Tech-invite3GPPspaceIETF RFCsSIP

Content for  TR 33.916  Word version:  17.0.0

Top   Top   Up   Prev   None
1…   4…   5…   6…   7…   A…


A  Summary of SECAM documentsp. 37

Phase Sub-phase Deliverable Published by
Methodology buildingConsensus on threats3GPP
Security Assurance process
Security Assurance Specifications
Test methodology and skills requirementsSECAM Accreditation Body / GSMA
Test laboratories accreditation and monitoring rules
Network product development and network product lifecycle management Process Assurance requirements
AccreditationMethodology AccreditationAccreditation reportAccreditor
Audit and accreditation Evidence of successful accreditation of vendor network product development and network product lifecycle management process
Evidence of successful accreditation of Security Compliance test laboratories
Evidence of successful accreditation of Basic Vulnerability Test laboratories
SECAM Accreditation Body / GSMA
EvaluationSCAS instantiationInstantiation of SCASVendor
Vendors Development process compliance For the accreditation:
Design documentation [free-form]
Operational guidance [free-form]
Version and configuration management plan [free-form]
Flaw remediation documentation [free-form]
Process to ensure code quality documentation [free-form]
Vendor's development sites protection [free form]
Before any network product evaluation:
Network Product Development and network product lifecycle management process self-evaluation report providing evidences that the network product was developed under the accredited process [free-form]
Security compliance testing Security Compliance Testing reportVendor or third-party
Basic Vulnerability TestingBasic Vulnerability Testing report
Monitoring, dispute resolutionInformal guidance document. Accreditation revocation listSECAM Accreditation Body / GSMA
Dispute resolution-Operator claims

B  Summary of actors involved in SECAMp. 38

Actor Tasks and Responsibilities
3GPP Describe SECAM in the security assurance process documentation (i.e. the present document) Provide SCASes for individual Network Product Classes:
  • Describe and model the network product class: Compile a complete list of features/capabilities considered relevant for evaluation
  • Define the security problem: Identify which assets in the model of the network product class require protection and how these assets can be exploited by an attacker. The security problem definition also contains the security objectives of the network product class under analysis (i.e. which assets require what type of protection), and defines an attacker potential the network product class is supposed to resist. Also, undertaking of a threat analysis
  • Identify the security requirements and test cases: Detail security requirements to reduce/counteract the risks outlined by the threat analysis as well as a description of the test cases and where possible with expected test results. Or, detail environment assumptions to countermeasure to mitigate the risks.
  • Verify the Security Requirements: Once the security requirements have been identified it is verified that the security objectives are met by these security requirements, and that every security requirement contributes to defending an identified security objective.
Define the expected skills and tools for security compliance test laboratories based on the Security Functional Requirements in the SCASes. Specify general Basic Vulnerability Testing requirements as a SCAS module. This general SCAS module will then be linked and potentially amended by SCASs for individual Network Product Classes. This SCAS module does not specify individual tools but rather BVT categories and the conditions under which the usage of suitable tools are required.
SECAM Accreditation Body Describe the rules for accreditation and monitoring of development and test laboratories. Develop Vendor network product development and network product lifecycle management process assurance requirements as well as related evaluation activities generic to all network product classes in a dedicated document. Assess the skills of the test laboratory in conducting an evaluation for conformance to 3GPP SCAS requirements for a given network product class or range of classes; This includes assessing the test laboratory's skill in selecting tools for performing the evaluation. Assess the test laboratory's ability to comply with the test methodology (for security compliance Testing and Basic Vulnerability Testing laboratories). Administer the evaluation of the security relevant part of the Vendor network product development and network product lifecycle management process during an initial accreditation. Provide a process to resolve conflicts.
(Accredited) Vendor Ensure Vendor network product development and network product lifecycle management process assurance compliance. Provide SCAS instantiation document. Provide self-declaration after evaluation:
  • give a short summary and conclusion of all the evaluation reports
  • declare all tests conducted by the vendors are correctly carried out and all the documents provided by the vendors are authentic without intentional deception.
(Accredited) Vendor or (accredited) third-party Test laboratory All Test laboratories:
  • Assess that the vendor documentation and processes are complete sufficiently defined to begin the evaluation
  • Validate the elements (scope of evaluation, instantiated assets…) which will not be modified during the evaluation
Special for Security compliance testing Test laboratories:
  • Check whether a SCAS instantiation written by a vendor is a correct instantiation of the SCAS of the network product class and whether it is a good basis for evaluating the network product.
  • Confirm that the SCAS being instantiated for a given 3GPP network product and the network product for evaluation are consistent.
  • Do Security Compliance Testing according to SCAS instantiation.
  • Deliver Security Compliance Testing report (cf. clause
For Basic Vulnerability Testing Test laboratories:
  • Do Basic Vulnerability Testing.
  • Deliver Basic Vulnerability Testing report (cf. clause 7.2.4)
Operator Operator security acceptance decision: Examines the network product, the compliance reports and the test laboratories accreditation published by the SECAM Accreditation Body and decides if the results are sufficient according to its internal policies.

$  Change Historyp. 40

Up   Top