Insisting on openness and transparency, ZTE implements its cybersecurity governance via a top-down approach. Based on a "three lines of defense" security governance model, ZTE not only integrates its security policies into every phase of the product lifecycle, but also implements its cybersecurity assurance mechanism throughout a product lifecycle, thereby ensuring that product R&D, supply chain, production, engineering services, management of security incidents, independent verification and audits are all included. By developing cybersecurity baselines, underpinned by processes, and implementing closed-loop management for cybersecurity, ZTE enables end-to-end secure delivery of products and services.
ZTE attaches utmost importance to our customers' security values, abides by the relevant laws and regulations with respect to cybersecurity, end-to-end delivery of secure and trustworthy products and services. Cybersecurity is one of the highest priorities for ZTE's product development and delivery. We have established a holistic cybersecurity governance structure across the company's strategic development plan, taking into account relevant laws, regulations and standards, thereby fostering good security awareness for all employees and emphasizing the security of the entire process.
Elements of ZTE's Cybersecurity Strategy
ZTE's end-to-end cybersecurity assurance program adheres to six key elements: Standardization, Strict implementation, Traceability, supervision, Full transparency, and Trustworthiness.
Standardization- Respect global rules and standards, and develop a series of cybersecurity polices, standards, processes, and guidelines to ensure product security and help achieve business goals.
Strict implementation- Cybersecurity within each business unit is strictly implemented in accordance with relevant regulations, supported by an accountability system and "Product Security RedLines".
Comprehensive supervision- Ensure comprehensive supervision and management by implementing the three lines of defense security governance model.
Traceability - End-to-end product development activities are supported by evidential records and traceability, ensuring that problems can be detected and located quickly.
Full transparency - Open up our processes and procedures to allow customers, governments, and other stakeholders to validate our cybersecurity. Security detects and vulnerabilities are disclosed in a transparent way, and patches are released promptly.
Trustworthiness - Win customers' trust through open and transparent security governance activities and third-party security verification and certification.
A Three Lines of Defense Security Governance Model
Organizationally, ZTE implements a three lines of defense security governance model to ensure the security of its products and services from multiple perspectives. In the first line of defense, each business unit is responsible for implementing self-control over cybersecurity, using best-practice processes and procedures. The company's Product Security Department. is the second line of defense, responsible for independent security assessments and supervision. Finally, ZTE's Internal Control & Audit Department. as the third line of defense checks and audits the effectiveness of the first and second lines of defense. At the same time, ZTE accepts the security audits organized by customers and external third parties.
Developing Specialized Security Teams
ZTE organizes different types of security training to build security awareness and grow professional security skills, including high-level seminars, management training courses, awareness training for all employees, secure design training, training on penetration testing, and secure coding competitions. Such training activities not only improve the security of the company's products, but also foster a cybersecurity culture within the company.
ZTE attaches great importance to the cultivation of professional security talent. Currently, ZTE has more than 40 security certified experts including CISSP, CISA, CSSLP, CEH, CISP, CISAW and C-CCSK. ZTE shows strong security capabilities in terms of security architecture, security design principles, penetration testing, security audits, and security management.
End-to-End Secure Delivery
The security of every single part of the system could impact the entire system. However, the strength of a whole system is determined by the weakest part. ZTE's security governance includes R&D, supply chain, engineering services, incident management, and all support functions. Take R&D for example, the security controls are included in the phases of security requirements, secure design, secure coding, security testing, secure delivery, and secure Operations and Maintenance (O&M). The security of third parties' components is taken into consideration too. Take Supply Chain for another example, the security activities are involving purchasing, production, manufacturing, warehousing, shipment, and final delivery.
Response to Cybersecurity Incidents
ZTE's Product Security Incident Response Team (PSIRT) identifies and analyzes security incidents, tracks incident handling processes, and communicates closely with both internal and external stakeholders to disclose security vulnerabilities in a timely manner, thus ensuring that we mitigate the adverse effects of security incidents. As a member of the Forum of Incident Response and Security Teams (FIRST) and the CVE Numbering Authority (CNA), ZTE is collaborating with customers and stakeholders in a transparent manner to protect our customers' networks.
Independent Assessments and Verification
Under the three lines of defense security governance model, independent security assessments and verification are performed by the second line of defense to evaluate and supervise the front-line security practices. Based on risk control principles, independent security assessments and verification review cybersecurity from multiple perspectives. A supervision and control mechanism is implemented to further reduce security risks. Closed-loop management is used to track identified problems and ensure they are resolved. All these measures guarantee that ZTE's cybersecurity governance constantly keeps improving.
ZTE's security audits independently evaluate the robustness, soundness, and effectiveness of our cybersecurity assurance system. The aspects to be audited include organization and operation, risk management processes, control activities, and internal supervision. The company's security audits cover the end-to-end cybersecurity assurance process, which includes general cybersecurity governance, R&D security, supply chain security, service delivery security, security incident response, and independent security assessments. The goal is to realize the supervision and transparency for the whole cybersecurity management.
Cybersecurity lab is one of the measures taken by ZTE to increase transparency around the globe. The cybersecurity lab will operate in a “1+N” mode, with the core lab established in China and multiple remote access points set in China and other countries. With the geographical advantages brought about by a multi-country deployment, the cybersecurity lab will facilitate external security assessments for global customers, regulators, and other stakeholders by opening up product source code and documents, and by providing multi-dimensional security assessment services.
Third-Party Security Certification and Cooperation
In 2005, ZTE for the first time passed the ISO27001 Information Security Management System (ISMS) certification, which needs to be reviewed every year. In 2015, ZTE joined the Forum of Incident Response and Security Teams (FIRST), with an aim to enhance its response capability of security incidents. In 2017, ZTE passed the certification of ISO 28000 Supply Chain Security Management System. In April 2019, ZTE obtained the certificate for Qualification of Information Security Service (Level 1) certified by China Cybersecurity Review Technology and Certification Center. In July 2019, ZTE applied for and successfully became the 8th CNCERT Cybersecurity Emergency Response Service Support Organization and CNNVD (China National Vulnerability Database of Information Security) Technical Support Organization.
ZTE took on the position of the Vice Chairman of ITU-T SG17 and have long been active in international standards organizations such as 3GPP, IETF, ITU-T, and CSA, and security forums, playing a role of promoting the standardization in the security field. In terms of 5G security, ZTE participates in the preparation of SCAS_5G related protocols of 3GPP SA3, and leads the drafting of 2-5G eMBB P4-Task4 5G Security White Paper in the GTI project.
ZTE also actively cooperates with multiple third-party organizations to assess the security of its products, including source code audits, security design assessments, and penetration tests.
Based on ZTE's vision for cybersecurity, which is "Security in DNA, Trust through Transparency", ZTE's final objective is to provide our customers with trustworthy solutions and end-to-end security assurance throughout the entire lifecycle of a product. The company remains committed to communicating and cooperating with regulatory agencies, customers, partners and other stakeholders in an open and transparent manner to jointly create and improve a secure ecosystem for cybersecurity.