At this stage, supply chain management will wish to ensure that, from a security perspective, the vendor organisation has the governance, processes, working practices and tools in place to provide the necessary assurance.
- This might be managed through several phases, e.g. as a supplier is assessed to become a preferred supplier, as a supplier bids to provide a specific solution, and through the security testing and validation of that solution when it is delivered and deployed.
- This stage considers not only the commercial terms, the technical specification, functional capability of the solution and the vendor’s ability to support that solution but also the capability of the vendor to meet the appropriate standards in terms of quality, reliability and security.
- This stage often involves a bidding or tendering process where security requirements and expectations must be clearly articulated, and bidders will need to provide the necessary assurance to the operator.
- This will need to cover all aspects of the design, development, delivery, support and decommissioning of a solution. It might typically be articulated in terms of clear governance, processes, qualified people, working practices and documentation, coupled with appropriate testing of specific solutions, to provide assurance over all aspects of security.
- Accreditation and certification against an appropriate framework or standard may be appropriate and desirable.
- This might consist of an overall framework coupled with specific assurance or accreditation schemes managed by GSMA.
- From a vendor’s perspective, they too will have suppliers and sub-contractors who, without appropriate assurance, may introduce a source of vulnerability within their products and services. A vendor may therefore require their suppliers to meet the necessary requirements to provide assurance on quality, reliability and security. This may be achieved by passing through or delegating the requirements placed by the customer (i.e. the mobile operator) on to their suppliers, by the main vendor stipulating their own procedures for assurance, and/or by requiring an industry-recognised accreditation, as appropriate.
- Suppliers and sub-contractors may only play a restricted role at certain stages of the solution lifecycle. In all cases due diligence should be performed to ensure that they have the necessary security controls in place to provide the necessary assurance.