GSMA Network Equipment Security Assurance Product Development & Lifecycle Management Process Audit in detail

Coronavirus COVID-19 Notice

Audit travel and workplace attendance restrictions caused by the COVID-19 outbreak are preventing NESAS audit teams from visiting equipment vendor development sites to conduct product development and lifecycle management process audits. The GSMA recognises the potential for these unprecedented restrictions to negatively impact NESAS and security assurance generally.
As an exceptional arrangement, the GSMA is temporarily waiving the requirement for NESAS audits to be conducted at equipment vendor sites. The GSMA recognises the feasibility of conducting remote audits and the ability of auditors to assess if each of the NESAS security requirements has been satisfied. Consequently, audits may be performed remotely with prior approval from the GSMA.
NESAS Participation
Equipment vendors wishing to participate in NESAS and have their development and product lifecycle management processes safely assessed are invited to contact the GSMA to discuss the options available.

Network equipment vendors define their own product development and lifecycle management processes and apply security best practices throughout those processes from planning and design, through to implementation, building and testing, culminating in release and delivery.

The vendors assess the processes’ level of compliance to the NESAS product development and lifecycle management security requirements – as defined by the industry through GSMA.

They demonstrate the implementation of and adherence to these processes to their choice of Appointed GSMA NESAS Auditors, who assess compliance to the NESAS requirements.

What is an equipment vendor process assessment?

Mobile network equipment vendors, like all hardware/software suppliers, have defined internal processes which they follow for product development and maintenance. In order to develop secure products, these processes need to integrate security controls. NESAS requires certain security controls to exist at each equipment vendor and it seeks to verify, through a self-assessment and independent audit, that the vendor has put these security controls in place and that it adheres to them. Implementing these security requirements ensures the risk of design flaws and implementation errors is mitigated and security-focused maintenance of developed products (e.g. patch management) is demonstrated to be in place.

Is the vendor development and lifecycle process assessment a documentation-only review?

The audit starts with an assessment of the documented processes, which entails a desktop documentation review. Later, an on-site audit will enable the audit team determine if the documented processes are applied in practice.

Who, or what event, triggers a vendor processes assessment?

It is solely at the discretion of the equipment vendor to approach one of the GSMA-appointed auditors to request it to conduct an audit of its processes. The vendor may be encouraged to do so by mobile network operator customers who require their vendors to undergo a NESAS vendor processes assessment.

If the vendor’s processes have undergone a change after the assessment, then this should trigger a re-assessment. Additionally, if further requirements are added to NESAS, this may necessitate a reassessment.

Who performs a vender processes assessment?

NESAS defines how the assessment is performed and it consists of two steps. The first involves the vendor carrying out a self-assessment and, if satisfied that it meets the requirements, it can claim conformance. The second step involves an independent auditing company assessing if the vendor’s processes satisfy the defined security requirements and verifying if the processes have been applied and are complied with. The auditing companies are appointed by GSMA and equipment vendors can choose from those that are shortlisted by GSMA. The GSMA appoints competent auditors based on defined eligibility criteria following competitive requests for the proposal process.

If you would like to know more or speak to someone about the scheme, please get in touch.

Contact Us