
O&M Process Criteria Compliance Commitment Letter Internal

O&M Process Criteria Compliance and Red Lines of Cyber Security Conducts Commitment Letter

(ENGLISH VERSION)
Upon signing this O&M Process Criteria Compliance and Red Lines of Cyber Security Conducts Commitment
Letter, I (KAMAL NAYAN PANDEY) hereby deeply recognize and understand that the O&M and red lines of cyber
security conducts specified by Huawei are practices that may affect cyber security and are prohibited by the laws and
regulations of most countries. If I breach the regulations, I will assume the legal liabilities, even criminal charges. I
hereby commit that I will strictly follow Huawei cyber security management regulations and assume the
corresponding legal liabilities according to the appropriate laws and regulations if I conduct any of the following red
lines of cyber security conducts (including but not limited to those listed below). Also, I will be responsible for the losses
brought to the company caused by these violations.

1) Critical Incident Recovery Process
• Disguise the critical incident.
• Fail to respond in a timely manner to an incident recovery request.
• Fail to report the critical incident to management in a timely manner and escalate it to the upper expert group.
• Fail to prepare or practice the preliminary emergency recovery scheme.
• Implement recovery actions without the approval of the customer and upper-level management.
• Fail to define severity levels of accidents according to the standards for accident severity, leading
to lower accident levels. (Lowering of a published accident level is not allowed.)
2) Problem Handling Process
• Fail to resolve in a timely manner an issue that causes SLA loss or customer dissatisfaction.
• Close, suspend, or change the problem severity level of the ICARE ticket without the permission
of the customer and the leader.
• Fail to record a technical issue in ICARE.
3) Preventative Maintenance Process
• Without special reasons and the approval of management, fail to implement the solution within
the time required by the rectification bulletin, or fail to execute the SOP accordingly, causing a
critical incident.
4) Change Request Process
• Operate on the live network without an approved CR ("3 Approval": Customer & Management &
Technical).
• Fail to prepare the MOP according to the requested template (Change Order Implementation Plan
(Template)).

Huawei Confidential
No dissemination without prior permission

• Fail to prepare the MOP according to the Technical Guide. Fail to escalate medium/high risk changes
for upper-level technical review and technical support (L1 escalates to HQ GTAC and R&D, L2
escalates to the representative technical expert).
• Perform operations on the live network during daytime (usually 6:00 to 24:00) without the
permission of the customer.
• Fail to back up the important data and confirm completion of the backup before operation.
• Fail to operate strictly according to the steps described in the approved MOP.
• Arrange unqualified personnel to perform operations on live networks.
• Fail to fully check the equipment and verify that the service is normal after operation.
• Fail to roll back in a timely manner (usually 4am) when the implementation of the change fails.
• Fail to report the critical incident to management level when the service cannot be recovered
after the scheduled rollback finish time (usually 6am). Fail to provide the release notes, product
manuals, or documentation disks to the customer.
5) Cyber Security
• Without written authorization from the customer, access the customer's production or testing
operation networks, or office network, etc., by using equipment like computers, communication
devices and storage media to carry out any operation beyond the approval of the customer.
• Without written authorization from the customer, use self-designed or third-party tools for data
collection, performance analysis, etc.
• Log in to a system by using others' accounts or an unauthorized account to carry out operations.
• Retain or use the previous administrator account or other unauthorized accounts after the system is
in commercial use or has been transferred to the maintenance phase.
• Collect and process personal data without the users' authorization in the after-sales repair process.
• Without written authorization from the customer or the onsite supervision of the designated person,
access and maintain legal interception interfaces or transfer relevant information out of the
operators' network.
• Without written authorization from the customer, remotely access the customer's network from China.
• Without written authorization from the customer, transfer the customer's network data (including
personal data) back to China.
• Fail to remove viruses from computers, communication devices and storage media before accessing the
customer's network, causing the customer network to be infected with a virus or a virus to be
detected on the customer network.
• Without written authorization from the customer, disseminate and use shared accounts and passwords.
• After the expiration of the customer's authorization, fail to delete and destroy the stored customer
network data.
• Access the customer's system and collect, process, or modify the data and information on the customer
network without express documented permission.


• Connect a personal portable device or storage media to the customer network without express
documented permission.
• Conduct operations beyond the scope approved by the customer.
• Implant malicious code, malicious software, or a backdoor, or reserve concealed interfaces or
accounts in products or services.
• Attack and undermine customer networks. Crack the customer's account password.
• Disclose and spread the data and information on the customer's network.
• Use information and data in the customer's system to seek improper gains or for illegal purposes.
• Without written authorization from the customer, install or run software in the customer's network; or
use any software versions, patches, licenses and software tools that are not from official channels.

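O&M and Cyber Security Red Line Conduct Commitment Letter - Chinese Version - (CHINESE VERSION)

Through thorough study, I (the "Commitment Maker") have deeply recognized and understood that the following
"prohibited red-line conducts of cyber security" are conducts that endanger cyber security and are generally
prohibited by the laws of all countries. Once I breach them, I will directly face various legal liabilities, even
criminal liability. Therefore, I commit to strictly comply with the relevant regulations on cyber security
management; if I commit any of the following "prohibited red-line conducts of cyber security" (*including but not
limited to), I will bear the legal liability myself in accordance with applicable law and, if losses are caused, will
also bear the related legal liability according to law.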

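6) Incident Recovery
• Conceal an incident and fail to report it.
• Fail to respond in a timely manner to an incident recovery request.
• Fail to report and escalate an incident in a timely manner.
• Fail to complete preventive work such as inspections, rectification, early warnings, and drills as required and
according to the plan confirmed with the customer.
• Carry out recovery work without the consent of management and the customer.
• Fail to grade an incident according to the incident grading standards, lowering the incident level. (An incident
that has already been graded may not be downgraded.)
7) Problem Handling
• Fail to resolve and close problem tickets in a timely manner, causing problems to become overdue and affecting
customer satisfaction.
• Close or suspend a problem ticket, or modify its severity level, without customer confirmation.
• Fail to record a technical problem in iCare.
8) Preventive Maintenance
• The delivery solution is not approved as required by the process, the project is not implemented according to the
approved solution and schedule, or delivery exceeds the approved scope without authorization, causing an incident.
9) Live Network Operations
• Operate on or access the live network without obtaining the "three approvals" or without approval according to
the "three approvals" standard.
• The implementation plan is not based on the qualified template.
• The implementation plan is not prepared according to the technical guide.
• Medium/high risk operations are not submitted to the second line or above for review. (The first line submits to
GTAC and R&D; the second line submits to the product technical expert.)
• Operate on the live network during peak hours (6AM-12AM) without the customer's consent.
• Fail to confirm that data backup is complete before operation.
• Fail to operate according to the approved implementation plan.
• Arrange personnel who have not obtained a work certificate to operate on the live network.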


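• Fail to check the equipment promptly after the operation and confirm whether services are normal.
• Fail to carry out rollback measures in a timely manner when the operation fails (4:00AM).
• Fail to notify management immediately when services still cannot be restored after rollback measures are carried
out (6:00AM). Fail to provide the release notes / product manuals / documentation discs to the customer.
10) Cyber Security
• Without the customer's written authorization, use computers, communication terminals, storage media, or other
devices to access the customer's production, testing, or other operation networks or office network and carry out
any operation beyond the scope approved by the customer.
• Without the customer's written authorization, use self-developed or third-party tool software for data collection,
performance analysis, etc. in the customer's network.
• Log in to equipment and carry out operations using another person's account or an unauthorized account.
• Retain or use the previous administrator account or other unauthorized accounts after commercial launch or
transfer to maintenance.
• Collect or process personal data beyond the scope of the user's authorization during after-sales repair of
terminal products.
• Without the customer's written authorization and the on-site supervision of designated personnel, access and
maintain lawful interception interfaces, or transmit related information out of the operator's network.
• Without the customer's written authorization, remotely access the customer's network from China.
• Without the customer's written authorization, transfer the customer's network data (including personal data) back
to China.
• Fail to run antivirus on computers, communication terminals, storage media, etc. before connecting them to the
customer's network, causing the customer's network to be infected or a virus to be detected.
• Without the customer's written authorization, disseminate or use shared accounts and passwords.
• Fail to delete and destroy the customer network data held after the customer's authorization expires.
• Without the customer's written authorization, access the customer's system, or collect, hold, process, or modify
any data and information in the customer's network.
• Without the customer's written permission, connect personal portable devices or storage media to the customer's
network.
• Carry out any operation beyond the scope approved by the customer.
• Implant any malicious code, malicious software, or backdoor in the products or services provided, or reserve any
undisclosed interfaces or accounts.
• Attack or damage the customer's network, or crack customer account passwords.
• Leak or disseminate data and information in the customer's network.
• Use the information and data in the customer's system to seek personal gain or for other illegal purposes.
• Without the customer's written authorization, deploy and run software on the customer's network, or fail to use
software versions, patches, licenses, tool software, etc. from official channels.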
=================================================================

Hereby I guarantee that I will not make the above violations and all related conducts prohibited in Cyber
Security during my entire working period in Huawei.

Commitment Maker's Info:

Department: NPS
Name: KAMAL NAYAN PANDEY Employee ID: WX612399
Committed by (Signature):

Date: 25/2/2020
