Unleash Your Potential - Namagunga Girls Coding Club
Cyber Security Education Materials.pptx
1. HUAWEI TECHNOLOGIES CO., LTD.
www.huawei.com
Huawei Confidential
Security Level: Internal Public
December 27, 2023
April, 2014
Cyber Security Awareness and
Code of Conduct
INTERNAL
Cyber Security Office, GTS
2.
Chapter 1 What Is Cyber Security About?
Chapter 2 Cyber Security Case Studies
Chapter 3 Requirements and Regulations on
Cyber Security
3.
Cyber Security Issues May Lead to International Political Crisis
Caution:
Telecommunications networks are key national infrastructure; any risk to them might bring a crisis even to a whole country.
Cyber security is not only a technical issue; it may lead to an international political crisis.
8th October 2012: The US Congress released an investigative report on the US national security issues posed by Huawei and ZTE.
6th June 2013: Snowden disclosed that the National Security Agency and the United States Federal Bureau of Investigation were carrying out a secret project code-named "PRISM", directly accessing the central servers of nine U.S. Internet companies and mining data to collect intelligence.
24th March 2014: In response to recent media reports that the U.S. National Security Agency (NSA) had invaded Huawei servers, Huawei in Shenzhen responded by saying: Huawei opposes all acts that endanger network security.
4.
Cyber Security Is Critical to Company’s Survival
As the British media revealed on July 5, 2011, employees of the News of the World had illegally eavesdropped on voice-mails and deleted voice messages on the mobile phone of slain schoolgirl Milly Dowler while police were searching for the missing 13-year-old in 2002, interfering with a police investigation into the missing person-turned-murder case.
On July 6, 2011, more reports exposed the phone-hacking scandal. On the same day, Prime Minister Cameron requested that an investigation into the matter be initiated.
The 168-year-old newspaper was one of the best-selling newspapers in the UK. As a result of the scandal, the publication was shut down on July 10, 2011.
On July 4, 2014, Andy Coulson, British Prime Minister David Cameron's former media director (editor of the News of the World, 2003-2007), who had been convicted of involvement in the wiretapping plan, was sentenced to 18 months in jail.
The News of the World closed down because of illegal interception and monitoring.
5.
Cyber security is to ensure the availability, integrity, confidentiality, traceability, and robustness & resilience of products, solutions, and services based on a legal framework. Additionally, it protects the customers' or users' communication content, personal data and privacy carried therein, and the flow of unbiased information.
Cyber security assurance aims to protect the economic benefits and reputation of Huawei and its customers from harm. Cyber security protects Huawei's employees and the company itself from bearing civil, administrative, or even criminal liability, and prevents cyber security from being used as an excuse for trade protection or from becoming a fuse that sets off an international political crisis, which may lead to the collapse of the company.
Carried & protected data/privacy
Business continuity & robust network
Integrity, Availability, Confidentiality, Traceability, Robustness & Resilience
1: Cyber security = Information security
2: Cyber security = anti-attack & anti-virus
3: Cyber security = physical & personal safety
4: Cyber = Network
What is Cyber Security?
Huawei definition of Cyber Security
Cyber Security
Cyber security is to protect customers' networks and, at the same time, to protect Huawei and Huawei's employees.
6.
Government supervision
Many countries, such as the US and countries in the EU, regard cyber security as an integral part of their national security strategy.
Governments of the UK, France, India, etc. have proposed security compliance requirements on operators and vendors through government supervision, laws and regulations, based on trust issues and security concerns.
Legal regulations
The legislation of cyber security and privacy protection globally tends to become more stringent.
In European and American countries, compared with a general corporate legal breach (tax, IPR, breach of contract), a breach of cyber security legislation will be seen in the light of a violation of human rights and a national security threat. Therefore, government and the public will condemn it more aggressively, and it is more likely to damage the trustworthiness of the company.
Technical impact
As ICT technology becomes increasingly open, telecom networks develop towards all-IP, devices become smarter, and multiple businesses converge, the telecom network is facing increasingly serious security threats and challenges. Vendors should attach great importance to robustness & resilience.
Improper solutions or implementation (e.g. an undocumented interface) may trigger external attacks and cause a trust crisis.
Cyber security incidents cause material risks and losses to customers' normal business. Security protection must be enhanced to further reduce the cost of security management and O&M.
Market access
Major security issues in the industry and cyber security concerns make vendors lose orders or prevent them from entering key markets.
Operators transfer the legal obligations to vendors. More and more mainstream operators require vendors to sign security agreements and to comply with local laws and regulations, and propose requirements on product security, security education, vetting, etc. E.g.: all Indian operators prescribe that a vendor will face a large penalty and withdrawal from the network if any security problems are found.
Cyber security concern is the trend of the times
7.
"It (cyber security) is for our survival."
"Recession is tolerable but collapse is not. Be more aware of cyber security. Do not cause any cyber security issues that may lead to international political crisis."
--- Huawei EMT Meeting Minutes No. [2012] 003 Summary of Cyber Security Meeting (Excerpts)
Cyber security is one of the important strategies for Huawei
8.
Cyber Security
Content in BCG
Outline
4.1 Support the secure operation of customers’ networks and business
Huawei will never tolerate any of the following conduct:
• Accessing, without customers’ authorization, customers’ systems and equipment to collect, possess, process or
modify data and information in customers’ networks and equipment, or disclose and disseminate customers’ data
and information.
• Embedding malicious code, malware or backdoors in products and services, developing and/ or distributing
viruses, or conducting other illegal behavior.
• Attacking, destroying or damaging customers’ networks or taking advantage of customers’ networks to steal or
destroy information or commit any activity that endangers national security, the public interest, or the legal rights
and/or interests of other parties.
• Soliciting or helping any third party to do any of the above.
2.0 Basic Guidelines
The responsibility to protect the security of customers’ network and business will never be outweighed by
the Company’s own commercial interests.
4.2 Protect End Users’ Privacy and Communication Freedom
• The Universal Declaration of Human Rights states that no one shall be subjected to arbitrary interference with their
privacy and correspondence. Many countries have implemented, or are planning to implement, privacy or personal
data protection laws.
Huawei will never tolerate any of the following conduct:
• Illegal collection, disclosure, distortion, impairment, sale or provision of end users’ personal data and information.
• Misuse of information and telecommunication technology to conduct surveillance on end users’ communications
and / or movements, or to block or disrupt communications, or to restrict the free flow of unbiased information.
As a leading global ICT solutions provider, we provide information network products and services. The global network
needs to be stable at all times. It is our primary social responsibility to support stable and secure networks for
customers, including in times of natural disasters, such as earthquake and tsunami, and other emergencies like war.
Cyber Security Requirements have been Included in BCG as one Commercial
Conduct Regulation
9.
Carrier Network BG Cyber Security Office
Consumer BG Cyber Security Office
Enterprise BG Cyber Security Office
GCSC: Strategic direction. Responsible for agreeing the
strategy, planning, policies, road map, investment, driving the
implementation resolving conflicting strategic priorities and
auditing.
GCSO: Leading the team to develop the security strategy,
establishing the cyber security assurance system internally,
supporting GR/PR and supporting global accounts customers
externally.
GCSO Office: coordinating related departments to formulate
detailed operational rules and actions to support the strategy
and its implementation, promoting the application, auditing
and tracking of the implementation. The company focal point
to identify and resolve cyber security issues
Regional/Department Security Officers: Accountable for working with GCSO to identify changes to departmental/business unit processes so that the cyber security strategy and its requirements are fully embedded in their areas. They are also experts in their own right and contribute to the development and enhancement of the strategy.
Director of GCSO Office: Jupiter Wang
CEO: Ren Zhengfei
GCSO: John Suffolk
Chairman of GCSC: Ken Hu
Organization chart units: PAC; LA; MKT; JCR; CHR; BP&IT; Audit; Security Competence Centre; Supply Chain Cyber Security Office; 2012 Lab Cyber Security Office; CCSO of USA; CCSO of France; CCSO of India; Procurement Cyber Security Office; External Cyber Security Lab/CSEC; CCSO of UK; Internal Cyber Security Lab
Huawei Cyber Security Management Organization
10.
Implement Cyber Security Policy Requirements, Proactively Identify Risk Points
Domain: Policy recommendations
Laws: Huawei complies with all applicable laws and regulations in each administrative region, tracking cyber security-related legislation, particularly legislative requirements related to critical infrastructure.
R&D: Local R&D institutions shall comply with the cyber security requirements and the baseline of local laws and regulations.
Verification: Guide the customer's certification requirements are: internal cyber security validation lab, sharing the reports, Security Certification Center, third-party testing agency. Certification involves the use of safety and the need for government intervention endorsement, third-party testing to avoid source-level testing.
Sales: Proactively identify customer cyber security requirements and manage and deliver them effectively; update sales management and control strategies in a timely manner to ensure they are implemented.
GTS: Enhance personnel's cyber security awareness, customer authorization awareness, and customer data protection.
Emergency Response: According to the frontline country and key account, make the CERT connection through PSIRT.
Supply chain: On the reverse logistics deal with the GTS comply with the provisions of the storage medium, for customer data clean-up and even scrap material handling.
Procurement: Strengthen local procurement and the project management of outsourcers; sign back-to-back security agreements to transfer the network security requirements.
HR: Locally, in conjunction with national or regional legal requirements, localize human resources policy.
11.
GTS Cyber Security Management Organization
• Implementing cyber security
management and internal control
requirements to ensure the healthy
development of the business
Managers at all levels is the first
responsibility of cyber security and internal
controls. To keep the risks to cyber security
and internal control, the initiative to prevent
and reduce the incidence of the problem, to
put an end to cyber security, internal control
and to guard against corruption. From HQ
and frontline, managers at all levels have to
really pay attention to cyber security
management, business executives are the
first responsible person
--Liang Hua at
GTS Annual Conference in 2012
[Organization chart: GTS, Region, PS, DS, Q&O, CSO, Region Q&O, NIS, AMS, LS, PMO, RMD, Security TDT; annotation: "Appoint the responsibility"]
12.
GTS Cyber Security Management Organization
[Diagram labels: Policy; Bidding, FAQ; Business Improvement; Rules, Process; Consciousness; Check; Security TDT; CSO; Standard; Technical; Problem Mgmt; Process Merge; Business Improvement; Redline Rectify; Forecast; Training & Campaign; Technical Implement; Self-check; BU]
Cyber Security Office (CSO)
Policy Analysis: Analyze company policies and issue GTS guidance documents; support the safety part of bidding; FAQs
Business Improvement: Develop GTS business improvement rules to promote process integration
Consciousness Atmosphere: Create a safe cyber security atmosphere in GTS, enhance employee safety awareness
Check: Develop operational security check standards and an inspection system, periodically inspect business security risks and promote business improvement
Cyber security TDT
Security Technology Standards: Develop GTS business security technology standards to provide input for BU business
Security Technology Solutions: Promote security technology solutions, to let BU business technically meet the operational and compliance requirements
Security Problem Management: Build a security management mechanism, discover cyber security issues in process and technology to improve the business
BU
Business Improvement Implementation: Join the business improvement program organized by CSO, execute the plans and security processes into the red rectification (services & physical products)
Consciousness Atmosphere: Create a positive BU internal cyber security environment, enhance employee safety awareness
Check: Perform business security self-checks to find risks and correct them in time
Technical implementation: Complete the implementation of cyber security solutions in BU
Pre-warning management: cyber security early warning into early warning management product category
Monitor
13.
Through continuous business improvement and building systems /
platforms / tools, pay close attention to the regional implementation and
compliance, eliminate cyber security incidents caused by human errors
GTS cyber security management architecture
Strategy II . Improve robustness of systems and platforms,
and capability of security services.
Measure 5 : Complete security redline tests on 100% tool
software and clear non-compliance tools.
Measure 6 : Apply the "three locks" and achieve manageable
and traceable remote access.
Measure 7 : Develop security serviceability to support
security delivery in the frontline.
Strategy I. Persist in service improvement and reduce cyber security risks.
Measure 1: Further refine the cyber security business standards, form clear, executable guidance and implement improvements.
Measure 2: Perform penetration tests on Romania GSC networks to improve the cyber security capability.
Measure 3: Improve E2E customer data management and eliminate related risks in data sensitive areas.
Measure 4: Prevent any controlled spare parts from being returned to China by implementing customer authorization and return repair processes.
Meet customer demands and gain trust in cyber security.
Customer security demands
Portfolio
Security serviceability (physical products)
SOP (Instruction guides, contract templates)
Security platform hardening
Tool software security authentication
Network deployment
Build cyber security on product elements.
Make a sales control system and salable list.
Review bids/contracts.
Build cyber security on service sales.
System integration service
Network deployment service
Customer support service
Customer experience service
Training service
Management service
Consultant service
Global delivery organizations consistently comply with cyber security requirements.
Behavior standardization
Privacy protection
Security hardening
Software integrity
…
Accountability system
Network OM and customer support
Project management
Build cyber security on delivery execution.
Self-check and audit
Security technologies/Management standards
Strategy III. Continually educate staff about cyber security to
improve security delivery compliance.
Measure 8 : Take measures on data and account management
to eliminate outflow of sensitive data.
Measure 9 : Improve cyber security awareness of staff and
apply management responsibilities at the project level.
For GTS, the largest cyber security risks come from employee behavior. Each employee must be responsible for what he has done, to avoid unintentional violations.
14.
Build a cyber security responsibility matrix in GTS to ensure cyber security requirements can be fulfilled in service and delivery activities
HQ (GTS BUs / CSO/TDT)
Region & Key Account (BU Manager / CSO)
Project (PD/PM/TD/PC/QA)
Undertake cyber security policy
• Regional security programs / platform construction
• Establish notification mechanism. Organize handling of security incidents
• Improve business continuously by self-audit & correction
Analysis of customer needs on cyber security to develop business rules and establish GTS management system
• Analysis of cyber security from customer/government to develop business rules
• Integrate cyber security elements into the GTS delivery process to meet requirements
• Develop GSC solutions and deliverable tools to meet operational safety requirements with technology
• Build a cyber security responsibility matrix in GTS: the competent responsibilities and levels; improve business continuously by self-audit & correction.
1) Deliver service in line with cyber security policy according to the delivery process
• Data protection
• Process approval
• Sub-contractor
2) Discuss data privacy protection measures with the customer in the delivery process
3) Routinely learn cyber security requirements, cases, etc.; periodically self-check delivery activities
Actively thinking security business
• Analysis of local government & customer requirements on CS; organize workshops on CS
• Customize security solutions according to customer demand
• Provide demands on CS serviceable features
• Check on configuration
• Manage access accounts
• Identify & give notice of safety issues
15.
Key Dimensions of
Cyber Security
High
Low
USA, Australia, and China
Taiwan
Japan, France, Germany,
Great Britain, New Zealand,
Denmark, Canada, and
South Korea
Other countries
Coverage
of VDF
subnets
Coverage
of TEF, FT,
DT
subnets
Government:
36 countries that are
sensitive to cyber security,
defined by Huawei
Customer:
Customers with high
requirements on cyber
security, such as VDF,
Telefonica, FT, and DT
Regional implementation:
(Self-check results and
cyber security events of
2013)
Regions in which the cyber
security risk is high and
security events frequently
occur, such as South
Pacific, Mid-Asia, and
South America
Medium
Russia, Saudi Arabia,
Turkey, Austria, Spain, Italy,
Poland, Mexico, Brazil,
South Africa, India, Malaysia,
and Indonesia
High and medium level regions: Be aligned with
customers' requirements on cyber security and
manage big risks.
Formulate service-based management schemes for regions. -Q1
Implement anonymity in data collection, to prevent leaking of personal data.
Account management: Clear the accounts of personnel who have quit and staff whose positions have shifted. -Q2
Focus audits on these areas: the implementation status of requirements on account use, customer authorization, E2E data management, project teams, etc.
Sensitivity Level Management Policy
Continuous education on cyber security
Routinely perform self-checks on implementation.
Account management: Solve the issues of incomplete transfer of transfer-to-maintenance accounts and the sharing of accounts. -Q3
Technical
sensitivity
Take Measures on Data and Account Management to
Eliminate Outflow of Sensitive Data
16.
Chapter 1 What Is Cyber Security About?
Chapter 2 Cyber Security Case Studies
Chapter 3 Requirements and Regulations
on Cyber Security
17.
GTS Should Focus on Cyber Security
Three business areas of the GTS are closely related to cyber
security. We attach great importance to cyber security of the GTS.
—Global Cyber Security Office Manager
GTS Businesses Are Closely Related to Cyber Security
Development of Service Products
The same as physical products, service products can also bring many cyber security problems, such as vulnerabilities, back doors, etc. Misuse of service products will cause serious damage.
Many tools used in delivery and service can also be used to access and collect sensitive information.
Sales of Service Products
Engineers of the GTS are also responsible for contacting customers. Their behaviors influence Huawei's image.
When communicating with customers, engineers should avoid using sensitive words and exercise caution not to share or expose customer information.
Project Delivery & Maintenance and Management Services
GTS staff often directly access customer networks, so they face high risks with respect to cyber security.
For example, they may access customer assets without authorization; misuse accounts and passwords; expose data in the customer network; get out of line to conduct remote operation or transfer data in the customer network; use tools obtained from non-official channels; use virus-infected computers to access customer assets.
Unauthorized access, remote access, and personal data transfer are illegal in most countries.
For GTS, the most severe cyber security risk is staff's behavior. Employees should avoid cyber security accidents caused by unawareness.
18.
Case Study I: Unauthorized Operation (Event Description)
Causes:
In September 20XX, in an engineering delivery project, in order to test and verify whether the email format sent from the customer's network was correct, Employee B from Company A, without obtaining the customer's written permission, added his personal email addresses (including qq.com, 163.com) to the list of email addresses to which alerts would be sent by the customer's network.
Consequences:
The customer's IT Department discovered the relevant records through its internal email system. The customer, very unsatisfied with Company A, made a complaint in writing claiming that Company A was very unprofessional and had brought forth information exposure risks.
Customer Service Engineer: "Without customer authorization, I modified...as necessary."
Customer: "Without my authorization, how dare you access my network."
19.
Case Study II: Using Another Person's Account to
Log into Customer's Network (Event Description)
Causes: Maintenance employees in Country F always change. New arrivals need to apply for their own accounts,
but the company's approval process takes a long time. These new arrivals therefore use other employees' accounts
to operate and maintain the customer's network.
Consequences:
In the customer's opinion, this company was very unprofessional. The customer
complained to regional executives of the company and expressed strong dissatisfaction.
This event decreased the customer's confidence in this company and was likely to
negatively influence later cooperation between the two.
"I haven't got my account yet. May I use yours to log into the customer's network?"
"Sure. My account is XXX."
"You are so unprofessional..."
Customer Service Engineer 2
Customer
Customer Service Engineer 1
20.
Case Study III: Exposing and Disseminating Data
in Customer Network (Event Description)
Causes: In an exhibition held by a company, service and sales employees of the
company talked with all visitors about how they improved the network
performance for Customer A and displayed this customer's network information
(including some confidential information).
Consequences:
Customers who visited the exhibition thought this company was very
unprofessional. They worried that their network information might one day be
displayed in such a manner. This event decreased the level of confidence these
potential customers had in the company.
Sales Personnel: "Hey, look at the network diagram of Company X. It used to have many problems."
Customer: "How can I trust you?"
21.
Case Study IV: Unauthorized Tools (Event Description)
Causes:
In May 2012, during a microwave delivery project, in order to enhance the delivery efficiency, engineer B of Company A requested tools from R&D employee C.
R&D employee C provided B with a tool that had not been strictly tested.
Project teams in the frontline used the tool to deliver many products. Unfortunately, when the delivery was almost completed, the tool triggered a fault and caused an incident.
Customer Service Engineer: "Project delivery is moving too slowly. I hope that R&D can provide us special tools to enhance the delivery."
R&D Engineer: "You are lucky! I have a tool that can help. I will send it to you directly."
Consequences:
Such behaviors caused N hours of service interruption in N sites and led to customer complaints.
Customer Service Engineer: "Oh my, what did I do?"
22.
Case Study V: Access Customer Network by Virus-
Infected Computer (Event Description)
Causes:
In March 20XX, when providing on-site maintenance for a customer, an
employee of Company A directly accessed the customer's network through a
virus-infected laptop.
The customer's security center detected data packets being sent outward, which triggered alerts.
Consequences:
This event attracted highly negative attention from the customer. The
customer's global security center sent weekly security reports to their CTO.
The customer clearly expressed: "The frequent occurrence of such events will
decrease confidence in your company."
Customer: "Why is so much data being sent outward? I am wondering if you are eavesdropping on us!"
Customer Service Engineer: "My computer is infected by a virus, but the customer requested services over and over, so I have to use this computer to access the customer's network."
23.
Case Study VI: Remote Access Brings Risks (Event
Description)
Causes:
Since April 20XX, a European customer required Company A to collect their end user’s data from the
customer's system and send the data to the customer every day.
In October 20XX, employee B of Company A who was responsible for the job was on vacation in
China. Without the customer's authorization, Employee B accessed the customer's network remotely
from China and downloaded the end user’s data. The employee then uploaded the information to a
server located in China through which the information was sent to the customer.
[Diagram: Customer Network; "Access a European customer's network remotely."]
Consequences:
The customer found that their network was remotely accessed from China without their authorization, and the sensitive data was sent to China. The customer filed a serious complaint and asked Company A for explanation.
Customer: "Our network is remotely accessed by someone from China. Is it a Chinese spy?"
Customer Service Engineer: "Though I am on vacation, I still handle customer requests. How dedicated I am!"
24.
Consider: Key Points of Cyber Security
Which cyber security issues do
we need to consider in our daily
work?
25.
Answer: Key Points of Cyber Security
Scenario / No. / Key points of focus with respect to cyber security

Scenario: Accessing the customer's network.
1. Customer authorization is a prerequisite. Without the customer's written permission, employees are not allowed to access the customer's network.
2. Do not use other people's accounts. Employees are not allowed to use other people's accounts or unauthorized accounts to log into customer equipment.
3. Be cautious when launching any remote access. Employees are not allowed to access a customer's network remotely without the customer's written authorization. Employees are prohibited from accessing the networks of customers in sensitive regions remotely from China.
4. Check and kill viruses. We must kill viruses on all computers, communications terminals, and storage media before using them to access the customer's network.

Scenario: Operating the customer's network.
5. Customer authorization is necessary. Without the customer's written authorization, employees are not allowed to install or use any software in the customer's network. Without the customer's written authorization, employees are not allowed to collect data contained in the customer's network. Never perform any operations that are beyond the scope of the customer's written authorization.
6. Use only official software and tools. Never use software versions, patches, licenses, or tools that are not obtained through Huawei's official channels (such as Support Website, delivered with equipment, or official procurement by field offices).
7. Be cautious when sending data back to China. (1) Employees are not allowed to send data (including personal data) in a customer's network back to China without the customer's written authorization. (2) Even though customer authorization has been obtained, employees are still not allowed to send personal data of customers located in sensitive countries back to China.
8. Keep accounts and passwords secret. Without the customer's written authorization, employees are not allowed to disseminate or share accounts and/or passwords.
9. Never disrupt a customer's network. Employees are prohibited from attacking or disrupting a customer's network, or cracking the customer's accounts and/or passwords.

Scenario: Leaving the post that involves work relating to the customer's network.
10. Do not take the customer's data. Without the customer's written authorization, employees are not allowed to take equipment or storage media that contain data (including personal data) in the customer's network away from the customer's premises.
11. Do not expose the customer's data. Employees are not allowed to expose or disseminate data and information contained in the customer's network.
12. Relinquish accounts. After a customer's network is put into commercial use or is maintained by another party, employees must relinquish and delete their administrator accounts and any other accounts that become unauthorized as a result.
26.
Chapter 1 What Is Cyber Security About?
Chapter 2 Cyber Security Case Studies
Chapter 3 Requirements and Regulations on
Cyber Security
27.
Red Lines of GTS Cyber Security Conducts
1. Access customer's system and collect, process, or modify the data and information on
customer network without documented permission.
2. Connect personal portable device or storage media to customer network without
documented permission.
3. Operations beyond the scope approved by customer.
4. Operations by using other people's account or unauthorized account to log in to
customer's devices.
5. Implant malicious codes, malicious software, backdoor, reserve concealed interfaces or
accounts in products or services.
6. Attack and undermine customer networks. Crack customer's account password.
7. Disclose and spread the data and information on customer's network.
8. Use shared accounts and passwords without customer's documented permission.
9. Retain or use the administrator account and unauthorized accounts after the commercial
use of network or the maintenance transition.
10. Run illegal software on customer network. Use software versions, patches, or licenses
that are not obtained through official channels.
11. Use information and data in customer's system to seek improper gains or for illegal
purposes.
28. Accountability System of Cyber Security Violation
Purpose: to improve employees’ cyber security awareness to mitigate risks of cyber security violations &
ensure smooth operation of the corporate business; take disciplinary actions against cyber security
violations through strict accountability system.
Principle:
• Accountability is not based on the consequence or whether the actor had malicious intent. Instead,
it is based on the behavior itself. The actor has to bear liability if he/she violates the laws or
regulations;
Accountability levels & measures
| Cyber Security Violations | Accountability Level | Punishment |
|---|---|---|
| Level 1 of Cyber Security Violations or causing severe crises, complaints, severe loss, potential security dangers, and risks | 1 | 1. Terminate the employment contract with the violator. 2. Do not provide economic compensation for the violator in situations where no economic compensation should be paid according to the Regulations on Compensation for Employment Contract Rescinding or Termination (Huawei BOD Doc. No. [2007] 01). 3. Pursue or reserve the right to pursue legal actions against the employee if he/she violates the laws and regulations. 4. Record the incident in the Employee Integrity Database and never rehire the employee. |
| Level 2 of Cyber Security Violations (see Attachment 1) or causing major customer complaints, loss, potential security dangers, and risks | 2 | 1. Give severe warning to the violator. 2. Specify the violation as a key event to the competency and qualification of the violator, demote the violator and decrease the violator's benefits based on the violator's position. 3. Record the incident in the Employee Integrity Database. |
| Level 3 of Cyber Security Violations or causing minor loss, potential security dangers, and risks | 3 | 1. Give minor warning to the violator. 2. Reduce the grade of related incentive appraisal. 3. Two level-3 violations within 12 months will be escalated to one level-2 violation. 4. Record the incident in the Employee Integrity Database. |
| Level 4 of Cyber Security Violations or causing no loss, but causing minor potential security dangers and risks | 4 | 1. Warn the violator by email. 2. The violation should be considered during the violator's incentive appraisal. 3. Two level-4 violations within 12 months will be escalated to one level-3 violation. |
29. Cyber security violations in various scenarios (1/2)
| Scenario | Description of cyber security violations | Level |
|---|---|---|
| Common behavior | Use networks to carry out any activities that harm national security and the public interest, steal or destroy others’ data, infringe others’ legal rights; be instigated or bribed or take advantage of one's position to carry out any of the above activities. | 1 |
| | Without written authorization from the customer, access the customer's network; collect, keep, process and modify any data and information in the customer's network. | 1 |
| | Disclose and disseminate data and information in customers’ networks. | 1 |
| | Without written authorization from the customer, access and process users' voice information, accurate location information and key pressing information; those behaviors that may lead to suspicion of infringement of users' private communication content and personal data. | 1 |
| | Without written authorization from the customer, remove devices or storage media with customer network data (including personal data) out of the customer's premises. | 1 |
| | Attack and crack communication facilities like customers' networks; crack customers' account passwords. | 1 |
| | Embed any malicious code, malware and backdoor in products or services; maintain any undocumented interfaces and accounts. | 1 |
| | Without the authorization of the company, hold and disseminate the relevant information of product security vulnerabilities. | 2 |
| Customer communication & commitment | Without written authorization from the customer, use any data and information from the customer's network for external communication except the data and information from public channels. | 1 |
| | Without written authorization from the customer, disclose and disseminate the customer's confidential information in external communication. | 1 |
| | Make commitments to customers that may violate the relevant cyber security laws (e.g. Disrupt, Monitor, Track, etc.). | 1 |
| | Without the authorization of the company, reveal or disclose redline problems or vulnerabilities or other information that may arouse customers' cyber security concerns in external communication. | 2 |
| | Disseminate methods or tools to break the system of terminal devices (jailbreak). | 3 |
| | In customer communication and demonstrations, use sensitive wording in the materials or presentation that makes customers misunderstand our cyber security. | 3 |
30. Cyber security violations in various scenarios (2/2)
| Scenario | Description of cyber security violations | Level |
|---|---|---|
| Delivery & Service | Without written authorization from the customer, access the customer's operation networks of production or testing, or office network etc., by using equipment like computers, communication devices and storage media to carry out any operation beyond the approval of the customer. | 1 |
| | Without written authorization from the customer, install or run software in the customer's network; or use any software versions, patches, licenses and software tools that are not from official channels. | 1 |
| | Without written authorization from the customer, use self-designed or third party tools for data collection and performance analysis, etc. | 1 |
| | Log in on a system by using others' accounts or an unauthorized account to carry out operations. | 1 |
| | Retain or use the previous administrator account or other unauthorized accounts after the system is in commercial use or has been transferred to the maintenance phase. | 1 |
| | Collecting and processing personal data without the users’ authorization in after-sales repairing process of devices. | 1 |
| | Without written authorization from the customer or the onsite supervision of the designated person, access and maintain legal interception interfaces or transfer relevant information out of the operators' network. | 1 |
| | Without written authorization from the customer, remotely access the customer's network from China. | 1 |
| | Without written authorization from the customer, transfer the customer's network data (including personal data) back to China. | 1 |
| | Not killing viruses in computers, communication devices and storage media before accessing the customer's network, which causes the customer network to be infected with a virus or a virus to be detected on the customer network. | 2 |
| | Without written authorization from the customer, disseminate and use shared accounts and passwords. | 2 |
| | After the expiration of the customer's authorization, fail to delete and destroy the stored customer network data. | 2 |
31. Code of Conduct Concerning Cyber Security
Respect freedom and privacy; keep customer data secret.
Obtain customer authorization first; get access later.
Keep account and passwords secret; never share your account with anybody.
Use official software and tools; always check and kill viruses.
Be cautious when launching remote access; be vigilant when sending data back to China.
Report hidden dangers immediately; the company needs an early warning.
Avoid behaviors that may cause violations; increase security awareness.
32. Assistance and Feedback Channels for Cyber Security Issues
Assistance and feedback channels:
First, you can seek help from your business supervisor.
Second, you can seek help from local lawyers or Cyber Security contact persons.
If you find any external forums and third-party individuals or organizations providing security vulnerabilities of products, please report this information to the GTS Cyber Security community.
GTS cyber security community: http://3ms.huawei.com/hi/group/1005849
You can gain knowledge, discuss issues, or seek help here.
(Or you can enter “GTS cyber security community” on the W3 home page to find the link.)
34. Attachment: High risk regions of cyber security
| | Country | Rep office | Region |
|---|---|---|---|
| Europe (all countries in WE and NE Regions) | UK | UK office | Western Europe Sub-Regional Division |
| | Ireland | | |
| | France | France office | |
| | Germany | Germany office | |
| | Italy | Italy office | |
| | Malta | | |
| | Switzerland | | |
| | Liechtenstein | | |
| | The Netherlands | The Netherlands office | |
| | Belgium | | |
| | Luxemburg | | |
| | Portugal | Spain & Portugal office | |
| | Spain | | |
| | Poland | Poland office | Eastern Europe Sub-Regional Division |
| | Estonia | | |
| | Latvia | | |
| | Republic of Lithuania | | |
| | Hungary | Hungary office | |
| | Czech | Czech office | |
| | Slovakia | | |
| | Slovenia | | |
| | Austria | | |
| | Greece | Greece office | |
| | Bulgaria | | |
| | Cyprus | | |
| | Sweden | Sweden office | |
| | Denmark | | |
| | Finland | | |
| | Norway | | |
| | Iceland | | |
| | Romania | Romania office | |
| North America | United States | USA office | USA office |
| | Canada | Canada office | Canada office |
| Southern Pacific | Australia | Australia office | Southern Pacific Sub-Regional Division |
| | New Zealand | | |
| Japan | Japan | Japan office | Japan office |
35. Learning materials for GTS employees
Huawei GCSC Doc. No.[2012] 02 -Compliance Policy of Privacy Protection & Cyber Security
Huawei GCSC Doc. No.[2012] 05 -Accountability System of Cyber Security Violations
HW GTS Dept Doc. No.006[2012]-Red Lines Management Regulations of GTS Cyber Security Conducts
HW GTS Dept Joint Cir _No 020 2012-Requirements on Anti-Virus before Laptops Accessing to Customer Networks
HW GTS Dept Cir No.018[2012]-Notice on Controlling Remote Access Security Risks
GTS PMO Dept. Cir. No.【2013】Requirements Regarding Enhancing Cyber Security Management in Major Delivery Projects Management
Huawei CNBG GTS Q&O Dept. No. [2013]005-Notice on Enhancing the Field Cyber Security Management for Staff on Business Trip
Link to GTS Cyber Security related circulars:
http://3ms.huawei.com/hi/group/1005849/thread_3553999.html?mapId=1998927
Link to the service delivery cyber security flash:
http://ilearning.huawei.com/ilearning/app/management/LMS_ActDetails.aspx?UserMode=0&ActivityId=15145