ZTE Corporation Product Security White Paper
Build an All-Round Product Security Assurance System
Zhao Xianming Executive Vice President
December 2014
Table of Contents
Preface
CEO Statement
History
Policies and Goals
Product Security Policies
Product Security Goals
Product Security Framework
Product Security Organization Structure
Product Security Management Process
Product Security Standard System
Security Baselines
Management Assurance
Security Standards and Regulations
Product Security Documents
Product Security Trainings
R&D Security
Concept Phase
Plan Phase
Development Phase
Verification Phase
Release Phase
Supply Chain Security
Material and Supplier Security Control
Supplier Relationship Security Control
Manufacturing
Secure Terminals
Compliance
Verification and Audit
Internal Control Security
Legal Compliance
Delivery
Security Hardening
Operation & Maintenance
Security Incident Response
Security Incident Handling
Management Specification
Communication and Cooperation
Security Column
Vision
ZTE Product Security White Paper
Preface
This is ZTE's first official product security white paper. It contains ZTE's achievements in product
security and its ongoing security activities. We hope this white paper will help you form a positive
understanding of ZTE's product security.
With the development of network technologies, our lifestyle is undergoing great changes. The
network is involved in social activities all over the world. With the growing importance of the
network, its vulnerability stands out. The "PRISM" scandal makes customers pay attention not
only to the quality of a product, but also to its security and reliability. Now, the reliability of a
product has become a threshold for that product to enter the market.
As a globally leading provider of telecommunications equipment and network solutions, ZTE has
offered innovative technologies and product solutions to telecommunications operators and
enterprise customers in more than 160 countries all over the world. With ZTE's technologies and
solutions, users all over the world enjoy voice, data, multimedia, and wireless communications
with one another.
ZTE's product security policies are described as follows:
● Customer focus: ZTE strictly checks its product security from the customer's point of view.
This policy is also in compliance with the "customer first" principle that ZTE always adheres to.
● Comprehensive security assurance: ZTE has built a unified product security assurance
system that covers the whole lifecycle of products.
● Timely response: ZTE quickly responds to a crisis, and solves the crisis in a timely manner.
● Security and reliability: Providing secure and reliable products and services is the objective of
ZTE's product security.
In ZTE's new Mobile - Information Communication Technology (M-ICT) strategy, security is
an essential part of the organization and its products. The purpose of this white paper is to show
that ZTE is willing to face product security challenges together with the international community.
ZTE will build a reliable network environment, and improve customers' recognition of its product
security with end-to-end product security assurance systems, reliable products, and a global
security standard formulated by stakeholders.
Science and technology change our lives, while laws and regulations maintain order. ZTE is
absolutely against network attacks of any type, and will actively protect network security,
personal data security and privacy.
ZTE has established a product security assurance system that ensures the security of a product
before its delivery. As to security vulnerabilities existing in released products, ZTE provides timely
patches and solutions. ZTE is committed to promoting security technology innovation and
evolution.
Acknowledgements
As a first attempt, this white paper embodies the hard work of many colleagues. We would
like to acknowledge Cai Xincheng, Cheng Mingjiang, Gu Nanshan, Jin Bin, Li Li, Li Weichun,
Li Weimin, Lin Guoyong, Liu Qing, Lv Jian, Ma Zhiyuan, Pan Wanpeng, Ping Li, Sui Xuan, Tao
Hong, Wang Huagang, Wang Tengfei, Wang Xuan, Wang Zhihui, Wei Yinxing, Wu Qiang, Xie
Anlin, Xu Guorong, Yao Cuifeng, Yin Linlin, Yu Ting, Yuan Ye, Zhong Hong, and others for their
great ideas for this white paper and their contributions to ZTE's product security. The progress that
ZTE's product security made in the past year belongs to all of them. Their efforts make us
strongly believe that ZTE's product security is full of hope for the future.
CEO Statement
2013 was an unusual year in terms of cyber security. Many international security
incidents aroused great attention from countries, organizations and individuals.
The information and communication technologies are no doubt an efficient driver
of the global digital economy. However, while bringing convenience to our work
and life, they also pose challenges to cyber security. For example, when the whole
world is expecting the convenience brought by the smart city and big data age,
the dark clouds of information security, cyber crimes and cyber terrorism are
approaching. The worries about the security of network information are rapidly
spreading among customers, industries and the public, and a crisis of confidence
is brewing between different interest groups. There are so many challenges that
it is too late for us to form new rational habits. It is likely that we, driven by our old
habits, act in a selfish preservation manner to avoid the challenges.
As a major participant in the ICT industry, ZTE Corporation has a profound
understanding of its responsibilities in the industry ecology and public security, and
is willing to undertake these responsibilities. We believe that as long as the whole
industry and society actively cope with the challenges together, the digital ecology
will develop in a healthy and sustainable manner and society will not be trapped in
the fear of cyber security issues or cease the pace of civilization.
The ZTE Cyber Security Committee established a perfect product security system
that covers the entire lifecycle of each product and strictly complies with ISO
27001, ISO 15408 and ITU-T X.805.
To ensure the security of products and solutions provided for customers in all
industries, we continuously optimize the product security management structure,
focus on customer needs, and improve the product security system that covers
areas in the entire product lifecycle, including Research & Development, supply
chain, manufacturing, verification, delivery and incident management.
As an independent internal security evaluation organization, the ZTE Cyber
Security Laboratory is equipped with the world's leading tools for identifying
known and unknown vulnerabilities, and helps to verify that our products meet the
security standards, baselines and criteria from the customers' point of view.
We have set up a strict authentication mechanism and a personnel management
flow for important parts in daily operations, ensuring that the customer information
is traceable and properly used. We are actively building up a service continuity
management and incident mechanism together with our customers.
We stick to universal business ethics and commit that our products and operation
capabilities do not serve any specific political purposes, ensuring public security.
We are open-minded and willing to participate in the formulation of international
standards and communicate with international counterparts.
We will continuously develop the security awareness and responsibility of our
employees because highly qualified citizens are the most essential factor in
securing cyber security and social stability.
In the future, we will expand cyber security construction into more domains by
deepening cooperation with governments, carriers, suppliers, organizations and
communities, repay our customers with more benefits, and contribute to the
construction and maintenance of a better cyber security order.
CEO Shi Lirong
History
2005
In 2005, ZTE became the first Chinese enterprise to successfully establish an ISO 27001
(information security management) system. ZTE's product security activities
include standard establishment, security assurance, security evaluation and
incident response. ZTE cooperates with international security service and
assessment organizations, and has established the Cyber Security Committee,
with technical support from the product lines, to improve product quality and
continuously enhance customer confidence.
ZTE has built a thorough security guarantee system that covers the whole lifecycle
of products and strictly complies with ISO 27001, ISO 15408 (Common criteria
for evaluating the security of information technologies) and ITU-T X.805 (Security
architecture for systems providing end-to-end communications). Guided by the
Cyber Security Committee and organized by the Cyber Security Committee
Office, ZTE continuously optimizes the product security management structure,
and improves the security guarantee mechanism of the whole product lifecycle
covering R&D, supply chains, manufacturing, verification, service delivery, and
incident management, to provide safe products and solutions for customers in all
industries.
2010
In 2010, a leading information security provider, atsec, evaluated ZTE's
cryptographic algorithms. In the same year, ZTE's Unified Platform Cryptographic
Library (UPCL) and UEP Cryptographic Module (UEPCM) cryptographic modules
were validated by the National Institute of Standards and Technology (NIST), and
reached the FIPS (Federal Information Processing Standard) 140-2 (security
requirements for cryptographic modules) standard. ZTE became the first Chinese
communications equipment manufacturer to obtain a FIPS certificate. ZTE's
CDMA/WiMAX, bearer network, core network, fixed network, GSM/UMTS and
TD products have been awarded Common Criteria (CC) certificates. In addition,
in 2011, the CDMA/WiMAX NetNumen U31 was granted a CC certificate by the
CC Scheme in the Netherlands, the first CC certificate obtained by a Chinese
communications manufacturer.
As an independent security verification department in the company, ZTE's
Cyber Security Laboratory is an integrated platform for evaluation, capability
development, incident response, knowledge base management and technical
communication.
2014
In 2014, ZTE further improved the product security guarantee system, product
security baselines, R&D standards, and supply chain security management, and
built a supplier product security management system and a supplier-oriented
purchase security baseline complying with ISO 28000 (Specification for security
management systems for the supply chain). We have integrated the key product
security requirements into all purchase, manufacturing and delivery activities, and
have established effective information release and incident response mechanisms
to ensure a response within 24 hours.
As a global leading communications product and solution provider, ZTE considers
customer focus, comprehensive guarantee, timely response, security, and trust
as its product security policies, and makes all efforts to bring more benefits to
customers, industries and society.
Policies and Goals
Product Security Policies
ZTE's product security policies are customer focus, comprehensive security
assurance, timely response, and security and reliability.
Product Security Goals
Referring to the strategic plan for development, international standards, laws,
and regulations, ZTE continuously optimizes the product security management
structure, and improves the security assurance mechanism of the whole product
lifecycle covering R&D, supply chains, manufacturing, verification, delivery and
incident management. By using this structure and mechanism, ZTE provides
reliable products and solutions for customers, and ensures that all products
operate in a secure manner and meet the security baseline requirements and the
Confidentiality, Integrity and Availability requirements.
Product Security Framework
ZTE achieves its product security goals by referring to the following model:
Figure 1 Customer-Focused Product Security Assurance Model (the customer at the center, surrounded by six areas, each with its governing standards and baselines: R&D with HPPD, Design Security Baseline, ITU-T X.805, ISO15408 and ISO27001; Supply Chain with ISO27001, ISO28000 and the Purchase Security Baseline; Manufacturing with ISO27001, ISO15408 and the Manufacturing Security Baseline; Verification/Audit with ISO27001, ISO15408, the Design Security Baseline and the Special Topic Audit Baseline; Service Delivery with ISO27001, the Customer Communication Mechanism and the Service Delivery Security Baseline; Incident Management with ZTE-PSIRT, the Incident Management Platform and the Website Security Column)
● R&D: Complying with ISO15408, ITU-T X.805 and ISO27001, ZTE establishes
"product security baselines" and security design standards for important
products, to implement product security as a basic attribute during the
R&D process based on the high performance product development process,
and ensure that the R&D outputs are secure products and solutions.
● Supply chain: Complying with ISO27001 and ISO28000, ZTE optimizes the
supplier product security management mechanism, in which suppliers include
service suppliers, and hardware and software suppliers, to ensure accurate
product security traceability, effective operation and continuous improvement.
● Manufacturing: Complying with ISO27001 and ISO15408, ZTE establishes the
security management mechanism covering incoming materials, manufacturing,
packaging, and delivery, to ensure consistency and traceability of product
information during manufacturing and delivery processes.
● Verification: Complying with ISO15408 and ISO27001, ZTE establishes
the comprehensive flow for product security evaluation and the mechanism for
reviewing the implementation of product security standards, to ensure that
delivered products have reliable information security assurance ability, and that
product security regulations function effectively.
● Service delivery: Complying with ISO27001, ZTE enhances the security of delivery
flows, integrates key product security requirements into all delivery activities,
and starts service deliveries with important markets and projects.
● Incident management: ZTE establishes effective information release and
incident response mechanisms, to quickly identify risks and ensure a
response within 24 hours.
Product Security Organization Structure
ZTE's product security organization structure consists of the strategy committee,
the Cyber Security Committee, the executive teams formed by the ZTE Cyber Security
Laboratory and the product security teams from sales, products, platform and other
divisions, and the support teams.
Figure 2 Product Security Organization Structure (strategy committee; Cyber Security Committee; executive teams: Cyber Security Laboratory and Cyber Security Committee Office, Product Security Incident Response Team, and the product security teams of R&D management, the product operation team, the terminal division, the international sales divisions, the domestic sales division, the government and enterprise division, and manufacturing and supply chains; support teams: legal affairs, IT center, government, brand, finance, auditing, HR and administration)
Cyber Security Committee
The Cyber Security Committee is responsible for formulating and signing off product security
strategies, plans, policies and investment, and for promoting the
implementation of strategic concerns and audits. This committee, together with
the company's structure and process platform, continuously optimizes product
security in accordance with the development of the security field. The Cyber
Security Laboratory, a standing organization under the Committee, makes product
security strategies, policies, flows, and standards, and deploys resources
accordingly.
Cyber Security Laboratory
The Cyber Security Laboratory (also the Cyber Security Committee Office)
is a standing organization under the Committee. It is responsible for security
incident management, information disclosure, product security certification and
cooperation, research on industrial product security standards, and product
security development promotion. In addition, this Laboratory establishes product
security baselines, implements product security evaluation, and provides
suggestions for the company's decision makers during important product security
evaluations.
Product Security Team of R&D Management
Complying with the company's product security strategies and the industry
requirements, this team establishes R&D regulations, embeds security elements
into R&D processes, pushes product lines to implement these elements, analyzes
and transfers product security information related to R&D management, and
discusses special security topics with customers.
Product Security Team of the Product Operation Team
This team cooperates with the Product Security Laboratory to establish product
security baselines and related product technical standards, and is responsible for
the implementation of security requirements during product planning, R&D, and
test processes.
Product Security Team of Sales Divisions
This team collects security information from different regions, leads or participates in the interactions with customers, governments, partners, and local security organizations, and responds to security incidents in a timely manner, including incident collection, handling, and escalation.
Product Security Team of Manufacturing and Supply Chains
This team cooperates with the Cyber Security Laboratory to establish supply
chain management security baselines and related technical standards, and is
responsible for the implementation of security requirements during supply chain
processes.
Support Teams
These teams provide support related to product security, including internal
control, legal affairs, brand promotion, the security column, IT platform, HR, finance,
auditing and government relations.
Product Security Management Process
ZTE's product security management process follows the Plan-Do-Check-Act
(PDCA) model.
Figure 3 Product Security Management Process (PDCA cycle: establish the product security plan (Plan); implement product security (Do); check product security (Check); maintain and improve product security (Act))
Establish the product security plan (Plan)
Analyze the requirements of customers on product security, laws and regulations
and security best practices, identify and evaluate product security risks, determine
product security goals and middle-and-long term needs, formulate product
security strategies, organization structure and flows, analyze the scope and
contents of product security, and formulate security baselines in different fields.
Implement product security (Do)
Integrate product security into core processes, such as R&D, supply chains,
problem solving, engineering, and service, and set multiple control points for the
implementation of security activities and baselines.
Check product security (Check)
Evaluate product security milestones, verify security baselines by using the
independent Cyber Security Laboratory, and check the compliance of product
security.
Maintain and improve product security (Act)
Analyze the implementation results of product security tasks based on the product
security policies, goals, strategies, and practices, evaluate security incidents and
take preventive measures.
Product Security Standard System
ZTE's product security standard system includes four layers.
Figure 4 Product Security Standard System Structure (Layer 1: product security general principles; Layer 2: product security procedural documents; Layer 3: product security work instructions; Layer 4: product security records)
Layer 1: Product Security General Principles
The product security general principles are an outline for the company’s product
security, including product security policies, goals, organization structure,
management, processes and activities. Documents of all the other layers must
use the general principles as basis.
Layer 2: Product Security Procedural Documents
Product security is integrated into core processes of the company. The security
management processes are formulated as required, such as product security
incident response process, product security evaluation rules, and red line
requirements.
Under the guidance of product security general principles, technical requirements
and templates for product security baselines are formulated. Product security
baselines, supply chain security baselines, and service security baselines
are formulated for product series. The best practice of security baselines is
established. Product security test requirements and templates are developed.
Layer 3: Product Security Work Instructions
Standards of this layer include the developed product security requirements,
security design solutions, security implementation solutions, security test
solutions, security test examples, security hardening manuals, security operation
and maintenance manuals and security tool software operation guides.
Layer 4: Product Security Records
Execution results are recorded, such as evaluation records, evaluation reports,
vulnerabilities reports and vulnerabilities records.
Security Baselines
ZTE's products include self-developed products and third-party products. Different
products and systems have different security levels. To ensure the security level
of its products, ZTE applies the Plan-Do-Check-Act (PDCA) cycle to end-to-end
product delivery, to ensure that the products meet the security baseline
requirements and avoid potential security risks. Security baselines are criteria for
product R&D, third-party product purchasing, system operation and maintenance
configuration, security hardening, security evaluation and security management.
Security baselines cover the entire product delivery process from end to end.
The security baselines include the product security function baseline, security
assurance baseline, penetration test baseline, supply chain and purchasing
security baseline and service security baseline. The product security baseline
is one of the sources for security function requirements. As an input of the
security function requirements, the security assurance baseline must reach
EAL3 or above of the Common Criteria (CC) for Information Technology Security
Evaluation, Version 3.1 Release 4.
The security baselines must be verifiable. An independent third-party organization
checks the security baselines, verifies that the delivered product meets the
security baseline requirements, and writes a security baseline report.
Before series production of a new product, the new product must meet the
security baseline requirements. As to the products that are already put into
the market, the products must meet the service security baseline requirements.
Management Assurance
The R&D processes provide management assurance for product security. ZTE
identifies major processes related to product security by checking the current
processes, adds security activities at the product security check points, and
considers security factors for defined processes.
Figure 5 Security Processes in R&D Processes (planning process: understand the market, define market needs, make service policies and plans, product version planning; initialization management: initialize the project, performance appraisal; development process across the Concept, Plan, Development, Verification, Release and Operation and Maintenance phases: define product requirements, software concept design, system design, coding, system test, security certification, user document development, and configuration management including change, defect, and version management; security activities: define/update security baselines, define/update the security programming specification, security incident management, daily operation, technology audit; roles: security director, security specialists, R&D SE; the legend distinguishes new processes owned by the security director/security specialists, defined processes changing a lot, defined processes for which only security factors need to be considered, optional processes defined based on market requirements, and specification/template revision points)
ZTE develops and revises regulations and templates related to product security,
to cover major R&D processes and monitor these processes.
Security Standards and Regulations
As a basic standard for internal use, the Product Security General Requirements
was officially released in February 2014. It is used as a reference standard
by ZTE to establish the product security management structure, improve the
product security assurance mechanism, provide secure and reliable products for
customers, and ensure that its products can operate in a secure manner.
In 2014, ZTE released multiple enterprise standards related to project
development, product planning, product development and product delivery
processes.
The general product security baselines and the regulations concerning security
baselines, security coding, security testing, and security incident management for
the main products of the R&D institutes are continuously developed and released.
Product Security Documents
A product security document describes the typical networking modes of the
product, the security threats facing the product, the security goals that may be
affected by the threats, and the security architecture and measures, vulnerability
patches and hardening policies, and security incident management policies used
to achieve the security goals.
Product Security Trainings
This year, ZTE has conducted multiple trainings on product security standards,
regulations and carriers' security requirements within the company. The
security trainings cover all key employees from system, R&D, testing and process
management of system products and mobile phones. The security tool trainings
offered by the original manufacturers cover all product-line employees who are
directly responsible for system product R&D and testing.
R&D Security
To provide secure and reliable products for customers, ZTE integrates "security"
as a basic product attribute into the product R&D lifecycle. In addition, ZTE
integrates security activities such as security requirements, security design, security
development and security testing into the high-performance product development
process, to ensure the effective implementation of security. Therefore, product
robustness and privacy protection are guaranteed, and ZTE can provide secure
products and solutions for customers.
Figure 6 Product Security-Related Flows in Product Development Process (phases: Concept, Plan, Development, Verification, Release, Operation/Maintenance, with the activities Offering Requirements, System Architecture, Preliminary Design, Detailed Design, Development & Test, Integrated Test, System Test, System Verification Test, Volume Production and Maintenance Support; security inputs: Legal, Regulatory and Standard Specification, Customer Security Requirements, Security Baseline, Security Common Building Block, Implement Guide of Security Baseline, Open Source Software Security, Security Development Standard, Supplier Product Security, Cooperate Product Security Policy and Standard; security outputs: Beta Test, Security Document, Penetration Test Report, Vulnerability Analysis, Security Test Report, Field Certification Test, User Security Manual, Production Security, Patch Management, Operation Monitoring, Incident Management)
Concept Phase
The product planning team analyzes market access requirements (laws,
regulations, and industry standards), customer security requirements, third-party
analysis, industry activities, peer experience, and internal security requirements,
and includes middle-and-long-term security requirements in product roadmap
planning, and short-term security requirements in product version planning. The
product security requirements mainly include the following two parts:
● Product security baselines, which are the most basic security requirements and
must be executed
● Risks of the products when being applied to carrier networks or government
and enterprise networks, and the corresponding solutions
Plan Phase
In this phase, the product security structure and features are designed after
detailed analysis of the security requirements identified in the concept phase. ZTE
develops the product security design specification by referring to the industry best
practices of ITU-T X.805 and ISO15408.
When determining the product architecture and a system solution, the company
analyzes the security requirements and potential security threats of the system,
and accordingly describes the product security architecture, the system solution
and key interfaces. In addition, the company checks whether the system solution
meets the market and customer security requirements, and verifies the security
of key materials from suppliers and the security of third-party software based on the
security access standard.
Development Phase
In the development phase, the company implements the design of the security
function modules and the planning of source code files based on the description of
the security architecture, security system solution, security module requirements,
and related interfaces. Based on the detailed description of the security function
modules, the company implements the modules in code by adhering to the
security coding specification and develops the security documents. In accordance
with the general project testing plan, the company develops the security testing
flow and the security testing solution, designs and executes the test cases to
verify the security function modules, and performs the penetration test on the
product and system and analyzes its vulnerabilities. Then, the company determines
the security hardening solution for the product, and provides evidence for product
security certification.
Verification Phase
The testers test the product according to the security testing cases. The Cyber
Security Laboratory is independent of the product system, and is responsible for
verifying whether the product complies with the requirements of the product security
baselines.
Release Phase
The company protects the security of software and hardware, and ensures the
traceability and auditability of the product, and the security of the manufacturing
process.
Supply Chain Security
The supply chain security risks in the communications manufacturing industry are
reflected by the product software features and the information security involving
the product. Supply chain security requires that the self-developed product
together with purchased materials be securely manufactured, stored, transported,
and delivered to customers. The value of ensuring supply chain security is to
keep advantages over competitors in supply chains. ZTE's supply chain security
is recognized by customers with its globally recognized supply chain security
qualification.
By referring to the ISO28000 supply chain security management system, ZTE
identifies and evaluates security risks in the process from production to sales, and
reduces the security threats posed to the product through the security management
flow.
Material and Supplier Security Control
The supply chain security process monitors the entire logistics process covering
the raw materials and half-finished products warehouse, production line, finished
products warehouse, and transportation carriers involved in the production
process. Network technology security is embedded into the material management
and supplier management systems through technology criteria, material management and supplier management:
● Formulate security baselines for high-risk raw materials based on ISO15408,
and classify the network technology security risks of raw materials into different
levels based on product security criteria. As to raw materials of low or middle
risk, only agreements need to be signed with the suppliers. As to raw materials
of high risk, tests are required.
● Develop the mechanism for identifying high-risk materials on which the main
products rely and the supplier rating mechanism. As to high-risk raw materials,
tests include the integration test for the main product and the raw material test.
● Revise the raw materials and suppliers having security problems in the main
product test in accordance with the product security response mechanism.
● Formulate material management rules based on the security requirements from
customers, apply the ISO15408 standard to each material type, and identify
and test the specific security risks.
● Embed network technology security into the material management and supplier
management systems.
● Make supplier management rules, include these rules in the current
control flow, and enhance the management of overseas and local suppliers.
Standardize the supplier performance appraisal results, material value
types, and supplier rating, promoting the continuous optimization of supplier
management, and improving data accuracy and overall supplier performance.
● Establish the supplier management baseline, and sign the security agreement
on differentiated products.
● Develop response mechanisms for risky materials in different scenarios.
Supplier Relationship Security Control
The purpose of supplier relationship information security is to protect the security
of the assets that suppliers access. The control measures of the security policy
are as follows:
● Negotiate the information security requirements with the suppliers and document them, to
reduce the risks of their access to the assets.
● Establish related information security requirements, and negotiate with suppliers
that may access, process, store, or communicate information, or provide IT
infrastructure facilities.
● Include the information security risks related to information and
communication technology services and product supply chains in the
agreement with a supplier.
The security control objective of supplier service delivery management is to
maintain the level of information security and service delivery agreed with the
supplier.
● The measure for monitoring and reviewing supplier services is to regularly
organize the monitoring, review, and audit of supplier service delivery.
● The control measure for supplier service change management is to manage
changes to the services provided by the supplier, including maintaining and improving
the current information security policies, specifications, and control measures.
Re-evaluation of the risks of service systems and processes must be taken into
account.
Manufacturing
The manufacturing security requirements include the security function requirements
and the non-technical security assurance requirements. The correctness and
validity of the security functions are ensured by checking whether six aspects,
namely development, guidance documentation, lifecycle support, security
target evaluation, testing, and vulnerability assessment, meet the security function
requirements and the security assurance requirements.
Following the security assurance requirements of ISO15408 EAL 3 and above,
the manufacturing security team audits the physical security, logical security
and personnel security of the R&D and production environments, and the physical
security of logistics transfer, shipment, receiving and after-sales.
The objects of the on-site audit include the production environment, logistics
transfer, shipment and after-sales security.
In the on-site audit of the production environment, the Subversion (SVN) version control,
Engineering Change (EC), and Product Data Management (PDM) systems are
used to manage and control the R&D location, the security assurance measures
and information transmission, and to audit the addition and release of R&D project
personnel and the physical security of IT networks, R&D and testing equipment
and office facilities.
In the on-site audit of logistics transfer, shipment, and after-sales security, the
manufacturing security team strictly follows the security control program to
audit the transfer of semi-finished products, the dispatch and acceptance of
equipment, the engineering installation and upgrade, the response to equipment
faults, and the internal fault handling process.
Secure Terminals
As smartphone users face an increasing number of serious security problems, ZTE
provides the most complete end-to-end product lines and integrated solutions
in the communications industry. ZTE flexibly satisfies the diverse requirements and
innovative pursuits of different operators and enterprise customers all over the
world by providing a full range of wireless, wired, service, and terminal products
and professional communication services. ZTE has attached great importance to
user privacy over the years, making full use of security mechanisms to provide
secure terminals and improve the security performance of cell phones. ZTE believes
that terminal manufacturers alone cannot ensure the security of a cell phone.
Building truly secure terminal products requires cooperation between the
terminal manufacturers and the micro-processor, platform, operating system
and application providers. A secure cell phone needs security mechanisms from
the bottom layer to the application layer, for example, the TrustZone technology from
the micro-processor manufacturer ARM; the Secure Boot, Secure File System
and Secure Execution Environment technologies from the platform manufacturer
Qualcomm; the process isolation, application permission, and application
signature technologies of the Android system; and the Secure Download from
terminal vendors. Such protection cannot be achieved overnight, and multiple
layers of protection are required to resist network attacks. ZTE makes full use of its own
advantages to cooperate with upstream and downstream manufacturers in
building the security product chain of mobile intelligent terminals.
In August 2013, the U988S and N5S smartphones provided by ZTE Corporation
both passed the highest level (Level 5) of security testing in China. As of November
2014, ZTE is the only manufacturer that has passed the level-5 security test.
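The layered chain of trust that the Secure Boot mechanism named above provides can be shown with a small model. The following Python is an added example written for this page; it is not ZTE's, ARM's or Qualcomm's code. It assumes a simplified image format in which each boot stage begins with the SHA-256 digest of the next stage, with the digest of the first stage held by immutable ROM; real secure boot verifies a signature against a key fused into the SoC rather than a bare digest, and the stage payloads are constructed byte strings.

```python
"""Added example for this page (not ZTE, ARM or Qualcomm code): a minimal
model of a Secure Boot chain of trust.  Each stage image begins with the
SHA-256 digest of the next stage; the digest of the first stage is the
root anchor that would live in immutable ROM.  Real secure boot checks a
signature against a fused public key rather than a bare digest; that
simplification is an assumption of this example."""
import hashlib
from typing import Dict, List, Tuple

STAGE_ORDER = ["bootloader", "kernel", "system"]
DIGEST_LEN = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(payloads: Dict[str, bytes]) -> Tuple[bytes, Dict[str, bytes]]:
    """Assemble stage images back to front so each one commits to the next.
    Returns (root_digest, images); root_digest is what the ROM would hold."""
    images: Dict[str, bytes] = {}
    next_digest = b"\x00" * DIGEST_LEN          # last stage has no successor
    for name in reversed(STAGE_ORDER):
        images[name] = next_digest + payloads[name]
        next_digest = sha256(images[name])
    return next_digest, images


def verified_boot(root_digest: bytes, images: Dict[str, bytes]) -> List[str]:
    """Walk the chain like a boot ROM would: a stage runs only if its digest
    matches what the previously trusted stage committed to.  Returns the
    stages that were verified; the walk halts at the first mismatch."""
    booted: List[str] = []
    expected = root_digest
    for name in STAGE_ORDER:
        image = images.get(name)
        if image is None or sha256(image) != expected:
            break                                # missing or modified stage: halt
        booted.append(name)
        expected = image[:DIGEST_LEN]            # trusted stage names its successor
    return booted


def tamper(images: Dict[str, bytes], stage: str, rechain: bool = False) -> Dict[str, bytes]:
    """Return a copy of the images with one byte of `stage` flipped.  With
    rechain=True the earlier stages' embedded digests are rewritten too;
    verification still fails because the ROM-held root digest is immutable."""
    modified = dict(images)
    img = bytearray(images[stage])
    img[-1] ^= 0x01
    modified[stage] = bytes(img)
    if rechain:
        idx = STAGE_ORDER.index(stage)
        for i in range(idx - 1, -1, -1):
            name, successor = STAGE_ORDER[i], STAGE_ORDER[i + 1]
            modified[name] = sha256(modified[successor]) + modified[name][DIGEST_LEN:]
    return modified


# Constructed sample payloads standing in for real firmware images.
SAMPLE_PAYLOADS = {
    "bootloader": b"constructed bootloader v1",
    "kernel": b"constructed kernel v1",
    "system": b"constructed system image v1",
}


def boot_after_tamper(stage: str, rechain: bool = False) -> List[str]:
    """Build the sample chain, modify one stage, and report which stages still boot."""
    root, images = build_chain(SAMPLE_PAYLOADS)
    return verified_boot(root, tamper(images, stage, rechain))


if __name__ == "__main__":
    root, images = build_chain(SAMPLE_PAYLOADS)
    print("clean boot      :", verified_boot(root, images))
    print("system tampered :", boot_after_tamper("system"))
    print("kernel rechained:", boot_after_tamper("kernel", rechain=True))
```

The point the model makes is the one the paragraph lists as a layered requirement: a modified image is refused by the stage before it, and rewriting the embedded digests does not help an attacker because the first digest is not in writable storage.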
Compliance
Verification and Audit
The security verification checks whether the product meets the security baselines before trial production, whether the product has security vulnerabilities and risks, whether the evidence required for security assurance is complete, and whether the delivered documents meet the security assurance baseline.
The security audit checks whether the security policies, security baselines, and processes are effectively implemented. The audit identifies and evaluates security risks by checking the implementation of security activities, and corrects non-conformities if any are found.
Customers usually request that the communications equipment manufacturer independently perform security verification and audit on its products. The security verification and audit are independently completed by the Cyber Security Laboratory within ZTE. Sometimes, as required by the customer, ZTE entrusts the security evaluation to an external independent third-party evaluation organization.
The Cyber Security Laboratory is responsible for testing and evaluating the security of ZTE's products. It has the following basic features:
● Complete laboratory facilities: The laboratory has real integrated communication network test software and hardware environments.
● Systematic security evaluation tools: The laboratory is equipped with industry-leading tools, including code scanning, vulnerability analysis and discovery, and penetration test tools.
● Professional technicians: All personnel in the laboratory have an ICT product R&D background, and more than 30% of them are engineers with the Certified Information Systems Security Professional (CISSP) qualification.
● Standardized management system: ZTE formulates the product security test management specification. A product must pass the evaluation of the Cyber Security Laboratory before being released. The laboratory strictly complies with ISO17025 (General requirements for the competence of testing and calibration laboratories) to ensure the objectivity, fairness and reliability of tests.
Internal Control Security
ZTE's internal control security management meets the risk management requirements of the ISO27000 series of standards.
● ZTE establishes, implements, operates, monitors, reviews, maintains and improves the information security management system, in the context of the organization's service activities and risks, based on ISO27000 (an information security management standard system).
● ZTE regularly issues a validity measurement report on the information security standard, and issues an information security dashboard report through the Security Operation Center (SOC) every month to show the security status of the company and of the different departments.
● ZTE regularly holds a security conference.
● ZTE records and corrects behaviors that do not comply with the information security policies, and analyzes potential risks and the corresponding preventive measures through the SOC system.
● Management staff responsible for information security system management must hold the ISO27001 lead auditor or internal auditor qualification. Staff involved with the information security management system have received ISO27001 standard training.
● The IT system development, daily maintenance, and other management services within the company must comply with the information security management specification. The specification covers the services and application systems, data recovery and disaster recovery systems, and internal networks (WANs and LANs) in the company's IT infrastructure, as well as the personnel, physical areas, and facilities related to these systems.
● Information in ZTE is classified into four levels: "internal use only", "proprietary confidential", "highly confidential" and "top secret". ZTE has strict authorization management, and strictly follows work-related access principles and the least privilege principle to effectively protect the information security of customers and users. For example, the confidentiality level of a product design document must not be lower than "proprietary confidential", and that of a strategic core project document must not be lower than "highly confidential". The security configuration for customer information must be higher than the security baseline of the highly confidential level, to prevent core customer data breaches.
Legal Compliance
Legal compliance is the bottom line of ZTE's product security. The information security policies, including security standards, processes, and the information system framework, must comply with the local laws. The company-level security controls must be consistent. To ensure its legal compliance, ZTE performs the following operations:
● Identifying the laws and regulations involved in the information security policies and processes, and defining and documenting the responsibilities
● Requiring all employees to adhere to the code of conduct on intellectual property law, to reduce the risk of copyright infringement and protect copyrights, design patents, and trademarks
● Ensuring that the collection, dissemination, and use of personal information comply with the local privacy laws, that the security organization informs all employees, users, and service suppliers of the company of their responsibilities and the processes that they must follow, and that adherence to privacy laws is regularly audited, to reduce the risk of privacy invasion
● Ensuring that information devices are used only for operating activities, adhering to the secure use of information devices, drafting an instruction guide to monitor their use, and ensuring that all information devices are used only for authorized operations
● Technically enforcing security policies by maintaining the Standard Operation Environment or Baseline Security Standard
● Auditing adherence to security policies every year, with audits approved by the security organization, to reduce the impact on normal operating activities
Delivery
Security Hardening
The security requirements in the delivery phase are reflected in the "Product Configuration Guide" and the "Product Security Hardening Manual". The criteria for drafting the configuration guide and the hardening manual come from the R&D phase.
First, the system security design is considered in the solution design phase and reflected in the "Product Security Design Solution". Then, the "Product Security Hardening Manual" is completed based on the actual product. In the test phase, the related security test cases are executed based on the "Product Security Hardening Manual".
In the engineering operation and maintenance phase, the after-sales personnel complete the "Product Security Engineering Operation Guide", "Product Security Daily Maintenance Guide" and "Product Engineering Acceptance Security Checklist" based on the "Product Security Hardening Manual". By reading the operation guides and the checklist, operators can obtain the related product configuration, debugging, maintenance, and security hardening requirements and suggestions.
The security hardening manual is applied after completion of the project implementation, and covers the security specification and the security hardening check. The security specification refers to the security hardening specification that must be executed. The security hardening check refers to the security scanning of the product to check whether any security vulnerability exists. In addition, the security hardening manual includes the common attacks faced by the corresponding product and the handling methods.
The security hardening checklist varies with the actual product. For example, for an operating-system-type product, a list of vulnerabilities to be checked can be generated from the found vulnerabilities, from three aspects: operation security, data security and security management. In addition, the risk levels of the vulnerabilities should be included in the check items, to provide clearer guidance for hardening operations.
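A hardening checklist of the kind described above, with items grouped by the three aspects and carrying a risk level, is easiest to understand as something that runs. The following Python is an added example written for this page, not ZTE's tooling and not taken from any ZTE hardening manual; the check items, the flat key/value configuration format and the sample configuration of a hypothetical operating-system-type product are all constructed for the example.

```python
"""Added example: a security hardening check runner.  Illustrative code
written for this page, not ZTE's tooling; the check items and the sample
configuration are constructed and are not from any ZTE hardening manual."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample: effective settings of a hypothetical OS-type product.
SAMPLE_CONFIG: Dict[str, str] = {
    "ssh.permit_root_login": "yes",
    "ssh.protocol": "2",
    "password.min_length": "6",
    "password.max_age_days": "0",
    "audit.logging": "enabled",
    "telnet.enabled": "yes",
    "snmp.community": "public",
    "filesystem.world_writable_dirs": "0",
}

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class CheckItem:
    item_id: str
    aspect: str        # operation security / data security / security management
    risk: str          # high / medium / low
    description: str
    passes: Callable[[Dict[str, str]], bool]   # True when the setting is hardened


# Constructed checklist; the defaults passed to .get() are the insecure
# values, so a missing setting counts as a failed check.
CHECKLIST: List[CheckItem] = [
    CheckItem("OPS-01", "operation security", "high",
              "Remote root login over SSH must be disabled",
              lambda c: c.get("ssh.permit_root_login", "yes") == "no"),
    CheckItem("OPS-02", "operation security", "high",
              "Telnet (cleartext management) must be disabled",
              lambda c: c.get("telnet.enabled", "yes") == "no"),
    CheckItem("OPS-03", "operation security", "medium",
              "SNMP community string must not be the default 'public'",
              lambda c: c.get("snmp.community", "public") != "public"),
    CheckItem("DAT-01", "data security", "medium",
              "No world-writable directories",
              lambda c: c.get("filesystem.world_writable_dirs", "1") == "0"),
    CheckItem("MGT-01", "security management", "medium",
              "Minimum password length at least 8",
              lambda c: int(c.get("password.min_length", "0")) >= 8),
    CheckItem("MGT-02", "security management", "low",
              "Password expiry must be enforced (max age > 0)",
              lambda c: int(c.get("password.max_age_days", "0")) > 0),
    CheckItem("MGT-03", "security management", "high",
              "Audit logging must be enabled",
              lambda c: c.get("audit.logging", "disabled") == "enabled"),
]


def run_hardening_check(config: Dict[str, str], checklist=CHECKLIST) -> List[Tuple[str, str, str, str]]:
    """Return the failed items, highest risk first, as (id, aspect, risk, description)."""
    failed = [it for it in checklist if not it.passes(config)]
    failed.sort(key=lambda it: (RISK_ORDER[it.risk], it.item_id))
    return [(it.item_id, it.aspect, it.risk, it.description) for it in failed]


def summarize(config: Dict[str, str], checklist=CHECKLIST) -> Dict[str, int]:
    """Count failed items per risk level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, _, risk, _ in run_hardening_check(config, checklist):
        counts[risk] += 1
    return counts


def hardening_passed(config: Dict[str, str], checklist=CHECKLIST) -> bool:
    """Acceptance gate: no failed high-risk items."""
    return summarize(config, checklist)["high"] == 0


if __name__ == "__main__":
    for item_id, aspect, risk, desc in run_hardening_check(SAMPLE_CONFIG):
        print(f"[{risk.upper():6}] {item_id} ({aspect}): {desc}")
    print("gate:", "PASS" if hardening_passed(SAMPLE_CONFIG) else "FAIL")
```

Sorting failures by risk level before listing them is what turns a scan result into the "clearer guidance for hardening operations" the paragraph asks for: the operator fixes the high-risk items first and the acceptance gate is defined on those alone.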
Operation & Maintenance
ZTE continuously pays attention to and deals with security problems in the last phase of the product lifecycle. ZTE's main tasks in the operation and maintenance phase are as follows:
● Collecting security incidents submitted by customers and released by industry associations
● Paying attention to vulnerabilities and patches released by system software providers and professional security providers
● Analyzing vulnerabilities that may exist in the product, and managing security incidents based on the product security incident response mechanism
● Ensuring that the suppliers support the vulnerability report and incident response mechanisms, and regularly auditing the security of suppliers
● Ensuring the security of reverse logistics
Different operation and maintenance system accesses increase the difficulty of operation. Based on the concept of "being easy to use, compatible and secure", the NetNumen™ Advanced Operations Suite (AOS) helps customers solve security problems of the operation and maintenance system, including the lack of a unified access point, the lack of single login, scattered information and remote system deployment. The AOS provides a unified portal with aggregated services and optimized operations. It has multiple advantages, such as being cost saving, certified and authorized, secure and compatible.
● Single login: The AOS provides a unified portal. After login, you can access all systems of mutual trust.
● Centralized display: The scattered information is aggregated and displayed on a unified dashboard.
● Virtual application: The patented virtual application technology, with low bandwidth usage and high security, prevents sensitive information from being transmitted over the network.
● Customization: The AOS provides system and information customization for customers.
● Security control: The AOS provides the unified 3A security control mechanism and operation video auditing.
[Figure 7: AOS O&M Architecture. Elements shown: WAN and LAN zones; the AOS-Coolbit, AOS-Portal and AOS-Dashboard components; the AOS servers; and the OSS, NMS and EMS servers with their web interfaces.]
Security Incident Response
ZTE's Product Security Incident Response Team (PSIRT) is the incident response organization responsible for collecting, eliminating, and disclosing security vulnerabilities in ZTE's products and solutions. It is the only organization through which ZTE discloses vulnerability information. Its responsibilities are as follows:
● Responding to and handling security incidents submitted by customers
● Responding to and handling security incidents released by industry associations
● Formulating the information security incident management policy and the security incident handling methods
● Analyzing vulnerabilities and patches released by system software providers and professional security providers
The public email address for security incident management is [email protected]. It is the window through which ZTE responds to security incidents. External security vulnerability reports provide helpful input for product R&D from the perspective of operation and maintenance.
[Figure 8: Security Incident Response Mechanism. Elements shown: report sources (Customer, Third Party, After Sales, Vendor); Security Incident Report & Vulnerability Report; ZTE PSIRT; Response within 24 hours; Security Incident Handling; Risk-avoiding Scheme; Patch Development; Patch Release; Version Upgrade; Information Disclosure; Security Advisory; "Based on the secure network for ZTE Products".]
Management Specification
The Product Security Incident Management Specification specifies the product security incident management flow and the responsibilities of the departments, and ensures the quality and efficiency of product security incident management. This specification covers all pre-sales, in-sale, and after-sales processes related to product security, including special security communications with customers, cooperation with security organizations, incident response management, security information release, and the information security compliance and legal compliance flow.
The management specification is clearly defined to ensure the efficiency of security incident management. For example, security incidents must be acknowledged within 24 hours, and high-risk security vulnerabilities must be eliminated within 30 days.
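The two time limits just stated (acknowledgement within 24 hours; elimination of high-risk vulnerabilities within 30 days) are the kind of rule an incident tracker should check automatically. The following Python is an added example written for this page and is not ZTE's PSIRT tooling; the incident record format, the report sources taken from Figure 8, and the sample incident records are all constructed, and "eliminated" is taken here to mean the patch release date.

```python
"""Added example: SLA checks over product security incident records,
illustrating the 24-hour acknowledgement and 30-day high-risk fix limits.
Written for this page, not ZTE's PSIRT tooling; records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ACK_LIMIT = timedelta(hours=24)          # acknowledge every incident within 24 h
HIGH_RISK_FIX_LIMIT = timedelta(days=30)  # eliminate high-risk vulnerabilities within 30 days


@dataclass
class Incident:
    incident_id: str
    source: str                           # customer / third party / after-sales / vendor
    risk: str                             # high / medium / low
    reported_at: datetime
    acknowledged_at: Optional[datetime] = None
    fixed_at: Optional[datetime] = None   # assumption: date the patch was released


def ack_breach(inc: Incident, now: datetime) -> bool:
    """True if the 24-hour acknowledgement limit was missed, or is already
    missed for an incident that has not been acknowledged yet."""
    deadline = inc.reported_at + ACK_LIMIT
    if inc.acknowledged_at is None:
        return now > deadline
    return inc.acknowledged_at > deadline


def fix_breach(inc: Incident, now: datetime) -> bool:
    """True if a high-risk vulnerability missed the 30-day elimination limit.
    The limit stated on the page applies only to high-risk items."""
    if inc.risk != "high":
        return False
    deadline = inc.reported_at + HIGH_RISK_FIX_LIMIT
    if inc.fixed_at is None:
        return now > deadline
    return inc.fixed_at > deadline


def days_remaining(inc: Incident, now: datetime) -> Optional[float]:
    """Days left before an open high-risk item's fix deadline (negative when
    overdue); None for non-high-risk or already fixed items."""
    if inc.risk != "high" or inc.fixed_at is not None:
        return None
    return (inc.reported_at + HIGH_RISK_FIX_LIMIT - now) / timedelta(days=1)


def sla_report(incidents: List[Incident], now: datetime) -> List[Tuple[str, str]]:
    """Return (incident_id, breach_kind) for every SLA breach as of `now`."""
    breaches: List[Tuple[str, str]] = []
    for inc in incidents:
        if ack_breach(inc, now):
            breaches.append((inc.incident_id, "ack>24h"))
        if fix_breach(inc, now):
            breaches.append((inc.incident_id, "high-risk fix>30d"))
    return breaches


# Constructed sample records (not real ZTE incidents).
T0 = datetime(2014, 11, 1, 9, 0)
SAMPLE_INCIDENTS = [
    Incident("INC-001", "customer", "high", T0, T0 + timedelta(hours=3), T0 + timedelta(days=12)),
    Incident("INC-002", "third party", "high", T0, T0 + timedelta(hours=30), None),  # late ack, still open
    Incident("INC-003", "vendor", "medium", T0, T0 + timedelta(hours=20), None),
    Incident("INC-004", "after-sales", "high", T0, T0 + timedelta(hours=5), T0 + timedelta(days=31)),
]


def sample_report(days_after_report: float) -> List[Tuple[str, str]]:
    """Run sla_report over the sample records as of N days after T0."""
    return sla_report(SAMPLE_INCIDENTS, T0 + timedelta(days=days_after_report))


if __name__ == "__main__":
    for inc_id, kind in sample_report(35):
        print(inc_id, kind)
```

An open incident is judged against the clock, not only against recorded timestamps, so a high-risk item that is still unfixed on day 31 shows up as a breach even though no fix date has been recorded; that is the case a tracker most often gets wrong.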
Communication and Cooperation
In 2014, as a platform for security technology interaction, the ZTE Cyber Security Laboratory has communicated with customers on product security, the incident response mechanism and security requirements. It fulfills customer needs by pushing ongoing security activities and progress to customers in a timely manner.
The ZTE Cyber Security Laboratory is gradually deepening its cooperation with external security organizations on security tools, evaluation methods, vulnerability information sharing and elimination, and security incident response.
The "Information Security Award Program for White Hats" launched by ZTE is intended to reward those excellent security technology researchers, that is, white hats, who continuously help improve ZTE's product security. The pilot product security award program for white hats has already started.
To achieve its future security goals, ZTE communicates and cooperates with industry peers to obtain feedback from stakeholders and advanced technology and management experience in the security field.
Security Column
The Security Column is a public information release platform for ZTE to publish security statements, disclose security vulnerabilities, and report security incidents. This platform is used to demonstrate the company's brand image and attitude towards product security problems, which improves customers' confidence in the company's brand and products.
The CEO statement on cyber security and product security, the PSIRT, and the vulnerability report and elimination flows published in the Security Column effectively show ZTE's concern about product security. The operational status of the public email address [email protected] and of the award program for white hats meets the expectations for the current phase.
The Vulnerability Advisory is used to publish vulnerabilities in ZTE's products. ZTE encourages vulnerability researchers, industry organizations, and suppliers to report security vulnerabilities in its products to ZTE PSIRT.
Address of the Security Column: http://www.zte.com.cn/cn/about/corporate_citizenship/security/.
Address of the Vulnerability Advisory: http://support.zte.com.cn/support/news/NewsMain.aspx.
The published security information is pushed to customers as required. Vulnerability information directly related to a customer's product is pushed to the customer through a special customer channel, to ensure that the customer receives the vulnerability information immediately and responds to the vulnerability quickly.
Vision
To build a peaceful, secure, open, and cooperative cyber space is a common expectation of the international community. As a globally leading telecommunications solution provider, ZTE will continue to improve its product security and bring more value to customers, the industry, and society.