Network equipment vendors define their own product development and lifecycle management processes and apply security best practices throughout those processes, from planning and design, through implementation, building and testing, to release and delivery.
The vendors assess their processes’ level of compliance with the NESAS product development and lifecycle management security requirements, as defined by the industry through GSMA.
They demonstrate the implementation of, and adherence to, these processes to an auditor of their choice from the GSMA-appointed NESAS auditors, who assesses compliance with the NESAS requirements.
Mobile network equipment vendors, like all hardware/software suppliers, have defined internal processes which they follow for product development and maintenance. In order to develop secure products, these processes need to integrate security controls. NESAS requires certain security controls to exist at each equipment vendor and seeks to verify, through a self-assessment and an independent audit, that the vendor has put these security controls in place and adheres to them. Implementing these security requirements reduces the risk of design flaws and implementation errors and demonstrates that security-focused maintenance of developed products (e.g. patch management) is in place.
The audit starts with an assessment of the documented processes, which takes the form of a desktop documentation review. A subsequent on-site audit then enables the audit team to determine whether the documented processes are applied in practice.
It is solely at the discretion of the equipment vendor to approach one of the GSMA-appointed auditors and request an audit of its processes. The vendor may be encouraged to do so by mobile network operator customers who require their vendors to undergo a NESAS vendor process assessment.
If the vendor’s processes change after the assessment, this should trigger a reassessment. Additionally, if further requirements are added to NESAS, this may necessitate a reassessment.
NESAS defines how the assessment is performed, and it consists of two steps. The first involves the vendor carrying out a self-assessment; if satisfied that it meets the requirements, it can claim conformance. The second step involves an independent auditing company assessing whether the vendor’s processes satisfy the defined security requirements and verifying that the processes are actually applied and complied with. The auditing companies are appointed by GSMA, and equipment vendors can choose from those shortlisted by GSMA. GSMA appoints competent auditors based on defined eligibility criteria following a competitive request-for-proposal process.
If you would like to know more or speak to someone about the scheme, please get in touch.