The present document defines the complete Security Assurance Methodology (SECAM) evaluation process (evaluation, relation to SECAM Accreditation Body, roles, etc.) as well as the components of SECAM that are intended to provide the expected security assurance. It will thus describe the general scheme providing an overview of the entire scheme and explaining how to create and apply the Security Assurance Specifications (SCASs). It will detail the different evaluation tasks (vendor network product development and network product lifecycle management process assessment, Security Compliance Testing, Basic Vulnerability Testing and Enhanced Vulnerability Analysis) and the different actors involved. Enhanced Vulnerability Analysis is outside the scope of the present release of SECAM. The present document will help all involved parties to have a clear understanding of the overall process and the covered threats.
The concrete security requirements will be part of the Security Assurance Specifications (SCASs) for each network product class and not part of this overall process document. Some of the tasks described in the SECAM scheme are meant to be performed by 3GPP, while other tasks are meant to be performed by the SECAM Accreditation Body. This accreditation body has been agreed to be the GSMA. 3GPP maintains the overall responsibility for the SECAM scheme and creates the SCASs. The SECAM Accreditation Body is tasked to develop requirements on vendor network product development, the network product lifecycle management process, and SECAM-accreditation for vendors and test laboratories, and describe these requirements in separate documents that will complement the present document. The SECAM Accreditation Body defines its own scheme that covers all these tasks.