FS.15 Network Equipment Security Assurance Scheme – Development Lifecycle Assessment Methodology

Saturday 5 Oct 2019 | NESAS |


NESAS covers the auditing of a vendor’s development and lifecycle processes against the security requirements defined under NESAS, and the independent testing of manufactured network equipment by a competent test laboratory.

This document describes the audit and assessment process that is carried out on a Vendor’s Development and Product Lifecycle processes under NESAS. It may also be used by auditors and vendors in preparation for an audit.

Audience: Auditor, Technical security practitioner

Resource technology specifics: Radio access network (RAN), Core network

Resource type: Process or procedure

Resource enforcement: Voluntary

Resource certification type: Third-party audit

Advantages

Vendors:
• Demonstrates commitment to security and reduces risks for customers
• Leads to fewer individual audits
• Provides accreditation from the world’s leading mobile industry representative body
• Delivers a world-class security review of security-related processes
• Offers a uniform approach to security audits
• Avoids fragmentation and potentially conflicting security assurance requirements in different markets
Operators:
• No need to spend money and time conducting individual vendor audits
• Audits are conducted by highly qualified individuals at no cost to the operator
• The scheme sets a rigorous security standard requiring a high level of vendor commitment
• Offers peace of mind that vendors have implemented appropriate security measures and practices

Disadvantages

Suppliers:
• Up-front and ongoing cost of investment in compliant security controls and certification
Operators:
• Visibility of certification status only; no first-hand view of security controls
• NESAS requirements may not provide coverage of bespoke operator requirements.