
Page 1: ZTE Corporation Product Security White Paper · ZTE Corporation Product Security White Paper ——Build an All-Round Product Security ... in 2011, the CDMA/WiMAX NetNumen U31 is

ZTE Corporation Product Security White Paper

——Build an All-Round Product Security Assurance System

Zhao Xianming Executive Vice President

December 2014

Table of Contents

Preface ... 03
CEO Statement ... 05
History ... 07
Policies and Goals ... 08
    Product Security Policies
    Product Security Goals
Product Security Framework ... 09
    Product Security Organization Structure
    Product Security Management Process
    Product Security Standard System
    Security Baselines
Management Assurance ... 16
    Security Standards and Regulations
    Product Security Documents
    Product Security Trainings
R&D Security ... 18
    Concept Phase
    Plan Phase
    Development Phase
    Verification Phase
    Release Phase
Supply Chain Security ... 21
    Material and Supplier Security Control
    Supplier Relationship Security Control
Manufacturing ... 24
    Secure Terminals
Compliance ... 25
    Verification and Audit
    Internal Control Security
    Legal Compliance
Delivery ... 26
    Security Hardening
    Operation & Maintenance
Security Incident Response ... 29
    Security Incident Handling
    Management Specification
Communication and Cooperation ... 32
    Security Column
Vision ... 35

ZTE Product Security White Paper

Preface

This is ZTE's first official product security white paper. It describes ZTE's achievements in product security and its ongoing security activities. We hope this white paper will give you a positive understanding of ZTE's product security.

With the development of network technologies, our lifestyle is undergoing great changes. Networks are involved in social activities all over the world. With the growing importance of the network, its vulnerability stands out. The "PRISM" scandal has made customers pay attention not only to the quality of a product, but also to its security and reliability. The reliability of a product has now become a threshold for entering the market.

As a globally leading provider of telecommunications equipment and network solutions, ZTE has offered innovative technologies and product solutions to telecommunications operators and enterprise customers in more than 160 countries. With ZTE's technologies and solutions, users all over the world enjoy voice, data, multimedia, and wireless communications with one another.

ZTE's product security policies are described as follows:

Customer focus: ZTE strictly checks its product security from the customer's point of view. This policy is also in line with the "customer first" principle that ZTE always adheres to.

Comprehensive security assurance: ZTE has built a unified product security assurance system that covers the whole lifecycle of its products.

Timely response: ZTE responds quickly to a crisis and resolves it in a timely manner.

Security and reliability: Providing secure and reliable products and services is the objective of ZTE's product security.

In ZTE's new Mobile-Information Communication Technology (M-ICT) strategy, security is an essential part of the organization and its products. The purpose of this white paper is to show that ZTE is willing to face product security challenges together with the international community. ZTE will build a reliable network environment and improve customers' recognition of its product security through end-to-end product security assurance systems, reliable products, and a global security standard formulated by stakeholders.

Science and technology change our lives, while laws and regulations maintain order. ZTE is absolutely against network attacks of any type, and will actively protect network security, personal data security, and privacy.

ZTE has established a product security assurance system that ensures the security of a product before its delivery. For security vulnerabilities found in released products, ZTE provides timely patches and solutions. ZTE is committed to promoting security technology innovation and evolution.

Acknowledgements

As a first attempt, this white paper embodies the hard work of many colleagues. We would like to acknowledge Cai Xincheng, Cheng Mingjiang, Gu Nanshan, Jin Bin, Li Li, Li Weichun, Li Weimin, Lin Guoyong, Liu Qing, Lv Jian, Ma Zhiyuan, Pan Wanpeng, Ping Li, Sui Xuan, Tao Hong, Wang Huagang, Wang Tengfei, Wang Xuan, Wang Zhihui, Wei Yinxing, Wu Qiang, Xie Anlin, Xu Guorong, Yao Cuifeng, Yin Linlin, Yu Ting, Yuan Ye, Zhong Hong, and others for their great ideas for this white paper and their contributions to ZTE's product security. The progress that ZTE's product security has made in the past year belongs to all of them. Their efforts make us strongly believe that ZTE's product security has a promising future.

CEO Statement

2013 was an unusual year in terms of cyber security. Many international security incidents aroused great attention from countries, organizations and individuals. The information and communication technologies are no doubt an efficient driver of the global digital economy. However, while bringing convenience to our work and life, they also pose challenges to cyber security. For example, when the whole world is expecting the convenience brought by the smart city and big data age, the dark clouds of information security, cyber crimes and cyber terrorism are approaching. The worries about the security of network information are rapidly spreading among customers, industries and the public, and a crisis of confidence is brewing between different interest groups. There are so many challenges that it is too late for us to form new rational habits. It is likely that we, driven by our old habits, act in a self-preserving manner to avoid the challenges.

As a major participant in the ICT industry, ZTE Corporation has a profound understanding of its responsibilities in the industry ecology and public security, and is willing to undertake these responsibilities. We believe that as long as the whole industry and society actively cope with the challenges together, the digital ecology will develop in a healthy and sustainable manner and society will not be trapped in the fear of cyber security issues or cease the pace of civilization.

The ZTE Cyber Security Committee established a perfect product security system that covers the entire lifecycle of each product and strictly complies with ISO 27001, ISO 15408, and ITU-T X.805.

To ensure the security of products and solutions provided for customers in all industries, we continuously optimize the product security management structure, focus on customer needs, and improve the product security system that covers areas in the entire product lifecycle, including Research & Development, supply chain, manufacturing, verification, delivery, and incident management.

As an independent internal security evaluation organization, the ZTE Cyber Security Laboratory is equipped with the world's leading tools for identifying known and unknown vulnerabilities, and helps to verify that our products meet the security standards, baselines and criteria from the customers' point of view.

We have set up a strict authentication mechanism and a personnel management flow for important parts in daily operations, ensuring that the customer information is traceable and properly used. We are actively building up a service continuity management and incident mechanism together with our customers.

We stick to universal business ethics and commit that our products and operation capabilities do not serve any specific political purposes, ensuring public security. We are open-minded and willing to participate in the formulation of international standards and communicate with international counterparts.

We will continuously develop the security awareness and responsibility of our employees because highly qualified citizens are the most essential factor in securing cyber security and social stability.

In the future, we will expand cyber security construction into more domains by deepening cooperation with governments, carriers, suppliers, organizations and communities, repay our customers with more benefits, and contribute to the construction and maintenance of a better cyber security order.

CEO Shi Lirong

History

2005

In 2005, ZTE became the first Chinese enterprise to obtain ISO 27001 (information security management) certification. ZTE's product security activities include standard establishment, security assurance, security evaluation, and incident response. ZTE cooperates with international security service and assessment organizations, and has established the Cyber Security Committee, with technical support from the product lines, to continuously improve product quality and enhance customer confidence.

ZTE has built a thorough security guarantee system that covers the whole lifecycle of its products and strictly complies with ISO 27001, ISO 15408 (Common Criteria for evaluating the security of information technologies) and ITU-T X.805 (security architecture for systems providing end-to-end communications). Guided by the Cyber Security Committee and organized by the Cyber Security Committee Office, ZTE continuously optimizes its product security management structure and improves the security guarantee mechanism for the whole product lifecycle, covering R&D, supply chains, manufacturing, verification, service delivery, and incident management, to provide secure products and solutions for customers in all industries.

2010

In 2010, atsec, a leading information security provider, evaluated ZTE's cryptographic algorithms. In the same year, ZTE's Unified Platform Cryptographic Library (UPCL) and UEP Cryptographic Module (UEPCM) cryptographic modules were validated by the National Institute of Standards and Technology (NIST) against the FIPS (Federal Information Processing Standard) 140-2 standard (security requirements for cryptographic modules). ZTE became the first Chinese communications equipment manufacturer to obtain a FIPS certificate. ZTE's CDMA/WiMAX, bearer network, core network, fixed network, GSM/UMTS and TD products have been awarded Common Criteria (CC) certificates. In addition, in 2011 the CDMA/WiMAX NetNumen U31 was granted a CC certificate by the CC scheme in the Netherlands, the first CC certificate obtained by a Chinese communications manufacturer.

As an independent security verification department within the company, ZTE's Cyber Security Laboratory is an integrated platform for evaluation, capability development, incident response, knowledge base management, and technical communication.

2014

In 2014, ZTE further improved its product security guarantee system, product security baselines, R&D standards, and supply chain security management, and built a supplier product security management system and a supplier-oriented purchase security baseline complying with ISO 28000 (specification for security management systems for the supply chain). We have integrated the key product security requirements into all purchase, manufacturing and delivery activities, and have established effective information release and incident response mechanisms to ensure a response within 24 hours.

As a globally leading communications product and solution provider, ZTE considers customer focus, comprehensive guarantee, timely response, security, and trust as its product security policies, and makes every effort to bring more benefits to customers, industries and society.

Policies and Goals

Product Security Policies

ZTE's product security policies are customer focus, comprehensive security assurance, timely response, and security and reliability.

Product Security Goals

Referring to its strategic development plan, international standards, laws, and regulations, ZTE continuously optimizes the product security management structure and improves the security assurance mechanism for the whole product lifecycle, covering R&D, supply chains, manufacturing, verification, delivery, and incident management. Through this structure and mechanism, ZTE provides reliable products and solutions for customers, and ensures that all products operate in a secure manner and meet the security baseline requirements and the Confidentiality, Integrity, and Availability requirements.

Product Security Framework

ZTE achieves its product security goals by referring to the following model:

Figure 1 Customer-Focused Product Security Assurance Model (the customer at the center, surrounded by six areas, each annotated with the standards and baselines applied in it):
● R&D: HPPD, Design Security Baseline, ITU-T X.805, ISO 15408, ISO 27001
● Supply Chain: ISO 27001, ISO 28000, Purchase Security Baseline
● Manufacturing: ISO 27001, ISO 15408, Manufacturing Security Baseline
● Verification/Audit: ISO 27001, ISO 15408, Design Security Baseline, Special Topic Audit Baseline
● Service Delivery: ISO 27001, Customer Communication Mechanism, Service Delivery Security Baseline
● Incident Management: ZTE-PSIRT, Event Management Platform, Website Security Column

● R&D: Complying with ISO 15408, ITU-T X.805 and ISO 27001, ZTE establishes "product security baselines" and security design standards for important products, to implement product security as a basic attribute during the R&D process, based on the high performance product development process, and to ensure that the R&D outputs are secure products and solutions.

● Supply chain: Complying with ISO 27001 and ISO 28000, ZTE optimizes the supplier product security management mechanism, in which suppliers include service suppliers as well as hardware and software suppliers, to ensure accurate product security traceability, effective operation, and continuous improvement.

● Manufacturing: Complying with ISO 27001 and ISO 15408, ZTE establishes a security management mechanism covering incoming materials, manufacturing, packaging, and delivery, to ensure the consistency and traceability of product information during the manufacturing and delivery processes.

● Verification: Complying with ISO 15408 and ISO 27001, ZTE establishes a comprehensive flow for product security evaluation and a mechanism for reviewing the implementation of product security standards, to ensure that delivered products have reliable information security assurance capability and that product security regulations function effectively.

● Service delivery: Complying with ISO 27001, ZTE enhances the security of delivery flows, integrates key product security requirements into all delivery activities, and starts secure service delivery with important markets and projects.

● Incident management: ZTE establishes effective information release and incident response mechanisms, to quickly identify risks and ensure a response within 24 hours.

Product Security Organization Structure

ZTE's product security organization structure consists of the strategy committee, the Cyber Security Committee, the executive teams (formed by the ZTE Cyber Security Laboratory and the product security teams from the sales, product, platform and other divisions), and the support teams.

Figure 2 Product Security Organization Structure (organization chart):
Strategy committee
Cyber Security Committee
Executive teams: Cyber Security Laboratory and Cyber Security Committee Office; Product Security Incident Response Team; product security teams of R&D management, the product operation team, the government and enterprise division, the domestic sales division, the international sales divisions, the terminal division, and manufacturing and supply chains
Support teams: Legal affairs, IT center, Government, Brand, Finance, Auditing, HR, Administration

Cyber Security Committee

The Cyber Security Committee is responsible for making product security strategies, plans, policies, and investment decisions, and for promoting the implementation of strategic concerns and audits. This committee, together with the company's structure and process platform, continuously optimizes product security in accordance with developments in the security field. The Cyber Security Laboratory, a standing organization under the Committee, makes product security strategies, policies, flows, and standards, and deploys resources accordingly.

Cyber Security Laboratory

The Cyber Security Laboratory (also the Cyber Security Committee Office) is a standing organization under the Committee. It is responsible for security incident management, information disclosure, product security certification and cooperation, research on industrial product security standards, and the promotion of product security development. In addition, this Laboratory establishes product security baselines, performs product security evaluations, and provides suggestions to the company's decision makers during important product security evaluations.

Product Security Team of R&D Management

Complying with the company's product security strategies and industry requirements, this team establishes R&D regulations, embeds security elements into R&D processes, pushes the product lines to implement these elements, analyzes and transfers product security information related to R&D management, and discusses special security topics with customers.

Product Security Team of the Product Operation Team

This team cooperates with the Product Security Laboratory to establish product security baselines and related product technical standards, and is responsible for the implementation of security requirements during the product planning, R&D, and test processes.

Product Security Team of Sales Divisions

This team collects security information from different regions, leads or participates in interactions with customers, governments, partners, and local security organizations, and responds to security incidents in a timely manner, including incident collection, handling, and escalation.

Product Security Team of Manufacturing and Supply Chains

This team cooperates with the Cyber Security Laboratory to establish supply chain management security baselines and related technical standards, and is responsible for the implementation of security requirements during supply chain processes.

Support Teams

These teams provide support related to product security, including internal control, legal affairs, brand promotion, the security column, the IT platform, HR, finance, auditing, and government relations.

Product Security Management Process

ZTE's product security management process follows the Plan-Do-Check-Act (PDCA) model.

Figure 3 Product Security Management Process (PDCA cycle: Establish the product security plan (Plan); Implement product security (Do); Check product security (Check); Maintain and improve product security (Act))

Establish the product security plan (Plan)

Analyze customers' requirements on product security, laws and regulations, and security best practices; identify and evaluate product security risks; determine product security goals and medium- and long-term needs; formulate product security strategies, organization structure, and flows; analyze the scope and contents of product security; and formulate security baselines in different fields.

Implement product security (Do)

Integrate product security into core processes such as R&D, supply chains, problem solving, engineering, and service, and set multiple control points for the implementation of security activities and baselines.

Check product security (Check)

Evaluate product security milestones, verify security baselines through the independent Cyber Security Laboratory, and check product security compliance.

Maintain and improve product security (Act)

Analyze the implementation results of product security tasks against the product security policies, goals, strategies, and practices, evaluate security incidents, and take preventive measures.

Product Security Standard System

ZTE's product security standard system includes four layers.

Figure 4 Product Security Standard System Structure:
Layer 1: Product security general principles
Layer 2: Product security procedural documents
Layer 3: Product security work instructions
Layer 4: Product security records

Layer 1: Product Security General Principles

The product security general principles are an outline for the company's product security, covering product security policies, goals, organization structure, management, processes, and activities. Documents of all the other layers must use the general principles as their basis.

Layer 2: Product Security Procedural Documents

Product security is integrated into the core processes of the company. The security management processes are formulated as required, such as the product security incident response process, product security evaluation rules, and red line requirements.

Under the guidance of the product security general principles, technical requirements and templates for product security baselines are formulated. Product security baselines, supply chain security baselines, and service security baselines are formulated for product series. Best practices for security baselines are established. Product security test requirements and templates are developed.

Layer 3: Product Security Work Instructions

Standards of this layer include the developed product security requirements, security design solutions, security implementation solutions, security test solutions, security test cases, security hardening manuals, security operation and maintenance manuals, and security tool software operation guides.

Layer 4: Product Security Records

Execution results are recorded, such as evaluation records, evaluation reports, vulnerability reports, and vulnerability records.

Security Baselines

ZTE's products include self-developed products and third-party products. Different products and systems have different security levels. To ensure the security level of its products, ZTE applies the Plan-Do-Check-Act (PDCA) cycle to end-to-end product delivery, to ensure that the products meet the security baseline requirements and avoid potential security risks. Security baselines are the criteria for product R&D, third-party product purchasing, system operation and maintenance configuration, security hardening, security evaluation, and security management. Security baselines cover the entire product delivery process from end to end.

The security baselines include the product security function baseline, security assurance baseline, penetration test baseline, supply chain and purchasing security baseline, and service security baseline. The product security baseline is one of the sources of security function requirements. As an input to the security function requirements, the security assurance baseline must reach EAL3 or above of the Common Criteria (CC) for Information Technology Security Evaluation, Version 3.1 Release 4.

The security baselines must be verifiable. An independent third-party organization checks the security baselines, verifies that the delivered product meets the security baseline requirements, and writes a security baseline report.

Before series production of a new product, the new product must meet the security baseline requirements. Products that are already on the market must meet the service security baseline requirements.

Management Assurance

The R&D processes provide management assurance for product security. ZTE identifies the major processes related to product security by checking the current processes, adds security activities at the product security check points, and considers security factors in the defined processes.

ZTE develops and revises regulations and templates related to product security, to cover and monitor the major R&D processes.

Figure 5 Security Processes in R&D Processes (process map: planning process (understand the market, define market needs, make service policies and plans, product version planning); initialization management (initialize the project, performance appraisal); development process phases Concept, Plan, Development, Verification, Release, and Operation and maintenance, with the activities define product requirements, software concept design, system design, coding, system test, security certification, user document development, and configuration management (including change, defect, and version management); security activities owned by the security director and security specialists (define/update security baselines, define/update security programming specification, security incident management, daily operation, technology audit); legend: new processes for which the security director/security specialists are responsible, defined processes that change a lot, defined processes for which only security factors need to be considered, optional processes defined based on market requirements, and specification/template revision points)

Security Standards and Regulations

As a basic standard for internal use, the Product Security General Requirements was officially released in February 2014. It is used by ZTE as a reference standard to establish the product security management structure, improve the product security assurance mechanism, provide secure and reliable products for customers, and ensure that its products can operate in a secure manner.

In 2014, ZTE released multiple enterprise standards related to the project development, product planning, product development, and product delivery processes.

The general product security baselines, and the regulations concerning security baselines, secure coding, security testing, and security incident management for the main products of the R&D institutes, are continuously developed and released.

Product Security Documents

A product security document describes the typical networking modes of the product, the security threats facing the product, the security goals that may be affected by those threats, and the security architecture and measures, vulnerability patches and hardening policies, and security incident management policies used to achieve the security goals.

Product Security Trainings

This year, ZTE has conducted multiple internal trainings on product security standards and regulations and on carriers' security requirements. The security trainings cover all key employees from system, R&D, testing, and process management for system products and mobile phones. The security tool trainings offered by the tools' original manufacturers cover all product-line employees who are directly responsible for system product R&D and testing.

Page 18: ZTE Corporation Product Security White Paper · ZTE Corporation Product Security White Paper ——Build an All-Round Product Security ... in 2011, the CDMA/WiMAX NetNumen U31 is

ZTE Product Security White Paper

1�

Figure 6 Product Security-Related Flows in Product Development Process (diagram not reproduced; it maps the phases Concept, Plan, Development, Verification, Release, and Operation & Maintenance to security inputs such as legal and regulatory standard specifications, customer security requirements, the security baseline and its implementation guide, security common building blocks, open source software security, the security development standard, and supplier product security, and to outputs such as the security document, penetration test report, vulnerability analysis, security test report, field certification test, user security manual, production security, patch management, operation monitoring, and incident management)

R&D Security

To provide secure and reliable products for customers, ZTE integrates "security" as a basic product attribute into the product R&D lifecycle. In addition, ZTE integrates security activities such as security requirements, security design, security development, and security testing into the high-performance product development process, to ensure that security is effectively implemented. As a result, product robustness and privacy protection are assured, and ZTE can provide secure products and solutions for customers.

Concept Phase

The product planning team analyzes market access requirements (laws, regulations, and industry standards), customer security requirements, third-party analysis, industry activities, peer experience, and internal security requirements, and includes middle-and-long-term security requirements in product roadmap planning and short-term security requirements in product version planning. The product security requirements mainly include the following two parts:

● Product security baselines, which are the most basic security requirements and must be executed

● Risks of the products when applied to carrier networks or government and enterprise networks, and the corresponding solutions

Plan Phase

In this phase, the product security structure and features are designed after detailed analysis of the security requirements identified in the concept phase. ZTE develops the product security design specification by referring to the industry best practices of ITU-T X.805 and ISO15408.

When determining the product architecture and a system solution, the company analyzes the security requirements and potential security threats of the system, and accordingly describes the product security architecture, the system solution, and the key interfaces. In addition, the company checks whether the system solution meets the market and customer security requirements, and verifies the security of key materials from suppliers and of third-party software based on the security access standard.

Development Phase

In the development phase, the company implements the design of the security function modules and plans the source code files based on the description of the security architecture, security system solution, security module requirements, and related interfaces. Based on the detailed description of the security function modules, the company implements the modules in code by adhering to the security coding specification, and develops the security documents. In accordance with the general project testing plan, the company develops the security testing flow and the security testing solution, designs and executes test cases to verify the security function modules, performs the penetration test on the product and system, and analyzes their vulnerabilities. Then, the company determines the security hardening solution for the product and provides evidence for product security certification.


Verification Phase

The testers test the product according to the security test cases. The Cyber Security Laboratory is independent of the product system, and is responsible for verifying whether the product complies with the requirements of the product security baselines.

Release Phase

The company protects the security of software and hardware, and ensures the traceability and auditability of the product and the security of the manufacturing process.


Supply Chain Security

The supply chain security risks in the communications manufacturing industry are reflected in the product software features and in the information security involving the product. Supply chain security requires that the self-developed product, together with purchased materials, be securely manufactured, stored, transported, and delivered to customers. The value of ensuring supply chain security is to keep advantages over competitors in supply chains. ZTE's supply chain security is recognized by customers through its globally recognized supply chain security qualification.

By referring to the ISO28000 supply chain security management system, ZTE identifies and evaluates security risks in the process from production to sales, and reduces security threats posed to the product through the security management flow.


Material and Supplier Security Control

The supply chain security process monitors the entire logistics process, covering the raw materials and half-finished products warehouse, production line, finished products warehouse, and transportation carriers involved in the production process. Network technology security is embedded into the material management and supplier management systems by using technology criteria, material management, and supplier management.

● Formulate security baselines for high-risk raw materials based on ISO15408, and classify the network technology security risks of raw materials into different levels based on product security criteria. For raw materials of low or middle risk, only agreements need to be signed with the suppliers. For raw materials of high risk, tests are required.

● Develop the mechanism for identifying high-risk materials on which the main products rely, and the supplier rating mechanism. For high-risk raw materials, the tests include the integration test with the main product and the raw material test. Rectify raw materials and suppliers that show security problems in the main product test in accordance with the product security response mechanism. Formulate material management rules based on the security requirements from customers, apply the ISO15408 standard to each material type, and identify and test the specific security risks.

● Embed network technology security into the material management and supplier management systems.

● Make supplier management rules, include these rules in the current control flow, and enhance the management of overseas and local suppliers. Standardize the supplier performance appraisal results, material value types, and supplier rating, promoting the continuous optimization of supplier management and improving data accuracy and overall supplier performance.

● Establish the supplier management baseline, and sign the security agreement on differentiated products.

● Develop response mechanisms for risky materials in different scenarios.


Supplier Relationship Security Control

The purpose of supplier relationship information security is to protect the security of the assets that suppliers access. The control measures of the security policy are described as follows:

● Negotiate the information security requirements with suppliers and document them, to reduce the risks of their access to the assets.

● Establish related information security requirements, and negotiate them with suppliers that may access, process, store, or discuss information, or provide IT infrastructure facilities.

● Include the information security risks related to information and communication technology services and product supply chains in the agreement with a supplier.

The security control objective of supplier service delivery management is to maintain the level of information security and service delivery agreed with the supplier.

● The measure for monitoring and reviewing supplier services is to regularly organize the monitoring, review, and audit of supplier service delivery.

● The control measure of supplier service change management is to manage changes in the services provided by the supplier, including maintaining and improving current information security policies, specifications, and control measures. Re-evaluation of the risks of service systems and processes must be taken into account.


Manufacturing

The manufacturing security requirements include the security function requirement and the non-technical security assurance requirement. The correctness and validity of security functions are ensured by checking whether six aspects, namely development, guidance documentation, lifecycle support, security target evaluation, testing, and vulnerability evaluation, meet the security function requirement and the security assurance requirement.

Following the security assurance requirements of ISO15408 EAL 3 and above, the manufacturing security team audits the physical security, logical security, and personnel security in the R&D and production environments, and the physical security of logistics transition, dispatch and receiving, and after-sales.

The objects of the on-site audit include the production environment, logistics transition, dispatch, and after-sales security.

In the on-site audit of the production environment, the Subversion (SVN) version control, Engineering Change (EC), and Product Data Management (PDM) systems are used to manage and control the R&D location, security assurance measures, and information transmission, and to audit the onboarding and release of R&D project personnel and the physical security of IT networks, R&D and testing equipment, and office facilities.

In the on-site audit of logistics transition, dispatch, and after-sales security, the manufacturing security team strictly follows the security control program to audit the transition of half-finished products, the dispatch and acceptance of equipment, the engineering installation and upgrade, the response to equipment faults, and the internal fault handling process.


Secure Terminals

As smartphone users face an increasing number of serious security problems, ZTE provides the most complete end-to-end product lines and integrated solutions in the communications industry. ZTE flexibly satisfies the diverse requirements and innovative pursuits of different operators and enterprise customers all over the world by providing a full range of wireless, wired, service, and terminal products, and professional communication services. ZTE has attached great importance to user privacy over the years by making full use of security mechanisms to provide secure terminals and improve the security performance of cell phones. ZTE believes that terminal manufacturers alone are not enough to secure a cell phone. Building a fully secure terminal product requires cooperation between the terminal manufacturer and the microprocessor, platform, operating system, and application providers. A secure cell phone needs security mechanisms from the bottom layer to the application layer, for example, the TrustZone technology from the microprocessor manufacturer ARM; the Secure Boot, Secure File System, and Secure Execution Environment technologies from the platform manufacturer Qualcomm; the process isolation, application permission, and application signature technologies of the Android system; and the Secure Download from terminal vendors. Security protection cannot be achieved in a single step; multiple layers of protection are required to resist network attacks. ZTE fully uses its own advantages to cooperate with upstream and downstream manufacturers in building a secure product chain for mobile intelligent terminals.

In August 2013, the smartphones U988S and N5S provided by ZTE Corporation both passed the highest level (Level 5) of security test in China. As of November 2014, ZTE is the only manufacturer that has passed the level-5 security test.


Compliance

Verification and Audit

The security verification checks whether the product meets the security baselines before trial production, whether the product has security vulnerabilities and risks, whether the evidence required for security assurance is complete, and whether the delivered documents meet the security assurance baseline.

The security audit checks whether security policies, security baselines, and processes are effectively implemented. The audit identifies and evaluates security risks by checking the implementation of security activities, and corrects non-conformities if any.

Customers usually request the communications equipment manufacturer to independently perform security verification and audit on products. The security verification and audit are independently performed by the Cyber Security Laboratory within ZTE. Sometimes, as required by the customer, ZTE entrusts an external independent third-party evaluation organization with the security evaluation.

The Cyber Security Laboratory is responsible for testing and evaluating the security of ZTE's products. It has the following basic features:

● Complete laboratory facilities: The laboratory has real integrated communication network test software and hardware environments.

● Systematic security evaluation tools: The laboratory is equipped with industry-leading tools, including code scanning, vulnerability analysis and discovery, and penetration test tools.

● Professional technicians: All personnel in the laboratory have an ICT product R&D background, and more than 30% of them are engineers with the Certified Information Systems Security Professional (CISSP) qualification.

● Standardized management system: ZTE formulates the product security test management specification. A product must pass the evaluation of the Cyber Security Laboratory before being released. The laboratory strictly complies with ISO17025 (General requirements for the competence of testing and calibration laboratories) to ensure the objectivity, fairness, and reliability of tests.

Internal Control Security

ZTE's internal control security management meets the risk management requirements of the ISO27000 series standards.

● ZTE establishes, implements, operates, monitors, reviews, maintains, and improves the information security management system for the organization's service activities and risks based on ISO27000 (a family of information security management standards).

● ZTE regularly issues an effectiveness measurement report on the information security standard, and issues an information security dashboard report through the Security Operation Center (SOC) every month to show the security status of the company and of the different departments.

● ZTE regularly holds a security conference.

● ZTE records and corrects behaviors that do not comply with the information security policies, and analyzes potential risks and corresponding preventive measures through the SOC system.

● Management staff responsible for information security system management must hold the ISO27001 lead auditor or internal auditor qualification. Staff related to the information security management system have received ISO27001 standard training.

● The IT system development, daily maintenance, and other management services within the company must comply with the information security management specification. The specification covers the service and application systems, data recovery and disaster recovery systems, and internal networks (WANs and LANs) in the company's IT infrastructure, as well as the personnel, physical areas, and facilities related to these systems.

● Information in ZTE is classified into four levels: "internal use only", "proprietary confidential", "highly confidential", and "top secret". ZTE has strict authorization management, and strictly follows the need-to-know principle and the least privilege principle to effectively protect information security for customers and users. For example, the confidentiality level of a product design document must not be lower than "proprietary confidential", and that of a strategic core project document must not be lower than "highly confidential". The security configuration of customer information must be higher than the security baseline of the highly confidential level, to prevent breaches of core customer data.

Legal Compliance

Legal compliance is the bottom line of ZTE's product security. The information security policies, including security standards, processes, and the information system framework, must comply with the local laws. The company-level security controls must be consistent. To ensure its legal compliance, ZTE performs the following operations:

● Identifying laws and regulations involved within the information security policies and processes, and defining and documenting the responsibilities

● Requesting all employees to adhere to the code of conduct of the intellectual property law, to reduce risks of copyright infringement and protect rights of copyrights, design patents, and trademarks

● Ensuring that the collection, dissemination, and use of personal information comply with the local privacy laws, and that the security organization informs all employees, users, and service suppliers of the company about their responsibilities and the processes that they must follow, and regularly audits the adherence to privacy laws, to reduce the risk of privacy invasion

● Ensuring that information devices are used only for operating activities, adhering to the secure use of information devices, drafting an instruction guide to monitor the use, and ensuring that all information devices are used for authorized operations

● Technically adhering to security policies by maintaining the Standard Operation Environment or Baseline Security Standard

● Regularly auditing the adherence to security policies every year, and conducting audits approved by the security organization, to reduce the impact on normal operating activities


Delivery

Security Hardening

The security requirements in the delivery phase are reflected in the "Product Configuration Guide" and the "Product Security Hardening Manual". The criteria for drafting the configuration guide and hardening manual come from the R&D phase.

First, the system security design is considered in the solution design phase and reflected in the "Product Security Design Solution". Then, the "Product Security Hardening Manual" is completed based on the actual product. In the test phase, the related security test cases are executed based on the "Product Security Hardening Manual".

In the engineering operation and maintenance phase, the after-sales personnel complete the "Product Security Engineering Operation Guide", "Product Security Daily Maintenance Guide", and "Product Engineering Acceptance Security Checklist" based on the "Product Security Hardening Manual". By reading the operation guides and the checklist, operators can obtain the related product configuration, debugging, maintenance, and security hardening requirements and suggestions.

The security hardening manual is applied after completion of the project implementation, and covers the security specification and the security hardening check. The security specification refers to the security hardening specification that must be executed. The security hardening check refers to the security scanning of the product to check whether any security vulnerability exists. In addition, the security hardening manual includes the common attacks faced by the corresponding product and the handling methods.

The security hardening checklist varies with the actual product. For example, for an operating system-type product, a list of vulnerabilities to be checked can be generated from the found vulnerabilities in three aspects: operation security, data security, and security management. In addition, the risk levels of the vulnerabilities should be included in the check items, to provide clearer guidance for hardening operations.

Operation & Maintenance

ZTE continuously pays attention to and deals with security problems in the last phase of the product lifecycle. ZTE's main tasks in the operation and maintenance phase are described as follows:

● Collecting security incidents submitted by customers and released by industry associations

● Paying attention to vulnerabilities and patches released by system software providers and professional security providers

● Analyzing vulnerabilities that may exist in the product, and managing security incidents based on the product security incident response mechanism

● Ensuring that the suppliers support the vulnerability report and incident response mechanisms, and regularly auditing the security of suppliers

● Ensuring the security of reverse logistics


Figure 7 AOS O&M Architecture

Separate access to different operation and maintenance systems increases operating difficulty. Based on the concept of "easy to use, compatible, and secure", the NetNumen™ Advanced Operations Suite (AOS) helps customers solve the security problems of operation and maintenance systems, including the lack of a unified access point, the lack of single login, scattered information, and remote system deployment. The AOS provides a unified portal with aggregated services and optimized operations. It has multiple advantages, such as cost saving, certification and authorization, security, and compatibility.

● Single login: The AOS provides a unified portal. After login, you can access all systems in the mutual trust domain.

● Centralized display: Scattered information is aggregated and displayed on a unified dashboard.

● Virtual application: The patented virtual application technology, with low bandwidth use and high security, prevents sensitive information from being transmitted over the network.

● Customization: The AOS provides system and information customization for customers.

● Security control: The AOS provides a unified 3A (authentication, authorization, and accounting) security control mechanism and video auditing of operations.

The AOS O&M architecture diagram in Figure 7 is not reproduced; its labelled elements are WAN, LAN, AOS-Coolbit, AOS-Portal, AOS-Dashboard, AOS Servers, OSS/NMS/EMS servers, and WEB.


Security Incident Response

Figure 8 Security Incident Response Mechanism (diagram not reproduced; its labels are Customer, Third Party, After Sales, Vendor, Security Incident Report & Vulnerability Report, ZTE PSIRT, Response within 24 hours, Risk-avoiding Scheme, Information Disclosure, Patch Development, Patch Release, Version Upgrade, Security Advisory, and "Based on the secure network for ZTE Products")

Security Incident Handling

ZTE's Product Security Incident Response Team (PSIRT) is the incident response organization responsible for collecting, eliminating, and disclosing security vulnerabilities in ZTE's products and solutions. It is the only organization through which ZTE discloses vulnerability information. Its responsibilities are described as follows:

● Responding to and handling security incidents submitted by customers

● Responding to and handling security incidents released by industry associations

● Formulating the information security incident management policy and security incident handling methods

● Analyzing vulnerabilities and patches released by system software providers and professional security providers

The public email address for security incident management is [email protected]. It is the window through which ZTE responds to security incidents. External security vulnerability reports provide helpful input for product R&D from the perspective of operation and maintenance.


Management Specification

The Product Security Incident Management Specification specifies the product security incident management flow and the responsibilities of departments, and ensures the quality and efficiency of product security incident management. This specification covers all pre-sales, in-sale, and after-sales processes related to product security, including special security communications with customers, cooperation with security organizations, incident response management, security information release, information security compliance, and legal compliance flows.

The management specification is clearly defined to ensure the efficiency of security incident management. For example, security incidents must be acknowledged within 24 hours, and high-risk security vulnerabilities must be eliminated within 30 days.

Communication and Cooperation

In 2014, as a platform for security technology interaction, the ZTE Cyber Security Laboratory has communicated with customers on product security, the incident response mechanism, and security requirements. It fulfills customer needs by pushing ongoing security activities and progress to customers in a timely manner.

The ZTE Cyber Security Laboratory gradually deepens its cooperation with external security organizations on security tools, evaluation methods, vulnerability information sharing and elimination, and security incident response.

The "Information Security Award Program for White Hats" launched by ZTE is intended to reward the excellent security researchers who continuously help improve ZTE's product security, that is, white hats. The pilot product security award program for white hats has already started.

To achieve its security goals in the future, ZTE communicates and cooperates with industry peers to obtain feedback from stakeholders and advanced technology and management experience in the security field.


Security Column

The Security Column is a public information release platform for ZTE to publish security statements, disclose security vulnerabilities, and report security incidents. This platform is used to demonstrate the company's brand image and attitude towards product security problems, which improves customers' confidence in the company's brand and products.

The CEO statements on cyber security and product security, the PSIRT, and the vulnerability report and elimination flows published in the Security Column effectively show ZTE's concern about product security. The operational status of the public email address [email protected] and of the award program for white hats meets the expectations for the current phase.

The Vulnerability Advisory is used to publish vulnerabilities in ZTE's products. ZTE encourages vulnerability researchers, industry organizations, and suppliers to report security vulnerabilities in its products to ZTE PSIRT.

Address of the Security Column: http://www.zte.com.cn/cn/about/corporate_citizenship/security/.

Address of the Vulnerability Advisory: http://support.zte.com.cn/support/news/NewsMain.aspx.

The published security information is pushed to customers as required. Vulnerability information directly related to a customer's product is pushed to the customer through a special customer channel, to ensure that the customer receives the vulnerability information immediately and responds to the vulnerability quickly.


Vision

To build a peaceful, secure, open, and cooperative cyberspace is a common expectation of the international community. As a globally leading telecommunications solution provider, ZTE will continue to improve its product security and bring more value to customers, the industry, and society.