
Regulations on Information Security Management
Agenda

1. Main Target

2. Purpose

3. Information Security Management System

4. Process

5. Prohibited Events & Sanctions


Main Target

Awareness: illegal transfer of information from the company is strictly prohibited
Purpose

This standard is formulated to identify:

The guidelines, overall goals, general principles, and operating modes of information security, the overall architecture of the information security management system, security organization system, security policy system, security process system, and other important items.

To whom it is applicable:

• Internal and external ZTE staff
• Sub-contractors, and
• Third-party companies
What is Information Security?


Definition: Practices that aim at protecting information assets from security threats
so as to facilitate continuous running of business and to keep losses caused by
security incidents to a minimum.

Objectives:
• Confidentiality: no leakage
• Integrity: not being tampered
• Availability: available when needed
© ZTE All rights reserved
What is Information Security?

[Diagram: Information Security, made up of Content Security, IT Security, Personnel Security, and Physical Security]

Information Security Management System (ISMS)

ISMS: As a part of the entire management system, the information security management system is based on the method for identifying business risks to develop, implement, operate, review, maintain and improve information security.

What does this SOC provide?

• It provides the information security overview and trend report at all organization levels.

• It helps the security staff implement an effective way to control and solve the security-related risks, thus ensuring the day-to-day business operations of the organization.
[Diagram: Event Sources (Applications, Databases, Mainframe, Operating System, Network Devices, Security Devices) -> SOC (Collectors, Retrieve Log-Files) -> Output (Compliance Dashboard, Reports, Operational Dashboard, Alerts)]

No. | Acronym or Symbol | Full Name
1 | ISMS | Information Security Management System
2 | ISMT | Information Security Management Team
3 | Company | ZTE Colombia S.A.S and Corporation
Colombia ISMT

Information Security Management Organization


Chairman and first approval of any implementation

Monitoring, guidelines, implementing the plan, etc.

Objective:
a. Provide risk assessment and list
b. Risk tracking table
c. Routine and audits
d. To follow meeting and plan
e. To solve any incident on time

Business unit leaders shall provide necessary resources and support for routine work of the information security manager.
ISMT (Information Security Management Team)

ZTE COLOMBIA SAS MANAGER: HAO ZHAO10084381 / ZHAO YANGANG10072080
Information Security Manager: Gong Jian10078866
IMD: Jose Perez10129362
Administrative Department: Mu ZhongLin10111033
HR Department: Zhang WenFeng10100653
Legal Department: Lida00171539 / Lu ShuBiao10200406
Financial Department: Jiang li10091578 / Carolina6183001004
TEF & ETB & GE Operation System: Nelson 10167545
Claro Operation System: Viviana 6183001546
Handset Operation System: Jin JUNJUN10233907
Medellin Operation System: Liu Chuan (Vincent)
Technical Solution Team: Li LiChun10011007

No. | Acronym or Symbol | Full Name
1 | ISMS | Information Security Management System
2 | ISMT | Information Security Management Team
3 | Company | ZTE Colombia S.A.S
Prohibited Situations

Without any authorization we cannot:


Information Security Requirements
Information Security Red Line

ZTE Information Security Red Line

Expel when Found; Prosecute when Violating the Law

1. Disclosing ZTE's business secrets
2. Illegally possessing the Company's business secret(s)
3. Transferring the Company's business secret(s) beyond control for non-work needs
4. Intent to avoid or damage the Corporation's safety control measures
5. Acting as a spy
6. Intruding into or destroying the Company's networks, servers, or information systems with no authorization
7. False usage of the Company's identity information
8. Obstructing security incident investigation
Information Creation – UDS & UDM

In the header area: Internal Use only, Confidential, Secret, Top secret

Classifying principles: Information is classified in line with its sensitivity and the
potential impact on ZTE in case of leakage.
For the scope of business secrets of the company, refer to Appendix F in the
Management Regulations on Information Security Rewards and Punishment.

Download office template: it.zte.com.cn

Process - Audits

Internal Audit Workflow

Review Audit Plan & fix

The company will organize cross-checking between information security contact persons of business units at least once a month, and keep records.

Audit Report

Sender: Gong Jian10078866


To:
CC:
Date: 2020/06/14 19:52
Subject: Pls make record on the it.zte.com.cn and feedback. Pls Ruben help him. Fw:Re:【Important】Why did you have USB copy without application in IT system. Also, Wenfeng, please help check who the Chinese-side supervisors of these people are?
Please make record on the it.zte.com.cn. 2 tickets: 1 for 0603; 1 for 0604

Name
of the employee Name
Security Check Point. Monthly review

For staff information security checkpoints, please strictly observe.

1. It is forbidden to send Secret and Top Secret information/documents through mailbox, which must be transmitted through the UDM system.

2. It is forbidden to grant uncontrolled access to core information/documents of the UDM libraries.

3. It is forbidden to send company information/documents to personal mailbox.

4. It is forbidden to install risky software. If necessary, please get approval in advance by the IT system.

5. Local files must be encrypted according to different cryptographic levels of documents.

The above actions will be checked in October. If the above actions occur after September 30, 2019, they will be notified within the representative office and applied to your monthly assessment.
Process - Paths

What to do in case of any incident or request?

1) Information security incidents can be reported through telephone, email, or the SOC system.

2) Reporters of information security incidents should try to keep original evidence, and guarantee the legitimacy of evidence sources and collection methods. Adequate information shall be recorded for follow-up assessment of the incidents.
Sanctions

Be aware of:

Severity of Violation | Measure
Critical | The personnel violating information security regulations shall be given a demotion or dismissal, and shall be held liable for legal responsibilities when necessary.
Major | The personnel violating information security regulations shall be given warning letters, or their variable bonus will be deducted.
Medium | The information security manager shall communicate with relevant personnel, and criticize them for their misconduct violating information security regulations.
Low | The information security manager shall explain to relevant personnel and remind them of complying with information security regulations.

Check the documents already provided by mail about these regulations


Series Animation of Information Security

• For Management Cadres
• For All Employees - New Employees' Induction
• For All Employees - Information Security Redlines
• For All Employees - It is Forbidden to Transfer Company Information Without Approval
• For All Employees - Behaviors that Need Approval or Recorded
• For All Employees - Information Security Control Requirements for the Use of Laptops
Contents

01 Do Not Touch the Red Line
02 Respect Rules
03 Cadres Have Responsibilities
04 Report Actively
Contact information
Q&A


Awareness: illegal transfer of information from the company is strictly prohibited
