
Security Level:

Awareness of Information Security

IS Mgmt Office, SSAR
Seven Yuan
www.huawei.com

Author/Email: Author's name/Author's email
Version: V1.0(20YYMMDD)
HUAWEI TECHNOLOGIES CO., LTD.

You can find more information here:
http://3ms.huawei.com/hi/group/2029321

Commissioner ID: 90005678
Email: Yuansiwen@Huawei.com

Contents

IS Violation Cases
• Case 1: Employee who collected company confidential documents and sent them to a personal mailbox was dismissed
• Case 2: Employee who lent his personal W3 account and password to another person to download Huawei product information was dismissed
• Case 3: Employee who stole company confidential information by taking photos was dismissed
• Case 4: Employee who hid BCG events and was persuaded to quit
• Case 5: Employee who sent confidential documents to a personal mailbox after changing the filename was dismissed

Key Points of Information Security in Daily Work

Key Information Asset Mgmt & Sharing

Regulations on Information Security Awards and Punishments

Case 1: Employee who collected company confidential documents and sent them to a personal mailbox was dismissed

Employee A in the SSA Contract & Negotiation Dept was found to have collected numerous company confidential documents and sent them to a personal mailbox. His conduct severely violated the Employee Business Conduct Guidelines (BCG) and constituted a level 1 violation of the Company's Information Security Regulations.

The following decisions are made based upon the facts and in accordance with the Regulations:

Employee A is to be dismissed from employment and will not be hired by the Company again. The proven violation will be recorded in his personal integrity file and his credit scores will be cleared. The Company reserves the right to take legal action against him.

Case 2: Employee who lent his personal W3 account and password to another person to download Huawei product information was dismissed

Employee B in the SSA Wireless Network Dept was found to have lent his personal W3 account and password to another person to download Huawei product information. He intentionally concealed and denied the fact during the investigation. His conduct severely violated the Employee Business Conduct Guidelines (BCG) and constituted a level 1 violation of the Company's Information Security Regulations.

The following decisions are made based upon the facts and in accordance with the Regulations:

Employee B is to be dismissed from employment and will not be hired by the Company again. The proven violation will be recorded in his personal integrity file and his credit scores will be cleared. The Company reserves the right to take legal action against him.

Case 3: Employee who stole company confidential information by taking photos was dismissed

Employee C of the SSA Public Relations Dept was found to have copied many company confidential and proprietary documents to his own private computer over the LAN. His conduct severely violated the Employee Business Conduct Guidelines (BCG) and constituted a level 1 violation of the Company's Information Security Regulations.

The following decisions are made based upon the facts and in accordance with the Regulations:

Employee C was dismissed from employment, and the Company reserves the right to take legal action against him.

Case 4: Employee who hid BCG events and was persuaded to quit

Employee D of SSAR concealed BCG behaviors many times. His conduct severely violated the Employee Business Conduct Guidelines (BCG) and constituted a level 1 violation.

The following decisions are made based upon the facts and in accordance with the Regulations:

Employee D is persuaded to quit and will not be hired by the Company again. The proven violation will be recorded in his personal integrity file and his credit scores will be cleared. The Company reserves the right to take legal action against him.

Case 5: Employee who sent confidential documents to a personal mailbox after changing the file's name was dismissed

Employee E of MTN GKAD SSAR was found to have transmitted many confidential and proprietary Company documents to his iPad, changing the file names to escape information security surveillance. His conduct severely violated the Employee Business Conduct Guidelines (BCG) and constituted a level 1 violation of the Company's Information Security Regulations.

The following decisions are made based upon the facts and in accordance with the Regulations:

Employee E is to be dismissed from employment, and the Company reserves the right to take legal action against him.

Contents

IS Violation Cases

Key Points of Information Security in Daily Work
• Password setting of working computers
• Operating System Installing and Using
• Application Software Installation
• Data Transferring
• Data Backup
• Email Sending
• Information Security for printers, copiers, scanners, fax machines and other office peripherals

Key Information Asset Mgmt & Sharing

Regulations on Information Security Awards and Punishments

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 9


Password setting

Password setting: Office computers must have the following passwords set.
• Hard disk password ★
• BIOS password
• Windows OS password ★

Password setting requirements:
• The password must be at least eight characters long.
• It must contain three of the following: upper case letters, lower case letters, numbers, and special characters.

Note: Setting a hard disk password can prevent data leakage if the laptop is lost.



Operating System Installing and Using

• Office computers may only have the Chinese/English versions of Microsoft Windows 7 and XP installed. Installing other operating systems is prohibited.
• Never perform the following actions without approval:
  - Installing multiple operating systems
  - Installing a virtual operating system
  - Using Ghost to perform disk mirroring or restoration
  - Using an operating system CD or Windows System Restore
• If you need to reinstall or recover the operating system for work purposes, you can use the Huawei BDD reinstall system.
• If you need to install a non-standard operating system, multiple operating systems or a virtual operating system for work purposes, you may submit the following application e-flow to your supervisor and director for approval:
  http://w3.huawei.com/spa

Without approval, installing two or more operating systems (including virtual operating systems) on the same computer will constitute a level 1 violation (rescinding the labor contract).



Application Software Installation

• Only the software included in 'Q/DKBA 6100.1-2013 IT Technical Standard–Desktop Terminal Service Software Standard' can be installed on office computers. Installing non-standard software that is not included in the company's desktop standards is not allowed.
• For 'Q/DKBA 6100.1-2013 IT Technical Standard–Desktop Terminal Service Software Standard', please refer to the following link:
  http://w3.huawei.com/eaportal/doc/viewDoc.do?did=2688&cata=68
• Installing or using any pirated or cracked software on office computers is prohibited.

Pay attention:
If you have installed MSN, Skype, Gtalk, iTunes, Dropbox, ICQ, Yahoo!Messenger, GoToMyPC, TrademManager, QQ, Ipsmg, FeiQ, Mikgo, Fetion, NETEASE POPO, Netmeeting or other non-standard software without approval, please uninstall it immediately. Such behavior seriously violates the 'Security Management Regulations on Office Computers, Networks, Applications, Storage Media, and Peripherals'. Employees found to have installed non-standard software without approval will be punished according to the 'Regulations on Information Security Awards and Punishments'.

Without approval, never use non-standard software (such as Skype, Ipsmg, FeiQ, Fetion, etc.) to transfer corporate documents. (Depending on the classification level of the documents transferred, this will be punished as a level 1 violation at maximum or a level 3 violation at minimum.)

Note: If you need to install non-standard software for work purposes, you may submit the following application e-flow to your supervisor and director for approval:
http://w3.huawei.com/spa/softwareApply.do?method=createApply



Data transferring

• Copying out working documents or burning disks for work purposes
  Before you copy documents or burn disks, submit the following CPM application e-flow to your supervisor for approval, sending the filename to your supervisor for approval with a copy to the IS Mgmt office:
  http://security.huawei.com/SpesWEB/simple.do?method=simpleLogin
• Copying documents from an old laptop to a new laptop
  1. Share the documents on the old laptop to the new one by connecting the two laptops on the Huawei intranet.
  2. Use CPM encrypted copying, and send an email to your supervisor for approval with a copy to the IS Mgmt office.
• Data copying when the computer fails (such as an OS crash or hard drive damage)
  Complete the following exception report table and contact the local IT engineer to handle it.
  (Attachment: Exception Item Description Form)

Without approval, never transfer corporate documents to non-Huawei storage media. (Depending on the classification level of the documents copied, this will be punished as a level 1 violation at maximum or a level 3 violation at minimum.)



Data backup

If you need to back up work documents for work purposes, please use the formal channel:
http://onebox.huawei.com

Note:
1. It is forbidden to upload non-work-related documents, such as movies and photographs, to the backup space.
2. Top secret documents are not allowed to be saved in the backup space.

Attention:
1. Staff are only allowed to back up their working documents on company network space, if needed.
2. Staff who back up their work documents to private storage or network space seriously violate the information security regulations.

Without approval, it is prohibited to use external network disk storage to save company documents, such as Dropbox, Baidu cloud network disk, Dbank, SkyDrive, Thunder network disk, 124 network disk, etc. Depending on the classification level of the documents copied, this will be punished as a level 1 violation at maximum (rescinding the labor contract) or a level 3 violation at minimum (reducing the grade of the performance appraisal).



Email Sending

• Principles of email use:
  - Employees should use the Huawei email system for all information or activities related to work. Employees are prohibited from using external email accounts for work purposes.
  - Accessing personal email accounts on office computers is prohibited.
  - Employees may not use email for any activities unrelated to Huawei business without approval.
• Email use security requirements:
  1. The email must include a confidentiality statement. Please refer to the Email Signature Automatic Installation Tool:
     http://w3.huawei.com/info/cn/doc/viewDoc.do?did=1387801&cata=250651
  2. When sending top secret or secret information to external parties for work purposes, it is necessary to get the director's approval in advance and copy the director.
  3. When sending confidential information to an external party for work purposes, copy the director.
  4. When sending internal public information to external parties for work purposes, the department can decide whether it is necessary to copy the director.
  5. If you receive chain mail or junk mail, please report it to the IT hotline (Tel: 0086-755-28560160) and refrain from forwarding it.

Without approval, never send corporate documents to a personal mailbox:
• Sending information of the SECRET level and above to a personal mailbox (such as Google, Yahoo or Hotmail mailboxes) or any third party: Level-1 violation
• Sending CONFIDENTIAL information to a personal mailbox or any third party: Level-2 violation
• Sending INTERNAL information (such as training material, study material, etc.) to a personal mailbox or any third party: Level-3 violation

Information Security for printers, copiers, scanners, fax machines and other office peripherals

Printers, copiers, scanners, fax machines and other office peripherals are to be used only for Huawei work purposes. Employees may not use them for any purpose unrelated to Huawei business without permission.

Principles for the use of printers, copiers, scanners, fax machines and other office peripherals:
• Employees may not print, copy, scan or fax secret or top secret documents without approval.
• Paper documents containing secret or top secret information must be destroyed with a shredder after use. They may not be reused for printing or copying other documents.
• Take the papers away immediately after printing.

The following rules must be adhered to when using the fax machine:
• When sending a fax, the sender must first notify the receiver of the sending time. If the information to be faxed is secret or top secret, the sender must ask the receiver to wait near the machine before sending.
• When receiving a fax, the fax must be taken away immediately. If the information to be faxed is secret or top secret, wait for it in advance.

An employee who prints the company's secret or top secret documents without approval, or fails to take them away in time, may be punished with at least a Level-3 Information Security Violation. (Depending on the confidentiality level and impact of the printed documents, it may be a Level-1 or Level-2 Information Security Violation.)



Contents

IS Violation Cases

Key Points of Information Security in Daily Work

Key Information Asset Mgmt & Sharing
• Information Asset Categorization
• Information asset sharing rules
• Information feedback

Regulations on Information Security Awards and Punishments



Information Asset Categorization

Both classified information and public information are information assets of Huawei. By importance, impact of disclosure, and scope of availability, classified information can be divided into four levels: TOP SECRET, SECRET, CONFIDENTIAL, and INTERNAL.

[Diagram: Information Assets divide into Public Information and Classified Information. Classified Information comprises INTERNAL, CONFIDENTIAL, SECRET and TOP SECRET. TOP SECRET and SECRET information are Key Information Assets.]

TOP SECRET: Information critical for Huawei to maintain the leading position among competitors and win victories in market competition, for example, core algorithms, pricing strategies, and strategic intents. Such information will cause great losses to the benefits of Huawei and create wide impact if made publicly available. Therefore, it can only be accessed by few people or designated positions.

SECRET: Information extremely important to corporate operation management or containing sensitive materials, for example, roadmaps of key products, marketing strategies, operations analysis reports, sale project list, commercial authorization and price information. Such information will cause great losses to the benefits of Huawei and create wide impact if made publicly available. Therefore, it can only be accessed by few people or designated positions.

CONFIDENTIAL: Important or sensitive information about Huawei. Such information will cause certain level of losses to the benefits of Huawei and create limited impact if made publicly available. Therefore, it can be shared within a staff team, department, or a specific organization.

INTERNAL: Information to be shared across Huawei but not to be made publicly available.



Information Asset Sharing

Information asset sharing rules:
• Every employee has the right to use Internal documents.
• When applying for documents of Secret level and above, please ensure that you access only work-related documents.
• A Confidential document can be obtained with the approval of the direct supervisor on the information demand side.
• A Secret/Top Secret document can be obtained with the approval of the level-2 supervisors of both the information generation side and the demand side.



Information Feedback

Overprotected information reduces work efficiency. If you find such a case when obtaining information, send your feedback to yuansiwen/90005678. The feedback includes but is not limited to:
• Denial of information when you request information for business purposes from other departments.
• Denial of access when you request documents on application systems such as Huawei Bulletins, Corporate File, and 3MS.
• Improper document encryption, for example, INTERNAL documents are encrypted or the scope of authorization is too narrow.

Note: On detecting an information disclosure risk or finding information theft or disclosure, report to yuansiwen/90005678 immediately.



Contents

IS Violation Cases

Key Points of Information Security in Daily Work

Key Information Asset Mgmt & Sharing

Key Information Asset in LTC Process

Regulations on Information Security Awards and Punishments
• Award Principles
• Award Levels and Measures
• Punishment Levels and Measures
• Examples of Common Behaviors of Violation and Applicable Disciplinary Action Levels

Award Principles

• Timely incentives: Give timely incentives to individuals or teams that have protected the company's information assets for a long time, thereby effectively avoiding the missing, abuse or stealing of information assets, or that have outperformed in driving reasonable information sharing.
• Informant confidentiality: Reward the staff who have reported violations in information security, and ensure that their personal information is well protected.

Award Levels and Measures

Level 1
Deeds: Teams or individuals who report or stop the divulging and stealing of security information or other violations that seriously damage the company's interests.
Reward: A reward of CNY3,000 or above (depending on particularities of the cases); public praise (the case shall be properly processed to protect the personnel information of the informants).

Level 2
Deeds: Individuals who stop the violations of others or report information leak/theft or other major security risks; teams that set an example or make outstanding contribution to information security.
Reward: A reward of CNY600 or 800 for individuals (depending on particularities of the cases) and CNY2,000 for teams; public praise (the case shall be properly processed to protect the personnel information of the informants).

Level 3
Deeds: Individuals who make contributions to information security management, report security risks or excessive defense behaviors which are verified, propose reasonable suggestions on information security and have the suggestions adopted; teams that make contributions to information security.
Reward: A reward of CNY200 or 400 for individuals (depending on particularities of the cases) and CNY1,000 for teams; public praise.



Violation Levels and Measures

Level-1 violation, disciplinary action:
1. Terminate the violator's employment contract.
2. Pursue or reserve the right to pursue legal action if the violation breaks the law.

Level-2 violation, disciplinary action:
1. Issue a serious warning.
2. Record the violation as a key event for evaluating job competency, reduce the violator's job level, and reduce his/her salary.
3. Freeze any job level upgrade, pay rise, and manager promotion for 12 to 18 months.

Level-3 violation, disciplinary action:
1. Issue a warning.
2. Lower the annual performance rating or incentive rating.
3. Freeze any job level upgrade, pay rise, and manager promotion for 6 to 12 months.

Level-4 violation, disciplinary action:
1. Issue a letter of reprimand.
2. Freeze any job level upgrade, pay rise, and manager promotion for 3 to 6 months.

All measures must comply with local law first.


Examples of Common Behaviors of Violation and
Applicable Disciplinary Action Levels (1)

Level-1 violations
1. Selling the company's confidential information to any third party.
2. Using the company's confidential information for consulting and teaching purposes
outside the company without obtaining prior approval.
3. Unapproved transfer of the company's information with a security level of TOP SECRET
or key information assets to personal emails or copying of such information or assets
to personal storage devices.
4. Unapproved disclosure of the company's information with a security level of SECRET to
any third party.
5. Unapproved image, audio, or video capture of the company's large amounts of
information with a security level of CONFIDENTIAL.
6. Developing or deliberately running hacking and virus programs to attack the
company's networks or information systems.



Examples of Common Behaviors of Violation and
Applicable Disciplinary Action Levels (2)

Level-2 violations:
1. Disclosing the company's information with a security level of INTERNAL to
competitors.
2. Unapproved uploading of the company's information with a security level of
CONFIDENTIAL to public information systems or disclosure of such information to any
third party.
3. Unapproved transfer of information with a security level of SECRET to employees'
personal information systems or copying of such information to personal storage
devices.
4. Unapproved acquisition of the company's information with a security level of
CONFIDENTIAL during the resignation process by sending the information to personal
emails or copying or printing such information.
5. Unapproved starting of computers storing the company's information with a security
level of CONFIDENTIAL using a personal USB flash drive or compact disc (CD).
6. Unapproved replacement of a hard disk of a company computer or copying of
information with a security level of CONFIDENTIAL in the hard disk to personal
storage devices.
7. Spreading the methods for cracking and attacking the company's security control
systems.
Examples of Common Behaviors of Violation and
Applicable Disciplinary Action Levels (3)

Level-3 violations:
1. Unapproved transfer of information with a security level of CONFIDENTIAL to
employees' personal emails or copying of such information to personal storage
devices.
2. Unapproved uploading of the company's internal process documents to public
information systems or disclosure of such documents to any third party.
3. Unapproved acquisition of the company's information with a security level of
INTERNAL during the resignation process by sending the information to personal
emails or copying or printing such information.
4. Unapproved starting of computers storing the company's information with a security
level of INTERNAL using a personal USB flash drive or CD.
5. Unapproved transfer of information with a security level of TOP SECRET or key
information assets to unauthorized personnel within the company.
6. Unauthorized installing of two or more operating systems on a machine, with at least
one operating system not installed with the security control systems required by the
company.
7. Unapproved taking of faulty hard disks out of the company for repair.
8. Unapproved removal of computer seals or security chassis.



Examples of Common Behaviors of Violation and
Applicable Disciplinary Action Levels (4)

Level-4 violations:
1. Unauthorized copying of the company's information with a security level of INTERNAL, such as
process documents and internal training materials, to personal storage devices or information
systems.
2. Unapproved transfer of information with a security level of SECRET to unauthorized personnel
within the company.
3. Unapproved lending of personal information system accounts to people outside the company.
4. Unapproved possession of removed faulty hard disks without performing low-level formatting or
physically destroying them in accordance with corporate processes.
5. Failure to provide information as the information holder without justified reasons within five
working days after the information acquisition process has been approved.
6. Failure to take any rectification action within three working days after being notified by the IT
department in the case when the relevant computer (or system) is infected with viruses and
attacks other computers.



Thank you
www.huawei.com

Copyright©2011 Huawei Technologies Co., Ltd. All Rights Reserved.


The information in this document may contain predictive statements including, without
limitation, statements regarding the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that could cause actual results
and developments to differ materially from those expressed or implied in the predictive
statements. Therefore, such information is provided for reference purpose only and
constitutes neither an offer nor an acceptance. Huawei may change the information at any
time without notice.

Term / Definition

Information system: It refers to a system involving people, computers and other peripheral devices, capable of collecting, transferring, storing, processing, maintaining and using information.

Storage media: Data storage instruments, including floppy disk, CD, DVD, hard disk, flash memory, U disk, CF card, SD card, MMC card, SM card, Memory Stick and xD cards.

3rd party: The third party in this document refers to any individual or organization other than Huawei, information security violators and competitors.
