The SECAM Accreditation Body describes the rules and processes for accreditation and monitoring of:
vendor development and product lifecycle processes and
test laboratories, whether vendor-owned or third-party.
In order to be allowed to conduct evaluations within the scope of the SECAM scheme, vendors or third-party test laboratories must demonstrate that they have the skills, working practices and resources to participate in the process. This is achieved by an "audit and accreditation" that evaluates and demonstrates that the test laboratory has the necessary competence, expertise, equipment, methodologies, and processes to conduct an evaluation for conformance to 3GPP SCAS requirements.
All vendors (with or without a test laboratory) will be subject to:
a quality qualification;
an audit and accreditation of network product development and network product lifecycle management process.
The quality and reliability of these demonstrations are of paramount importance to the integrity of the scheme.
In order to manage the accreditations the SECAM Accreditation Body maintains a list of accredited test laboratories and vendors.
A formalized dispute resolution process is established for accreditation and for all the other processes defined by the SECAM Accreditation Body, as the denial or delay of accreditation may have far-reaching consequences.
A high-level overview of the processes and activities that are defined by the SECAM Accreditation Body is provided in [7].
The evaluation of the security relevant part of the Vendor network product development and network product lifecycle management processes is done as part of the vendor accreditation process by the SECAM Accreditation Body.
Vendor network product development and network product lifecycle management process assurance requirements, as well as the related evaluation activities generic to all network product classes, are defined by the SECAM Accreditation Body. The vendor defines its own processes and describes them in written form. During an audit, the processes are evaluated and their application to development activities in practice is verified. Accreditation is awarded if the requirements are met.
Lifecycle management consists of establishing discipline and control over updates to a network product during its development and maintenance. Lifecycle management controls are important both during normal improvement of a network product and for vulnerability/security flaw remediation (e.g. the documentation used to track each vulnerability/security flaw, and the remediation procedure relating corrective actions to each identified vulnerability/security flaw).
The vendor accreditation for network product development and network product life cycle management processes will provide assurance for these aspects in SECAM.
The assessment of vendor network product development and network product lifecycle management processes covers a vendor's engineering processes and does not necessarily apply only to a single network product. This means that the results of one assessment may apply to more than one network product. Vendors can submit their generic network product development and network product lifecycle management processes, or a subset of them, for audit and accreditation. Generic processes are usually applied during the development of all or some products of the same vendor. As different network product development and network product lifecycle management processes may be in use within the organization of one vendor, e.g. due to mergers or acquisitions, a vendor may obtain and hold accreditation for several different generic processes.
Once the vendor obtains accreditation and as long as the accreditation has not expired, vendors are allowed to produce development process compliance declarations for the "network product development and network product lifecycle management processes compliance validation" task on their own.
At the beginning of a SECAM evaluation of a product, the Vendor will have to provide a development process compliance declaration to the compliance tester containing a rationale showing that the generic accredited process was effectively applied in the network product development and network product lifecycle management of the network product under evaluation.
Requirements and accreditation procedures for vendor development lifecycle process and product lifecycle maintenance process accreditation are specified in [9].
The scheme avoids requiring vendors to obtain a large number of accreditations for their network product development and network product lifecycle management processes. The number of requirements is kept relatively small (on the order of ten) to keep evaluation cost reasonable and to focus on critical controls. Existing standards are reused as much as possible.
Test laboratory accreditation is performed by the SECAM Accreditation Body and consists of:
assessing the skills of the vendor-owned or third-party test laboratory in conducting an evaluation for conformance to 3GPP SCAS requirements for a given network product class or range of classes;
assessing compliance with the test methodology (for security compliance testing and Basic Vulnerability Testing laboratories).
A test laboratory can be accredited for any combination of 3GPP SCAS documents. During the audit for accreditation, the test laboratory demonstrates its competence, expertise, methodology and processes to an auditor by undertaking the tests on a concrete network product. If the test laboratory is capable of performing all the tests of the selected SCAS documents, accreditation is granted for those SCAS documents. Accreditation is limited to the selected SCAS documents and thereby to the network product classes covered by them.
Test laboratory accreditation requirements and the accreditation procedure are specified in [8].
The SECAM Accreditation Body monitors different kinds of accredited actors within the scheme:
vendors' development and product lifecycle processes, which are expected to comply with the security assurance requirements;
test laboratories (for security compliance testing and Basic Vulnerability Testing), which are expected to comply with the test methodology and skills requirements.
Monitoring activities lead the SECAM Accreditation Body to maintain the status of these actors (accredited or not accredited).
The SECAM Accreditation Body provides a process to resolve conflicts when an accredited operator shows evidence of inconsistencies in:
Vendor Development process activities (inconsistencies in analysis of compliance against Security assurance process).
Test laboratories (for security compliance testing and Basic Vulnerability Testing) activities (inconsistencies in analysis of compliance against SCAS).
In the event that the evaluation findings in an evaluation report are disputed for a network product (for example, an operator re-runs the tests and obtains results opposite to those reported by the vendor or third-party laboratory), this methodology also provides a dispute resolution mechanism. Such a case is expected to be rare and would arise if one or more of the actors (vendors or third-party laboratories) cheated in the evaluation or in the compilation of the evaluation results of a 3GPP network product.
The entity responsible for deciding that a declaration should be revoked, based on the evidence and the details of the dispute procedure, is the SECAM Accreditation Body.
The dispute resolution process is specified in [7].