Increasing security, lowering business risks
The Universal Integrated Circuit Card (UICC) in mobile devices, and its applications and data play a fundamental role in ensuring the security of the network, the subscriber’s account and related services and transactions. To safeguard the integrity of UICCs, of Embedded UICCs (eUICCs) with remote provisioning capabilities, and of their applications and data, it is essential that the supplier environment and processes that are used to manufacture and/or manage UICCs and eUICCs are secure.
The GSMA’s Security Accreditation Scheme (SAS) enables mobile operators, regardless of their resources or experience, to assess the security of their UICC and eUICC suppliers, and of their eUICC subscription management service providers. Two schemes operate under SAS:
- SAS for UICC Production (SAS-UP): This is a well-established scheme through which UICC and eUICC manufacturers subject their production sites and processes to a comprehensive security audit. Successful sites are awarded security accreditation for a period of one year, extending to two further years upon each successful renewal. This scheme has accredited some of the industry’s largest suppliers. GSMA also provides advice to its members on how to benefit from SAS-UP.
- SAS for Subscription Management (SAS-SM): To ensure industry confidence in the security of remote provisioning for eUICCs, a related security auditing and accreditation scheme exists for the providers of eUICC subscription management services.
Both schemes benefits both suppliers and mobile operators in the following ways:
Advantages to suppliers
- Demonstrates commitment to security and reduces risks for customers
- Means fewer individual operator inspections
- Provides certification from the world’s leading wireless industry representative body
- Delivers a world-class security review of operations
- Offers a uniform approach to security audits
- Part of GSMA remote SIM provisioning compliance scheme for eUICC production and subscription management
Advantages to mobile operators
- No need to spend money and time conducting individual audits
- Audits are conducted by highly-qualified individuals at no cost to the operator
- The scheme sets a rigorous security standard requiring a high-level of supplier commitment
- Offers peace of mind that suppliers have implemented appropriate security measures
SAS audits of UICC and eUICC manufacturing sites cover the following areas
- Security policy, strategy and documentation
- Security organisation and responsibility
- Information security
- Personnel security
- Physical security
- Certificate and key management
- Sensitive process data management
- Logistics and production management
- Computer and network management
SAS audits of subscription management entities cover these areas, plus service management functions specific to remote SIM provisioning.
The GSMA has developed the auditing standards, requirements and methodologies for SAS in collaboration with SIM suppliers and world-class security auditing companies FML and ChaseWaterford (for SAS-UP) and NCC Group and SRC Security Research & Consulting GmbH (for SAS-SM), which conduct the audits on behalf of the GSMA. Supporting guidelines are available on request to help sites interpret the security standards and requirements.
The GSMA publicises supplier sites that gain accreditation under the scheme, highlighting to its members the benefits of acquiring UICCs, eUICCs and subscription management services from such sites. Accredited suppliers may use the special SAS supplier logo on their promotional materials, increasing visibility of their accredited status among mobile operators.
How to Apply
The Security Accreditation Scheme is open to all UICC and eUICC suppliers and providers of subscription management services, regardless of location, and the GSMA welcomes the participation of all interested parties.
Audit applications should be submitted to GSMA several months in advance to increase the likelihood of the SAS audit teams being available to conduct an audit on or near the dates requested by the auditee. As a guide:
|If SAS audit application is submitted …||
3 months before requested audit dates,
then GSMA will try to schedule audit within …
4 weeks of requested dates
2 months before requested audit dates
6 weeks of requested dates
1 month before requested audit dates
8 weeks of requested dates
Common document (applies to both schemes)
FS.17 SAS Consolidated Security Requirements v2
A guidelines document that helps participating supplier sites to interpret the consolidated security requirements is available on request.