GSMA Network Equipment Security Assurance Process Audit in detail

Coronavirus COVID-19 Notice

Travel and workplace attendance restrictions due to COVID-19 are still preventing NESAS audit teams from conducting on-site product development and lifecycle management process audits. The GSMA recognises how these unprecedented restrictions can negatively impact NESAS and security assurance generally.

So, as an exceptional arrangement, the GSMA is temporarily waiving the requirement for conducting NESAS audits at equipment vendor sites. The GSMA recognises the feasibility of conducting remote audits and the ability of auditors to assess if each of the NESAS security requirements has been satisfied. Consequently, remote audits are possible with prior approval from the GSMA.

NESAS Participation

Equipment vendors wishing to participate in NESAS and safely assess their product development and lifecycle management processes, please contact the GSMA to discuss the options available.

Significantly, network equipment vendors define their own product development and lifecycle management processes, applying security best practices throughout. From planning and design to implementation, building and testing — all the way to release and delivery.

What does the NESAS Process Audit involve?

In essence, the vendors assess their processes’ level of compliance to the NESAS product development and lifecycle management security requirements – as defined by the industry through the GSMA.

Then they demonstrate the implementation of and adherence to these processes to their choice of Appointed GSMA NESAS Auditor. After which, they assesses compliance to the NESAS requirements.

Frequently Asked Questions

What is an equipment vendor process assessment?

Mobile network equipment vendors have internal processes for product development and maintenance. To develop secure products, NESAS requires that these processes integrate certain security controls. Since these reduce the risk of design flaws and implementation errors, as well as demonstrate that security maintenance of developed products is in place (e.g. patch management). Therefore, NESAS seeks to verify that the vendor has these security controls and processes in place and is adhering to them. It does this through a self-assessment and independent audit.

Is the vendor development and lifecycle process assessment a documentation-only review?

The audit starts with an assessment of the processes, which involves a desktop documentation review. Later, the audit team conducts and on-site audit to determine if the vendor is applying the processes in practice.

Who, or what event, triggers a vendor process assessment?

It is solely at the discretion of the equipment vendor. They choose to approach one of the GSMA-appointed auditors to request an audit of their processes. The vendor might do this because their mobile network operator customers require that the vendors they work with undergo a NESAS process assessment.

If the vendor’s processes change after the assessment, then this should trigger a re-assessment. Additionally, if further requirements are added to NESAS, this may necessitate a reassessment.

Who performs a vendor process assessment?

NESAS defines how the assessment is performed and it consists of two steps. The first is where the vendor carries out a self-assessment. If they believe their processes meet the requirements, they can claim conformance. The second step involves an independent auditing company. They assess if the processes satisfy the security requirements and verify if the vendor is applying their processes.

The GSMA appoint the auditing companies and equipment vendors can choose theirs from the shortlist. The GSMA appoints competent auditors based on eligibility criteria, following a competitive proposal process.

If you would like to know more or speak to someone about the scheme, please get in touch.