Ericsson’s Security Reliability Model
For many years, Ericsson has systematically developed a state-of-the-art model to incorporate security and privacy considerations into all phases of product development. The result of this effort is a well-established internal governance framework for security and privacy by design, the Security Reliability Model (SRM).
SRM is the framework that Ericsson uses to deliver on security and privacy ambitions across the product portfolio. Its key characteristics are that it:
- Defines the product security and privacy ambition level
- Ensures the implementation of appropriate security and privacy features and functions
- Follows up and measures actual product security and privacy status
- Enables Product Near Security Services
Ericsson's internal directive defines how responsibilities and authorities are distributed between different roles and functions to ensure, manage and control product security and privacy across the Ericsson product portfolio.
The Security Reliability Model (SRM) defines a set of security and privacy baseline requirements for Ericsson products. Those requirements are derived from decades of experience and additionally from sources in the telecom and IT industry, including standards, customer policies and regulation.
The product organization responsible for each Ericsson product will analyze, decide and document the applicability of, and compliance with, the given security and privacy requirements, using a risk-based approach. Risk Assessment and Privacy Impact Assessment processes are used to identify and prioritize a list of security and privacy functions which are required to mitigate known risks to an acceptable level.
Assurance activities are divided into three levels: basic, advanced and tailored. All basic level assurance activities relevant to the product shall be performed by the product development organization. Advanced level activities can be performed for parts of products that need high security and privacy assurance. Tailored level activities are used for products, or parts thereof, where product-specific assurance requirements exist.
The documentation aspect in SRM defines security and privacy specific customer documents. The documents defined in SRM are the Hardening Guidelines, Security and Privacy User Guide, and the Security Test Results report.
Product Near Security Services
Ericsson's product-near security services are currently handled separately by the service organizations and are independently defined by the products.