📋 Audit Checklist: ITU-T X.805 Security Architecture
Security Dimension Assessment (The "8 Dimensions")
Access Control: Verify that all physical and logical resources (CLI, WebGUI, API) require explicit authorization (deny by default, least privilege) and that default or shared accounts are disabled.
Authentication: Confirm that both users and devices (M2M) are authenticated using strong mechanisms (e.g., X.509 certificates for M2M, MFA for humans).
Non-repudiation: Ensure that critical actions (config changes, administrative logins) are logged with non-repudiable proof (per-operator digital signatures, or at minimum tamper-evident logs shipped off the node).
Data Confidentiality: Verify that data is encrypted at rest and in transit across all three planes (Management, Control, End-User).
Communication Security: Ensure that information flows only between authorized endpoints and cannot be diverted (e.g., allow-listed peer Global Titles in SS7/SCCP routing, Diameter peers restricted by origin host/realm).
Data Integrity: Confirm that data (including configuration files and signaling messages) cannot be modified undetected (signed or hashed configuration, integrity-protected transport such as TLS or IPsec).
Availability: Verify that the system has redundancy (HA), DDoS protection, overload control, and rate-limiting to ensure service availability.
Privacy: Ensure that subscriber identifiers (IMSI; in 5G the SUPI, which must only cross the air interface concealed as a SUCI) and other PII are obfuscated or encrypted.
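The Non-repudiation and Data Integrity items above ask for logs that cannot be altered undetected. The following is an added illustration, not code from the checklist or from any particular product: an append-only audit log where each entry carries an HMAC chained to the previous entry's tag, plus a verifier that re-derives the chain. The key, the record fields and the admin activity are constructed for the example. Note the caveat in the verifier: a shared HMAC key gives tamper evidence, not true non-repudiation (the log host could forge entries); a per-operator signature over each entry, or shipping the tag chain to a separate SIEM, is what turns this into evidence an auditor can rely on.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed key for this example; a real deployment keeps it in an HSM/KMS or
# replaces the HMAC with a per-operator signature so the log host cannot forge tags.
LOG_KEY = b"example-audit-log-key-not-for-production"
GENESIS_TAG = "0" * 64


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC-SHA256 over the previous entry's tag and the canonical JSON of this record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + canon, hashlib.sha256).hexdigest()


def append(log: List[dict], key: bytes, record: dict) -> dict:
    """Append a record, chaining its tag to the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"seq": len(log), "record": record, "tag": _tag(key, prev, record)}
    log.append(entry)
    return entry


def verify(log: List[dict], key: bytes, anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Re-derive every tag. Returns (True, None) or (False, seq of the first bad entry).

    Modified, reordered or removed entries break the chain. Removal of the newest
    entries (truncation) is only caught when the caller supplies `anchor`, the last
    tag it recorded out-of-band (for example on the SIEM at the last export).
    """
    prev = GENESIS_TAG
    for i, entry in enumerate(log):
        expected = _tag(key, prev, entry["record"])
        if entry["seq"] != i or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    if anchor is not None and prev != anchor:
        return False, len(log)
    return True, None


def demo() -> Tuple[Tuple[bool, Optional[int]], Tuple[bool, Optional[int]]]:
    """Build a short, constructed admin-activity log, tamper with it, and re-verify."""
    log: List[dict] = []
    append(log, LOG_KEY, {"ts": "2024-05-01T10:00:00Z", "user": "admin1",
                          "action": "login", "src": "10.250.1.50"})
    append(log, LOG_KEY, {"ts": "2024-05-01T10:02:13Z", "user": "admin1",
                          "action": "config_change", "object": "sccp-gt-allowlist",
                          "change": "+441234567890"})
    append(log, LOG_KEY, {"ts": "2024-05-01T10:05:40Z", "user": "admin1", "action": "logout"})
    before = verify(log, LOG_KEY)
    # An insider rewrites entry 1 to hide the configuration change.
    log[1]["record"]["action"] = "show_config"
    after = verify(log, LOG_KEY)
    return before, after


if __name__ == "__main__":
    print(demo())  # intact chain verifies; the edited entry is reported by sequence number
```

When auditing, ask to see the verifier run against the live log with an anchor taken from the off-node copy; a chain that verifies only against itself says nothing about entries deleted from the end.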
A. Infrastructure Layer (Hardware/OS)
OS Hardening: Confirm that only necessary ports/services are open on the underlying Linux/Unix OS, that each listener is bound to the interface of the plane it serves (not 0.0.0.0/::), and that legacy cleartext services (telnet, FTP, SNMPv1/v2c) are removed.
Physical Security: Verify the node is located in a Tier-3/4 data center with restricted physical access.
B. Services Layer (Network Functions)
Service Isolation: Ensure that different network services (e.g., SMSC vs. HLR) are logically separated (VLANs/VRFs).
API Security: Audit all REST/SOAP interfaces against the OWASP API Security Top 10; Diameter interfaces are signaling rather than web APIs and are covered by the control-plane checks below.
C. Applications Layer (Management/VAS)
MFA Requirement: Any human-to-machine application access MUST require Multi-Factor Authentication.
Plane-Level Verification
Management Plane: Is the management traffic (SSH, SNMPv3, HTTPS) carried over a dedicated Out-of-Band (OOB) network, with no management listener reachable from the control or user planes? SNMPv1/v2c community strings travel in cleartext and should not be present.
Control Plane: Are signaling messages (SS7/Diameter) authenticated and filtered as per ITU-T Q.3062/Q.3066?
End-User (Data) Plane: Is user traffic isolated and checked for malicious payloads (DPI/IPS)?
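The OS-hardening item in layer A and the management-plane question above come down to the same check on the node: every listening socket must be expected, and management daemons must be bound only to the OOB interface. The following is an added example, not part of the checklist or any vendor tooling, of that check as a script an auditor can run offline against captured `ss -H -lntup` output. The sample output, the OOB subnet (10.250.1.0/24) and the per-port policy are all constructed for the example; the plane assignments are the X.805 planes the checklist uses.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -H -lntup` output from a hypothetical network element
# (addresses, PIDs and process names are made up for this example).
SAMPLE_SS_OUTPUT = """\
tcp LISTEN 0 128 10.250.1.7:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 128 0.0.0.0:23       0.0.0.0:* users:(("telnetd",pid=901,fd=4))
udp UNCONN 0 0   0.0.0.0:161      0.0.0.0:* users:(("snmpd",pid=655,fd=6))
tcp LISTEN 0 511 172.16.5.20:3868 0.0.0.0:* users:(("diameterd",pid=1201,fd=9))
tcp LISTEN 0 128 127.0.0.1:9100   0.0.0.0:* users:(("node_exporter",pid=1330,fd=3))
tcp LISTEN 0 128 [::]:8080        [::]:*    users:(("java",pid=1405,fd=22))
"""

# Hypothetical out-of-band management subnet: management daemons may bind only here.
OOB_MGMT_NET = ipaddress.ip_network("10.250.1.0/24")

# Expected listeners and the X.805 plane each belongs to. Anything else is a finding.
POLICY: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "management",   # SSH
    ("udp", 161): "management",  # SNMP (v3 expected)
    ("tcp", 3868): "control",    # Diameter, on the signaling interface
    ("tcp", 9100): "local",      # metrics exporter, loopback only
}

_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(ss_output: str) -> List[dict]:
    """Turn `ss -H -lntup` lines into {proto, addr, port, process} dicts."""
    listeners = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        proto, local = cols[0], cols[4]
        host, port = local.rsplit(":", 1)          # handles "[::]:8080" and "1.2.3.4:22"
        match = _PROC_RE.search(line)
        listeners.append({
            "proto": proto,
            "addr": ipaddress.ip_address(host.strip("[]")),
            "port": int(port),
            "process": match.group(1) if match else "?",
        })
    return listeners


def audit_listeners(ss_output: str, policy: Dict[Tuple[str, int], str],
                    oob_net: ipaddress._BaseNetwork) -> List[dict]:
    """Apply the checklist to each listening socket and return the findings."""
    findings = []
    for lsn in parse_listeners(ss_output):
        plane = policy.get((lsn["proto"], lsn["port"]))
        addr = lsn["addr"]
        issue = None
        if plane is None:
            issue = "unexpected listener"
        elif plane == "management" and (addr.is_unspecified or addr not in oob_net):
            issue = "management service bound outside OOB network"
        elif plane == "local" and not addr.is_loopback:
            issue = "local-only service exposed on a network interface"
        elif plane == "control" and addr.is_unspecified:
            issue = "control-plane service bound to all interfaces"
        if issue:
            findings.append({**lsn, "addr": str(addr), "issue": issue})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT, POLICY, OOB_MGMT_NET):
        print(f"{f['proto']}/{f['port']} {f['addr']} ({f['process']}): {f['issue']}")
```

On the constructed sample this flags telnetd and the Java service on 8080 as unexpected listeners and snmpd as a management service bound to all interfaces; SSH on the OOB address, Diameter on the signaling interface and the loopback-only exporter pass. Run it against output collected from the real node rather than trusting a vendor's port list: the binding address is what decides which plane a service is actually exposed to.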