FS.15 Network Equipment Security Assurance Scheme – Development Lifecycle Assessment Methodology
NESAS covers the auditing of a vendor’s development and lifecycle processes against the security requirements defined under NESAS and the independent testing of manufactured network equipment by a competent test laboratory.
This document describes the audit and assessment process that is carried out on a Vendor’s Development and Product Lifecycle processes under NESAS. It may also be used by auditors and vendors in preparation for an audit.
Audience: Auditor, Technical security practitioner
Resource technology specifics: Radio access network (RAN), Core network
Resource type: Process or procedure
Resource enforcement: Voluntary
Resource certification type: Third-party audit
• Demonstrates commitment to security and reduces risks for customers
• Leads to fewer individual audits
• Provides accreditation from the world’s leading mobile industry representative body
• Delivers a world-class security review of security-related processes
• Offers a uniform approach to security audits
• Avoids fragmentation and potentially conflicting security assurance requirements in different markets
• No need to spend money and time conducting individual vendor audits
• Audits are conducted by highly qualified individuals at no cost to the operator
• The scheme sets a rigorous security standard requiring a high level of vendor commitment
• Offers peace of mind that vendors have implemented appropriate security measures and practices
• Up-front and ongoing cost of investment in compliant security controls and certification
Operators:
• Visibility of certification status only; no first-hand view of security controls
• NESAS requirements may not provide coverage of bespoke operator requirements.