Our client is a leader in the delivery of m-commerce services, formed as a consortium of the largest mobile operators in the world.
Client Requirement and Business Drivers
Our client has set up a state-of-the-art mobile commerce infrastructure that supports a variety of services for millions of customers. These services include delivery of mobile wallet services, customer loyalty programmes, and messaging and marketing services. The service allows businesses such as banks, retailers and advertisers to connect to customers using a consistent set of data standards and technologies, while still delivering a multitude of services to mobile devices.
The business model behind the delivery of the services depends critically on them being always available, 24x7x365. The system must deliver this availability across a large variety of mobile devices to the largest single customer base of any operator in this field. The service depends heavily on being able to deliver at the right time, in the right place, to the right customers.
Underpinning this critical availability requirement is a fundamental expectation of its millions of customers that their personal data will be kept confidential and that wallet transactions are secure.
Engaging at CISO level for this cutting-edge project, Commissum was tasked with providing critical assurance across the technology platform through its CREST testing services. This was a complex project both because of the various technologies involved, many of which were developed specifically for the delivery of the service, and because of the multi-stakeholder environment.
Commissum was called upon to engage across the multiple stakeholders to assist the CISO in managing expectations and ensuring completion within tight project timescales. The stakeholder environment included not only the client, but also the mobile operator shareholders, multiple hosting vendors, application developers, infrastructure build and support vendors, and additional third-party consultants.
Through our experience of such complex assurance projects and understanding the varying concerns of the stakeholders, we were able to smooth the way for all parties to reach agreement on both the scope of security assessment required and mechanisms for delivery.
The services we delivered included:
- Initial detailed scoping of the requirements for comprehensive testing to satisfy the various stakeholders
- A detailed assessment of the risks posed by the testing process itself, with mitigation plans that satisfied all parties and allowed the comprehensive schedule of testing to progress
- External security assessment of all perimeter elements
- Internal security testing and vulnerability scanning across multiple networks
- Application security assessment
- Testing of web services for mobile delivery
- Security configuration review of critical servers and network components
- Remediation recommendations and plan
The initial security review was conducted within tight timescales, with our team working flexibly with the multiple vendors, accommodating inevitable schedule changes. The client continues to engage Commissum for further phased roll-out of services and upgrades, and essential ongoing assurance.