V100R003
Security Description
Issue 01
Date 2017-07-28
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Purpose
This document describes the security features of the system, helping you to understand the
security solution of Mobile Money.
Intended Audience
This document is intended for:
Technical support engineers
Maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.
Change History
Changes between document versions are cumulative. Therefore, the latest document issue
contains all changes made in previous issues.
Issue 01 (2017-07-28)
This issue is the first release.
1 Overview
Users denying operations, attackers exploiting applications without trace, and attackers
covering their tracks.
Spoofing, also called identity obfuscation, is a means to hide one's true identity on the
network. A fake source address is used that does not represent the actual packet
originator's address. Spoofing can be used to hide the original source of an attack or to
work around network access control lists (ACLs) that are in place to limit host access
based on source address rules.
Session hijacking
With session hijacking, also known as man-in-the-middle attacks, an attacker uses an
application that masquerades as either a client or a server. This results in either the server
or client being tricked into thinking that the upstream host is the legitimate host.
However, the upstream host is actually the attacker's host that is manipulating the
network so that it appears to be the desired destination. Session hijacking can be used to
obtain login information that can then be used to gain access to a system or to
confidential information.
Denial of service
A denial of service attack is the act of denying legitimate users access to a server or
services. Network-layer denial of service attacks usually try to deny service by flooding
the network with traffic, which consumes the available bandwidth and resources.
Security credentials and other sensitive data must be stored securely. Balances must be
protected against tampering. Bills transfer confidentiality and integrity must be ensured.
Transaction Security
The payment system must provide security mechanisms for transactions such as transfer
and payment.
Law and Standard Compliance
Information security monitoring, personal data protection, and privacy protection must
follow the relevant laws and standards.
The Mobile Money security design is based on Huawei security baseline, and business
analysis of Mobile Money. Mobile Money provides end-to-end security solutions from the
network, system, application, management, and legal compliance aspects.
Channel | Access Gateway | Authentication Factors
SP/Organization Portal | Portal | User Name + Password + Personal Certificate
USSD | USSD access gateway | MSISDN + PIN
STK | STK access gateway | MSISDN + PIN
IVR | API access gateway | MSISDN + PIN
ATM | API access gateway/ISO-8583 gateway | One time voucher code + PIN + Other KYC details
POS | API access gateway | To be defined later. The security authentication for API will be used at least.
API | API access gateway | Credential in API message + Third-party certificate

Channel | Access Gateway
SP/Organization Portal | Portal
USSD | USSD access gateway
STK | STK access gateway
IVR | API access gateway
ATM | API access gateway/ISO-8583 gateway
POS | API access gateway
API | API access gateway

Authorization Method:
Permission and role management: Any operation menu on a web portal can be defined as a
permission item. All permission items can be grouped as different roles to be assigned to
operators or customers.
Product and service assignment management: Products and services are assigned to
registered identities in the Mobile Money system. Mobile Money controls products and
services available to identities based on the assignment.
Identity Management
Identity in the system must be unique.
An administrator can create, delete, modify, lock, and unlock identities in the system.
If the name of an identity to be created is the same as that of a deleted identity, the new
identity cannot inherit any information (such as personal, authentication, and
authorization information) of the deleted identity.
An identity has multiple states. An identity administrator can maintain the status of an
identity.
An operator can be automatically locked if it has not been used for a specified number of
days (0-999). It is recommended that the default setting of 60 days be used. If the period
is set to 0, the automatic locking feature is disabled. A locked identity can be manually
unlocked only by an authorized identity administrator.
Authentication
Application account authentication mechanisms are as follows:
The system provides GUIs for login authentication and logout.
Multiple authentication factors are supported, for example, user name, password, and
digital certificate. Digital certificates can be associated with users to implement
bidirectional authorization.
For web application account authentication, web verification codes that support
background interference and character distortion are used to enhance the security.
Strong password policies must be used for the user name plus password authentication
mode.
When a user requests access to restricted resources or attempts an operation that requires
authentication, the system first authenticates and authorizes the user.
User authentication is performed on the application server to ensure the authentication
validity.
Service log cannot be bypassed. If a user fails to be authenticated, the user cannot
perform any operation.
The automatic login and password remembering functions are disabled for the web
application management portal.
To prevent server information leakage, the system does not prompt the detailed failure
cause if authentication fails.
Re-authentication is required for key management and business transactions to prevent
customer loss due to session hijacking and cross-site counterfeiting.
An identity will be locked if the number of failed login attempts reaches N in a specified
time period. On failed attempt N-1, the system warns the user that the identity will be
locked after one more unsuccessful login attempt.
The number of consecutive failed login attempts before being locked can be set to a
value between 0 and 99. The value 0 indicates that this feature is disabled. The default
value is 5.
If the number of consecutive login failures reaches a certain threshold, the system will
lock the password of the operator who attempts to log in. A locked password can be
automatically unlocked by the system after a specified time period, or manually
unlocked by an administrator. An administrator can also change the status of a common
user.
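
The lockout rules above, as an added Python example (not code from Mobile Money). The class and method names, the 600-second counting window and the 1800-second automatic unlock delay are assumptions; the 0-99 range, the default of 5, the "0 disables" rule and the warning on attempt N-1 come from the text.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5            # page: 0-99, 0 disables the feature, default 5
    window_seconds: int = 600        # assumed value for the "specified time period"
    auto_unlock_seconds: int = 1800  # assumed value for the automatic unlock delay

    def __post_init__(self):
        if not 0 <= self.max_failures <= 99:
            raise ValueError("max_failures must be between 0 and 99")


class LoginGuard:
    """Tracks failed logins per identity (hypothetical names, in-memory state)."""

    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock        # injectable so the policy can be tested without sleeping
        self._failures = {}       # identity -> timestamps of recent failures
        self._locked_at = {}      # identity -> time the lock was applied

    def unlock(self, identity):
        """Manual unlock by an administrator; also used for the automatic unlock."""
        self._locked_at.pop(identity, None)
        self._failures.pop(identity, None)

    def is_locked(self, identity):
        locked_at = self._locked_at.get(identity)
        if locked_at is None:
            return False
        if self.clock() - locked_at >= self.policy.auto_unlock_seconds:
            self.unlock(identity)
            return False
        return True

    def record_attempt(self, identity, success):
        """Return 'ok', 'failed', 'warn_last_attempt' or 'locked'."""
        # A locked identity is refused even when the password is correct.
        if self.is_locked(identity):
            return "locked"
        if success:
            self._failures.pop(identity, None)
            return "ok"
        if self.policy.max_failures == 0:      # feature disabled
            return "failed"
        now = self.clock()
        recent = [t for t in self._failures.get(identity, [])
                  if now - t < self.policy.window_seconds]
        recent.append(now)
        self._failures[identity] = recent
        if len(recent) >= self.policy.max_failures:
            self._locked_at[identity] = now
            return "locked"
        if len(recent) == self.policy.max_failures - 1:
            return "warn_last_attempt"         # one more failure locks the identity
        return "failed"
```
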
Digital Certificate
When an operator logs in to Mobile Money from a web GUI, Mobile Money authenticates the
operator by user name, password, and certificate (SN).
An operator can apply for a certificate from the Certificate Authority (CA) system and email
it to an administrator who has the permission to manage the certificate. The CA will be
responsible for this.
After being transmitted to an administrator, an operator certificate can be associated with
the operator in the operator creation procedure. When an operator is created, the
certificate serial number must be verified, collected, and stored in Mobile Money.
Password Policies
The following password policies are supported for application accounts:
The length of a password is configurable and ranges from 0 to 32 characters. The
minimum and maximum password lengths are configurable. A password must contain at
least eight characters by default.
A password must contain at least two of the following types of characters:
− One lowercase letter
− One uppercase letter
− One digit
− One special character: `~!@#$%^&*()-_=+\|[{}];:'",<.>/?, and space
If a password does not meet the requirement, the password setting fails, and the system
displays the error information.
The number of historic passwords that cannot be reused is configurable. The value must
be greater than 0. The default value 5 is recommended.
A validity period must be configured for passwords. The minimum validity period ranges
from 0 to 9999 minutes. The recommended validity period is 90 days. The maximum
validity period ranges from 0 to 999 days. If the validity period is set to 0 for a password,
the password will be effective permanently. The default setting is 90 days (about three
months).
If an operator's password is about to expire, the system can prompt the operator N
(configurable) days in advance when the operator logs in. The value of N ranges from 0
to 99. If N is set to 0, no advance expiration prompt will be displayed. The default setting
is 7 days.
When an operator changes the password, the old password is required. An operator
other than an administrator can change only the operator's own password.
A system administrator can reset the passwords of other users without being restricted by
the minimum password validity period.
An initial password can be provided for an operator or end user by default or by a system
administrator. When an operator or end user attempts to log in to the system, the system
requires the operator or end user to change the initial password and allows the login only
after the initial password is successfully changed.
Passwords must not be displayed in plaintext on the GUI, on terminals, or in logs. When
being entered on the GUI, passwords can be masked as asterisks (*) or not displayed.
Plaintext passwords stored in the memory (for example, during the login process) must
be erased immediately after being used.
Values of password fields cannot be copied.
Passwords must not be stored as plaintext in the system.
Access control can be implemented on password files. Common users cannot read or
copy the files.
A user can change the password only after being authenticated.
During the password changing process, a user must enter the new password twice to
confirm the new password.
In web applications, accounts whose passwords are to be changed can be obtained only
from server sessions and cannot be specified by clients.
A password cannot be the same as the account ID or the inverted account ID.
Complexity rules can be configured for default passwords of built-in accounts.
A weak password dictionary can be configured.
If an operator forgets the password, the operator can answer security questions to reset
the password. The system sends the new password to the operator by email or short
message if the operator has correctly answered all security questions.
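
An added Python example (not code from Mobile Money) of how the composition, account-ID, weak-dictionary and history rules above can be checked together while keeping only salted hashes of earlier passwords. The class, the sample dictionary entries and the use of PBKDF2 with 600,000 iterations are assumptions; the defaults of 8 to 32 characters, two character types and five historic passwords come from the text.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Special characters listed in the policy above, including the space.
SPECIALS = set("`~!@#$%^&*()-_=+\\|[{}];:'\",<.>/? ")


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 32
    min_classes: int = 2          # at least two of the four character types
    history_size: int = 5         # must be greater than 0
    weak_words: frozenset = frozenset({"password", "12345678", "qwerty123"})  # constructed
    iterations: int = 600_000     # assumed PBKDF2 work factor

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def violations(self, account_id, password, history=()):
        """Return the list of rules the candidate password breaks (empty if none)."""
        problems = []
        if not self.min_length <= len(password) <= self.max_length:
            problems.append("length")
        classes = sum((
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(c in SPECIALS for c in password),
        ))
        if classes < self.min_classes:
            problems.append("complexity")
        if password in (account_id, account_id[::-1]):
            problems.append("matches_account_id")
        if password.lower() in self.weak_words:
            problems.append("weak_dictionary")
        # History holds (salt, digest) pairs only; the candidate is re-hashed
        # with each stored salt and compared in constant time.
        if any(hmac.compare_digest(self._hash(password, salt), digest)
               for salt, digest in history[-self.history_size:]):
            problems.append("reused")
        return problems

    def change_password(self, account_id, new_password, history):
        """Validate, then append a salted hash and trim history to history_size."""
        problems = self.violations(account_id, new_password, history)
        if problems:
            return problems
        salt = os.urandom(16)
        history.append((salt, self._hash(new_password, salt)))
        del history[:-self.history_size]
        return []
```
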
Authorization Management
Application authorization management is described as follows:
The system uses a role-based account management model.
When an account is created, no role is assigned or the role with the minimum permission
is assigned by default.
The account used to run applications is an operating system account with the minimum
permission.
The account used to access the database system is a database account with the minimum
permission.
For each web page access or Servlet request that requires authorization, the system
verifies the user's permission and the validity of the user's session flag to prevent uniform
resource locator (URL) overstepping.
A user cannot access sensitive data of other users without permission.
Authorization data and user permission data are stored on a server instead of on a client.
Authentication is also executed on the server.
Only minimum permission is assigned on system directories and files, including
temporary directories and files generated during system running.
Functions are provided for updating digital certificate status and managing association
relationships of digital certificates.
Session Management
Session cookies are used to maintain sessions. The cookie of a session is released after
the session ends.
After a user name and password are authenticated, the session flag is changed to avoid
the session fixation vulnerability.
Information that cannot be modified during a session is stored and maintained as part of
the session on the server.
An exit or logout button or menu is provided on all pages that can be accessed only after
login.
When a user logs out, the user's session information is cleared.
Process security control is implemented on the server to ensure that processes are
executed and authentication steps are performed in the correct sequence.
If a user does not perform any operation in a specified period, the system automatically
logs off the user, or clears the user's session information.
Security Logs
All management activities and operation commands must be logged.
Logs must support follow-up audits and contain user IDs, time, event types, names of
resources that are accessed, access results, and so on.
User activities to be logged include:
− Logging in and logging out
− Adding, deleting, and modifying user attributes, such as accounts, passwords, and
validity periods
− Locking, unlocking, suspending, and resuming users
− Changing permission of a role
− Changing system security configurations, such as security log content
configurations.
− Changing key resources, such as deleting and modifying critical files
Operation commands to be logged include the commands for:
− Modifying system parameters
− Loading and unloading services
− Upgrading software locally or remotely
− Creating, deleting and modifying critical service data, especially finance-related
data, such as card IDs, balances, charge rates, fees, orders, vouchers, and bills.
− Executing command lines using accounts
An access control mechanism must be provided for logs to prevent unauthorized access,
deletion, and modification.
Privacy Protection
Private data to be exported out of the carrier network for error location must be filtered
and anonymized.
The system provides security protection mechanisms (such as authentication, permission
control, and logging) for personal data collection and processing.
Logs must not contain security credentials, bank account IDs, or service short messages.
Sensitive data is customizable based on market requirements and can be flagged using
labels in audit logs.
Interface Security
The system does not support functions for accessing the system or data by bypassing
security mechanisms such as authentication, permission control, and logging.
The system does not support secret access channels, including hidden accounts,
passwords, unauthenticated commands or parameters, combination keys, protocols,
ports, services, production commands or ports, commissioning commands or ports, and
operations (except the query operation) that are not logged.
The system does not support unmanageable authentication or access modes, such as
unmanageable account IDs, man-machine interfaces, hard-coded commands of remote
machine-machine interfaces, and interfaces that can access the system without
authentication.
All WebService interfaces are authenticated before being invoked.
Encrypted channels are used to transmit sensitive data through WebService interfaces.
Parameter values used for redirection must not contain any carriage return or line break
characters because these characters can be used in HTTP response split attacks.
Precompiled prepared statements can be used to replace SQL statements that are directly
executed, preventing the risk of SQL injection attacks.
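
The last two rules above, as an added Python example (not code from Mobile Money): a check that rejects CR/LF in a redirect parameter, and a concatenated query beside its prepared-statement form. The function names, table layout and sample rows are constructed, and the standard-library sqlite3 module stands in for the production database.

```python
import sqlite3
from urllib.parse import unquote


def is_safe_redirect_value(raw):
    """True if the parameter is free of CR/LF, both literal and percent-encoded.

    A value carrying CR/LF that is copied into a Location header lets the
    sender terminate the header and append content of their own choosing.
    """
    decoded = unquote(raw)          # %0d / %0a become \r / \n before the check
    return not any(ch in decoded for ch in "\r\n")


def make_db():
    """In-memory database with two constructed account rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (msisdn TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO account VALUES (?, ?, ?)",
                   [("2557000001", "alice", 5000), ("2557000002", "bob", 1200)])
    return db


def lookup_concatenated(db, msisdn):
    """'Before' form: the input becomes part of the SQL text itself."""
    sql = "SELECT owner, balance FROM account WHERE msisdn = '" + msisdn + "'"
    return db.execute(sql).fetchall()


def lookup_prepared(db, msisdn):
    """Prepared form: the input is bound as data and never parsed as SQL."""
    sql = "SELECT owner, balance FROM account WHERE msisdn = ?"
    return db.execute(sql, (msisdn,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"        # constructed input
    print(len(lookup_concatenated(db, hostile)), "rows via concatenation")
    print(len(lookup_prepared(db, hostile)), "rows via prepared statement")
    print(is_safe_redirect_value("/portal/home%0d%0aX-Injected:%201"))
```
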
Transaction Consistency
Account balances can be updated only during normal services when the balance in one
account is increased and the balance in another account is decreased.
Accounts are reconciled inside Mobile Money and with bank systems to ensure account
balance security.
empty and that the permission configurations for home directories and configuration files
are secure. Default mask codes are changed to prevent unauthorized access to files. If a
user does not perform any operation in a specified time period after logging in using a
maintenance account, the system automatically terminates the login session.
Password policy: Strong password policies are used and password life cycle management
is enabled. If a user enters incorrect passwords for a specified number of times when
logging in to the system, the system locks the user's account. When a user logs in to the
system using a password configured or reset by an administrator, the system requires the
user to change the password, and allows the user to log in only when the password is
successfully changed.
Login prompt: Internal system information is hidden and security alarms are configured
for SHELL and FTP login operations.
Database Security
Installation: Only required components and the latest verified patches are installed.
Operating system access: Only Oracle users and DBA groups are allowed to access
Oracle files. For the Oracle database, the default mask is set to 022 to prevent
replacement and modification on Oracle files.
Account management: Unused default accounts are locked and set to the Expired state.
Default passwords for these accounts are changed.
Password policies: Strong password policies are used to restrict the length and
composition (uppercase letters, lowercase letters, and digits) of passwords. Life cycle
control is applied over passwords. Historical passwords cannot be reused. For example, a
password must be changed after being used for a specified time period.
Permission control: Database user accounts must be verified. Data dictionaries and
system tables are protected against unnecessary access from common accounts. The
Public group is disabled and the permission of the Public group is revoked. The
administrator group, application work group, application maintenance group, backup
group, and log access group are set up and their database access permissions are
restricted. A user account is assigned only the predefined role with the minimum
permission required for work.
Network access: A firewall is used to restrict access to the database. Only port 1521
(configurable) can be used for access by default. Client IP addresses can also be
restricted to prevent unauthorized access. A listener is prevented from reading and
writing database files to prevent attacks to the database through a listener.
Auditing and log recording: All security events are logged and the audit function is
enabled for all data definition language (DDL) operations. For maintenance accounts, all
operations are audited. Activities of application running accounts can also be audited if
necessary. A special log access account is created for the centralized log server to
retrieve logs to be audited.
Transaction Point - TP
The TP is the core node of the Mobile Money system. The node includes the following
components:
− Transaction Center (TC): The TC processes transaction and action services and
handles accounting. The TC mainly consists of the account subsystem and
Transaction Execution Framework (TEF). The account subsystem provides the
capabilities to manage account entities, move funds (accounting), and update
account statements. The TEF controls the transaction execution process and ensures
that the account subsystem moves the funds between debit and credit accounts
successfully.
The TC is deployed in a load balanced cluster, which can be scaled out linearly.
− Identity Center (IC): The IC focuses on identity information management, identity
entity operation, and identity data provisioning.
The IC is deployed in a load balanced cluster, which can be scaled out linearly.
− Notification Center (NC): The NC is a bidirectional communication component
providing the capabilities to format and send notifications. It can send messages and
receive responses such as the SMS delivery confirmation from external systems.
The NC is deployed in a load balanced cluster, which can be scaled out linearly.
Business Supporting Point - BSP
The BSP runs all components supporting functions for core business services other than
real-time business logic. It includes the following components:
− Bulk Center (BC): The BC is a central point of the periodic task scheduling
in the Mobile Money system. The BC schedules tasks, delivers task items, handles
task item execution results, and allocates task data quota. The task is actually
executed in the relevant application component.
Management zone: includes the I2000 server or iTrace used to collect logs and alarm
information for the system and network devices.
Backup network: used to back up service data and operating system data from key
service running hosts. Only one switch is used in the backup network. A two-node cluster
can be configured based on customer requirements.
Disaster recovery network: used to transmit data between the production center and
disaster recovery center. Two switches working in active/standby mode are used in the
disaster recovery network to connect to remote networks. If the carrier has no
requirement on disaster recovery, the disaster recovery network can also be omitted. In
the Mobile Money networking, the disaster recovery data cable runs through the ATAE
backplane to ensure high data rate without occupying bandwidth of the switch board.
Security protection between the external access zone and DMZ zone:
The IPS intrusion detection system is deployed to prevent intrusion from the external
access zone.
IP address and port filtering policies are configured in firewall B. IP address filtering
policies are configured to prevent users in an external access zone from directly
accessing core services and the data zone. Users in an external access zone are allowed
to access only web server addresses in the DMZ zone. Port filtering policies are
configured to filter requests through non-MM service ports from external users.
The DMZ zone can access external zones through a firewall without destination address
restrictions.
Security protection between the external access zone and core service and data zone:
Policies are configured in firewall B so that servers in the DMZ zone can access only the core
internal service and data zone through specified communication ports.
Time Synchronization
The IP address of a time synchronization server can be configured in devices in the network
so that the time of devices can be synchronized to the server time.
3 Security Assurance
However, we accept that just because you have a process, that does not mean that it is a good
process, or that anyone actually executes the process. To address these issues, we have taken
the following actions:
1. Huawei has established standardized business processes globally and has identified
Global Process Owners (GPOs) for each process and Key Control Points (KCPs). In
addition, Huawei has established a Global Process Control Manual and a Segregation of
Duties Matrix that are applicable to all subsidiaries and business units. The GPOs are
responsible for ensuring the overall internal control effectiveness, in light of changes in
operational environment and risk exposures.
2. From a governance perspective, there is a standing Board Committee dedicated to cyber
security chaired by a Deputy Chairman. On this Board sit the main Board Members and
Global Process Owners who have a role in ensuring that cyber security requirements are
embedded in processes, policies and standards and that they are executed effectively. If
there is any conflict, or resource issue in cyber security, this committee has the power,
remit and seniority to make decisions and change the business without reference to
anyone else.
3. Huawei auditors use the Key Control Points and the Global Process Control manual to
ensure processes are executed and that they are effective. Audits, external inspections
and third-party reviews all validate what is happening against what should happen.
Individual personal accountability and liability (the rules and regulations) are built into
Huawei's Business Conduct Guidelines and business processes that specify how we must
behave in our daily operations. Knowledge is updated through online exams every year
to keep knowledge current, and this forms part of our Internal Compliance Program.
At Huawei, because we have built cyber security requirements into our processes, each
executive, manager and individual has personal accountability and ownership of their
responsibilities. This level of responsibility implies several underlying factors, including
continuous training, getting the balance right between incentive and personal liability, and
continuous loop-back processes to enhance our capabilities and validate our assurance level.
This is the Huawei way of meeting the challenges of cyber security.