Cybersecurity is the highest priority for ZTE's product R&D and service delivery. ZTE is committed to providing secure and trustworthy products and services for its customers.
With its vision of “Security in DNA, Trust through Transparency,” ZTE conforms to industry-recognized standards and best practices to continuously enhance security with three central pillars:
ZTE has a comprehensive cybersecurity governance structure to mitigate risk. ZTE’s Cybersecurity Committee, chaired by the CEO, is the top decision-making body and ensures that industry-recognized cybersecurity practices are deployed and integrated across all business units. ZTE adopts the “three lines” model for cybersecurity governance: the first line is the business units, which implement security controls over their products; the second line is the Product Security Department, with three cybersecurity labs, which performs independent security assessments (internal and external) and supervision; the third line is the Internal Control & Audit Department, which audits the effectiveness of the first and second lines.
Adhering to the principle of “secure by design and by default,” ZTE adopts industry-recognized standards and best practices and embeds security controls into all business units across the full product lifecycle, including R&D, supply chain, delivery, and incident response. For example, ZTE benchmarks its product development and lifecycle processes against the GSMA Network Equipment Security Assurance Scheme (NESAS) and passed the NESAS audit performed by atsec in July 2020. ZTE uses the Building Security in Maturity Model (BSIMM) to improve its software security initiative and has completed a BSIMM assessment by Synopsys with high marks. In addition, ZTE evaluates its supply chain and delivery risk management against the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and makes continuous improvements.
ZTE develops its products in line with industry-recognized standards and specifications, including 3GPP security specifications, ITU-T X.805, and the Software Engineering Institute (SEI) CERT secure coding standards. For example, ZTE 5G products have passed NESAS network equipment evaluation against the 3GPP Security Assurance Specifications (SCAS), and the ZTE 5G RAN solution has obtained a Common Criteria Evaluation Assurance Level (EAL) 3+ certificate. ZTE also employs a second-line independent security assessment carried out by certified cybersecurity professionals (Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Auditor (CISA), Offensive Security Certified Professional (OSCP), etc.). This assessment follows industry security testing guidance, such as that of the Open Web Application Security Project (OWASP), the Open Source Security Testing Methodology Manual (OSSTMM), and NIST SP 800-115, and uses professional security assessment tools for source code review, vulnerability scanning, protocol robustness (fuzz) testing, and other testing activities.