
HUAWEI CLOUD Compliance with ISO/IEC 27001

Issue 1.0

Date 2021-07-16

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: https://www.huawei.com

Email: [email protected]

Issue 1.0 (2021-07-16) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 Overview ........ 1
1.1 Scope of Application ........ 1
1.2 Purpose of Publication and Target Audience ........ 1
1.3 Basic Definitions ........ 1

2 ISO 27001 Introduction ........ 3
2.1 Framework and Main Contents of ISO 27001 ........ 3
2.2 Applicable Organization of Standard ........ 4

3 The Certification Status of HUAWEI CLOUD ........ 5

4 HUAWEI CLOUD Security Responsibility Sharing Model ........ 6

5 How HUAWEI CLOUD Meets ISO 27001 Requirements ........ 8
5.1 ISO 27001 Requirement ........ 8
5.2 ISO 27001 Annex A (normative) Reference control objectives and controls ........ 9

6 HUAWEI CLOUD Helping Customers Respond to ISO 27001 Requirements ........ 69
6.1 A.8 Asset Management ........ 70
6.2 A.9 Access Control ........ 71
6.3 A.10 Cryptography ........ 71
6.4 A.12 Operations Security ........ 72
6.5 A.13 Communications Security ........ 73
6.6 A.14 System Acquisition, Development and Maintenance ........ 74
6.7 A.15 Supplier Relationships ........ 74
6.8 A.17 Information Security Aspects of Business Continuity Management ........ 75

7 Conclusion ........ 76

8 References ........ 77

9 Version History ........ 78

HUAWEI CLOUD Compliance with ISO/IEC 27001 Contents


1 Overview

1.1 Scope of Application

The information provided in this document applies to HUAWEI CLOUD and its products and services available on the HUAWEI CLOUD International website and the data center nodes that carry these products and services.

1.2 Purpose of Publication and Target Audience

ISO/IEC 27001:2013, issued by the International Organization for Standardization (ISO), is an internationally accepted and widely used standard for information security management systems (ISMS). The standard can be used to help organizations design and build an information security management system. ISO 27001 focuses on risk management and regularly evaluates risks and controls to ensure the continuous operation of the organization's ISMS.

HUAWEI CLOUD has built a comprehensive information security management system based on ISO/IEC 27001:2013, developed the overall information security policy of HUAWEI CLOUD, and obtained the ISO/IEC 27001:2013 certification.

This document describes HUAWEI CLOUD's overall information security policies and specific control measures by responding to the requirements of ISO/IEC 27001:2013 and the 14 control domains in Annex A, helping customers understand:

● The main control requirements of ISO/IEC 27001:2013 in the various control domains and HUAWEI CLOUD's responses to those control requirements;

● The products and services HUAWEI CLOUD offers to customers to help them comply with ISO/IEC 27001:2013.

1.3 Basic Definitions

● HUAWEI CLOUD

HUAWEI CLOUD is the cloud service brand of the HUAWEI marquee, committed to providing stable, secure, reliable, and sustainable cloud services.


● Customer (Tenant)

Refers to the registered users who build business relationships with HUAWEI CLOUD. In this whitepaper, customers have the same meaning as tenants, which indicates the user organization that uses the services provided by HUAWEI CLOUD. The term "tenant" is used in some scenarios in this document.

● International Organization for Standardization

ISO is an independent, non-governmental international organization with a membership of 165 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant International Standards that support innovation and provide solutions to global challenges.


2 ISO 27001 Introduction

2.1 Framework and Main Contents of ISO 27001

ISO/IEC 27001:2013 is the most widely used international information security management system guidance standard and best practice. It sets out requirements for the establishment, implementation, maintenance and continuous improvement of an information security management system within the organization, and for the assessment and management of information security risks in accordance with the needs of the organization.

ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements consists of two main parts: the requirements and Annex A. The requirements part provides recommendations for information security management for initiating, implementing and maintaining security in the organization. Annex A describes the requirements for establishing, implementing, and documenting an Information Security Management System (ISMS) and specifies the requirements for implementing security controls based on the needs of individual organizations.

Controls are summarized into 14 control domains. When an organization properly implements these security controls, they help the organization achieve and maintain information security compliance by addressing specific issues identified in formal periodic risk assessments.

The 14 security domains in ISO/IEC 27001:2013 and a brief introduction to each are as follows:

● A.5 Information security policies: Provide management guidance and support for information security based on business requirements and relevant laws and regulations.

● A.6 Organization of information security: Establish a management framework to carry out the information security work of the organization.

● A.7 Human resource security: Ensure that employees and outsourcing parties understand and fulfill their information security responsibilities and protect the company's interests in the event of termination of employment.

● A.8 Asset management: Identify the organization's information assets and determine the appropriate protection level based on the importance of the information assets. Ensure that information assets stored on media are not compromised or destroyed.

● A.9 Access control: Restrict access to information and information processing facilities, guarantee authorized users' access to systems and services, and prevent unauthorized access.

● A.10 Cryptography: Make effective use of cryptographic techniques to protect the confidentiality, authenticity and integrity of information.

● A.11 Physical and environmental security: Prevent unauthorized physical access, damage and interference to information and information processing facilities. Prevent assets from being lost, damaged or stolen, and prevent endangering the security of assets and business continuity.

● A.12 Operations security: Ensure correct and secure operation of information processing facilities and adopt technical means to prevent malicious code. Use backups to prevent data loss; use logging and monitoring to record events and generate evidence. Ensure the integrity of the operating system, prevent the exploitation of technical vulnerabilities, and minimize the impact of audit activities on system operation.

● A.13 Communications security: Information in the network and its supporting information processing facilities shall be protected. Ensure the security of information transmitted inside and outside the company.

● A.14 System acquisition, development and maintenance: Information security is an integral part of the information system life cycle, and information security should be designed and implemented accordingly in the information system development life cycle. Data used for testing shall be protected.

● A.15 Supplier relationships: Ensure that information assets accessible to suppliers are protected. Maintain information security service delivery consistent with supplier agreements.

● A.16 Information security incident management: Manage information security incidents in an effective way, including communicating about security events and weaknesses.

● A.17 Information security aspects of business continuity management: Integrate information security continuity into business continuity management. Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

● A.18 Compliance: Avoid breaches of laws, regulations, contractual obligations and any security requirements relating to information security. Conduct information security reviews and ensure that information security work is carried out in accordance with organizational policies and procedures.

2.2 Applicable Organization of Standard

The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.


3 The Certification Status of HUAWEI CLOUD

With its own information security system and security control management, HUAWEI CLOUD has obtained the ISO/IEC 27001:2013 certification. The certification covers products and services released by HUAWEI CLOUD on its official website, as well as data centers around the world.

For details about the certification scope and activity of ISO/IEC 27001:2013, see the certificate of registration available on HUAWEI CLOUD Trust Center - Compliance.


4 HUAWEI CLOUD Security Responsibility Sharing Model

Due to the complex cloud service business model, cloud security is not the sole responsibility of one single party, but requires the joint efforts of both the customer and HUAWEI CLOUD. As a result, HUAWEI CLOUD proposes a responsibility sharing model to help customers understand the security responsibility scope for both parties and ensure the coverage of all areas of cloud security. Below is an overview of the responsibility sharing model between the customer and HUAWEI CLOUD:

Figure 4-1 Responsibility Sharing Model

As shown in the above model, the privacy protection responsibilities are distributed between HUAWEI CLOUD and customers as below:

HUAWEI CLOUD: The primary responsibilities of HUAWEI CLOUD are developing and operating the physical infrastructure of HUAWEI CLOUD data centers; the IaaS, PaaS, and SaaS services provided by HUAWEI CLOUD; and the built-in security functions of a variety of services. Furthermore, HUAWEI CLOUD is also responsible for the secure design, implementation, and O&M of the multi-layered defense-in-depth, which spans the physical, infrastructure, platform, application, and data layers, in addition to the identity and access management (IAM) cross-layer function.

Customer: The primary responsibilities of the customers are customizing the configuration and operating the virtual network, platform, application, data, management, security, and other cloud services to which a customer subscribes on HUAWEI CLOUD, including its customization of HUAWEI CLOUD services according to its needs as well as the O&M of any platform, application, and IAM services that the customer deploys on HUAWEI CLOUD. At the same time, the customer is also responsible for the customization of the security settings at the virtual network layer, the platform layer, the application layer, the data layer, and the cross-layer IAM function, as well as the tenant's own in-cloud O&M security and the effective management of its users and identities.

For details on the security responsibilities of both FIs and HUAWEI CLOUD, please refer to the HUAWEI CLOUD Security White Paper released by HUAWEI CLOUD.


5 How HUAWEI CLOUD Meets ISO 27001 Requirements

The controls in the standard used in this document refer to GB/T 22080-2016/ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements, published in 2016.

5.1 ISO 27001 Requirement

HUAWEI CLOUD establishes and implements the information security management system (ISMS) according to ISO 27001, and maintains and continuously improves the system according to the PDCA cycle model in daily operations. In the initial phase of system establishment, the internal and external environment is determined, and the requirements of related parties are identified to determine the scope of information security through a top-down governance structure. The leadership decides and approves information security policies and objectives and information security-related roles and responsibilities, formulates corresponding information security plans, allocates resources required for information security activities, provides support for other roles in the system, and promotes continuous improvement of the system. To facilitate smooth communication with external parties, HUAWEI CLOUD has dedicated personnel to keep in touch with administrative agencies, risk and compliance organizations, local authorities and regulatory agencies, and to establish contact points.

According to the ISO 27001 information security management system requirements, HUAWEI CLOUD has established information system documents, including documented information security policies and procedures, to guide HUAWEI CLOUD operations and information security management. Employees can access published information security policies and procedures as authorized. The information security management system documents are reviewed at least once a year and updated as needed to reflect changes in business objectives or risk environments. Changes to information security policies and procedures require management approval.

HUAWEI CLOUD has developed an information security risk assessment method to identify risks from multiple dimensions, determine the likelihood of risks based on the completeness of security policies, security technologies, and security audits, and periodically assess information security risks as required. Risk assessment covers various aspects of information security, including data protection and classification, data retention and transmission locations, and compliance with laws and regulations for the duration of data retention. The purpose of risk assessment is to identify threats and vulnerabilities based on business processes and asset management, formally record the assessment and develop a risk handling plan. The risk assessment report is approved by management upon completion.

HUAWEI CLOUD has established its own training mechanism and designed appropriate training plans for employees based on their different roles and positions. New employees must pass information security and privacy protection training and exams before passing probation. On-duty employees need to select courses to study and take exams based on their business roles. The training frequency for general employees is at least once a year, and the training frequency for core employees is higher. Managers must attend information security training and workshops. To address security awareness, HUAWEI CLOUD provides training for all employees to help them understand the organization's information security policies and regulations. In addition, employees must promise to comply with the company's security policies and regulations.

HUAWEI CLOUD has established a formal and regular audit plan, including continuous and independent internal and external assessments. Internal evaluation continuously tracks the effectiveness of security control measures, and external evaluation is performed by independent auditors who review the efficiency and effectiveness of implemented security controls. In addition, HUAWEI CLOUD conducts management reviews every year, identifies problems in the system operation, and implements rectifications to promote continuous improvement of the management system.

5.2 ISO 27001 Annex A (normative) Reference control objectives and controls

● A.5 Information security policies

The objective of this control domain is to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

No. | Control Domain | Control | HUAWEI CLOUD's response


A.5.1.1 Policies for information security
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
HUAWEI CLOUD's response: HUAWEI CLOUD has implemented documented information security policies and procedures to provide guidance for HUAWEI CLOUD's operations and information security management. Information security policies and procedures must be approved by managers before release. Employees can access the released information security policies and procedures as authorized.

A.5.1.2 Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
HUAWEI CLOUD's response: HUAWEI CLOUD reviews its information security management policy and procedures at least once a year and updates them as needed to reflect changes in the business objectives or risk environment. Changes in policies and procedures will be reviewed and approved by management.

● A.6 Organization of information security

The objectives of this control domain are to establish a management framework to initiate and control the implementation and operation of information security within the organization, and to ensure the security of teleworking and use of mobile devices.

No. | Control Domain | Control | HUAWEI CLOUD's response


A.6.1.1 Information security roles and responsibilities
Control: All information security responsibilities shall be defined and allocated.
HUAWEI CLOUD's response: For each product and service business unit, the information security responsibilities of all employees corresponding to their roles are clearly defined. HUAWEI CLOUD assigns roles dedicated to security and privacy protection to take on certain information security management responsibilities. Information security-related roles and responsibilities are identified in writing and approved by management.

A.6.1.2 Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
HUAWEI CLOUD's response: HUAWEI CLOUD follows the principle of separation of duties and checks and balances of authority; it separates incompatible duties and realizes a reasonable division of authority. In addition, HUAWEI CLOUD has developed an SOD (separation of duties) authority and responsibility management matrix to help realize this management principle.

A.6.1.3 Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.
HUAWEI CLOUD's response: HUAWEI CLOUD has designated dedicated personnel to maintain contact and establish contact points with industry institutions, risk and compliance organizations, local authorities, and regulatory agencies.

A.6.1.4 Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
HUAWEI CLOUD's response: Same as A.6.1.3


A.6.1.5 Information security in project management
Control: Information security shall be addressed in project management, regardless of the type of the project.
HUAWEI CLOUD's response: HUAWEI CLOUD integrates security objectives into project objectives in project management, evaluates information security risks at the early stage of the project, and periodically reviews information security impacts during the entire project delivery process.

A.6.2.1 Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
HUAWEI CLOUD's response: HUAWEI CLOUD has formulated regulations on mobile device management to implement unified management of mobile computing devices. The rules for using mobile devices, responsibilities, authority requirements, security requirements for mobile device management, network access requirements and violation penalties are stipulated and implemented. For laptops, confidential positions are not allowed to be equipped with laptops. When a laptop enters a controlled area, it needs to be approved, and the laptop needs to have measures in place to prevent data leakage in case of loss.


A.6.2.2 Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
HUAWEI CLOUD's response: HUAWEI CLOUD employees use a unique identity in the working network. If an external network needs to be connected to HUAWEI's working network, access must go through a VPN. For O&M scenarios, centralized O&M management and auditing is achieved through VPNs and bastion hosts that are deployed in HUAWEI CLOUD data centers. External and internal network O&M personnel perform all local and remote O&M operations on networks and devices such as servers in a centralized manner, which ensures unified management of O&M account authentication, authorization, access and auditing. For remote management of HUAWEI CLOUD, whether from the Internet or the Huawei corporate network, one must first connect to HUAWEI CLOUD's bastion server environment, and then access target resources from a bastion server.

● A.7 Human resource security

The objectives of this control domain are to ensure that, prior to employment, employees and contractors understand their responsibilities and are suitable for the roles for which they are considered; to ensure that employees and contractors are aware of and fulfil their information security responsibilities during employment; and to protect the organization's interests as part of the process of changing or terminating employment.

No. | Control Domain | Control | HUAWEI CLOUD's response


A.7.1.1 Screening
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
HUAWEI CLOUD's response: If permitted by applicable laws, HUAWEI CLOUD will conduct background checks on employees and external personnel before hiring them, based on the confidentiality of the assets that can be accessed. Simultaneously, to ensure orderly internal management and reduce the potential impact of personnel management risks on business continuity and security, HUAWEI CLOUD implements a specialized personnel management program for key positions such as O&M engineers, including on-boarding security review, on-the-job security training and enablement, on-boarding qualifications management, and off-boarding security review.

A.7.1.2 Terms and conditions of employment
Control: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.
HUAWEI CLOUD's response: The employment agreement signed by the employee and the company contains a confidentiality clause, which clearly states the employee's information security responsibilities. For external personnel, HUAWEI CLOUD signs a non-disclosure agreement with them and conducts information security training, including information security responsibilities.


A.7.2.1 Management responsibilities
Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
HUAWEI CLOUD's response: HUAWEI CLOUD has formulated information security management requirements for general employees, employees in confidential positions, and external personnel. For employees, the employment agreement signed with HUAWEI shall include confidentiality clauses and specify employees' information security responsibilities. For external personnel, the contact department of HUAWEI CLOUD shall specify information security management requirements for the external personnel and the company to which they belong, as well as punishment measures for information security violations, in the contract or agreement signed with them.

A.7.2.2 Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
HUAWEI CLOUD's response: HUAWEI CLOUD continues security awareness training for employees during their employment. There is a special information security awareness training program for employees. This training includes, but is not limited to, on-the-spot speeches and online video courses.


A.7.2.3 Disciplinary process
Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
HUAWEI CLOUD's response: HUAWEI has established a strict security responsibility system and implemented an accountability mechanism for violations. HUAWEI CLOUD holds employees accountable on the basis of behavior and results. According to the nature of HUAWEI CLOUD employees' security violations and their consequences, the accountability handling levels are determined and handled in different ways. Those who violate laws and regulations shall be transferred to judicial organs for handling. Direct managers and indirect managers shall assume management responsibility if they have managed poorly or knowingly failed to act. The handling of violations will be aggravated or mitigated according to the attitude of the individual who violated the regulations and their cooperation in the investigation. HUAWEI CLOUD's violation management policies are published internally for all employees to view and learn, and HUAWEI CLOUD regularly organizes training to improve employees' understanding of violations, the consequences of violations, and punitive measures.


A.7.3.1 Termination or change of employment responsibilities

Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

HUAWEI CLOUD's response: HUAWEI CLOUD employees must sign the resignation confidentiality commitment letter to confirm their ongoing information security responsibilities. For external personnel, the contact departments sign non-disclosure agreements with their company based on service requirements.

● A.8 Asset management

The objectives of this control domain are to identify organizational assets and define appropriate protection responsibilities, to ensure that information receives an appropriate level of protection in accordance with its importance to the organization, and to prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

No. Control Domain Control HUAWEI CLOUD's response

A.8.1.1 Inventory of assets

Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

HUAWEI CLOUD's response: According to the ISO 27001 standard, HUAWEI CLOUD's information asset classification is monitored and managed by dedicated tools to form an asset list, and each asset is assigned an owner.

A.8.1.2 Ownership of assets

Control: Assets maintained in the inventory shall be owned.

HUAWEI CLOUD's response: Same as A.8.1.1


A.8.1.3 Acceptable use of assets

Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

HUAWEI CLOUD's response: HUAWEI CLOUD has developed and implemented asset usage regulations, including management principles, responsibilities of related personnel, office computer security requirements, office network security requirements, office application system security requirements, storage media and port security requirements, office peripheral security requirements, non-HUAWEI computer security requirements, and related penalties.

A.8.1.4 Return of assets

Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated personnel security management regulations requiring employees to return their HUAWEI CLOUD assets to the company when they transfer or resign. When the contract or business relationship with a partner is terminated, the information generated in the cooperation project on the partner's own devices must be deleted according to the cooperation agreement, and the assets provided by HUAWEI CLOUD are returned. HUAWEI CLOUD has established an electronic asset transfer workflow for personnel resignation and termination of cooperation, and asset transfer is carried out through that electronic process.


A.8.2.1 Classification of information

Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

HUAWEI CLOUD's response: HUAWEI CLOUD has implemented hierarchical data management and graded data based on confidentiality, integrity, availability, and compliance. Data is classified into multiple security levels, each defined separately. The scheme also specifies security implementation requirements, audit requirements, emergency response, and drill requirements for the different levels of data. Each business domain marks the security level of the data in its domain according to the data grading standards.

A.8.2.2 Labelling of information

Control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

HUAWEI CLOUD's response: Same as A.8.2.1

A.8.2.3 Handling of assets

Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

HUAWEI CLOUD's response: Same as A.8.2.1


A.8.3.1 Management of removable media

Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated and implemented regulations on removable media management. All types of removable media are managed by dedicated personnel, approved for borrowing, and formatted after use. Different security requirements are set for bringing personally owned storage media and digital devices into, and using them in, areas with different security levels.

A.8.3.2 Disposal of media

Control: Media shall be disposed of securely when no longer required, using formal procedures.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated and implemented media management regulations under which media are wiped and scrapped according to their classification. HUAWEI CLOUD performs data wiping and disk degaussing in a variety of ways and records each destruction operation.

A.8.3.3 Physical media transfer

Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

HUAWEI CLOUD's response: Same as A.8.3.1

● A.9 Access control

The objectives of this control domain are to limit access to information and information processing facilities, to ensure authorized user access and to prevent unauthorized access to systems and services, to make users accountable for safeguarding their authentication information, and to prevent unauthorized access to systems and applications.

No. Control Domain Control HUAWEI CLOUD's response


A.9.1.1 Access control policy

Control: An access control policy shall be established, documented and reviewed based on business and information security requirements.

HUAWEI CLOUD's response: HUAWEI CLOUD employee account management complies with HUAWEI user account permission management regulations. For HUAWEI CLOUD cloud platform accounts, HUAWEI CLOUD has formulated public cloud account permission management requirements and processes. Accounts are managed by category and access control policies are established for each category. The related documents have passed the review process and have been released.

A.9.1.2 Access to networks and network services

Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

HUAWEI CLOUD's response: Based on business roles and responsibilities, access permission management applies role-based access control (RBAC) and includes the following basic roles: core network, access network, security devices, service systems, database systems, hardware maintenance, and monitoring maintenance. Each O&M staff member may access only devices within the administrative scope of his or her role and is not granted permissions to access other devices.


A.9.2.1 User registration and de-registration

Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

HUAWEI CLOUD's response: HUAWEI CLOUD employees use unique IDs on the internal office network. Complete account lifecycle management regulations and processes have been established. Identity and Access Management (IAM) is used to control and manage user access to cloud services. All O&M accounts, device accounts, and applications are managed in a unified manner to ensure end-to-end management, including user creation, authorization, authentication, and permission reclamation. When a user needs to use an account, the account administrator initiates the authorization process and authorizes the account by issuing a password or increasing the account's permissions. The applicant and the approver of an account cannot be the same person.

A.9.2.2 User access provisioning

Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

HUAWEI CLOUD's response: Same as A.9.2.1


A.9.2.3 Management of privileged access rights

Control: The allocation and use of privileged access rights shall be restricted and controlled.

HUAWEI CLOUD's response: HUAWEI CLOUD has defined management requirements for privileged accounts. Privileged accounts are classified, and the management requirements apply throughout their creation, reclamation, authorization, use, and deregistration. HUAWEI CLOUD keeps the security risks of employee cloud service accounts controllable: strong passwords are strictly required, account permissions are regularly reviewed, and privileged accounts are strictly managed and reclaimed. Employees must use multi-factor authentication to verify their identity each time they log in.

A.9.2.4 Management of secret authentication information of users

Control: The allocation of secret authentication information shall be controlled through a formal management process.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated password policies and account security management regulations to manage the allocation of secret authentication information. The default password of an account in a new system must be changed by the user before first use. When a user needs to reset a password, the user's identity is authenticated first.


A.9.2.5 Review of user access rights

Control: Asset owners shall review users' access rights at regular intervals.

HUAWEI CLOUD's response: HUAWEI CLOUD has specified the maximum review period for accounts and rights at each level. The account/right owner periodically reviews the accounts and rights he or she holds and submits a deregistration application when the user is transferred or the role changes. For a dedicated account, the owner reviews the dedicated account he or she is responsible for, changes the password when the dedicated account is no longer needed, and notifies the new user. The management owner submits a deregistration application when outsourced personnel leave the site or no longer need the account or permission. Supervisors review whether their subordinates' accounts and rights are appropriate; if a subordinate's position or role changes, the supervisor reviews whether the accounts and rights of the original position have been cancelled.


A.9.2.6 Removal or adjustment of access rights

Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

HUAWEI CLOUD's response: Same as A.9.2.5

A.9.3.1 Use of secret authentication information

Control: Users shall be required to follow the organization's practices in the use of secret authentication information.

HUAWEI CLOUD's response: Same as A.9.2.4

A.9.4.1 Information access restriction

Control: Access to information and application system functions shall be restricted in accordance with the access control policy.

HUAWEI CLOUD's response: HUAWEI CLOUD implements role-based access control and permission management for internal personnel. Employees with different positions and responsibilities can only perform specific operations on authorized targets. Least-privilege permission assignment and strict behavior auditing ensure that unauthorized access does not occur.


A.9.4.2 Secure log-on procedures

Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

HUAWEI CLOUD's response: HUAWEI CLOUD keeps the security risks of employee cloud service accounts controllable: strong passwords are strictly required, account permissions are regularly reviewed, and privileged accounts are strictly managed and reclaimed. IAM is used to manage access and supports multi-factor authentication for login verification and operation protection. Employees must use multi-factor authentication to verify their identity each time they log in. IAM also provides session timeout policies, account login policies, and account locking policies.

A.9.4.3 Password management system

Control: Password management systems shall be interactive and shall ensure quality passwords.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated and implemented password policies that specify password length, complexity, and change period. Passwords cannot contain the user ID. Common, easily cracked passwords and any of the user's last five passwords cannot be used.
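The following is an added example, not code from HUAWEI CLOUD or this document, showing how the A.9.4.3 rules (length, complexity, no user ID, no common passwords, no reuse of the last five) can be enforced by a password management system; the concrete minimum length and character-class count are assumptions, since the document does not state them, and the common-password list is a constructed sample.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample denylist; a real deployment would load a large list of
# leaked and common passwords (assumption, not from the document).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "admin123"}

# Iteration count kept low so the example runs quickly; raise it in production.
PBKDF2_ROUNDS = 50_000


@dataclass
class PasswordPolicy:
    """Numeric parameters are assumed values; the document does not give them."""
    min_length: int = 12        # assumed minimum length
    min_char_classes: int = 3   # assumed: 3 of lower/upper/digit/symbol
    history_size: int = 5       # "the latest five passwords cannot be used"


def _derive(password: str, salt: bytes) -> bytes:
    # Only salted hashes of old passwords are kept, so the history used to
    # block reuse cannot itself leak the plaintexts it remembers.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    """Most-recent-first list of (salt, hash) pairs for one account."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self.entries)

    def remember(self, password: str, policy: PasswordPolicy) -> None:
        salt = os.urandom(16)
        self.entries.insert(0, (salt, _derive(password, salt)))
        del self.entries[policy.history_size:]   # keep only the latest N


def _char_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol appear in the password."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def check_password(user_id: str, candidate: str, history: PasswordHistory,
                   policy: Optional[PasswordPolicy] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    policy = policy or PasswordPolicy()
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if _char_classes(candidate) < policy.min_char_classes:
        violations.append(f"fewer than {policy.min_char_classes} character classes")
    # Case-insensitive substring check: "JDoe-..." still contains user ID "jdoe".
    if user_id and user_id.lower() in candidate.lower():
        violations.append("contains the user ID")
    if candidate.lower() in COMMON_PASSWORDS:
        violations.append("is a common, easily cracked password")
    if history.contains(candidate):
        violations.append(f"matches one of the last {policy.history_size} passwords")
    return violations


def change_password(user_id: str, candidate: str, history: PasswordHistory,
                    policy: Optional[PasswordPolicy] = None) -> List[str]:
    """Apply the policy and, only on success, record the new password in history."""
    policy = policy or PasswordPolicy()
    violations = check_password(user_id, candidate, history, policy)
    if not violations:
        history.remember(candidate, policy)
    return violations
```

Note that the reuse check compares salted hashes with a constant-time comparison and that only the most recent five entries are retained, so a password becomes usable again once five later changes have rotated it out of the history.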


A.9.4.4 Use of privileged utility programs

Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

HUAWEI CLOUD's response: HUAWEI CLOUD divides the data center into multiple security zones based on business functions and network security risks, implementing both physical and logical control. HUAWEI CLOUD O&M personnel must first log onto the Virtual Private Network (VPN) to connect to a dedicated security zone and then log onto managed nodes through bastion hosts. HUAWEI CLOUD administrator-level personnel can access the O&M interfaces of all security zones from that zone, and it does not expose its own interfaces to any other security zone.

A.9.4.5 Access control to program source code

Control: Access to program source code shall be restricted.

HUAWEI CLOUD's response: The HUAWEI CLOUD information security environment is managed in partitions. Downloading source code, accessing source code from outside the company, and transferring source code through basic office applications are not allowed. Transfer of source code from the corporate information security environment to outside the company must be approved and controlled.

● A.10 Cryptography

The objective of this control domain is to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

No. Control Domain Control HUAWEI CLOUD's response


A.10.1.1 Policy on the use of cryptographic controls

Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated and implemented cryptographic algorithm application specifications, which specify the selection and application rules for cryptographic algorithms and provide guidance on common application scenarios.

A.10.1.2 Key management

Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated and implemented key management security specifications to manage security in each phase of the key lifecycle.

● A.11 Physical and environmental security

The objectives of this control domain are to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities, and to prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

No. Control Domain Control HUAWEI CLOUD's response


A.11.1.1 Physical security perimeter

Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

HUAWEI CLOUD's response: The HUAWEI CLOUD information security environment is managed by zones. Physical environment facilities are defined for each zone (including access control, security posts, video surveillance, etc.), together with different requirements for equipment access control (including photography equipment, storage media, etc.). Data transfer policies and access control policies between zones have also been formulated and implemented. HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff and for managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems in different zones of the data center site for optimal physical security.

A.11.1.2 Physical entry controls

Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

HUAWEI CLOUD's response: Same as A.11.1.1


A.11.1.3 Securing offices, rooms and facilities

Control: Physical security for offices, rooms and facilities shall be designed and applied.

HUAWEI CLOUD's response: Same as A.11.1.1

A.11.1.4 Protecting against external and environmental threats

Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

HUAWEI CLOUD's response: In terms of physical protection, HUAWEI CLOUD has established zone protection. To reduce risk, a site selection strategy has been formulated for possible natural disasters. For risks such as intrusion and unauthorized access, a monitoring and response mechanism has been established as well. HUAWEI CLOUD data centers are sited in locations with political stability, a low crime rate and a benign environment, away from areas prone to natural disasters such as floods, hurricanes and earthquakes, avoiding strong electromagnetic field interference, and keeping the minimum distance from surrounding hazard areas set by the technical requirements.

A.11.1.5 Working in secure areas

Control: Procedures for working in secure areas shall be designed and applied.

HUAWEI CLOUD's response: Same as A.11.1.1


A.11.1.6 Delivery and loading areas

Control: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

HUAWEI CLOUD's response: HUAWEI CLOUD strictly reviews and regularly audits user access rights through its access control systems. Visitors must be accompanied by internal personnel throughout their visit and may move only within general restricted areas. HUAWEI CLOUD uses physical and logical controls to separate production and non-production environments. The data center partitions the physical area of the equipment room (including highly sensitive areas) and arranges the components of the information system appropriately during design, construction and operation, so as to prevent potential physical and environmental hazards.


A.11.2.1 Equipment siting and protection

Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated regulations on confidential device and media management, which specify requirements for device placement, protection, and access and define the corresponding operating processes. Important data center components are stored in a dedicated electronic encryption safe in the warehousing system, and the safe is opened and closed by a dedicated person. Any spare data center component must be obtained by presenting an authorized service ticket and must be registered in the warehousing management system. All physical access equipment and warehousing system materials are regularly counted and tracked by dedicated personnel. The equipment room administrator not only conducts routine security checks but also audits data center access records at irregular intervals to ensure that unauthorized personnel cannot access the data center.


A.11.2.2 Supporting utilities

Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

HUAWEI CLOUD's response: HUAWEI CLOUD strictly controls electrical and fire safety. HUAWEI CLOUD data centers employ a multi-level safety assurance solution to ensure 24/7 service availability and continuity. Daily electricity supply at data centers relies on dual power feeds from different power substations. Data centers are equipped with diesel generators, which are run in the event of a power outage, and also with Uninterruptible Power Supply (UPS), which provides temporary backup power. HUAWEI CLOUD data centers comply with Level-1 design and use Class-A fireproof materials for their construction in compliance with country-specific fire control regulations. Flame-retardant and fire-resistant cables are used in pipelines and troughs, alongside power leakage detection devices. An automatic fire alarm and fire extinguishing system is deployed to quickly and accurately detect and report fires. The automatic alarm system is linked with the power supply, monitoring, and ventilation systems so that the fire extinguishing system can activate itself even when unattended, autonomously keeping fires under control.


A.11.2.3 Cabling security

Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

HUAWEI CLOUD's response: HUAWEI CLOUD data centers avoid strong electromagnetic interference during site selection. During the construction of HUAWEI CLOUD data centers, secure conduits and anti-tamper hardware must be used for network cabling and external devices. When communication lines such as fiber optic cables pass through open-access areas, they run in metal pipes and cable trays, are covered by protective cabling, are laid in conduits or trunking, and are equipped with leakage detection devices.

A.11.2.4 Equipment maintenance

Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.

HUAWEI CLOUD's response: For data center maintenance, HUAWEI CLOUD has established regulations and processes for data center O&M management, including specific device control measures and routine maintenance plans.

A.11.2.5 Removal of assets

Control: Equipment, information or software shall not be taken off-site without prior authorization.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated regulations on managing storage media and devices entering and leaving the data center, requiring that storage media and devices be registered and authorized before entering or leaving. Data leakage prevention management is applied when physical storage media enter and exit the data center, and data erasure and scrapping processes are specified to reduce possible losses from data leakage.


A.11.2.6 Security of equipment and assets off-premises

Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated and implemented office computer security management regulations, specifying that office asset users are obligated to ensure the security of the assets they use and are responsible for their usage status. Employees must keep work laptops with them or store them properly to ensure the security of HUAWEI information stored on them, and must promptly report lost or stolen office computers.

A.11.2.7 Secure disposal or reuse of equipment

Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

HUAWEI CLOUD's response: Dedicated personnel manage devices that contain storage media on HUAWEI CLOUD. After the devices are used, dedicated personnel format them. When a storage medium holding HUAWEI confidential information is scrapped, dedicated personnel must ensure that the information stored on it is erased and cannot be recovered. The disposal methods include degaussing, physical destruction, and low-level formatting.

A.11.2.8 Unattended user equipment

Control: Users shall ensure that unattended equipment has appropriate protection.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated and implemented workplace security management regulations that set requirements on employees' security responsibilities and behavior, establish policies and procedures, and implement access control to ensure proper protection of unattended user devices.


A.11.2.9 Clear desk and clear screen policy

Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated and implemented workplace security management regulations that set requirements on employees' security responsibilities and behavior and establish policies and procedures to ensure that unattended workspaces are free of publicly visible sensitive documents. At the same time, security awareness is reinforced through awareness education, publicity activities, and the signing of the BCG and commitment letters.

● A.12 Operations security

The objectives of this control domain are to ensure correct and secure operations of information processing facilities, to ensure that information and information processing facilities are protected against malware, to protect against loss of data, to record events and generate evidence, to ensure the integrity of operational systems, to prevent exploitation of technical vulnerabilities, and to minimize the impact of audit activities on operational systems.

No. Control Domain Control HUAWEI CLOUD's response

A.12.1.1 Documented operating procedures

Control: Operating procedures shall be documented and made available to all users who need them.

HUAWEI CLOUD's response: HUAWEI CLOUD implements documented information security policies and procedures to provide guidance for HUAWEI CLOUD's operations related to information processing and communications facilities. Employees can view the released information security policies and procedures under authorization.


A.12.1.2 Change management

Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

HUAWEI CLOUD's response: HUAWEI CLOUD has established a system change management and service launch process and communicated its requirements to all relevant developers (including internal employees and external partners). Newly launched or changed services shall follow the HUAWEI CLOUD release and change management process. After a status change such as resignation or a change of position, employees and other third parties undergo a security review according to the transfer and resignation security review checklist, which includes clearing or modifying the account permissions of the departing person.

A.12.1.3 Capacity management

Control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

HUAWEI CLOUD's response: HUAWEI CLOUD has established a complete resource management mechanism to plan the capacity of the resources in HUAWEI's unified virtualization platform, avoiding excessive resource use and meeting capacity requirements. In addition, HUAWEI CLOUD collects component capacity information for cloud services to monitor the stable operation of the platform.


A.12.1.4 Separation of development, testing and operational environments

Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

HUAWEI CLOUD's response: HUAWEI CLOUD uses a combination of physical and logical isolation methods for production and non-production environments, and manages the combined isolation to improve the network's partition self-protection and fault-tolerant recovery capabilities in the face of intrusions and insider threats, reducing the risk of unauthorized access to or changes in the production environment.


A.12.2.1 Controls against malware

Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

HUAWEI CLOUD's response: HUAWEI CLOUD uses an intrusion prevention system (IPS), Web Application Firewall (WAF), anti-virus software, and a host-based intrusion detection system (HIDS) for vulnerability management of system components and networks. The IPS detects and prevents potential network intrusion activities; web application firewalls are deployed at the network boundary to protect application software from external SQL injection, cross-site scripting (CSS), CSRF and other application-layer attacks; anti-virus software provides virus protection and a firewall on Windows systems; the HIDS protects cloud servers, reduces the risk of account theft, and provides functions such as weak password detection, malicious program detection, two-factor authentication, vulnerability management, and web tamper protection. HUAWEI CLOUD continuously educates employees on security awareness during their employment. A dedicated information security awareness training program is provided, which includes malware prevention.


A.12.3.1

Information backup

Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

User data can be replicated and stored on multiple nodes in a data center. If a single node fails, user data will not be lost. The system supports automatic failure detection and data recovery.

Different AZs within a single region have implemented Data Center Interconnection (DCI), connecting them through high-speed fiber and supporting the essential requirement of cross-AZ data replication. Users can also leverage our DR replication service and solution based on their business needs.

In addition to the high availability infrastructure, data redundancy and backup, and DR among AZs, HUAWEI CLOUD also has a formal business continuity plan (BCP) and conducts BCP drills periodically.


A.12.4.1

Event logging

Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

HUAWEI CLOUD uses a centralized and comprehensive log system based on big data analytics. The system collects management behavior logs of all physical devices, networks, platforms, applications, databases, and security systems as well as threat detection logs of security products and components. The logs support cybersecurity event backtracking and compliance. This log analysis system supports massive data storage and powerful search and query features; it can store all logs for over 180 days and supports real-time queries within 90 days. HUAWEI CLOUD also has a dedicated internal audit department that performs periodic audits on O&M activities.

A.12.4.2

Protection of log information

Logging facilities and log information shall be protected against tampering and unauthorized access.

Same as A.12.4.1

A.12.4.3

Administrator and operator logs

System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

Same as A.12.4.1


A.12.4.4

Clock synchronization

The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

HUAWEI CLOUD uses a standard protocol to synchronize time in the system.

A.12.5.1

Installation of software on operational systems

Procedures shall be implemented to control the installation of software on operational systems.

HUAWEI CLOUD ensures the secure introduction and use of open source and third-party software based on the principle of strict entry and wide use. HUAWEI CLOUD has formulated clear security requirements and complete process control solutions for introduced open source and third-party software, and strictly controls selection analysis, security testing, code security, risk scanning, legal review, software application, software installation, and software exit.


A.12.6.1

Management of technical vulnerabilities

Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

HUAWEI CLOUD has established a dedicated vulnerability response team to evaluate and analyze the causes and threats of vulnerabilities in a timely manner, to formulate remedial measures, and to evaluate the feasibility and effectiveness of those remedial measures. HUAWEI CLOUD announces discovered vulnerabilities of products or services on its official website and forewarns customers. Customers can check the Security Notice to be aware of the scope of the vulnerabilities, how to deal with them, and the threat level.

A.12.6.2

Restrictions on software installation

Rules governing the installation of software by users shall be established and implemented.

HUAWEI CLOUD has developed and implemented a desktop terminal service software standard. Office computers use only the standard operating systems and software defined in the standard.


A.12.7.1

Information systems audit controls

Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

HUAWEI CLOUD has developed and implemented regulations on penetration testing and vulnerability scanning, which define risk mitigation policies. In terms of timing, penetration test and scanning activities that have a great impact on the system must avoid peak hours, major activity dates, and emergency assurance periods. At the same time, a hierarchical strategy is formulated, which includes not performing large-scale concurrent scanning on targets, performing batch and time-based scanning, and controlling the generated data traffic. During scanning, servers with relatively unimportant services are selected first, and other systems are scanned if there is no risk.

● A.13 Communications security

The objectives of this control domain are to ensure the protection of information in networks and its supporting information processing facilities, and to maintain the security of information transferred within an organization and with any external entity.

No. Control Domain Control HUAWEI CLOUD's response


A.13.1.1

Network controls

Networks shall be managed and controlled to protect information in systems and applications.

Every HUAWEI CLOUD data center has numerous nodes and complex functional zones. To simplify its network security design, prevent the propagation of network attacks in HUAWEI CLOUD, and minimize the potential impact of attacks, HUAWEI CLOUD defines both security zones and service planes, and implements a network segregation strategy in HUAWEI CLOUD by referencing and adopting the security zoning principle of ITU E.408 and industry best practices on network security. Nodes in the same security zone are at the same security level. HUAWEI CLOUD always takes into full consideration a wide variety of network security aspects ranging from network architecture design to device selection and configuration, as well as O&M. As a result, HUAWEI CLOUD has adopted a set of network security mechanisms to enforce stringent controls and ensure cloud security. Some key examples of these network security mechanisms are multi-layered security isolation, access control, and perimeter protection for physical and virtual networks.


A.13.1.2

Security of network services

Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

HUAWEI CLOUD defines the security mechanism, service level agreement (SLA), and management requirements for network services in the agreements signed with network service providers.


A.13.1.3

Segregation in networks

Groups of information services, users and information systems shall be segregated on networks.

Based on business functions and network security risks, the HUAWEI CLOUD data center network is mapped into different security zones to achieve network isolation using both physical and logical controls, which boosts the network immunity and fault tolerance in HUAWEI CLOUD in response to attacks from external threat actors and internal threats. The following list describes the five key security zones: DMZ zone, Public services zone, Point of Delivery (POD), Object-Based Storage (OBS), and Operations Management (OM).

In addition to the above-mentioned security zoning for every HUAWEI CLOUD data center's network, distinct security levels within different security zones are also defined for HUAWEI CLOUD. Attack surfaces and security risks are determined based on different business functions. For example, security zones that are directly exposed to the Internet have the highest security risks, whereas the O&M zone, which exposes no interface to the Internet, has a much smaller attack surface and lower security risks, and is less challenging to manage.

For further information about security zones, please refer to the HUAWEI CLOUD Security White Paper.


A.13.2.1

Information transfer policies and procedures

Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

HUAWEI CLOUD has formulated security management regulations, defined information transmission policies and processes, and detailed control requirements.


A.13.2.2

Agreements on information transfer

Agreements shall address the secure transfer of business information between the organization and external parties.

In the scenario where data is transmitted between clients and servers and between servers of HUAWEI CLOUD via common information channels, data in transit is protected as follows:

Virtual Private Network (VPN): VPN is used to establish a secure encrypted communication channel that complies with industry standards between a remote network and a tenant VPC, such that a tenant's existing local data center seamlessly extends to HUAWEI CLOUD while ensuring end-to-end data confidentiality. With a VPN-based communication channel established between the traditional data center and the VPC, a tenant can utilize HUAWEI CLOUD resources such as cloud servers and block storage at one's convenience. Applications can be migrated to the cloud, additional web servers can be launched, and the compute capacity within a tenant space can be expanded so as to establish an enterprise hybrid cloud architecture and also lower the risk of unauthorized dissemination of a tenant's core business data. Currently, HUAWEI CLOUD uses IPsec VPN together with Internet Key Exchange (IKE) to encrypt the data transport channel and ensure transport security.

Application Layer TLS and Certificate Management: HUAWEI CLOUD supports data transmission in REST and Highway modes. In REST mode, a service is published to the public as a RESTful service and the initiating party directly uses an HTTP client to invoke the RESTful API for data transmission. In Highway mode, a communication channel is established using a high-performing Huawei-proprietary protocol, which is best suited for scenarios requiring especially high performance. Both REST and Highway modes support TLS 1.2 for data-in-transit encryption and X.509 certificate-based identity authentication of destination websites.

SSL Certificate Manager (SCM) is a one-stop-shop type of X.509 certificate full lifecycle management service provided to our tenants by HUAWEI CLOUD together with world-renowned public certificate authorities (CAs). It ensures the identity authentication of destination websites and secure data transmission.

A.13.2.3

Electronic messaging

Information involved in electronic messaging shall be appropriately protected.

HUAWEI CLOUD protects information sent in electronic messages by using office computer security software, network access control, permission management, access control, transmission encryption, and content encryption.


A.13.2.4

Confidentiality or non-disclosure agreements

Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.

HUAWEI CLOUD regulates information confidentiality and non-disclosure agreement signing and archiving, and regularly updates the non-disclosure agreement templates that employees and external parties must sign.

● A.14 System acquisition, development and maintenance

The objective of this control domain is to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. The objective of development and support processes is to ensure that information security is designed and implemented within the development lifecycle of information systems, and to ensure the protection of data used for testing.

No. Control Domain Control HUAWEI CLOUD's response


A.14.1.1

Information security requirements analysis and specification

The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

HUAWEI CLOUD manages the end-to-end software and hardware lifecycle through complete systems and processes, as well as automated platforms and tools. The lifecycle includes security requirements analysis, security design, security coding and testing, security acceptance and release, and vulnerability management.

HUAWEI CLOUD and related cloud services comply with the security and privacy design principles and norms, laws and regulations. Threats are analyzed according to business scenarios, data flow diagrams and networking models in the security requirements analysis and design phase. When a threat is identified, the design engineer formulates mitigation measures according to the threat mitigation library and the security design library and completes the corresponding security design. All threat mitigation measures are eventually converted into security requirements and security functions and, according to the company's test case library, are used to complete the design of security test cases, to ensure successful implementation and ultimately ensure the security of products and services.


A.14.1.2

Securing application services on public networks

Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

HUAWEI CLOUD uses multiple security measures to protect data involved in application services provided on public networks. IAM is used for access control and user identity authentication. Secure encryption channels (such as HTTPS) are used during information transmission, and stored static data is encrypted using secure encryption algorithms to ensure data confidentiality in different states. Control mechanisms such as digital signatures and timestamps are used to prevent tampering during data transmission, ensure information integrity, and prevent replay attacks. Logs are recorded for operations in application services to support audit. Identity authentication, transmission protection, and border protection for interfaces are performed to ensure API application security.


A.14.1.3

Protecting application services transactions

Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Same as A.14.1.2
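The tamper, integrity and replay protections named for A.14.1.2 and A.14.1.3 (digital signatures combined with timestamps), shown as an added worked example. This is not HUAWEI CLOUD's code and the page does not say which signature scheme is used, so it assumes an HMAC-SHA256 tag over a shared key, a 5-minute freshness window and a seen-nonce cache; the key, message bodies and timestamps are constructed.

```python
import hashlib
import hmac
import json

# Constructed example (not HUAWEI CLOUD code). A message is tagged with
# HMAC-SHA256 over its body, a timestamp and a nonce. The verifier rejects
# altered messages (tag mismatch), messages outside the freshness window
# (old replays) and a second copy of any nonce seen inside the window
# (duplicate / fresh replay).

FRESHNESS_WINDOW_S = 300  # assumption: tolerate 5 minutes of clock skew


def canonical(body: dict, ts: int, nonce: str) -> bytes:
    """Deterministic serialisation so both sides MAC exactly the same bytes."""
    payload = {"body": body, "ts": ts, "nonce": nonce}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, body: dict, ts: int, nonce: str) -> dict:
    """Sender side: attach an integrity tag covering body, timestamp and nonce."""
    tag = hmac.new(key, canonical(body, ts, nonce), hashlib.sha256).hexdigest()
    return {"body": body, "ts": ts, "nonce": nonce, "tag": tag}


class ReplayGuard:
    """Receiver side: verifies tags and accepts each nonce at most once."""

    def __init__(self, key: bytes, window_s: int = FRESHNESS_WINDOW_S):
        self.key = key
        self.window_s = window_s
        self.seen = {}  # nonce -> timestamp of the message that used it

    def verify(self, msg: dict, now: int) -> str:
        """Return 'ok' or the reason the message was rejected."""
        expected = hmac.new(
            self.key, canonical(msg["body"], msg["ts"], msg["nonce"]), hashlib.sha256
        ).hexdigest()
        # Check integrity first, with a constant-time comparison.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad_signature"
        # A valid tag on a stale timestamp is a replay from outside the window.
        if abs(now - msg["ts"]) > self.window_s:
            return "stale"
        # Nonces older than the window can be forgotten: any replay of them
        # is already caught by the freshness check above.
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.window_s:
                del self.seen[nonce]
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


def demo() -> list:
    """Walk one verifier through a fresh message, a replay, a tampered copy and a stale message."""
    key = b"constructed-shared-key"        # constructed; in practice from a key store
    guard = ReplayGuard(key)
    t0 = 1_700_000_000                      # constructed reference time (epoch seconds)

    msg = sign_message(key, {"op": "transfer", "amount": 100}, t0, "nonce-1")
    results = [guard.verify(msg, t0 + 1)]                  # fresh: ok
    results.append(guard.verify(msg, t0 + 2))              # same nonce again: replay
    tampered = dict(msg, body={"op": "transfer", "amount": 1000})
    results.append(guard.verify(tampered, t0 + 3))         # body altered: bad_signature
    old = sign_message(key, {"op": "ping"}, t0 - 1000, "nonce-2")
    results.append(guard.verify(old, t0))                  # outside window: stale
    return results


if __name__ == "__main__":
    print(demo())
```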

A.14.2.1

Secure development policy

Rules for the development of software and systems shall be established and applied to developments within the organization.

By leveraging HUAWEI's wealth of experience and far-reaching capabilities in the field of security, HUAWEI CLOUD has not only proactively pursued the new DevOps process, which features rapid and continuous iteration capabilities, but also seamlessly integrated the HUAWEI security development lifecycle (SDL). As a result, DevOps is gradually taking shape as a highly automated new security lifecycle management methodology and process, called DevSecOps, alongside cloud security engineering capabilities and a tool chain that together ensure the smooth and flexible implementation of DevSecOps.


A.14.2.2

System change control procedures

Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

HUAWEI CLOUD has established the system change management and service launch process, and communicated its requirements to all relevant developers (including internal employees and external partners). Newly launched or changed services shall follow the regulations of the HUAWEI CLOUD release and change management process.

A.14.2.3

Technical review of applications after operating platform changes

When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

HUAWEI CLOUD has formulated management regulations and change procedures for change management. Before submitting a change request, the change must undergo a testing process that includes production-like environment testing, pilot release, and/or blue/green deployment. This ensures that the change committee clearly understands the change activities involved, their duration, the failure rollback procedure, and all potential impacts. Changes can be released only after obtaining the approval of the HUAWEI CLOUD Change Committee.

A.14.2.4

Restrictions on changes to software packages

Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

Same as A.14.2.3


A.14.2.5

Secure system engineering principles

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

HUAWEI CLOUD has formulated the public cloud service quality requirements, including the security design specification set, which defines system security engineering principles and applies them to service design.

A.14.2.6

Secure development environment

Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

HUAWEI CLOUD has pursued the new DevOps process, which features rapid and continuous iteration capabilities, and integrated the HUAWEI security development lifecycle (SDL). In addition, DevOps is gradually taking shape as a highly automated new security lifecycle management methodology and process, called DevSecOps, alongside cloud security engineering capabilities and a tool chain that together ensure the smooth and flexible implementation of DevSecOps.

HUAWEI CLOUD hierarchically manages the development environment and implements protection measures such as physical isolation, logical isolation, access control, and data transmission channel approval and audit.


A.14.2.7

Outsourced development

The organization shall supervise and monitor the activity of outsourced system development.

HUAWEI CLOUD has specified requirements on R&D outsourcing management, and incorporates the supervision of outsourced personnel and outsourced projects into the daily responsibilities of employees and projects.

A.14.2.8

System security testing

Testing of security functionality shall be carried out during development.

All cloud services pass multiple security tests before release. The test cases cover the security requirements identified in the security design phase and include test cases from an attacker's perspective. For further information, please refer to the HUAWEI CLOUD Security White Paper. In addition, HUAWEI CLOUD leverages its in-depth understanding of customers' security requirements and industry standards and develops matching security test tools. One such tool is SecureCAT, which can be used to check the security configurations of mainstream operating systems and databases.

A.14.2.9

System acceptance testing

Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

Same as A.14.2.8

A.14.3.1

Protection of test data

Test data shall be selected carefully, protected and controlled.

HUAWEI CLOUD has formulated specifications for selecting and protecting test data, which are strictly followed during test work.


● A.15 Supplier relationships

The objectives of this control domain are to ensure protection of the organization's assets that are accessible by suppliers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

No. Control Domain Control HUAWEI CLOUD's response

A.15.1.1

Information security policy for supplier relationships

Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.

HUAWEI CLOUD has established a supplier selection and supervision system, which manages the supplier's compliance with the specific requirements and contract obligations of HUAWEI CLOUD through due diligence before signing the contract and regular evaluation afterwards.

A.15.1.2

Addressing security within supplier agreements

All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.

Supplier security and privacy requirements are included in signed contractual agreements. Business associates with third parties are responsible for managing their third-party relationships, including asset protection requirements and suppliers' access to relevant applications. The HUAWEI CLOUD legal team also regularly reviews contract clauses.


A.15.1.3

Information and communication technology supply chain

Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.

When introducing suppliers, HUAWEI CLOUD signs confidentiality and service level agreements with them. The agreements contain requirements for suppliers' security and privacy data processing.

A.15.2.1

Monitoring and review of supplier services

Organizations shall regularly monitor, review and audit supplier service delivery.

Same as A.15.1.1

A.15.2.2

Managing changes to supplier services

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

HUAWEI CLOUD has formulated general procurement change management regulations and processes to strictly manage supplier service changes according to the management regulations. The disaster recovery strategy of HUAWEI CLOUD stipulates that multiple suppliers should be used for the same service to cope with emergencies, so as to retain a certain redundancy and maintain service continuity.

● A.16 Information security incident management

The objective of this control domain is to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

No. Control Domain Control HUAWEI CLOUD's response


A.16.1.1

Responsibilities and procedures

Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

HUAWEI CLOUD has developed a mechanism for internal security incident management, which includes commonly used security incident response plans and processes, and continues to optimize it. The roles and responsibilities are clearly defined for each activity during the incident response process. The HUAWEI CLOUD log system based on big data analytics can quickly collect, process, and analyze mass logs in real time and can connect to third-party Security Information and Event Management (SIEM) systems such as those provided by ArcSight and Splunk. The system collects management behavior logs of all physical devices, networks, platforms, applications, databases, and security systems as well as threat detection logs of security products and components; continuous monitoring and real-time analysis ensure the timely detection of security incidents. In addition, given the professionalism and urgency required to handle security incidents, HUAWEI CLOUD has a professional security incident response team available 24/7 and a corresponding pool of security expert resources for response. HUAWEI CLOUD annually tests its information security incident management procedures. All information security incident response personnel, including reserve personnel, need to participate.


A.16.1.2

Reporting information security events

Information security events shall be reported through appropriate management channels as quickly as possible.

HUAWEI CLOUD has formulated the classification and escalation principle of information security incidents, ranking them according to their degree of impact on the customer's business, and initiates a process to notify customers of the incident. When serious events occur on the underlying infrastructure platform and have or may have a serious impact on multiple customers, HUAWEI CLOUD can promptly notify customers of the events with an announcement. The contents of the notification include but are not limited to a description of the event, the cause, the impact, the measures taken by HUAWEI CLOUD and the measures recommended for customers. After the incident is resolved, the incident report will be provided to the customer according to the specific situation.


A.16.1.3

Reporting information security weaknesses

Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

HUAWEI CLOUD conveys the company's requirements for all employees in the field of cybersecurity through the company's unified annual routine learning, examination and signing activities, and improves employee cybersecurity awareness. The requirements include that employees should report information security weaknesses they find. For other external partners, HUAWEI CLOUD signs confidentiality agreements with them and conducts information security training, which includes information security incident reporting responsibilities.

HUAWEI CLOUD provides employees with channels and precautions to report information security events.

A.16.1.4

Assessment of and decision on information security events

Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

HUAWEI CLOUD has established a security incident response team to monitor and analyze alarms and assess whether they are information security incidents.

A.16.1.5

Response to information security incidents

Information security incidents shall be responded to in accordance with the documented procedures.

Same as A.16.1.1


A.16.1.6

Learning from information security incidents

Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

HUAWEI CLOUD uses a professional security incident management system to record and track the progress, handling measures, and implementation of all information security incidents, analyze the impact of incident handling, and track and close security incidents in an end-to-end manner to ensure that the entire handling process can be traced.

A.16.1.7

Collection of evidence

The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

HUAWEI CLOUD has developed a security incident emergency handling process and response process. When a server or application is suspected to have been intruded, security responders collect evidence for analysis.

● A.17 Information security aspects of business continuity management

The objectives of this control domain are that information security continuity shall be embedded in the organization's business continuity management systems, and the availability of information processing facilities should be ensured.

No. Control Domain Control HUAWEI CLOUD's response


A.17.1.1 Planning information security continuity

Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

HUAWEI CLOUD's response: HUAWEI CLOUD has obtained certification against the ISO 22301 business continuity management system standard, established a business continuity management system internally, and formulated a business continuity plan, which contains the strategies and processes for natural disasters, accident disasters, information technology risks and other emergencies.

A.17.1.2 Implementing information security continuity

Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

HUAWEI CLOUD's response: Same as A.17.1.1

A.17.1.3 Verify, review and evaluate information security continuity

Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

HUAWEI CLOUD's response: The HUAWEI CLOUD security exercise team regularly develops exercises for different product types (including basic services, operation centers, data centers, and the overall organization) and different scenarios to maintain the effectiveness of the continuity plan. When significant changes take place in the organization and environment of HUAWEI CLOUD, the effectiveness of the business continuity level is also tested.


A.17.2.1 Availability of information processing facilities

Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

HUAWEI CLOUD's response: HUAWEI CLOUD deploys a multi-region and multi-AZ architecture across its data center clusters, implementing redundant connections between multiple AZs, eliminating the risk of single points of failure and ensuring service continuity. In addition, HUAWEI CLOUD also deploys a global load balancing scheduling center to implement N+1 deployment across data centers. If a data center is faulty, traffic can be balanced to other data centers.

● A.18 Compliance

The objectives of this control domain are to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements, and to ensure that information security is implemented and operated in accordance with the organizational policies and procedures through information security reviews.

No. Control Domain Control HUAWEI CLOUD's response

A.18.1.1 Identification of applicable legislation and contractual requirements

Control: All relevant legislative, statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.

HUAWEI CLOUD's response: HUAWEI CLOUD has established a dedicated position to maintain active contact with external parties and to track changes in laws and regulations. When laws and regulations related to HUAWEI CLOUD services are identified, HUAWEI CLOUD adjusts internal security requirements and security control levels in a timely manner to ensure compliance with laws and regulations.


A.18.1.2 Intellectual property rights

Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

HUAWEI CLOUD's response: HUAWEI CLOUD has developed and implemented a desktop terminal service software standard. Office computers use only the standard operating systems and software defined in the standard. At the contract level, HUAWEI CLOUD fulfills contracts strictly according to the agreement with the supplier.

A.18.1.3 Protection of records

Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.

HUAWEI CLOUD's response: HUAWEI CLOUD has formulated data security policies and data security protection management regulations. Appropriate protection measures are taken and strictly implemented to ensure data security.

A.18.1.4 Privacy and protection of personally identifiable information

Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

HUAWEI CLOUD's response: HUAWEI CLOUD has built a privacy protection system based on global privacy protection laws and regulations and best practices widely recognized in the industry to protect privacy and personally identifiable information.

A.18.1.5 Regulation of cryptographic controls

Control: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

HUAWEI CLOUD's response: HUAWEI CLOUD uses strong encryption algorithms widely accepted in the industry to encrypt data on the platform and uses encryption protocols to ensure data security during transmission.


A.18.2.1 Independent review of information security

Control: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.

HUAWEI CLOUD's response: HUAWEI CLOUD has a dedicated audit team that regularly evaluates the compliance and effectiveness of strategies, procedures, supporting measures and indicators. In addition, independent third-party assessment agencies also provide independent assurance. These auditors assess the security, integrity, and confidentiality of information and resources by performing regular security assessments and compliance audits or inspections (such as SOC, ISO standards, and PCI DSS audits), so as to conduct independent assessment of risk management content and processes.

A.18.2.2 Compliance with security policies and standards

Control: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

HUAWEI CLOUD's response: Same as A.18.2.1


A.18.2.3 Technical compliance review

Control: Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.

HUAWEI CLOUD's response: HUAWEI CLOUD organizes internal teams and qualified external third parties to scan all HUAWEI CLOUD systems, applications and networks for vulnerabilities every quarter. For all known security vulnerability information, HUAWEI CLOUD evaluates and analyzes each vulnerability, formulates and implements vulnerability fix plans or circumvention measures, verifies the fix after it is applied, and continues tracking to confirm that the risk is eliminated or mitigated. HUAWEI CLOUD organizes internal teams or qualified external third parties to conduct penetration tests on all HUAWEI CLOUD systems and applications every six months, and follows up on and rectifies the results of the penetration tests. The penetration test report and follow-up are verified by internal audits and external certification agencies.


6 HUAWEI CLOUD Helping Customers Respond to ISO 27001 Requirements

HUAWEI CLOUD has passed ISO 27001 certification and provides secure and reliable cloud services for customers. However, this does not mean that customers who use HUAWEI CLOUD services meet the control requirements of ISO 27001 by default. If a customer wishes to be ISO 27001 certified, it should establish, implement, maintain and continuously improve its own information security management system in accordance with ISO 27001 guidelines and best practices, and engage an independent third-party certification body for evaluation.

The establishment of an ISMS needs to start from two aspects: management and technology. At the management level, customers should develop information security policies and procedures that meet their own needs and the requirements of ISO 27001. At the technical level, the products and services provided by HUAWEI CLOUD can help customers in some control domains and help them solve problems encountered when building their own information security management system.

For details about the products that can help achieve the objectives of the control domains in ISO 27001, see the following table. For details about the products, refer to the Product Page on the HUAWEI CLOUD official website. The following sections describe how some of HUAWEI CLOUD's main products help customers achieve the control objectives in each ISO 27001 control domain.

ISO 27001 Control Domain: Products that Help in Achieving the Objectives

A.8 Asset management: Data Security Center (DSC), Host Security Service (HSS), Object Storage Service (OBS)

A.9 Access control: Identity and Access Management (IAM)

A.10 Cryptography: Data Encryption Workshop (DEW)


A.12 Operations security: Vulnerability Scan Service (VSS), Web Application Firewall (WAF), Host Security Service (HSS), Cloud Eye Service (CES), Log Tank Service (LTS), Database Security Service (DBSS), Cloud Trace Service (CTS), Cloud Backup and Recovery (CBR), Elastic Volume Service (EVS), Image Management Service (IMS), Object Storage Service (OBS), Dedicated Distributed Storage Service (DSS), Scalable File Service (SFS), Simple Message Notification (SMN)

A.13 Communications security: Virtual Private Cloud (VPC), Virtual Private Network (VPN), Anti-DDoS, Advanced Anti-DDoS (AAD), SSL Certificate Manager (SCM), Elastic Load Balance (ELB), Direct Connect (DC), Cloud Connect (CC)

A.14 System acquisition, development and maintenance: API Gateway (APIG), Cloud Performance Test Service (CPTS)

A.15 Supplier relationships: Cloud Eye Service (CES), Application Operations Management (AOM)

A.17 Information security aspects of business continuity management: Cloud Backup and Recovery (CBR), Cloud Server Backup Service (CSBS), Storage Disaster Recovery Service (SDRS)

A.18 Compliance: Content Moderation

6.1 A.8 Asset Management

When establishing an information security management system (ISMS), customers should identify the information assets they need to protect and define appropriate protection responsibilities to ensure that information is protected at an appropriate level according to its importance, and to prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

HUAWEI CLOUD Data Security Center (DSC) is a new-generation cloud-native data security platform that provides customers with basic data security capabilities, such as data classification, data security risk identification, data watermark source tracing, and data anonymization. In addition, the data security overview integrates the status of each phase of the data security lifecycle to present the overall data security situation on the cloud.

Customers can also use Host Security Service (HSS) to comprehensively identify and manage information assets on hosts, monitor risks on hosts in real time, prevent unauthorized intrusions, and build a server security system to reduce the major security risks faced by servers. Customers can view and manage the protection status and security risks of all hosts in the same region on the GUI it provides.


Object Storage Service (OBS) stores unstructured data in customers' information assets. OBS supports lifecycle management of storage objects and helps customers manage their information assets. In addition, multiple security protections in OBS, such as SSL transmission encryption, server-side encryption, and identity authentication, can protect stored information.

6.2 A.9 Access Control

Restricting access to information and information processing facilities, and ensuring that authorized users have access to the systems and services they need while preventing unauthorized access, are important objectives for customers implementing access control.

Identity and Access Management (IAM) provided by HUAWEI CLOUD offers user account management services suitable for enterprise-level organizations and assigns different resources and operation rights to users. After using an access key to obtain IAM-based authentication, users can call APIs to access HUAWEI CLOUD resources. IAM enables hierarchical and fine-grained authorization to ensure that different users of the same customer can use cloud resources effectively, preventing the entire cloud service from becoming unavailable due to misoperation by a single user, and ensuring service continuity.

IAM supports user group-based permission management, allows users to set password policies, password change periods, login policies, account locking policies, account disabling policies, and session timeout policies that suit customers' circumstances, and provides IP-based ACLs. IAM also provides and enables multi-factor authentication by default to enhance account security. If a customer has a secure and reliable external identity authentication service (such as LDAP or Kerberos) to authenticate users and the external service supports SAML 2.0, users can use SAML to log in to the HUAWEI CLOUD service console or access cloud resources through APIs.

6.3 A.10 Cryptography

Customers shall ensure that cryptographic technology is used appropriately and effectively to protect the confidentiality, authenticity and integrity of information.

Customers can use the Data Encryption Workshop (DEW) provided by HUAWEI CLOUD to implement dedicated encryption, key management, and key pair management. DEW supports key creation, authorization, automatic rotation, and hardware protection of keys. Customers can select the required key management mechanism as needed.

HUAWEI CLOUD provides cloud Hardware Security Modules (HSMs) from different vendors, with different specifications (such as standard encryption algorithms and Chinese national cryptographic algorithms) and strengths to meet customers' requirements. HSMs are deployed in a two-node cluster to ensure high reliability and availability.

Customers can use Key Management Service (KMS) to bind keys to identifiable owners. All keys in KMS are generated by the hardware true random number generator of the HSM to ensure the randomness of keys. The root key of KMS is stored in the HSM to ensure that the root key is not disclosed. KMS hosts use the standard encrypted transmission mode to establish secure communication links with KMS nodes to ensure secure transmission of KMS-related data between nodes. KMS implements RBAC access control based on roles in IAM. A user can operate a master key stored in KMS only after being authenticated by KMS and having the key operation permission. Users with only the read-only permission can query only the master key information but cannot perform operations on the master key. KMS isolates CMKs between customers. Each tenant can access and manage only its own CMKs, but cannot operate the CMKs of other tenants. In addition, the system administrator has only device management rights and does not have any access to the master key.
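The access rules described above (IAM role based permissions, a read-only role that can only query key metadata, strict isolation of CMKs between tenants, and an administrator role with device rights but no key access) can be modelled as a small deny-by-default authorization check. The following Python is an added illustration written for this page, not HUAWEI CLOUD or KMS code; the role names, the action set, the key identifiers and the policy table are assumptions chosen to mirror the rules in the text.

```python
"""Reference model of tenant-isolated, role-based access to customer master keys (CMKs).

Added illustration for this page; not HUAWEI CLOUD KMS code. Role names,
actions, key ids and the policy table are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    DESCRIBE = "describe"   # query key metadata only, never key material
    ENCRYPT = "encrypt"
    DECRYPT = "decrypt"
    ROTATE = "rotate"


# Assumed IAM-style roles -> permitted key actions (hypothetical names).
ROLE_ACTIONS = {
    "kms_readonly": {Action.DESCRIBE},
    "kms_operator": {Action.DESCRIBE, Action.ENCRYPT, Action.DECRYPT, Action.ROTATE},
    "device_admin": set(),  # may manage HSM devices; no access to any key
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    roles: frozenset
    authenticated: bool = True


@dataclass(frozen=True)
class CMK:
    key_id: str
    tenant_id: str
    alias: str


class KeyStore:
    """Holds CMKs and decides whether a principal may act on one."""

    def __init__(self):
        self._keys = {}

    def create(self, key_id, tenant_id, alias):
        self._keys[key_id] = CMK(key_id, tenant_id, alias)

    def check_access(self, principal, key_id, action):
        """Return (allowed, reason); every step denies unless explicitly allowed."""
        if not principal.authenticated:
            return False, "not authenticated"
        key = self._keys.get(key_id)
        # Tenant isolation: another tenant's key is reported exactly like a
        # non-existent key, so the check does not leak foreign key ids.
        if key is None or key.tenant_id != principal.tenant_id:
            return False, "key not found"
        permitted = set()
        for role in principal.roles:
            permitted |= ROLE_ACTIONS.get(role, set())
        if action not in permitted:
            return False, f"{action.value} not permitted for roles {sorted(principal.roles)}"
        return True, "ok"

    def describe(self, principal, key_id):
        """Metadata only; the one call a read-only user may make."""
        allowed, reason = self.check_access(principal, key_id, Action.DESCRIBE)
        if not allowed:
            raise PermissionError(reason)
        key = self._keys[key_id]
        return {"key_id": key.key_id, "alias": key.alias, "tenant_id": key.tenant_id}


def run_scenarios():
    """Exercise the rules from the text on constructed principals and keys."""
    store = KeyStore()
    store.create("key-a-001", "tenant-A", "payroll-db")   # constructed ids
    store.create("key-b-001", "tenant-B", "orders-db")

    operator_a = Principal("alice", "tenant-A", frozenset({"kms_operator"}))
    reader_a = Principal("bob", "tenant-A", frozenset({"kms_readonly"}))
    operator_b = Principal("carol", "tenant-B", frozenset({"kms_operator"}))
    admin = Principal("dave", "tenant-A", frozenset({"device_admin"}))
    anon = Principal("eve", "tenant-A", frozenset({"kms_operator"}), authenticated=False)

    return {
        "operator_encrypt_own": store.check_access(operator_a, "key-a-001", Action.ENCRYPT),
        "readonly_describe_own": store.check_access(reader_a, "key-a-001", Action.DESCRIBE),
        "readonly_encrypt_own": store.check_access(reader_a, "key-a-001", Action.ENCRYPT),
        "operator_cross_tenant": store.check_access(operator_b, "key-a-001", Action.DESCRIBE),
        "operator_missing_key": store.check_access(operator_a, "key-zzz", Action.DESCRIBE),
        "admin_describe": store.check_access(admin, "key-a-001", Action.DESCRIBE),
        "unauthenticated": store.check_access(anon, "key-a-001", Action.ENCRYPT),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

The ordering of the checks matters: authentication first, then tenant ownership, then role permission. Because the cross-tenant case returns the same answer as a missing key, a caller cannot enumerate another tenant's key ids by probing, which is the property the text's isolation statement depends on.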

6.4 A.12 Operations Security

Customers' operations security objectives include ensuring the secure operation of information processing facilities, preventing malicious software, using backups to prevent data loss, using logging and monitoring to record events and generate evidence, implementing software control to ensure the integrity of operating systems, preventing the exploitation of technical vulnerabilities, and minimizing the impact of audit activities on operating systems. HUAWEI CLOUD provides customers with a variety of cloud services to assist in achieving these operations security objectives.

Customers can use Vulnerability Scan Service (VSS) provided by HUAWEI CLOUD to scan web applications, operating systems, and configuration baselines, and to check asset content compliance and weak passwords, identifying security risks of websites or servers exposed to the network. HUAWEI CLOUD immediately analyzes and updates rules for common CVE vulnerabilities and provides quick and professional CVE vulnerability scanning. Customers can deploy Web Application Firewall (WAF) to detect and protect website service traffic from multiple dimensions. With deep machine learning, it can intelligently identify malicious request characteristics, defend against unknown threats, and inspect HTTP(S) requests. It identifies and blocks SQL injection, cross-site scripting attacks, web page uploading, command/code injection, file inclusion, sensitive file access, third-party application vulnerability attacks, CC attacks, malicious crawler scanning, and cross-site request forgery, preventing websites from being maliciously attacked and intruded by hackers and keeping web services secure and stable. For host security protection, Host Security Service (HSS) of HUAWEI CLOUD performs a comprehensive security assessment of the host system. After the assessment, HSS displays the risks of accounts, ports, software vulnerabilities, and weak passwords in the existing system, prompting customers to perform security hardening. This feature eliminates security risks and improves the overall security of the host. HSS also provides an intrusion detection function. When an event such as brute-force cracking of accounts, a process exception, or an abnormal login is detected, an alarm is generated quickly. Customers can learn about alarm events through event management, which helps them detect security threats to assets in a timely manner, learn the security status of assets, and use intrusion detection to detect and prevent intrusions into the network.

Cloud Eye Service (CES) provided by HUAWEI CLOUD helps customers monitor server running status and cloud resource usage in real time. When a hardware fault occurs, CES notifies customers by email, SMS, or HTTP/S. Log Tank Service (LTS) on HUAWEI CLOUD collects, queries, and stores logs in real time. It records activities in the cloud environment, including VM configurations and log changes, facilitating query and tracing. With CES, customers can monitor user login logs in real time. If malicious logins occur, an alarm is generated and requests from the IP address are rejected. In addition, LTS and Database Security Service (DBSS) can record and save system component logs for customers to audit. Cloud Trace Service (CTS) of HUAWEI CLOUD records, in real time, operations performed by users who log in to the management console with cloud accounts. Customers can purchase Object Storage Service (OBS) of different specifications to back up logs based on the log retention period.
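The login-monitoring behaviour described above, and the brute-force alarm mentioned for HSS earlier in this section (failed logins tracked per source address, an alarm once they indicate brute-force cracking, and further requests from that address rejected), can be demonstrated on a few constructed log lines. The following Python is an added example for this page, not code from HUAWEI CLOUD, HSS or CES; the sshd-style log format, the threshold of 5 failures within 60 seconds and the IP addresses (taken from documentation ranges) are assumptions.

```python
"""Brute-force login detection over constructed log lines.

Added example for this page; not HUAWEI CLOUD, HSS or CES code. The log
format, threshold/window and addresses are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style records (not real log output). 203.0.113.7 hammers
# root and then succeeds; 198.51.100.20 is one typo then a normal login;
# 192.0.2.9 fails slowly, outside the window; the last line is noise.
LOG_LINES = [
    "2021-07-16T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "2021-07-16T10:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "2021-07-16T10:00:04 sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "2021-07-16T10:00:06 sshd[1204]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "2021-07-16T10:00:07 sshd[1205]: Failed password for root from 203.0.113.7 port 51242 ssh2",
    "2021-07-16T10:00:09 sshd[1206]: Accepted password for ops from 203.0.113.7 port 51244 ssh2",
    "2021-07-16T10:00:10 sshd[1207]: Failed password for alice from 198.51.100.20 port 40000 ssh2",
    "2021-07-16T10:00:30 sshd[1208]: Accepted password for alice from 198.51.100.20 port 40001 ssh2",
    "2021-07-16T10:05:00 sshd[1209]: Failed password for bob from 192.0.2.9 port 22222 ssh2",
    "2021-07-16T10:06:00 sshd[1210]: Failed password for bob from 192.0.2.9 port 22223 ssh2",
    "2021-07-16T10:07:00 sshd[1211]: Failed password for bob from 192.0.2.9 port 22224 ssh2",
    "2021-07-16T10:08:00 sshd[1212]: Failed password for bob from 192.0.2.9 port 22225 ssh2",
    "2021-07-16T10:08:05 kernel: unrelated line that the parser must skip",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for a login record, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def analyze(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window failure count per source; alarm and block at threshold.

    Returns alarms raised, (ip, user) attempts rejected after a block, the
    blocked set, and how many lines were skipped as unparseable.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = set()
    alarms, rejected = [], []
    skipped = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        ip = ev["ip"]
        if ip in blocked:
            # Enforcement: every further request from an alarmed source is rejected,
            # including a later "successful" login.
            rejected.append((ip, ev["user"]))
            continue
        if ev["result"] != "Failed":
            continue
        q = failures[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alarms.append({"ip": ip, "type": "brute_force",
                           "count": len(q), "at": ev["ts"].isoformat()})
            blocked.add(ip)
    return {"alarms": alarms, "rejected": rejected,
            "blocked": sorted(blocked), "skipped": skipped}


if __name__ == "__main__":
    result = analyze(LOG_LINES)
    for alarm in result["alarms"]:
        print("ALARM", alarm)
    for ip, user in result["rejected"]:
        print("REJECTED", ip, user)
```

The slow-failure source never trips the alarm because the window prunes old failures, which is the trade-off a threshold rule always makes; in practice the window and threshold are tuned against the account lockout policy so that legitimate typos are not escalated while a sustained guess rate is.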

If customers need to back up service data, software, and system images, HUAWEI CLOUD provides multiple products and services with different priorities. For example, customers can use Cloud Backup and Recovery (CBR) to back up cloud servers, disks, file services, off-cloud files, and VMware virtual environments. Data can be restored to any backup point when data is unavailable due to virus intrusion, accidental deletion, or software/hardware fault. Customers can use the snapshot function of Elastic Volume Service (EVS) to restore data to the snapshot point in time when data is lost. HUAWEI CLOUD also provides Image Management Service (IMS). Customers can use it to back up cloud server instances and use the backup images to restore cloud server instances when the software environment of the instances is faulty. Cloud Server Backup Service (CSBS) can create consistent online backups for multiple EVS disks under a cloud server, ensuring data security and reliability and reducing the risk of unauthorized data tampering. Object Storage Service (OBS) supports multiple data storage scenarios, and customers can also use it for enterprise data backup and archiving.

6.5 A.13 Communications Security

Customers' communications security objectives include protecting information and information processing facilities in the network, and maintaining the security of information transmitted within the organization and between the organization and external entities.

Virtual Private Cloud (VPC) provided by HUAWEI CLOUD enables tenants to build an isolated and private virtual network environment, isolates tenants while preserving smooth access, and allows flexible configuration of interconnection between VPCs. Customers can fully control the construction and configuration of their virtual networks, including sub-services such as IP address ranges, subnets, and security groups in the VPC. By configuring network ACLs and security group rules, they can strictly control network traffic to and from subnets and VMs, meeting customers' fine-grained network isolation requirements. Customers can use VPC to divide network areas and establish isolated production and test environments on the cloud.

In scenarios where existing data centers need to be expanded to HUAWEI CLOUD, customers can use Virtual Private Network (VPN). This service can be used to establish secure and encrypted communication tunnels between local data centers and the VPC provided by HUAWEI CLOUD. Customers can use resources such as cloud servers and block storage on the cloud platform to transfer applications to the cloud, start additional web servers, and increase network computing capacity, implementing a hybrid cloud architecture for enterprises.

To build a secure network protection system, customers can use network technologies and network devices to divide security domains and use a series of security services provided by HUAWEI CLOUD to improve network border protection capabilities. For example, Anti-DDoS provides refined protection against network-layer and application-layer DDoS attacks. Customers can set traffic threshold parameters based on service application types and view the attack and defense status using the real-time alarm function. Customers can use the Advanced Anti-DDoS (AAD) service of HUAWEI CLOUD to detect and clean large-traffic attacks.

SSL Certificate Manager (SCM) of HUAWEI CLOUD provides customers with one-stop certificate lifecycle management, implementing trusted identity authentication and secure data transmission for websites. The platform cooperates with world-renowned digital certificate authorities to provide users with the SSL certificate purchase function. Customers can also upload local external SSL certificates to the IoT platform to centrally manage internal and external SSL certificates. After deploying the service, customers can replace the HTTP protocol used by the service with the HTTPS protocol to eliminate the security risks of the HTTP protocol. This service can be used for website authentication, application authentication, and data transmission protection.

6.6 A.14 System Acquisition, Development and Maintenance

Customers should integrate information security into the information system lifecycle to ensure that information security is designed and implemented throughout the information system development life cycle.

API Gateway (APIG) is a high-performance, high-availability, and high-security API hosting service provided by HUAWEI CLOUD. It helps customers in two aspects. As an API provider, customers can use mature service capabilities (such as services and data) as backend services, open APIs on APIG and provide them to API callers offline, or release them to the API market to monetize service capabilities. As an API caller, customers can obtain and invoke APIs provided on APIG, reducing development time and costs. APIG supports API lifecycle management, version management, environment variable creation, traffic control and monitoring. It also provides security protection components, such as access control and signature keys, to help customers control the IP addresses and accounts that may access APIs and ensure the security of backend services requested through APIG, preventing unauthorized disclosure and modification of information in the service.

6.7 A.15 Supplier Relationships

In the control domain of supplier relationships, the main information security objective of customers is to ensure the information security level and service delivery quality of suppliers.

Customers can use Cloud Eye Service (CES) provided by HUAWEI CLOUD to monitor utilization of ECS resources and network bandwidth in a multi-dimensional manner. CES reports on tenant-defined alarm rules using open APIs, SDKs, and Agents, and sends notifications through emails and SMS messages to ensure that customers know the service running status in real time.

Application Operations Management (AOM) is a one-stop, multi-dimensional O&M management platform that enables customers to monitor their applications and track performance and resource changes in real time. It provides a unified data view of events, logs, and metrics, so that customers can optimize resources and fine-tune application performance.

6.8 A.17 Information Security Aspects of Business Continuity Management

Customers shall integrate information security continuity into the organization's business continuity management and shall ensure the availability of information processing facilities.

Customers can use Cloud Backup and Recovery (CBR) to back up Elastic Volume Service (EVS), Elastic Cloud Server (ECS) and Bare Metal Server (BMS). CBR supports backup based on consistency snapshot technology to restore data for cloud servers and EVS using backups. In addition, CBR supports the synchronization of backups from the offline backup software BCManager and the integrity verification of backups.

If customers want to create online backups, they can use Cloud Server Backup Service (CSBS), which creates consistent online backups for EVS disks on ECSs. If there is a virus intrusion, accidental deletion, or software/hardware fault, data can be restored to any backup point. CSBS works based on consistency snapshot technology to provide backup service for ECS and BMS, and supports restoring data using data backups, ensuring the security and correctness of user data to the maximum extent and ensuring business security.

To meet organizations' requirements for information security and information security management continuity in the event of disasters, Storage Disaster Recovery Service (SDRS) provides disaster recovery (DR) protection for ECS, EVS and Dedicated Distributed Storage Service (DSS). SDRS uses multiple technologies, such as storage replication, data redundancy, and cache acceleration, to provide high data reliability and service continuity for users. SDRS protects service applications by replicating the server data and configurations to a DR site. It allows service applications to start at the DR site in the event that servers at the production site stop. This improves service availability and continuity.


7 Conclusion

HUAWEI CLOUD always adheres to HUAWEI's "customer-centric" core values and is committed to protecting customer data security, which has resulted in the establishment of an information security management system and the deployment of the most common data security protection technologies in the industry to ensure customer data security.

At the same time, in order to help customers cope with the increasing openness and complexity of network environments and the development of new information security technologies, HUAWEI CLOUD continuously develops various products, services and solutions in the field of data protection to support customers in improving their data protection ability and reducing their risks.

This white paper is for reference only and does not have any legal effect or constitute legal advice, nor does it serve as a basis for certain compliance of customers' cardholder data environment when using HUAWEI CLOUD. Customers should evaluate their own operation and certification requirements, select appropriate cloud products and services, and configure them properly.


8 References

GB/T 22080-2016 / ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements


9 Version History

Date Version Description

2021-7 1.0 First Publication
