As ICT technologies evolve and enriches our lives, we’re also seeing growing challenges to cyber security and privacy protection, writes Herman Kannenberg, Head of Legal Affairs and Cyber Security, Huawei South Africa.
Cyber security and privacy protection are the inherent requirements and core capabilities in an evolving digital world. At Huawei we understand this and have made providing secure, reliable, and high-quality ICT infrastructure a top priority.
A major part of ensuring we meet that commitment is the baseline end-to-end cyber security framework we’ve developed to manage cyber security. The baseline was created following extensive research on the most common and most critical security requirements and has been implemented across all Huawei products. Doing so ensures that all our products meet a consistent set of security quality requirements and that the security quality of our products continuously improves as we update the baseline.
At present, the baseline comprises 54 requirements under 15 categories. It is developed based on a wide range of laws, regulatory requirements, and technical standards, while also conforming to Huawei’s product development practices. It ensures that all products and versions we deliver to customers meet stakeholders’ fundamental security quality requirements.
It’s also worth pointing out that the baseline is embedded within Huawei’s integrated product development (IPD) process as a fundamental requirement. In this way, the baseline is executed repeatedly rather than randomly. All roles and organisations involved in the IPD process must strictly comply with the baseline throughout the product life cycle.
Here’s how the baseline is managed and implemented in all of our business processes:
- The Global Cyber Security and User Privacy Protection Officer (GSPO) office is responsible for developing, releasing, and continuously optimising the Baseline. It analyses laws, industry standards, industry best practices, customer requirements, industry cases and the latest developments in security technologies to identify the most critical requirements and continuously update the Baseline accordingly.
- Each domain updates related policies, processes, and procedures to ensure consistency with the updated baseline.
- As one of the inputs, the baseline is used by the research and development (R&D) team to develop and update technical standards, speciﬁcations, templates, and guides. We provide appropriate training and awareness education when needed, in order to standardise and guide product design and development. We regard the baseline as external requirements. Based on the baseline, external regulations and standards as well as internal and external best practices, we have developed our own speciﬁcations that the products must abide by during R&D, thereby developing product security capabilities in an efficient and standardised manner.
- Each business department implements the baseline; reviews, makes decisions on, executes, and monitors it in the business and decision-making systems; and backtracks Baseline violations and holds related personnel accountable.
- Before a product version is released, Huawei’s Independent Cyber Security Lab (ICSL) veriﬁes whether it meets the baseline requirements from the customers’ perspective. If it does not, the GSPO has the right to veto its release.
- Huawei manages the identiﬁed issues from start to ﬁnish, thus cyclically improving the baseline and corresponding management mechanism.
At Huawei, we have evolved our approach to cyber security and privacy frameworks over the past few years and operate on the assumption that in this globally intertwined world, cyberspace will face constant attacks. It has become an important part of ensuring that all our products are as secure as possible through every step of the development process.