Cybersecurity is the highest priority for ZTE's product R&D and service delivery. ZTE is committed to providing secure and trustworthy products and services for its customers.
With its vision of “Security in DNA, Trust through Transparency,” ZTE conforms to industry-recognized standards and best practices to continuously enhance security with three central pillars:
ZTE has a comprehensive cybersecurity governance structure to mitigate risk. ZTE's Cyber Security Committee, chaired by the CEO, is the top decision-making body and ensures that industry-recognized cybersecurity practices are deployed and integrated across all business units. ZTE's cybersecurity governance follows a three-lines-of-defense model. The first line is the business units, which implement security controls over their products (full-time security specialists currently make up 1.6% of ZTE's total R&D staff). The second line is the Product Security Department, which runs three cybersecurity labs and performs independent security assessment and supervision (currently over 80 employees in China and Europe). The third line is ZTE's Internal Control & Audit Department, which audits the effectiveness of the first and second lines.
Adhering to the principle of "secure by design and by default," ZTE adopts industry-recognized standards and best practices and embeds security controls into all business units across the full product lifecycle, including R&D, supply chain, delivery, and incident response. For example, ZTE benchmarks its product development and lifecycle process against the GSMA Network Equipment Security Assurance Scheme (NESAS) and passed the NESAS audit performed by atsec in July 2020. ZTE uses the Building Security In Maturity Model (BSIMM) to improve its software security initiative and has completed the BSIMM assessment by Synopsys with high marks. In addition, ZTE evaluates its risk management in supply chain and delivery processes against the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and makes continuous improvements.
ZTE develops its products in line with industry-recognized standards and specifications, including the 3GPP security specifications, ITU-T X.805, and the Software Engineering Institute (SEI) CERT secure coding standards. ZTE also performs a second-line independent security assessment that relies on certified cybersecurity professionals (Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Auditor (CISA), Offensive Security Certified Professional (OSCP), etc.); follows industry security assessment methodologies such as those published by the Open Web Application Security Project (OWASP), the Open Source Security Testing Methodology Manual (OSSTMM), and NIST SP 800-115; and uses professional security assessment tools for source code review, vulnerability scanning, protocol robustness (fuzz) testing, and other checks.