ZTE Corporation has shed light on the company’s cybersecurity assurance through remarks by its Chief Security Officer, Zhong Hong.
According to Mr. Zhong Hong, ZTE puts the security of its customers above commercial interests and complies with relevant laws and regulations on cybersecurity so as to ensure the end-to-end delivery of secure and trustworthy products and services.
Cybersecurity is one of the highest priorities for ZTE’s product development and delivery. ZTE will establish a holistic cybersecurity governance structure based on the company’s development strategy plan, with reference to international standards, laws, and regulations, thereby fostering good security awareness among all employees and emphasizing the security of the entire process.
In order to achieve end-to-end secure delivery of products and services, ZTE integrates security policies and controls into every phase of the product lifecycle, establishing a cybersecurity assurance mechanism covering areas such as product development, supply chain and manufacturing, engineering services, security incident management, and verification and audits. Meanwhile, ZTE has also built a three-lines-of-defense cybersecurity governance structure to implement baselined, process-oriented, and closed-loop security management.
In terms of organizational structure, ZTE has adopted the three-lines-of-defense cybersecurity governance model to implement and review cybersecurity from multiple perspectives. The business units act as the first line of defense, achieving cybersecurity self-management and control, while the company security laboratory functions as the second line of defense, implementing independent security verification and supervision. External professional institutions and customers act as the third line of defense, auditing the effectiveness of the first and second lines.
ZTE’s Product Security Incident Response Team (PSIRT) identifies and analyzes security incidents, tracks incident handling processes, and communicates closely with internal and external stakeholders to disclose security vulnerabilities in a timely manner and mitigate the adverse effects of security incidents. As a member of the Forum of Incident Response and Security Teams (FIRST) and a CVE Numbering Authority (CNA), ZTE is collaborating with customers and stakeholders in a more open manner.
ZTE passed ISO 27001 certification for information security management systems in 2005 and has renewed its certificate every year since. In 2017, ZTE passed ISO 28000 (Specification for security management systems for the supply chain) certification.
In terms of security assessment, the company employs internationally certified professionals holding CISSP, CISA, CCIE, CISAW, and CCSK credentials, enabling mature, multidimensional security assessment capabilities in code review, vulnerability scanning, and penetration testing.