ZTE has a comprehensive cybersecurity governance structure to mitigate risk. ZTE's Cybersecurity Committee, chaired by the CEO, is the top decision-making body and ensures that industry-recognized cybersecurity practices are deployed and integrated across all business units. Governance follows a three-lines model: the first line is the business units, which exercise self-control over the cybersecurity of their products; the second line is the Product Security Department, which performs independent security assessment and supervision of the first line's security work; the third line is ZTE Internal Control & Audit, whose role is to audit the effectiveness of the first-line and second-line work.
ZTE uses industry standards and best practices to implement top-down, risk-based cybersecurity governance throughout the product lifecycle. For the supply chain, ZTE emphasizes the security and trustworthiness of manufacturing and guarantees continuity and resilience of supply. For R&D, ZTE adopts the "security by design" principle and embeds security controls in every stage of the R&D process, so that products are secure by design and by default. For engineering services, ZTE continues to benchmark the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) for security governance of the entire business process, and forms an end-to-end professional team to operate efficiently and deliver securely.
ZTE benchmarks the GSMA Network Equipment Security Assurance Scheme (NESAS) in its product development and lifecycle process, and adopts the Building Security In Maturity Model (BSIMM) and Capability Maturity Model Integration (CMMI) to formulate ZTE's product security maturity model and the corresponding specifications, which are regularly assessed and improved.
ZTE integrates security governance into all business processes throughout the product lifecycle, supported by digital technology. It implements a cybersecurity assurance digital operating framework that runs through supply chain, R&D, and project delivery.
Digital platforms such as the Intelligent Supply Collaboration Platform (ISCP), Product Research and Development Cloud (RD Cloud), and Global Customer Support Center (GCSC) have been established to support security management and control throughout the entire product lifecycle. On these platforms, interlinked processes such as resilient supply, continuous planning, collaborative development, continuous testing, release and deployment, and security issue handling can operate efficiently, precisely, and sustainably.
The configuration management system and the vulnerability management system provide traceability across the entire product lifecycle. Product security requirements can be traced end-to-end to the final product, and security issues found in the final product can be traced back to the requirements from which the affected component originated.
The cybersecurity assurance digital operating infrastructure uses a DevSecOps tool chain to apply security management and control across the whole process. For key security activities such as material (component) security testing, third-party software security scanning, code scanning, vulnerability scanning, penetration testing, version (release) protection, and security hardening, the tool chain is equipped with professional security tools that check whether products and services meet their security requirements.