Communication networks must be robust, particularly as the extent, variety, and complexity of today's cybersecurity threats grow tremendously. As a leader in the telecommunication industry, ZTE Corporation places a premium on security and has created an effective governance framework that encompasses the whole product life span. In this way, ZTE's security policy assures clients of secure network products, contributing to the establishment of a reliable communication network.
ZTE Corporation is known as a global leader in integrated communication solutions. Since its foundation, ZTE has been devoted to network infrastructure security, designing and producing secure and dependable equipment. Meanwhile, ZTE actively seeks cooperation with other industry leaders and operators to explore industry security standardization.
It is well known that third-party partners are an integral part of the delivery team. However, they may present new security concerns. ZTE has expanded its security protection boundaries in collaboration with third-party partners, forming effective partner management.
To assure the security and dependability of these third-party partners, a complex methodology is required for their security management. As a result, ZTE has established a certification management system that emphasizes the assessment of certification and the management of qualification, security, performance and credit. The system is applied throughout the third-party partner's entire life cycle, covering the selection, cooperation, and even exit phases.
Also, ZTE has developed and implemented a security baseline, which specifies the basic security requirements for products and services that third-party partners should meet. Before establishing cooperation with potential third-party partners, ZTE will check if they have passed an evaluation that includes cybersecurity and other issues. All certified and selected third-party partners are required to sign the Product Security Commitment, which outlines the product security obligations and liabilities associated with contract violations.
ZTE conducts a complete risk assessment on its third-party partners' service performance and security level on a regular basis, implements level-based management, and then defines future collaboration frequencies and options based on assessment results.
ZTE integrates these controls into the HPPD process, which is backed by the DevOps toolchain, and manages the whole lifecycle of the open-source and third-party components used in production, from introduction to end of life.
In order to comply with open-source licensing, export control, data protection, and the enterprise's product security red line criteria, ZTE thoroughly analyzes and verifies the functionality and performance of third-party components at their introduction stage.
In order to fulfill its service commitment to customers, ZTE also takes into account the replaceability of the components and the lifecycle that the supplier has promised to provide. The company's component management system can only accept third-party components that have passed the security evaluation and been certified. After approval, developers can gain access rights to the components and choose the ones they need for the desired products.
The product's chosen third-party components must pass security evaluation and meet ZTE's security requirements. Once a security flaw in one of the products is discovered during its life cycle by a customer, supplier, third party, or ZTE, ZTE will swiftly assess the flaw, offer solutions or risk-reduction strategies, and eradicate the risk.
At the same time, whenever a new version of the third-party software is released, patches are introduced for function, performance, or security needs, or the third-party software reaches the end of its lifecycle, ZTE updates or abandons it through the component management system to make sure that the third-party software used in its products is the latest.
The HPPD process includes node management and control of third-party software security risk assessment throughout the entire process, from component selection and introduction through testing, delivery, and maintenance, to ensure that security risks are discovered in time for ZTE to provide the necessary security solutions or effective mitigation measures.
Additionally, in order to track its use, ZTE treats third-party software as a product configuration item and incorporates it into the configuration control process. If flaws are discovered later, ZTE can determine how widely the affected software was used and fix all issues with it.
As an active participant in the open-source community, ZTE keeps tracking vulnerabilities reported by the community and contributes vulnerability repair solutions.
To build a reliable communication network for the whole society, ZTE aspires to invest more resources in the future to create, study, and invent security technologies and methods and optimise security management mechanisms. ZTE will continue to supply customers with trustworthy products and services.
Company Name: ZTE
Contact Person: Lunitta LU