material must be destroyed.
The following precautions should be taken:
1. Procedures must exist so that movement of HSM devices from one location to another may be monitored and recorded.
2. This record should be verified periodically to provide a high level of confidence in the location of all units in use.
3. If records show any discrepancy in the location of a unit, this must be investigated, and consideration should be given to withdrawing the unit in question.