Increasing U(SIM) security, lowering business risks
The Universal Integrated Circuit Card (UICC) in GSM devices, and its SIM (for GSM) and USIM (for 3G & LTE) applications play a fundamental role in ensuring the security and integrity of mobile services, subscriber accounts and related services and transactions. To safeguard the integrity of the UICC, and (U)SIM authentication data, it is essential that UICC suppliers’ manufacturing environments are secure.
The GSMA’s Security Accreditation Scheme (SAS) enables all GSM operators, regardless of their resources or experience, to assess UICC suppliers’ security. The SAS is a voluntary scheme through which suppliers subject their production sites and processes to a comprehensive security audit. Successful sites are awarded security accreditation for a period of two years. The scheme benefits both UICC suppliers and network operators in the following ways:
Advantages to suppliers
- Demonstrates commitment to security and reduces risks for customers
- Means fewer individual operator inspections
- Provides certification from the world’s leading wireless industry representative body
- Delivers a world-class security review of operations
- Offers a uniform approach to security audits
Advantages to mobile operators
- No need to spend money and time conducting individual audits
- Audits are conducted by highly-qualified individuals at no cost to the operator
- The scheme sets a rigorous security standard requiring a high-level of supplier commitment
- Offers peace of mind that suppliers have implemented appropriate security measures
SAS audits of UICC manufacturing sites cover the following areas
- Security policy, strategy and documentation
- Security organisation and responsibility
- Information security
- Personnel security
- Physical security
- Production data management
- Logistics and production management
- Computer and network management
The GSMA developed the UICC supplier auditing standard and methodology in collaboration with UICC suppliers and world-class security auditing companies FML and ChaseWaterford, which conduct the audits on behalf of the GSMA. A certification body is maintained within the GSMA to oversee and develop the scheme and to formally award accreditation. A brochure describing the scheme is available here.
The GSMA widely publicises supplier sites that gain accreditation under the scheme, highlighting to its members the benefits of acquiring UICCs and other products from such sites. GSMA also provides advice to its members on how to use SAS. Accredited suppliers may use the special SAS supplier logo on their promotional materials, increasing visibility of their accredited status among mobile operators.
The Security Accreditation Scheme is well-established and has accredited some of the industry’s largest UICC suppliers. The scheme is currently open to all UICC suppliers, regardless of location, and the GSMA welcomes the participation of all interested parties.
For further information, or to register an interest in participating in SAS, contact the GSMA by completing an online form or sending email to sas@gsma.com.
UICC (Universal Integrated Circuit Card) is the hardware used in mobile devices that contains SIM and/or USIM applications enabling access to GSM, UMTS/3G and LTE networks.
SIM (Subscriber Identity Module) is an application residing on a UICC that enables access to GSM networks.
USIM (Universal Subscriber Identity Module) is an application residing on a UICC that enables access to UMTS/3G and LTE networks.
(U)SIM refers to SIM and/or USIM applications.
