HUAWEI TECHNOLOGIES CO., LTD.
www.huawei.com
Huawei Confidential
Security Level: Internal public
December 27, 2023
April, 2014
Cyber Security Awareness and
Code of Conduct
INTERNAL
Cyber Security Office, GTS
Chapter 1 What Is Cyber Security About?
Chapter 2 Cyber Security Case Studies
Chapter 3 Requirements and Regulations on
Cyber Security
Cyber Security Issues May Lead to International Political Crisis
Caution:
• Telecommunications networks are key national infrastructure; any risk to them might bring a crisis even to a whole country.
• Cyber security is not only a technical issue; it may lead to an international political crisis.
8th October, 2012: The US Congress released an investigative report on the US national security issues posed by Huawei and ZTE.
6th June 2013: Snowden disclosed that the National Security Agency and the United States Federal Bureau of Investigation were carrying out a secret project code-named "PRISM", directly accessing the central servers of nine U.S. Internet companies and mining data to collect intelligence.
24th March 2014: In response to recent media reports that the U.S. National Security Agency (NSA) had invaded Huawei servers, Huawei in Shenzhen responded by saying: Huawei opposes all acts that endanger network security.
Cyber Security Is Critical to Company's Survival
The News of the World closed down because of illegal interception and monitoring:
• As the British media revealed on July 5, 2011, employees of News of the World had illegally eavesdropped on voice-mails and deleted voice messages on the mobile phone of slain schoolgirl Millie Doyle while police were searching for the missing 13-year-old in 2002, interfering with a police investigation into the missing person-turned-murder case.
• On July 6, 2011, more reports exposed the phone-hacking scandal. On the same day, Prime Minister Cameron requested that an investigation into the matter be initiated.
• The 168-year-old newspaper was one of the best-selling newspapers in the UK. As a result of the scandal, the publication was shut down on July 10, 2011.
• On July 4, 2014, Andy Coulson, British Prime Minister David Cameron's former media director (editor of the News of the World, 2003-2007), who had been convicted for his involvement in the wiretapping plan, was sentenced to 18 months in jail.
What is Cyber Security?
Huawei definition of Cyber Security
Cyber security is to ensure the availability, integrity, confidentiality, traceability, and robustness & resilience of products, solutions, and services based on a legal framework. Additionally, it protects the customers' or users' communication content, personal data and privacy carried therein, and the flow of unbiased information.
Cyber security assurance aims to prevent harm to the economic benefits and reputation of Huawei and its customers. Cyber security protects Huawei's employees or the company itself from bearing civil, administrative, or even criminal liability, and prevents cyber security from being used as an excuse for trade protection or as a fuse that sets off an international political crisis which may lead to the collapse of the company.
[Diagram: Cyber Security, with the labels "Carried & protected data/privacy", "Business continuity & robust network", Integrity, Availability, Confidentiality, Traceability, and Robustness & Resilience]
1: Cyber security = Information security
2: Cyber security = anti-attack & anti-virus
3: Cyber security = physical & personal safety
4: Cyber = Network
Cyber Security is to protect customers' networks and, at the same time, to protect Huawei and Huawei's employees.
Cyber security concern is the trend of the times
Government supervision
• Many countries, such as the US and countries in the EU, regard cyber security as an integral part of their national security strategy.
• Governments of the UK, France, India, etc. have proposed security compliance requirements on operators and vendors through government supervision, laws and regulations, based on trust issues and security concerns.
Legal regulations
• Cyber security and privacy protection legislation globally tends to become more stringent.
• In European and American countries, compared with a general corporate legal breach (tax, IPR, breach of contract), a breach of cyber security legislation will be seen in the light of a violation of human rights and a national security threat. Therefore, government and the public will condemn it more aggressively and it is more likely to damage the trustworthiness of the company.
Technical impact
• As ICT technology becomes increasingly open, telecom networks develop towards all-IP, devices become smarter, and multiple businesses converge, the telecom network is facing increasingly serious security threats and challenges. Vendors should attach great importance to robustness & resilience.
• Improper solutions or implementation (e.g. an undocumented interface) may trigger external attacks and cause a trust crisis.
• Cyber security incidents cause material risks and loss to customers' normal business. Security protection must be enhanced to further reduce the cost of security management and O&M.
Market access
• Major security issues in the industry and cyber security concerns make vendors lose orders or prevent them from entering key markets.
• Operators transfer the legal obligations to vendors. More and more mainstream operators require vendors to sign security agreements and to comply with local laws and regulations, and propose requirements on product security, security education, vetting, etc. E.g., all Indian operators prescribe that a vendor will face a large penalty and withdrawal from the network if any security problems are found.
Cyber security is one of the important strategies for Huawei
"It (Cyber Security) is for our survival."
"Recession is tolerable but collapse is not. Be more aware of cyber security. Do not cause any cyber security issues that may lead to international political crisis."
--- Huawei EMT Meeting Minutes No. [2012] 003, Summary of Cyber Security Meeting (Excerpts)
Cyber Security
Content in BCG
Outline
4.1 Support the secure operation of customers’ networks and business
Huawei will never tolerate any of the following conduct:
• Accessing, without customers’ authorization, customers’ systems and equipment to collect, possess, process or
modify data and information in customers’ networks and equipment, or disclose and disseminate customers’ data
and information.
• Embedding malicious code, malware or backdoors in products and services, developing and/ or distributing
viruses, or conducting other illegal behavior.
• Attacking, destroying or damaging customers’ networks or taking advantage of customers’ networks to steal or
destroy information or commit any activity that endangers national security, the public interest, or the legal rights
and/or interests of other parties.
• Soliciting or helping any third party to do any of the above.
2.0 Basic Guidelines
The responsibility to protect the security of customers’ network and business will never be outweighed by
the Company’s own commercial interests.
4.2 Protect End Users’ Privacy and Communication Freedom
• The Universal Declaration of Human Rights states that no one shall be subjected to arbitrary interference with their
privacy and correspondence. Many countries have implemented, or are planning to implement, privacy or personal
data protection laws.
Huawei will never tolerate any of the following conduct:
• Illegal collection, disclosure, distortion, impairment, sale or provision of end users’ personal data and information.
• Misuse of information and telecommunication technology to conduct surveillance on end users’ communications
and / or movements, or to block or disrupt communications, or to restrict the free flow of unbiased information.
As a leading global ICT solutions provider, we provide information network products and services. The global network
needs to be stable at all times. It is our primary social responsibility to support stable and secure networks for
customers, including in times of natural disasters, such as earthquake and tsunami, and other emergencies like war.
Cyber Security Requirements have been Included in BCG as one Commercial
Conduct Regulation
Huawei Cyber Security Management Organization
• GCSC: Strategic direction. Responsible for agreeing the strategy, planning, policies, road map and investment, driving the implementation, resolving conflicting strategic priorities, and auditing.
• GCSO: Leading the team to develop the security strategy, establishing the cyber security assurance system internally, and supporting GR/PR and global accounts customers externally.
• GCSO Office: Coordinating related departments to formulate detailed operational rules and actions to support the strategy and its implementation; promoting the application, auditing and tracking of the implementation. The company focal point to identify and resolve cyber security issues.
• Regional/Department Security Officers: Accountable for working with GCSO to identify changes to departmental/business unit processes so that the cyber security strategy and its requirements are fully embedded in their areas. They are also experts in their own right and contribute to the development and enhancement of the strategy.
[Organization chart. Named roles: CEO Ren Zhengfei; Chairman of GCSC Ken Hu; GCSO John Suffolk; Director of GCSO Office Jupiter Wang. Other boxes: PAC, LA, MKT, JCR, CHR, BP&IT, Audit; Security Competence Centre; Internal Cyber Security Lab; External Cyber Security Lab/CSEC; Cyber Security Offices of Carrier Network BG, Consumer BG, Enterprise BG, Supply Chain, 2012 Lab and Procurement; CCSO of USA, CCSO of France, CCSO of India, CCSO of UK.]
Implement Cyber Security Policy Requirements, Proactively Identify Risk Points
Policy recommendations by domain:
• Laws: Huawei complies with all applicable laws and regulations in each administrative region and tracks cyber security-related legislation, particularly legislative requirements related to critical infrastructure.
• R&D: Local R&D institutions shall comply with the cyber security requirements and the baseline of local laws and regulations.
• Verification: Guide the customer's certification requirements: internal cyber security validation lab, sharing the reports, Security Certification Center, third-party testing agency. Certification involves the use of safety and the need for government intervention endorsement, third-party testing to avoid source-level testing.
• Sales: Proactively identify customer cyber security requirements and manage and deliver them effectively; update sales management and control strategies in a timely manner to ensure that they are actually implemented.
• GTS: Enhance personnel's cyber security awareness, customer authorization awareness, and customer data protection.
• Emergency Response: According to the frontline country and key account, make the CERT connection through PSIRT.
• Supply chain: In reverse logistics, comply with the GTS provisions on storage media, for customer data clean-up and even scrap material handling.
• Procurement: Strengthen local procurement and project management of outsourcers; sign back-to-back security agreements to transfer the network security requirements.
• HR: Localize human resources policy locally, in conjunction with national or regional legal requirements.
GTS Cyber Security Management Organization
• Implementing cyber security management and internal control requirements to ensure the healthy development of the business
"Managers at all levels is the first responsibility of cyber security and internal controls. To keep the risks to cyber security and internal control, the initiative to prevent and reduce the incidence of the problem, to put an end to cyber security, internal control and to guard against corruption. From HQ and frontline, managers at all levels have to really pay attention to cyber security management, business executives are the first responsible person"
--Liang Hua at GTS Annual Conference in 2012
[Organization chart. Labels: GTS; CSO; Security TDT; PS, DS, Q&O, NIS, AMS, LS, PMO, RMD; Region 1; Region Q&O; "Appoint the responsibility".]
GTS Cyber Security Management Organization
[Diagram: division of work between the Cyber Security Office (CSO), the Security TDT and the BU. Box labels: Policy (Bidding, FAQ); Business Improvement (Rules, Process); Consciousness; Check; Standard; Technical; Problem Mgmt; Process Merge; Business Improvement; Redline Rectify; Forecast; Training & Campaign; Technical Implement; Self-check; Monitor.]
Cyber Security Office (CSO)
• Policy Analysis: Analyze company policies and issue GTS guidance documents; support the safety part of bidding; FAQs.
• Business Improvement: Develop GTS business improvement rules to promote process integration.
• Consciousness Atmosphere: Create a safe cyber security atmosphere in GTS and enhance employee safety awareness.
• Check: Develop operational security check standards and an inspection system, periodically inspect business security risks, and promote business improvement.
Cyber Security TDT
• Security Technology Standards: Develop GTS business security technology standards to provide input for BU business.
• Security Technology Solutions: Promote security technology solutions so that BU business technically meets the operational and compliance requirements.
• Security Problem Management: Build a security management mechanism and discover cyber security issues in process and technology to improve the business.
BU
• Business Improvement Implementation: Join the business improvement program organized by the CSO and carry the plans and security processes through into the red line rectification (services & physical products).
• Consciousness Atmosphere: Create a positive internal cyber security environment in the BU and enhance employee safety awareness.
• Check: Perform business security self-checks to find risks and correct them in a timely manner.
• Technical Implementation: Complete the implementation of cyber security solutions in the BU.
• Pre-warning Management: Bring cyber security early warning into the early warning management product category.
GTS cyber security management architecture
Through continuous business improvement and building systems / platforms / tools, pay close attention to regional implementation and compliance, and eliminate cyber security incidents caused by human errors.
Strategy I. Persist in service improvement and reduce cyber security risks.
• Measure 1: Further refine the cyber security business standards, form clear executable guidance and implement improvements.
• Measure 2: Perform penetration tests on Romania GSC networks to improve the cyber security capability.
• Measure 3: Improve E2E customer data management and eliminate related risks in data sensitive areas.
• Measure 4: Prevent any controlled spare parts from going back to China by implementing customer authorization and return repair processes.
Strategy II. Improve robustness of systems and platforms, and capability of security services.
• Measure 5: Complete security redline tests on 100% of tool software and clear non-compliant tools.
• Measure 6: Apply the "three locks" and achieve manageable and traceable remote access.
• Measure 7: Develop security serviceability to support security delivery in the frontline.
Strategy III. Continually educate staff about cyber security to improve security delivery compliance.
• Measure 8: Take measures on data and account management to eliminate outflow of sensitive data.
• Measure 9: Improve cyber security awareness of staff and apply management responsibilities at the project level.
[Architecture diagram. Recoverable labels: "Customer security demands"; "Meet customer demands and gain trust in cyber security."; "Global delivery organizations consistently comply to cyber security requirements."; Portfolio: System integration service, Network deployment service, Customer support service, Customer experience service, Training service, Management service, Consultant service; "Build cyber security on product elements."; "Build cyber security on service sales."; "Build cyber security on delivery execution."; Security serviceability (physical products); SOP (Instruction guides, contract templates); Security platform hardening; Tool software security authentication; Network deployment; Make a sales control system and salable list; Review bids/contracts; Accountability system; Network OM and customer support; Project management; Self-check and audit; Security technologies/Management standards; Behavior standardization; Privacy protection; Security hardening; Software integrity; …; (1), (2), (3).]
For GTS, the largest cyber security risks come from employee behavior. Each employee must be responsible for what he has done, to avoid unintentional violations.
Build Cyber Security responsibility matrix in GTS to ensure cyber security requirements can be fulfilled in service and delivery activities
Levels: HQ (GTS BUs / CSO / TDT); Region & Key Account (BU Manager / CSO); Project (PD/PM/TD/PC/QA)
Undertake cyber security policy
• Regional security programs / platform construction
• Establish notification mechanism. Organize handling of security incidents
• Improve business continuously by self-audit & correction
Analysis of customer needs on cyber security to develop business rules and establish GTS management system
• Analysis of cyber security requirements from customers / governments to develop business rules
• Integrate cyber security elements into the GTS delivery process to meet requirements
• Develop GSC solutions and deliverable tools to meet operational safety requirements with technology
• Build Cyber Security responsibility matrix in GTS: the competent responsibilities and levels; improve business continuously by self-audit & correction.
1) Deliver service with cyber security policy according to the delivery process
• Data protection
• Process approval
• Sub-contractor
2) Discuss data privacy protection measures with the customer in the delivery process
3) Routinely learn cyber security requirements, cases, etc.; periodically self-check delivery activities
Actively thinking security business
• Analysis of local government & customer requirements on CS; organize workshops on CS
• Customize security solutions according to customer demand
• Provide demands on CS serviceable features
• Check on configuration
• Manage access accounts
• Identify & give notice of safety issues
Take Measures on Data and Account Management to Eliminate Outflow of Sensitive Data
Key Dimensions of Cyber Security
• Government: 36 countries that are sensitive to cyber security, defined by Huawei
• Customer: Customers with high requirements on cyber security, such as VDF, Telefonica, FT, and DT
• Regional implementation (self-check results and cyber security events of 2013): Regions in which the cyber security risk is high and security events frequently occur, such as South Pacific, Mid-Asia, and South America
• Technical sensitivity
[Chart: sensitivity levels High / Medium / Low. Entries listed on the chart: USA, Australia, and China Taiwan; Japan, France, Germany, Great Britain, New Zealand, Denmark, Canada, and South Korea; Russia, Saudi Arabia, Turkey, Austria, Spain, Italy, Poland, Mexico, Brazil, South Africa, India, Malaysia, and Indonesia; Other countries; Coverage of VDF subnets; Coverage of TEF, FT, DT subnets.]
Sensitivity Level Management Policy
High and medium level regions: Be aligned with customers' requirements on cyber security and manage big risks.
• Formulate service-based management schemes for regions. -Q1
• Implement anonymity in data collection, to prevent leaking of personal data.
• Account management: Clear the accounts of personnel who have quit and staff whose positions have shifted. -Q2
• Focus audits on the implementation status of requirements in these areas: account use, customer authorization, E2E data management, project team, etc.
Continuous education on cyber security
• Routinely perform self-checks on implementation.
• Account management: Solve the issue of incomplete transfer of transfer-to-maintenance accounts and the sharing of accounts. -Q3
Chapter 1 What Is Cyber Security About?
Chapter 2 Cyber Security Case Studies
Chapter 3 Requirements and Regulations
on Cyber Security
GTS Should Focus on Cyber Security
"Three business areas of the GTS are closely related to cyber security. We attach great importance to cyber security of the GTS."
-- Global Cyber Security Office Manager
GTS Businesses Are Closely Related to Cyber Security
Development of Service Products
Like physical products, service products can also bring many cyber security problems, such as vulnerabilities, back doors, etc. Misuse of service products will cause serious damage.
Many tools used in delivery and service can also be used to access and collect sensitive information.
Sales of Service Products
Engineers of the GTS are also responsible for contacting customers. Their behaviors influence Huawei's image.
When communicating with customers, engineers should avoid using sensitive words and exercise caution not to share or expose customer information.
Project Delivery & Maintenance and Management Services
GTS staff often directly access customer networks, so they face high risks with respect to cyber security.
For example, they may access customer assets without authorization; misuse accounts and passwords; expose data in the customer network; get out of line to conduct remote operation or transfer data in the customer network; use tools obtained from non-official channels; use virus-infected computers to access customer assets.
Unauthorized access, remote access, and personal data transfer are illegal in most countries.
For GTS, the most severe cyber security risk is staff behavior. Employees should avoid cyber security accidents caused by unawareness.
Case Study I: Unauthorized Operation (Event Description)
• Causes:
In September 20XX, during an engineering delivery project, in order to test and verify whether the format of emails sent from the customer's network was correct, Employee B from Company A, without obtaining the customer's written permission, added his personal email addresses (including qq.com and 163.com) to the list of email addresses to which alerts would be sent by the customer's network.
• Consequences:
The customer's IT Department discovered the relevant records through its internal email system. The customer, very unsatisfied with Company A, made a complaint in writing claiming that Company A was very unprofessional and had brought forth information exposure risks.
[Illustration, speakers: Customer Service Engineer, Customer]
"Without customer authorization, I modified...as necessary."
"Without my authorization, how dare you access my network."
Case Study II: Using Another Person's Account to Log into Customer's Network (Event Description)
• Causes:
Maintenance employees in Country F change constantly. New arrivals need to apply for their own accounts, but the company's approval process takes a long time. These new arrivals therefore use other employees' accounts to operate and maintain the customer's network.
• Consequences:
In the customer's opinion, this company was very unprofessional. The customer complained to regional executives of the company and expressed strong dissatisfaction.
This event decreased the customer's confidence in this company and was likely to negatively influence later cooperation between the two.
[Illustration, speakers: Customer Service Engineer 1, Customer Service Engineer 2, Customer]
"I haven't got my account yet. May I use yours to log into the customer's network?"
"Sure. My account is XXX."
"You are so unprofessional..."
Case Study III: Exposing and Disseminating Data in Customer Network (Event Description)
• Causes:
At an exhibition held by a company, service and sales employees of the company talked with all visitors about how they had improved the network performance for Customer A and displayed this customer's network information (including some confidential information).
• Consequences:
Customers who visited the exhibition thought this company was very unprofessional. They worried that their network information might one day be displayed in such a manner. This event decreased the level of confidence these potential customers had in the company.
[Illustration, speakers: Sales Personnel, Customer]
"Hey, look at the network diagram of Company X. It used to have many problems."
"How can I trust you?"
Case Study IV: Unauthorized Tools (Event Description)
• Causes:
In May 2012, during a microwave delivery project, in order to enhance delivery efficiency, engineer B of Company A requested tools from R&D employee C.
R&D employee C provided B with a tool that had not been strictly tested.
Project teams in the frontline used the tool to deliver many products. Unfortunately, when the delivery was almost completed, the tool activated a fault and caused an incident.
• Consequences:
Such behavior caused N hours of service interruption at N sites and led to customer complaints.
[Illustration, speakers: Customer Service Engineer, R&D Engineer]
"Project delivery is moving too slowly. I hope that R&D can provide us special tools to enhance the delivery."
"You are lucky! I have a tool that can help. I will send it to you directly."
"Oh my, what did I do?"
Case Study V: Access Customer Network by Virus-Infected Computer (Event Description)
• Causes:
In March 20XX, when providing on-site maintenance for a customer, an employee of Company A directly accessed the customer's network through a virus-infected laptop.
The customer's security center monitored data packets that were sent outward, and alerts were triggered.
• Consequences:
This event attracted highly negative attention from the customer. The customer's global security center sent weekly security reports to their CTO.
The customer clearly expressed: "The frequent occurrence of such events will decrease confidence in your company."
[Illustration, speakers: Customer Service Engineer, Customer]
"My computer is infected by a virus, but the customer requested services over and over, so I have to use this computer to access the customer's network."
"Why is so much data being sent outward? I am wondering if you are eavesdropping on us!"
Case Study VI: Remote Access Brings Risks (Event Description)
• Causes:
Since April 20XX, a European customer had required Company A to collect its end users' data from the customer's system and send the data to the customer every day.
In October 20XX, Employee B of Company A, who was responsible for the job, was on vacation in China. Without the customer's authorization, Employee B accessed the customer's network remotely from China and downloaded the end users' data. The employee then uploaded the information to a server located in China, through which the information was sent to the customer.
• Consequences:
The customer found that their network had been remotely accessed from China without their authorization, and that the sensitive data had been sent to China. The customer filed a serious complaint and asked Company A for an explanation.
[Illustration: a Customer Service Engineer accesses a European customer's network remotely. Speakers: Customer Service Engineer, Customer]
"Though I am on vacation, I still handle customer requests. How dedicated I am!"
"Our network is remotely accessed by someone from China. Is it a Chinese spy?"
Consider: Key Points of Cyber Security
Which cyber security issues do
we need to consider in our daily
work?
Answer: Key Points of Cyber Security
(Columns: Scenario; No.; Key points of focus with respect to cyber security)
Scenario: Accessing the customer's network.
1. Customer authorization is a prerequisite. Without the customer's written permission, employees are not allowed to access the customer's network.
2. Do not use other people's accounts. Employees are not allowed to use other people's accounts or unauthorized accounts to log into customer equipment.
3. Be cautious when launching any remote access. Employees are not allowed to access a customer's network remotely without the customer's written authorization. Employees are prohibited from accessing the networks of customers in sensitive regions remotely from China.
4. Check and kill viruses. We must kill viruses on all computers, communications terminals, and storage media before using them to access the customer's network.
Scenario: Operating the customer's network.
5. Customer authorization is necessary. Without the customer's written authorization, employees are not allowed to install or use any software in the customer's network. Without the customer's written authorization, employees are not allowed to collect data contained in the customer's network. Never perform any operations that are beyond the scope of the customer's written authorization.
6. Use only official software and tools. Never use software versions, patches, licenses, or tools that are not obtained through Huawei's official channels (such as Support Website, delivered with equipment, or official procurement by field offices).
7. Be cautious when sending data back to China. (1) Employees are not allowed to send data (including personal data) in a customer's network back to China without the customer's written authorization. (2) Even though customer authorization has been obtained, employees are still not allowed to send personal data of customers located in sensitive countries back to China.
8. Keep accounts and passwords secret. Without the customer's written authorization, employees are not allowed to disseminate or share accounts and/or passwords.
9. Never disrupt a customer's network. Employees are prohibited from attacking or disrupting a customer's network, or cracking the customer's accounts and/or passwords.
Scenario: Leaving the post that involves work relating to the customer's network.
10. Do not take the customer's data. Without the customer's written authorization, employees are not allowed to take equipment or storage media that contain data (including personal data) in the customer's network away from the customer's premises.
11. Do not expose the customer's data. Employees are not allowed to expose or disseminate data and information contained in the customer's network.
12. Relinquish accounts. After a customer's network is put into commercial use or is maintained by another party, employees must relinquish and delete their administrator accounts and any other accounts that become unauthorized as a result.
Chapter 1 What Is Cyber Security About?
Chapter 2 Cyber Security Case Studies
Chapter 3 Requirements and Regulations on
Cyber Security
Red Lines of GTS Cyber Security Conducts
1. Access customer's system and collect, process, or modify the data and information on
customer network without documented permission.
2. Connect personal portable device or storage media to customer network without
documented permission.
3. Operations beyond the scope approved by customer.
4. Operations by using other people's account or unauthorized account to log in to
customer's devices.
5. Implant malicious codes, malicious software, backdoor, reserve concealed interfaces or
accounts in products or services.
6. Attack and undermine customer networks. Crack customer's account password.
7. Disclose and spread the data and information on customer's network.
8. Use shared accounts and passwords without customer's documented permission.
9. Retain or use the administrator account and unauthorized accounts after the commercial
use of network or the maintenance transition.
10. Run illegal software on customer network. Use software versions, patches, or licenses
that are not obtained through official channels.
11. Use information and data in customer's system to seek improper gains or for illegal
purposes.
Accountability System of Cyber Security Violation
• Purpose: to improve employees' cyber security awareness in order to mitigate the risks of cyber security violations and ensure smooth operation of the corporate business; to take disciplinary actions against cyber security violations through a strict accountability system.
• Principle:
  - Accountability is not based on the consequence or on whether the actor had malicious intent. Instead, it is based on the behavior itself. The actor has to bear liability if he/she violates the laws or regulations.
• Accountability levels & measures

Accountability Level 1
Cyber security violations: Level 1 of Cyber Security Violations or causing severe crises, complaints, severe loss, potential security dangers, and risks
Punishment:
1. Terminate the employment contract with the violator.
2. Do not provide economic compensation for the violator in situations where no economic compensation should be paid according to the Regulations on Compensation for Employment Contract Rescinding or Termination (Huawei BOD Doc. No. [2007] 01).
3. Pursue or reserve the right to pursue legal actions against the employee if he/she violates the laws and regulations.
4. Record the incident in the Employee Integrity Database and never rehire the employee.

Accountability Level 2
Cyber security violations: Level 2 of Cyber Security Violations (see Attachment 1) or causing major customer complaints, loss, potential security dangers, and risks
Punishment:
1. Give a severe warning to the violator.
2. Specify the violation as a key event to the competency and qualification of the violator, demote the violator and decrease the violator's benefits based on the violator's position.
3. Record the incident in the Employee Integrity Database.

Accountability Level 3
Cyber security violations: Level 3 of Cyber Security Violations or causing minor loss, potential security dangers, and risks
Punishment:
1. Give a minor warning to the violator.
2. Reduce the grade of the related incentive appraisal.
3. Two level-3 violations within 12 months will be escalated to one level-2 violation.
4. Record the incident in the Employee Integrity Database.

Accountability Level 4
Cyber security violations: Level 4 of Cyber Security Violations or causing no loss, but causing minor potential security dangers and risks
Punishment:
1. Warn the violator by email.
2. The violation should be considered during the violator's incentive appraisal.
3. Two level-4 violations within 12 months will be escalated to one level-3 violation.
Cyber security violations in various scenarios (1/2)

Scenario: Common behavior
• Level 1: Use networks to carry out any activities that harm national security and the public interest, steal or destroy others' data, or infringe others' legal rights; be instigated or bribed, or take advantage of one's position, to carry out any of the above activities.
• Level 1: Without written authorization from the customer, access the customer's network; collect, keep, process and modify any data and information in the customer's network.
• Level 1: Disclose and disseminate data and information in customers' networks.
• Level 1: Without written authorization from the customer, access and process users' voice information, accurate location information and key pressing information; those behaviors that may lead to suspicion of infringement of users' private communication content and personal data.
• Level 1: Without written authorization from the customer, remove devices or storage media with customer network data (including personal data) out of the customer's premises.
• Level 1: Attack and crack communication facilities such as customers' networks; crack the passwords of customers' accounts.
• Level 1: Embed any malicious code, malware or backdoor in products or services; maintain any undocumented interfaces and accounts.
• Level 2: Without the authorization of the company, hold and disseminate the relevant information of product security vulnerabilities.

Scenario: Customer communication & commitment
• Level 1: Without written authorization from the customer, use any data and information from the customer's network for external communication, except the data and information from public channels.
• Level 1: Without written authorization from the customer, disclose and disseminate the customer's confidential information in external communication.
• Level 1: Make commitments to customers that may violate the relevant cyber security laws (e.g., disrupt, monitor, track, etc.).
• Level 2: Without the authorization of the company, reveal or disclose redline problems or vulnerabilities or other information that may arouse customers' cyber security concerns in external communication.
• Level 3: Disseminate methods or tools to break the system of terminal devices (jailbreak).
• Level 3: In customer communication and demonstrations, use sensitive wording in the materials or presentation that makes customers misunderstand our cyber security.
Cyber security violations in various scenarios (2/2)

Scenario: Delivery & Service
• Level 1: Without written authorization from the customer, access the customer's production or testing operation networks, or office network, etc., by using equipment such as computers, communication devices and storage media to carry out any operation beyond the approval of the customer.
• Level 1: Without written authorization from the customer, install or run software in the customer's network; or use any software versions, patches, licenses and software tools that are not from official channels.
• Level 1: Without written authorization from the customer, use self-designed or third-party tools for data collection and performance analysis, etc.
• Level 1: Log in to a system by using others' accounts or an unauthorized account to carry out operations.
• Level 1: Retain or use the previous administrator account or other unauthorized accounts after the system is in commercial use or has been transferred to the maintenance phase.
• Level 1: Collect and process personal data without the users' authorization in the after-sales repair process of devices.
• Level 1: Without written authorization from the customer or the onsite supervision of the designated person, access and maintain legal interception interfaces or transfer relevant information out of the operators' network.
• Level 1: Without written authorization from the customer, remotely access the customer's network from China.
• Level 1: Without written authorization from the customer, transfer the customer's network data (including personal data) back to China.
• Level 2: Fail to kill viruses on computers, communication devices and storage media before accessing the customer's network, which causes the customer network to be infected with a virus or a virus to be detected on the customer network.
• Level 2: Without written authorization from the customer, disseminate and use shared accounts and passwords.
• Level 2: After the expiration of the customer's authorization, fail to delete and destroy the stored customer network data.
Code of Conduct Concerning Cyber Security
• Respect freedom and privacy; keep customer data secret.
• Obtain customer authorization first; get access later.
• Keep account and passwords secret; never share your account with anybody.
• Use official software and tools; always check and kill viruses.
• Be cautious when launching remote access; be vigilant when sending data back to China.
• Report hidden dangers immediately; the company needs an early warning.
• Avoid behaviors that may cause violations; increase security awareness.
Assistance and Feedback Channels for Cyber Security Issues
• Assistance and feedback channels:
  - First, you can seek help from your business supervisor.
  - Second, you can seek help from local lawyers or Cyber Security contact persons.
  - If you find any external forums or third-party individuals or organizations providing security vulnerabilities of products, please report this information to the GTS Cyber Security community.
GTS cyber security community: http://3ms.huawei.com/hi/group/1005849
You can gain knowledge, discuss issues, or seek help here.
(Or you can enter “GTS cyber security community” on the W3 home page to find the link.)
Thank you
www.huawei.com
Attachment: High risk regions of cyber security

Country                                           Rep office                  Region
Europe (all countries in WE and NE Regions)
  UK, Ireland                                     UK office                   Western Europe Sub-Regional Division
  France                                          France office               Western Europe Sub-Regional Division
  Germany                                         Germany office              Western Europe Sub-Regional Division
  Italy, Malta, Switzerland, Liechtenstein        Italy office                Western Europe Sub-Regional Division
  the Netherlands, Belgium, Luxemburg             The Netherlands office      Western Europe Sub-Regional Division
  Portugal, Spain                                 Spain & Portugal office     Western Europe Sub-Regional Division
  Poland, Estonia, Latvia, Republic of Lithuania  Poland office               Eastern Europe Sub-Regional Division
  Hungary                                         Hungary office              Eastern Europe Sub-Regional Division
  Czech, Slovakia, Slovenia, Austria              Czech office                Eastern Europe Sub-Regional Division
  Greece, Bulgaria, Cyprus                        Greece office               Eastern Europe Sub-Regional Division
  Sweden, Denmark, Finland, Norway, Iceland       Sweden office               Eastern Europe Sub-Regional Division
  Romania                                         Romania office              Eastern Europe Sub-Regional Division
North America
  United States                                   USA office                  USA office
  Canada                                          Canada office               Canada office
Southern Pacific
  Australia, New Zealand                          Australia office            Southern Pacific Sub-Regional Division
Japan
  Japan                                           Japan office                Japan office
Learning materials for GTS employees
• Huawei GCSC Doc. No.[2012] 02 -Compliance Policy of Privacy Protection & Cyber Security
• Huawei GCSC Doc. No.[2012] 05 -Accountability System of Cyber Security Violations
• HW GTS Dept Doc. No.006[2012]-Red Lines Management Regulations of GTS Cyber Security Conducts
• HW GTS Dept Joint Cir _No 020 2012-Requirements on Anti-Virus before Laptops Accessing to Customer Networks
• HW GTS Dept Cir No.018[2012]-Notice on Controlling Remote Access Security Risks
• GTS PMO Dept. Cir. No.【2013】Requirements Regarding Enhancing Cyber Security Management in Major Delivery Projects Management
• Huawei CNBG GTS Q&O Dept. No. [2013]005-Notice on Enhancing the Field Cyber Security Management for Staff on Business Trip
Link to GTS Cyber Security related circulars:
http://3ms.huawei.com/hi/group/1005849/thread_3553999.html?mapId=1998927
Link to the service delivery cyber security flash:
http://ilearning.huawei.com/ilearning/app/management/LMS_ActDetails.aspx?UserMode=0&ActivityId=15145
Cyber Security Education Materials.pptx

  • 1. HUAWEI TECHNOLOGIES CO., LTD. www.huawei.com Huawei Confidential Security Level: 内部公开 December 27, 2023 April, 2014 Cyber Security Awareness and Code of Conduct INTERNAL Cyber Security Office, GTS
  • 2. HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 2 Chapter 1 What Is Cyber Security About? Chapter 2 Cyber Security Case Studies Chapter 3 Requirements and Regulations on Cyber Security
  • 3. HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 3 Cyber Security Issues May Lead International Political Crisis Caution:  Telecommunications networks are key national infrastructure, any risk on it might bring crisis to even a country.  Cyber security issue is not only technical issues; It may lead to international political crisis. 8th October, 2012: the US Congress released an investigative report on the US national security issues posed by Huawei and ZTE; 6th June 2013: Snowdon Disclosure National Security Agency and the United States Federal Bureau of Investigation is carrying out a code for "prism" secret project, direct access to the nine U.S. Internet company central server, data mining to collect intelligence. 24th March 2014: For recent media reports the U.S. National Security Agency (NSA) invade Huawei server events, Shenzhen Huawei responded by saying: Huawei oppose all acts that endanger network security
  • 4. HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 4 Cyber Security Is Critical to Company’s Survival  As the British media revealed on July 5, 2011, employees of News of the World had illegally eavesdropped on voice-mails and deleted voice messages on the mobile phone of slain schoolgirl Millie Doyle while police were searching for the missing 13-year-old in 2002, interfering with a police investigation into the missing person-turned-murder case.  On July 6, 2011, more reports exposed the phone-hacking scandal. On the same day, Prime Minister Cameron requested to initiate an investigation into the matter.  The 168-year-old newspaper was one of the best-selling newspapers in the UK. As a result of the scandal, the publication was shut down on July 10, 2011.  On July 4, 2014, British Prime Minister David Cameron's former media director Andy Coulson (2003-2007 “NEWS World" editor) involved in wiretapping plan convicted, was sentenced to 18 months jail The News of the World closed down because of illegal interception and monitoring :
  • 5. HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 5 Cyber security is to ensure the availability, integrity, confidentiality, traceability, and robustness & resilience of products, solutions, and services based on a legal framework. Additionally, it protects the customers' or users' communication content, personal data and privacy carried therein, and the flow of unbiased information. Cyber security assurance aims to prevent the economic benefits and reputation of Huawei and its customers from harm. Cyber security protects Huawei‘s employees or the company itself from bearing civil, administrative liability, or even criminal liability, avoids cyber security to be used as an excuse for trade protection, and a fuse that sets off an international political crisis which may lead to the collapse of the company. Carried & protected data/privacy Business continuity & robust network Integrity Availability Confidentiality Traceability Robustness & Resilience 1: Cyber security=Information security 2: Cyber security= anti-attack & anti-virus 3: Cyber security= physical & personal safety 4: Cyber= Network What is Cyber Security? Huawei definition of Cyber Security Cyber Security Cyber Security is to protect customer’s networks. And in the same time, protect Huawei and Huawei’s employee.
  • 6. HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 6 Government supervision Technical impact  Many countries such as US and countries in EU regard cyber security as an integral part of their national security strategy.  Governments of UK, France & India etc. proposed security compliance requirements on operators & vendors in government supervision & laws and regulations, based on trust issue & security concerns. Legal regulations Market access  The legislation of cyber security and privacy protection globally tends become more stringent  In European & American countries, compared with general corporate legal breach (tax, IPR, breach of contract), a breach of cyber security legislation will be seen in the light of violation of human rights and national security threats. Therefore, government and the public will condemn it more aggressively and it is more likely to damage the trustworthiness of the company.  As ICT technology becomes increasingly open, telecom networks develop towards all-IP, devices become smarter, and with the convergence of multiple businesses, the telecom network is facing increasingly serious security threats and challenges. Vendors should attach great importance to robustness & resilience;  Improper solutions or implementation (e.g. undocumented interface) may trigger external attacks and cause trust crisis;  Cyber security incidents cause material risks & loss to customers’ normal business. Security protection must be enhanced to further reduce the cost of security Mgmt & O&M.  Major security issues in the industry and cyber security concerns make vendors lose orders or prevent them from entering key markets;  Operators transfer the legal obligations to vendors. More & more mainstream operators require vendors to sign security agreements, and require vendors to comply with local laws & regulations and propose the requirements of product security, security education & vetting, etc. 
e.g.: all Indian operators prescribe that a vendor will face a large penalty and withdrawal from the network if any security problems are found. Cyber security concern is the trend of the times
  • 7. Cyber security is one of the important strategies for Huawei
    "It (Cyber Security) is for our survival."
    "Recession is tolerable but collapse is not. Be more aware of cyber security. Do not cause any cyber security issues that may lead to international political crisis."
    --- Huawei EMT Meeting Minutes No. [2012] 003, Summary of Cyber Security Meeting (Excerpts)
  • 8. Cyber Security Requirements Have Been Included in BCG as One Commercial Conduct Regulation
    Cyber Security Content in BCG Outline
    4.1 Support the secure operation of customers' networks and business
    Huawei will never tolerate any of the following conduct:
    • Accessing, without customers' authorization, customers' systems and equipment to collect, possess, process or modify data and information in customers' networks and equipment, or disclose and disseminate customers' data and information.
    • Embedding malicious code, malware or backdoors in products and services, developing and/or distributing viruses, or conducting other illegal behavior.
    • Attacking, destroying or damaging customers' networks or taking advantage of customers' networks to steal or destroy information or commit any activity that endangers national security, the public interest, or the legal rights and/or interests of other parties.
    • Soliciting or helping any third party to do any of the above.
    2.0 Basic Guidelines
    The responsibility to protect the security of customers' network and business will never be outweighed by the Company's own commercial interests.
    4.2 Protect End Users' Privacy and Communication Freedom
    • The Universal Declaration of Human Rights states that no one shall be subjected to arbitrary interference with their privacy and correspondence. Many countries have implemented, or are planning to implement, privacy or personal data protection laws.
    Huawei will never tolerate any of the following conduct:
    • Illegal collection, disclosure, distortion, impairment, sale or provision of end users' personal data and information.
    • Misuse of information and telecommunication technology to conduct surveillance on end users' communications and/or movements, or to block or disrupt communications, or to restrict the free flow of unbiased information.
    As a leading global ICT solutions provider, we provide information network products and services. The global network needs to be stable at all times. It is our primary social responsibility to support stable and secure networks for customers, including in times of natural disasters, such as earthquake and tsunami, and other emergencies like war.
  • 9. Huawei Cyber Security Management Organization
    • GCSC: Strategic direction. Responsible for agreeing the strategy, planning, policies, road map and investment, driving the implementation, resolving conflicting strategic priorities, and auditing.
    • GCSO: Leading the team to develop the security strategy, establishing the cyber security assurance system internally, supporting GR/PR and supporting global accounts customers externally.
    • GCSO Office: Coordinating related departments to formulate detailed operational rules and actions to support the strategy and its implementation; promoting the application, auditing and tracking of the implementation. The company focal point to identify and resolve cyber security issues.
    • Regional/Department Security Officers: Accountable for working with GCSO to identify changes to departmental/business unit processes so that the cyber security strategy and its requirements are fully embedded in their areas. They are also experts in their own right and contribute to the development and enhancement of the strategy.
    Named roles: CEO Ren Zhengfei; Chairman of GCSC Ken Hu; GCSO John Suffolk; Director of GCSO Office Jupiter Wang.
    [Organization chart units: Carrier Network BG Cyber Security Office; Consumer BG Cyber Security Office; Enterprise BG Cyber Security Office; PAC; LA; MKT; JCR; CHR; BP&IT; Audit; Security Competence Centre; Supply Chain Cyber Security Office; 2012 Lab Cyber Security Office; Procurement Cyber Security Office; CCSO of USA; CCSO of France; CCSO of India; CCSO of UK; External Cyber Security Lab/CSEC; Internal Cyber Security Lab]
  • 10. Implement Cyber Security Policy Requirements, Proactively Identify Risk Points
    Domain: Policy recommendations
    • Laws: Huawei complies with all applicable laws and regulations in each administrative region, tracking cyber security-related legislation, particularly critical infrastructure-related legislative requirements.
    • R&D: Local R&D institutions shall comply with the cyber security requirements and the baseline of local laws and regulations.
    • Verification: Guide the customer's certification requirements are: internal cyber security validation lab, sharing the reports, Security Certification Center, third-party testing agency. Certification involves the use of safety and the need for government intervention endorsement, third-party testing to avoid source-level testing.
    • Sales: Proactively identify customer cyber security requirements, with effective management and delivery; update sales management and control strategies in a timely manner to ensure the implementation of landing.
    • GTS: Enhance personnel cyber security awareness, customer authorization awareness, and customer data protection.
    • Emergency Response: According to the frontline country and key account, make the CERT connection through PSIRT.
    • Supply chain: On the reverse logistics deal with the GTS comply with the provisions of the storage medium, for customer data clean-up and even scrap material handling.
    • Procurement: Strengthen local procurement, project management outsourcer, back to back signed a security agreement, the transfer of network security requirements.
    • HR: Locally, in conjunction with national or regional legal requirements, localize human resources policy.
  • 11. GTS Cyber Security Management Organization
    • Implementing cyber security management and internal control requirements to ensure the healthy development of the business
    Managers at all levels is the first responsibility of cyber security and internal controls. To keep the risks to cyber security and internal control, the initiative to prevent and reduce the incidence of the problem, to put an end to cyber security, internal control and to guard against corruption. From HQ and frontline, managers at all levels have to really pay attention to cyber security management, business executives are the first responsible person
    --Liang Hua at GTS Annual Conference in 2012
    [Organization chart: GTS; Region 1; PS; DS; Q&O; CSO; Region Q&O; NIS; AMS; LS; PMO; RMD; Security TDT. Label: Appoint the responsibility]
  • 12. GTS Cyber Security Management Organization
    [Diagram: responsibilities of the CSO, the Security TDT and the BUs, as listed below]
    BU Cyber Security Office (CSO)
    • Policy Analysis: Analyze company policies and issued GTS guidance documents; support the bidding of safety part; FAQs
    • Business Improvement: Develop GTS Business Improvement rules to promote processes integration
    • Consciousness Atmosphere: Create a safe cyber security atmosphere in GTS, enhance employee safety awareness
    • Check: Develop operational security check standards and inspection system, periodic inspection business security risks and promote business improvement
    Cyber security TDT
    • Security Technology Standards: Develop GTS business security technology standards to provide input for BU
    • Business Security Technology Solutions: Promote security technology solutions, to let BU business technically meet the operational and compliance requirements
    • Security Problem Management: Build security management mechanism, discover cyber security issues in the process and technical to improve the business
    BU
    • Business Improvement Implementation: Join the business improvement program organized by CSO, execute the plans and security processes into the red rectification (services & physical products)
    • Consciousness Atmosphere: Create a positive BU internal cyber security environment, enhance employee safety awareness
    • Check: Doing business security self check to find the risks and timely corrective
    • Technical implementation: Complete the implementation of cyber security solutions in BU
    • Pre-warning management: cyber security early warning into early warning management product category
  • 13. GTS cyber security management architecture
    Through continuous business improvement and building systems / platforms / tools, pay close attention to the regional implementation and compliance, eliminate cyber security incidents caused by human errors.
    Strategy I. Persist service improvement and reduce cyber security risks.
    • Measure 1: Further refine the cyber security business standards, form a clear executable guidance and implement improvements.
    • Measure 2: Perform penetration tests on Romania GSC networks to improve the cyber security capability.
    • Measure 3: Improve E2E customer data management and eliminate related risks in data sensitive areas.
    • Measure 4: Prevent any controlled spare parts from backing to China by implementing customer authorization and return repair processes.
    Strategy II. Improve robustness of systems and platforms, and capability of security services.
    • Measure 5: Complete security redline tests on 100% tool software and clear non-compliance tools.
    • Measure 6: Apply the "three locks" and achieve manageable and traceable remote access.
    • Measure 7: Develop security serviceability to support security delivery in the frontline.
    Strategy III. Continually educate staff about cyber security to improve security delivery compliance.
    • Measure 8: Take measures on data and account management to eliminate outflow of sensitive data.
    • Measure 9: Improve cyber security awareness of staff and apply management responsibilities at the project level.
    [Architecture diagram labels, in the order extracted: Meet customer demands and gain trust in cyber security. Customer security demands; Portfolio; Security serviceability (physical products); SOP (Instruction guides, contract templates); Security platform hardening; Tool software security authentication; Network deployment; Build cyber security on product elements. Make a sales control system and salable list. Review bids/contracts. Build cyber security on service sales. System integration service; Network deployment service; Customer support service; Customer experience service; Training service; Management service; Consultant service; Global delivery organizations consistently comply to cyber security requirements. Behavior standardization; Privacy protection; Security hardening; Software integrity; …; Accountability system; Network OM and customer support; Project management; Build cyber security on delivery execution. Self-check and audit; Security technologies/Management standards; (1) (2) (3)]
    For GTS, the largest cyber security risks come from employee behavior. Each employee must be responsible for what he has done, to avoid unintentional violations.
  • 14. Build Cyber Security responsibility matrix in GTS to ensure cyber security requirements can be fulfilled in service and delivery activities
    Levels: HQ (GTS BUs / CSO / TDT); Region & Key Account (BU Manager / CSO); Project (PD/PM/TD/PC/QA)
    Undertake cyber security policy
    • Regional security programs / platform construction
    • Establish notification mechanism. Organize handling security incidents
    • Improve business continuously by self-audit & correction
    Analysis of customer needs on cyber security to develop business rules and establish GTS management system
    • Analysis of cyber security from customer/government to develop business rules
    • Integrate cyber security elements into GTS delivery process to meet requirement
    • Develop GSC solutions and delivery-able tools to meet operational safety requirements with technology
    • Build Cyber Security responsibility matrix in GTS: the competent responsibilities and levels; improve business continuously by self-audit & correction.
    1) Deliver service with cyber security policy according delivery process
    • Data protection
    • Process approval
    • Sub-contractor
    2) Discuss data privacy protection measures with customer in delivery process
    3) Routine learning cyber security requirements and case, etc.; periodically self-check on delivery activities
    Actively thinking security business
    • Analysis of local government & customers requirement on CS; organize workshop on CS
    • Customize security solutions according to customer demand
    • Provide demands on CS serviceable features
    • Check on configuration
    • Manage access account
    • Identify & notice on safety issue
  • 15. Take Measures on Data and Account Management to Eliminate Outflow of Sensitive Data
    Key Dimensions of Cyber Security
    • Government: 36 countries that are sensitive to cyber security, defined by Huawei
    • Customer: Customers with high requirements on cyber security, such as VDF, Telefonica, FT, and DT
    • Regional implementation (self-check results and cyber security events of 2013): Regions in which the cyber security risk is high and security events frequently occur, such as South Pacific, Mid-Asia, and South America
    [Figure: technical sensitivity levels High, Medium and Low. Labels in the order extracted: USA, Australia, and China Taiwan; Japan, France, Germany, Great Britain, New Zealand, Denmark, Canada, and South Korea; Other countries; Coverage of VDF subnets; Coverage of TEF, FT, DT subnets; Medium: Russia, Saudi Arabia, Turkey, Austria, Spain, Italy, Poland, Mexico, Brazil, South Africa, India, Malaysia, and Indonesia]
    Sensitivity Level Management Policy
    High and medium level regions: Be aligned with customers' requirements on cyber security and manage big risks.
    • Formulate service-based management schemes for regions. (Q1)
    • Implement anonymity in data collection, to prevent leaking of personal data.
    • Account management: Clear the accounts of personnel who have quit and of staff whose positions have shifted. (Q2)
    • Focus audits in these areas on the implementation status of requirements for account use, customer authorization, E2E data management, project teams, etc.
    Continuous education on cyber security
    • Routinely perform self-checks on implementation.
    • Account management: Solve the issue of incomplete transfer of transfer-to-maintenance accounts and the sharing of accounts. (Q3)
  • 16. Chapter 1 What Is Cyber Security About?
    Chapter 2 Cyber Security Case Studies
    Chapter 3 Requirements and Regulations on Cyber Security
  • 17. GTS Businesses Are Closely Related to Cyber Security
    GTS Should Focus on Cyber Security
    Three business areas of the GTS are closely related to cyber security. We attach great importance to cyber security of the GTS. —Global Cyber Security Office Manager
    Development of Service Products
    Like physical products, service products can also bring many cyber security problems, such as vulnerabilities, back doors, etc. Misuse of service products will cause serious damage. Many tools used in delivery and service can also be used to access and collect sensitive information. GTS staff often directly access customer networks, so they face high risks with respect to cyber security. For example, they may access customer assets without authorization; misuse accounts and passwords; expose data in the customer network; get out of line to conduct remote operation or transfer data in the customer network; use tools obtained from non-official channels; use virus-infected computers to access customer assets. Unauthorized access, remote access, and personal data transfer are illegal in most countries.
    Sales of Service Products
    Engineers of the GTS are also responsible for contacting customers. Their behaviors influence Huawei's image. When communicating with customers, engineers should avoid using sensitive words and exercise caution not to share or expose customer information.
    Project Delivery & Maintenance and Management Services
    For GTS, the most severe cyber security risk is staff's behavior. Employees should avoid cyber security accidents caused by unawareness.
  • 18. Case Study I: Unauthorized Operation (Event Description)
    • Causes: In September 20XX, in an engineering delivery project, in order to test and verify whether the email format sent from the customer's network was correct, Employee B from Company A, without obtaining the customer's written permission, added his personal email addresses (including qq.com, 163.com) to the list of email addresses to which alerts would be sent by the customer's network.
    • Consequences: The customer's IT Department discovered the relevant records through its internal email system. The customer, very unsatisfied with Company A, made a complaint in writing claiming that Company A was very unprofessional and brought forth information exposure risks.
    Illustration dialogue:
    Customer Service Engineer: "Without customer authorization, I modified...as necessary."
    Customer: "Without my authorization, how dare you access my network."
  • 19. Case Study II: Using Another Person's Account to Log into Customer's Network (Event Description)
    • Causes: Maintenance employees in Country F always change. New arrivals need to apply for their own accounts, but the company's approval process takes a long time. These new arrivals therefore use other employees' accounts to operate and maintain the customer's network.
    • Consequences: In the customer's opinion, this company was very unprofessional. The customer complained to regional executives of the company and expressed strong dissatisfaction.
    • This event decreased the customer's confidence in this company and was likely to negatively influence later cooperation between the two.
    Illustration dialogue:
    Between the two customer service engineers: "I haven't got my account yet. May I use yours to log into the customer's network?" / "Sure. My account is XXX."
    Customer: "You are so unprofessional..."
  • 20. Case Study III: Exposing and Disseminating Data in Customer Network (Event Description)
    • Causes: In an exhibition held by a company, service and sales employees of the company talked with all visitors about how they improved the network performance for Customer A and displayed this customer's network information (including some confidential information).
    • Consequences: Customers who visited the exhibition thought this company was very unprofessional. They worried that their network information might one day be displayed in such a manner. This event decreased the level of confidence these potential customers had in the company.
    Illustration dialogue:
    Sales Personnel: "Hey, look at the network diagram of Company X. It used to have many problems."
    Customer: "How can I trust you?"
  • 21. Case Study IV: Unauthorized Tools (Event Description)
    • Causes: In May 2012, during a microwave delivery project, in order to enhance the delivery efficiency, Engineer B of Company A requested tools from R&D Employee C. R&D Employee C provided B with a tool that had not been strictly tested. Project teams in the frontline used the tool to deliver many products. Unfortunately, when the delivery was almost completed, the tool activated a fault and caused an incident.
    • Consequences: Such behaviors caused N hours of service interruption in N sites and led to customer complaints.
    Illustration dialogue:
    Customer Service Engineer: "Project delivery is moving too slowly. I hope that R&D can provide us special tools to enhance the delivery."
    R&D Engineer: "You are lucky! I have a tool that can help. I will send it to you directly."
    Customer Service Engineer: "Oh my, what did I do?"
  • 22. Case Study V: Access Customer Network by Virus-Infected Computer (Event Description)
    • Causes: In March 20XX, when providing on-site maintenance for a customer, an employee of Company A directly accessed the customer's network through a virus-infected laptop. The customer's security center monitored data packets that were sent outward and triggered alerts.
    • Consequences: This event attracted highly negative attention from the customer. The customer's global security center sent weekly security reports to their CTO. The customer clearly expressed: "The frequent occurrence of such events will decrease confidence in your company."
    Illustration dialogue:
    Customer: "Why is so much data being sent outward? I am wondering if you are eavesdropping on us!"
    Customer Service Engineer: "My computer is infected by a virus, but the customer requested services over and over, so I have to use this computer to access the customer's network."
  • 23. Case Study VI: Remote Access Brings Risks (Event Description)
    • Causes: Since April 20XX, a European customer required Company A to collect their end users' data from the customer's system and send the data to the customer every day. In October 20XX, Employee B of Company A, who was responsible for the job, was on vacation in China. Without the customer's authorization, Employee B accessed the customer's network remotely from China and downloaded the end users' data. The employee then uploaded the information to a server located in China through which the information was sent to the customer.
    • Consequences: The customer found that their network was remotely accessed from China without their authorization, and the sensitive data was sent to China. The customer filed a serious complaint and asked Company A for explanation.
    [Figure labels: Customer Network; Access a European customer's network remotely.]
    Illustration dialogue:
    Customer: "Our network is remotely accessed by someone from China. Is it a Chinese spy?"
    Customer Service Engineer: "Though I am on vacation, I still handle customer requests. How dedicated I am!"
  • 24. Consider: Key Points of Cyber Security
    Which cyber security issues do we need to consider in our daily work?
  • 25. Answer: Key Points of Cyber Security
    Scenario: Accessing the customer's network.
    1. Customer authorization is a prerequisite. Without the customer's written permission, employees are not allowed to access the customer's network.
    2. Do not use other people's accounts. Employees are not allowed to use other people's accounts or unauthorized accounts to log into customer equipment.
    3. Be cautious when launching any remote access. Employees are not allowed to access a customer's network remotely without the customer's written authorization. Employees are prohibited from accessing the networks of customers in sensitive regions remotely from China.
    4. Check and kill viruses. We must kill viruses on all computers, communications terminals, and storage media before using them to access the customer's network.
    Scenario: Operating the customer's network.
    5. Customer authorization is necessary. Without the customer's written authorization, employees are not allowed to install or use any software in the customer's network. Without the customer's written authorization, employees are not allowed to collect data contained in the customer's network. Never perform any operations that are beyond the scope of the customer's written authorization.
    6. Use only official software and tools. Never use software versions, patches, licenses, or tools that are not obtained through Huawei's official channels (such as the Support Website, delivered with equipment, or official procurement by field offices).
    7. Be cautious when sending data back to China. (1) Employees are not allowed to send data (including personal data) in a customer's network back to China without the customer's written authorization. (2) Even though customer authorization has been obtained, employees are still not allowed to send personal data of customers located in sensitive countries back to China.
    8. Keep accounts and passwords secret. Without the customer's written authorization, employees are not allowed to disseminate or share accounts and/or passwords.
    9. Never disrupt a customer's network. Employees are prohibited from attacking or disrupting a customer's network, or cracking the customer's accounts and/or passwords.
    Scenario: Leaving the post that involves work relating to the customer's network.
    10. Do not take the customer's data. Without the customer's written authorization, employees are not allowed to take equipment or storage media that contain data (including personal data) in the customer's network away from the customer's premises.
    11. Do not expose the customer's data. Employees are not allowed to expose or disseminate data and information contained in the customer's network.
    12. Relinquish accounts. After a customer's network is put into commercial use or is maintained by another party, employees must relinquish and delete their administrator accounts and any other accounts that become unauthorized as a result.
  • 26. Chapter 1 What Is Cyber Security About?
    Chapter 2 Cyber Security Case Studies
    Chapter 3 Requirements and Regulations on Cyber Security
  • 27. Red Lines of GTS Cyber Security Conducts
    1. Access customer's system and collect, process, or modify the data and information on customer network without documented permission.
    2. Connect personal portable device or storage media to customer network without documented permission.
    3. Operations beyond the scope approved by customer.
    4. Operations by using other people's account or unauthorized account to log in to customer's devices.
    5. Implant malicious codes, malicious software, backdoor, reserve concealed interfaces or accounts in products or services.
    6. Attack and undermine customer networks. Crack customer's account password.
    7. Disclose and spread the data and information on customer's network.
    8. Use shared accounts and passwords without customer's documented permission.
    9. Retain or use the administrator account and unauthorized accounts after the commercial use of network or the maintenance transition.
    10. Run illegal software on customer network. Use software versions, patches, or licenses that are not obtained through official channels.
    11. Use information and data in customer's system to seek improper gains or for illegal purposes.
  • 28. Accountability System of Cyber Security Violation
    • Purpose: to improve employees' cyber security awareness, mitigate risks of cyber security violations and ensure smooth operation of the corporate business; to take disciplinary actions against cyber security violations through a strict accountability system.
    • Principle: Accountability is not based on the consequence or whether the actor had malicious intent. Instead, it is based on the behavior itself. The actor has to bear liability if he/she violates the laws or regulations.
    • Accountability levels & measures:
    Accountability Level 1. Cyber security violations: Level 1 of Cyber Security Violations, or causing severe crises, complaints, severe loss, potential security dangers, and risks. Punishment:
      1. Terminate the employment contract with the violator.
      2. Do not provide economic compensation for the violator in situations where no economic compensation should be paid according to the Regulations on Compensation for Employment Contract Rescinding or Termination (Huawei BOD Doc. No. [2007] 01).
      3. Pursue or reserve the right to pursue legal actions against the employee if he/she violates the laws and regulations.
      4. Record the incident in the Employee Integrity Database and never rehire the employee.
    Accountability Level 2. Cyber security violations: Level 2 of Cyber Security Violations (see Attachment 1), or causing major customer complaints, loss, potential security dangers, and risks. Punishment:
      1. Give severe warning to the violator.
      2. Specify the violation as a key event to the competency and qualification of the violator, demote the violator and decrease the violator's benefits based on the violator's position.
      3. Record the incident in the Employee Integrity Database.
    Accountability Level 3. Cyber security violations: Level 3 of Cyber Security Violations, or causing minor loss, potential security dangers, and risks. Punishment:
      1. Give minor warning to the violator.
      2. Reduce the grade of related incentive appraisal.
      3. Two level-3 violations within 12 months will be escalated to one level-2 violation.
      4. Record the incident in the Employee Integrity Database.
    Accountability Level 4. Cyber security violations: Level 4 of Cyber Security Violations, or causing no loss, but causing minor potential security dangers and risks. Punishment:
      1. Warn the violator by email.
      2. The violation should be considered during the violator's incentive appraisal.
      3. Two level-4 violations within 12 months will be escalated to one level-3 violation.
  • 29. Cyber security violations in various scenarios (1/2)
    Scenario: Common behavior
    • Use networks to carry out any activities that harm national security and the public interest, steal or destroy others' data, infringe others' legal rights; be instigated or bribed or take advantage of one's position to carry out any of the above activities. (Level 1)
    • Without written authorization from the customer, access the customer's network; collect, keep, process and modify any data and information in the customer's network. (Level 1)
    • Disclose and disseminate data and information in customers' networks. (Level 1)
    • Without written authorization from the customer, access and process users' voice information, accurate location information and key pressing information; those behaviors that may lead to suspicion of infringement of users' private communication content and personal data. (Level 1)
    • Without written authorization from the customer, remove devices or storage media with customer network data (including personal data) out of the customer's premises. (Level 1)
    • Attack and crack communication facilities like customers' network; crack customers' passwords of accounts. (Level 1)
    • Embed any malicious code, malware and backdoor in products or services; maintain any undocumented interfaces and accounts. (Level 1)
    • Without the authorization of the company, hold and disseminate the relevant information of product security vulnerabilities. (Level 2)
    Scenario: Customer communication & commitment
    • Without written authorization from the customer, use any data and information from the customer's network for external communication except the data and information from public channels. (Level 1)
    • Without written authorization from the customer, disclose and disseminate the customer's confidential information in external communication. (Level 1)
    • Make commitments to customers that may violate the relevant cyber security laws (e.g.: Disrupt, Monitor, Track etc.). (Level 1)
    • Without the authorization of the company, reveal or disclose redline problems or vulnerabilities or other information that may arouse customers' cyber security concerns in external communication. (Level 2)
    • Disseminate methods or tools to break the system of terminal devices (jailbreak). (Level 3)
    • In customer communication and demonstrations, use sensitive wording in the materials or presentation that makes customers misunderstand our cyber security. (Level 3)
  • 30. Cyber security violations in various scenarios (2/2)
    Scenario: Delivery & Service
    • Without written authorization from the customer, access the customer's operation networks of production or testing, or office network etc., by using equipment like computers, communication devices and storage media to carry out any operation beyond the approval of the customer. (Level 1)
    • Without written authorization from the customer, install or run software in the customer's network; or use any software versions, patches, licenses and software tools that are not from official channels. (Level 1)
    • Without written authorization from the customer, use self-designed or third party tools for data collection and performance analysis, etc. (Level 1)
    • Log in on a system by using others' accounts or an unauthorized account to carry out operations. (Level 1)
    • Retain or use the previous administrator account or other unauthorized accounts after the system is in commercial use or has been transferred to the maintenance phase. (Level 1)
    • Collecting and processing personal data without the users' authorization in the after-sales repair process of devices. (Level 1)
    • Without written authorization from the customer or the onsite supervision of the designated person, access and maintain legal interception interfaces or transfer relevant information out of the operators' network. (Level 1)
    • Without written authorization from the customer, remotely access the customer's network from China. (Level 1)
    • Without written authorization from the customer, transfer the customer's network data (including personal data) back to China. (Level 1)
    • Not killing viruses in computers, communication devices and storage media before accessing the customer's network, which causes the customer network to be infected with a virus or a virus to be detected on the customer network. (Level 2)
    • Without written authorization from the customer, disseminate and use shared accounts and passwords. (Level 2)
    • After the expiration of the customer's authorization, fail to delete and destroy the stored customer network data. (Level 2)
  • 31. Code of Conduct Concerning Cyber Security
    • Respect freedom and privacy; keep customer data secret.
    • Obtain customer authorization first; get access later.
    • Keep account and passwords secret; never share your account with anybody.
    • Use official software and tools; always check and kill viruses.
    • Be cautious when launching remote access; be vigilant when sending data back to China.
    • Report hidden dangers immediately; the company needs an early warning.
    • Avoid behaviors that may cause violations; increase security awareness.
  • 32. Assistance and Feedback Channels for Cyber Security Issues
    Assistance and feedback channels:
    • First, you can seek help from your business supervisor.
    • Second, you can seek help from local lawyers or Cyber Security contact persons.
    • If you find any external forums or third-party individuals or organizations providing security vulnerabilities of products, please report this information to the GTS Cyber Security community.
    GTS cyber security community: http://3ms.huawei.com/hi/group/1005849
    You can gain knowledge, discuss issues, or seek help here. (Or you can enter "GTS cyber security community" on the W3 home page to find the link.)
  • 34. Attachment: High risk regions of cyber security
    Country | Rep office | Region
    Europe (all countries in WE and NE Regions)
    UK | UK office | Western Europe Sub-Regional Division
    Ireland
    France | France office
    Germany | Germany office
    Italy | Italy office
    Malta
    Switzerland
    Liechtenstein
    The Netherlands | The Netherlands office
    Belgium
    Luxemburg
    Portugal | Spain & Portugal office
    Spain
    Poland | Poland office | Eastern Europe Sub-Regional Division
    Estonia
    Latvia
    Republic of Lithuania
    Hungary | Hungary office
    Czech | Czech office
    Slovakia
    Slovenia
    Austria
    Greece | Greece office
    Bulgaria
    Cyprus
    Sweden | Sweden office
    Denmark
    Finland
    Norway
    Iceland
    Romania | Romania office
    North America
    United States | USA office | USA office
    Canada | Canada office | Canada office
    Southern Pacific
    Australia | Australia office | Southern Pacific Sub-Regional Division
    New Zealand
    Japan
    Japan | Japan office | Japan office
  • 35. Learning materials for GTS employees
    • Huawei GCSC Doc. No.[2012] 02 - Compliance Policy of Privacy Protection & Cyber Security
    • Huawei GCSC Doc. No.[2012] 05 - Accountability System of Cyber Security Violations
    • HW GTS Dept Doc. No.006[2012] - Red Lines Management Regulations of GTS Cyber Security Conducts
    • HW GTS Dept Joint Cir _No 020 2012 - Requirements on Anti-Virus before Laptops Accessing to Customer Networks
    • HW GTS Dept Cir No.018[2012] - Notice on Controlling Remote Access Security Risks
    • GTS PMO Dept. Cir. No.[2013] Requirements Regarding Enhancing Cyber Security Management in Major Delivery Projects Management
    • Huawei CNBG GTS Q&O Dept. No. [2013]005 - Notice on Enhancing the Field Cyber Security Management for Staff on Business Trip
    Link to GTS Cyber Security related circulars: http://3ms.huawei.com/hi/group/1005849/thread_3553999.html?mapId=1998927
    Link to the service delivery cyber security flash: http://ilearning.huawei.com/ilearning/app/management/LMS_ActDetails.aspx?UserMode=0&ActivityId=15145