HUAWEI CLOUD Compliance with MPA Common Guidelines

Issue 01

Date 2021-01-29

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

HUAWEI and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: https://www.huawei.com

Email: [email protected]

Issue 01 (2021-01-29) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 Overview ........ 1
1.1 Scope of Application ........ 1
1.2 Purpose of Publication ........ 1
1.3 Basic Definitions ........ 1
2 MPA Introduction ........ 4
3 HUAWEI CLOUD MPA Evaluation Form - Content Security Best Practices - Common Guidelines (V4.08) ........ 5
3.1 MS Management System ........ 6
3.2 PS Physical Security ........ 39
3.3 DS Data Security ........ 119
4 Conclusion ........ 223
5 Version History ........ 224


1 Overview

1.1 Scope of Application

The information provided in this document applies to HUAWEI CLOUD and all its products and services available on the HUAWEI CLOUD International website.

1.2 Purpose of Publication

Motion Picture Association, Inc. (MPA) is a leading advocate of the film, television and streaming industry around the world. Its members include Paramount Pictures, Inc., Sony Pictures Entertainment Inc., Universal City Studios LLC, Netflix, The Walt Disney Company and Warner Bros. Entertainment Inc. It has established a set of best practice standards for securely storing, processing and delivering protected media and content, including Content Security Best Practices - Common Guidelines and Content Security Best Practices - Application and Cloud/Distributed Environment Security Guidelines.

In order to meet MPA's expectations on content security and current industry best practices, HUAWEI CLOUD has conducted, in this document, a self-assessment against the control requirements in the various domains of Content Security Best Practices - Common Guidelines. It shows customers the efforts made by HUAWEI CLOUD to improve content security and helps customers understand:

● The main control requirements of Content Security Best Practices - Common Guidelines in each domain;

● HUAWEI CLOUD's responses to the control requirements in each domain.

1.3 Basic Definitions

● Customer (Tenant)

Refers to the registered users who build business relationships with HUAWEI CLOUD. In this whitepaper, "customer" has the same meaning as "tenant", which indicates the user organization that uses the services provided by HUAWEI CLOUD.


● Information Systems Audit and Control Association

Information Systems Audit and Control Association (ISACA) is a globally recognized leading organization for information technology governance, monitoring, security, and standards compliance.

● System Administration Networking and Security Institute

System Administration Networking and Security Institute (SANS) is the most trusted and by far the largest source for information security training and security certification in the world. SANS provides intensive, immersion training designed to help the enterprise and its staff master the practical steps necessary for defending systems and networks against the most dangerous threats.

● Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

● ISO 27001 Information Security Management System

ISO 27001 is a widely accepted international standard that specifies requirements for information security management systems. Centered on risk management, this standard ensures continuous operation of such systems by regularly assessing risks and applying appropriate controls. ISO 27002 is the set of best practices based on ISO 27001.

● ISO 27002 Practice Specification of Information Security Management

ISO 27002 is the best practice based on ISO 27001 and is also the official mapping standard of the MPA common guidelines. The standard is established according to various guidelines and principles, and is used to initiate, implement, improve and maintain information security management within the organization.

● ISO 27017 Cloud Service Information Security Management System

ISO 27017 is the code of practice for cloud service information security controls based on the ISO 27001 system framework and ISO 27002 best practices. It is an international implementation standard for cloud service information security controls.

● ISO 27018 Public Cloud Personally Identifiable Information (PII) Management System

Based on the ISO/IEC information security standard ISO 27002, ISO 27018 provides guidance on the implementation of control measures for personal information in the public cloud. It aims to supplement the protection requirements for personally identifiable information (PII) in the public cloud that the existing combination of ISO 27002 controls fails to meet.

● ISO 22301 Business Continuity Management System

ISO 22301 is an international standard for business continuity management systems. ISO 22301 helps organizations avoid potential incidents by identifying, analyzing and warning of risks, and formulate a complete business continuity plan so that they can respond effectively, recover quickly after an interruption, maintain the normal running of core functions, and minimize losses and recovery costs.

● CSA CCM Cloud Security Alliance Cloud Control Matrix

The world's only meta-framework of cloud-specific security controls mapped to leading standards, best practices and regulations.

● SOC Audit Reports

SOC audit reports are independent audit reports prepared by a third-party audit institution, based on the relevant standards formulated by the American Institute of Certified Public Accountants (AICPA), on the systems and internal controls of outsourced service providers.

● PCI DSS Certification

The Payment Card Industry Data Security Standard (PCI DSS) is a data security standard published by the Payment Card Industry Security Standards Council, which was established by the five main credit card organizations: JCB, American Express, Discover, MasterCard, and Visa. For the content of HUAWEI CLOUD's PCI DSS certification, please refer to the HUAWEI CLOUD Practical Guide for PCI DSS.

● NIST Cybersecurity Framework

The NIST cybersecurity framework consists of three parts: standards, guidelines, and best practices for managing cybersecurity risks. The core content of the framework can be summarized as the classic IPDRR capability model, namely the five capabilities: Identify, Protect, Detect, Respond and Recover.

● Open Web Application Security Project

The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools and technologies.


2 MPA Introduction

The Motion Picture Association (hereinafter referred to as MPA) has been in existence for more than 30 years. Originally named the Motion Picture Association of America, Inc. (hereinafter referred to as MPAA), the association changed its name in September 2019 to the Motion Picture Association, Inc. (MPA). MPA has established a set of best practice standards for securely storing, processing and delivering protected media and content.

MPA best practices include Content Security Best Practices - Common Guidelines and Content Security Best Practices - Application and Cloud/Distributed Environment Security Guidelines, which describe best practice control guidelines and implementation steps, taking into account relevant ISO standards, security standards, and industry best practices.

Content Security Best Practices - Common Guidelines consists of 3 modules, 7 security fields, 49 security topics and 261 controls. Its reference standards include ISO 27001, ISO 27002, NIST, CSA, ISACA and SANS.

In this document, HUAWEI CLOUD conducts a self-assessment against Content Security Best Practices - Common Guidelines in order to meet the content security requirements of MPA and to improve HUAWEI CLOUD's management and control capability in the fields of Management System, Physical Security, Digital Content Security, etc.


3 HUAWEI CLOUD MPA Evaluation Form - Content Security Best Practices - Common Guidelines (V4.08)


3.1 MS Management System

Each entry of the evaluation form below gives the control number (NO.), the Security Topic, the MPA Best Practice, HUAWEI CLOUD's Response, and, where the form lists them, the mapped references in ISO 27002, ISO 27017, ISO 27018, SOC, CSA CCM, PCI DSS and NIST 800-53.

NO.: MS-1.0
Security Topic: Executive Security Awareness/Oversight
Best Practice: Establish an information security management system that implements a control framework for information security which is approved by the business owner(s)/senior management.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established an information security management system (ISMS), which has passed ISO 27001 certification. As part of the certified ISO/IEC 27001 ISMS, information security related roles and responsibilities are identified in writing and approved by senior leadership. HUAWEI CLOUD has passed audits of data security, privacy and security by independent third parties and obtained certification. The relevant certifications include: ISO 27001, ISO 27017, ISO 27018, CSA STAR, ISO 27701, ISO 29151, SOC1/SOC2/SOC3, PCI DSS. Relevant certificates or reports can be obtained from the Trust Center - Compliance.
ISO 27002: 5.1.2, 6.1.1
ISO 27017: 5.1.1, 7.2.2
SOC: SOC1 1.1, SOC1 1.2, SOC2 9.1
CSA CCM: GRM-02, GRM-05, GRM-06, GRM-09, AAC-02, AAC-03
PCI DSS: 12.1, 12.4, 12.5
NIST 800-53: AT-2, AT-3, PM-1, PM-2, PM-6


NO.: MS-1.1
Security Topic: Executive Security Awareness/Oversight
Best Practice: Review content/information security management policies and processes at least annually. Policies must be approved by senior management.
HUAWEI CLOUD's Response: The ISO 27001 information security management system requires that the information security management policy and processes be reviewed at least once a year. Changes in policies and processes need to be approved by senior management. HUAWEI CLOUD has passed ISO 27001 certification and invites a third-party independent certification body to review every year.

NO.: MS-1.2
Security Topic: Executive Security Awareness/Oversight
Best Practice: Train and engage executive management/owner(s) on the business' responsibilities to protect content at least annually.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established its own training mechanism and designed appropriate training programs for different roles. Ordinary staff are trained at least once a year to enhance their awareness of information protection. The training frequency of core employees is higher than that of ordinary employees.


NO.: MS-1.3
Security Topic: Executive Security Awareness/Oversight
Best Practice: Create an information security management group to establish and review information security management policies.
HUAWEI CLOUD's Response: According to the requirements of ISO 27001 and SOC 2, HUAWEI CLOUD implements documented information security policies and procedures to provide guidance for HUAWEI CLOUD operations and information security management. Employees can view the published information security policies and procedures according to their authorization.


NO.: MS-2.0
Security Topic: Risk Management
Best Practice: Develop a formal, documented security risk assessment process focused on content workflows and sensitive assets in order to identify and prioritize risks of content theft and leakage that are relevant to the facility.
HUAWEI CLOUD's Response: HUAWEI CLOUD has implemented a formal and documented risk assessment policy, which is updated and reviewed at least annually. The purpose of risk assessment is to identify threats and vulnerabilities in HUAWEI CLOUD, assign risk ratings to threats and vulnerabilities based on business processes and asset management, formally record the assessment, and develop risk handling plans for solving the identified problems.
ISO 27002: 5.1.2, 6.1.1
SOC: SOC1 1.2, SOC2 9.3
CSA CCM: GRM-02, GRM-08, GRM-10, GRM-11, TVM-02
PCI DSS: 12.1, 12.2
NIST 800-53: CA-1, RA-1, RA-2


NO.: MS-2.1
Security Topic: Risk Management
Best Practice: Conduct an internal security risk assessment annually and upon key workflow changes, based on, at a minimum, the MPA Best Practice Common Guidelines and the applicable Supplemental Guidelines, and document and act upon identified risks.
HUAWEI CLOUD's Response: HUAWEI CLOUD carries out a risk assessment every year, including identifying potential data security risks in key process updates and taking actions according to the identified risks. The risk assessment report is approved by senior management after completion. During the compliance audits for SOC, PCI DSS, ISO 27001, etc., the HUAWEI CLOUD risk management framework is reviewed by independent external auditors. Customers retain ownership of their content data and are responsible for assessing and managing risks associated with their data to meet their regulatory compliance needs.


NO.: MS-3.0
Security Topic: Security Organization
Best Practice: Identify security key point(s) of contact and formally define roles and responsibilities for content and asset protection.
HUAWEI CLOUD's Response: In the HUAWEI CLOUD Security White Paper, HUAWEI CLOUD uses a shared responsibility model to illustrate the security management responsibilities of HUAWEI CLOUD as a cloud service provider and of its customers. HUAWEI CLOUD formulates corresponding basic security capability training plans according to different roles and positions. New employees must pass the on-the-job training and examination related to cyber security and privacy protection before becoming regular employees; existing employees choose corresponding courses for study and examination according to their business roles. Managers need to participate in the necessary training and discussion of cyber security. HUAWEI CLOUD has obtained ISO 27001 ISMS certification, and invites third-party audit organizations to audit every year. This part of the requirements is also included in the ISO 27001 ISMS audit.
ISO 27002: 6.1.3
SOC: SOC1 1.1
CSA CCM: HRS-07
PCI DSS: 12.4, 12.5
NIST 800-53: PM-2


NO.: MS-4.0
Security Topic: Policies and Procedures
Best Practice: Establish policies and procedures regarding asset and content security; policies should address the following topics, at a minimum:
● Acceptable use (e.g., social media, Internet, phone, personal devices, mobile devices, etc.)
● Asset and content classification and handling policies
● Business continuity (backup, retention and restoration)
● Content transfer processes and systems
● Change control and configuration management policy
● Confidentiality policy
● Digital recording devices (e.g., smartphones, digital cameras, camcorders)
● Exception policy (e.g., process to document policy deviations)
● Incident response policy
● Mobile device policy
● Network, internet and wireless policies
● Password controls (e.g., password minimum length, screensavers)
● Security policy
● Visitor policy
● Disciplinary/Sanction policy
● Internal anonymous method to report piracy or mishandling of content (e.g., telephone hotline or email address)
HUAWEI CLOUD's Response: The ISO 27001 ISMS requires enterprises to establish relevant policies and procedures, including for asset and content security. HUAWEI CLOUD has obtained ISO 27001 ISMS certification, and invites third-party audit institutions to audit every year.
ISO 27002: 5.1.1, 5.1.2, 6.1.1, 8.1.3, 8.2.2
ISO 27017: 7.2.2, 12.3.1
ISO 27018: A.10.3
SOC: SOC1 1.2, SOC2 9.1, SOC2 9.4
CSA CCM: MOS-05, BCR-01, DSI-01, BCR-11, AAC-01, AAC-02, HRS-09
PCI DSS: 1.1, 1.5, 2.5, 3.1, 3.7, 4.3, 5.4, 6.7, 7.3, 8.1, 8.4, 8.8, 9.10, 10.8, 11.6, 12.1, 12.3, 12.4
NIST 800-53: AT-1, AT-2, AT-3, AT-4, PL-1, PS-7

NO.: MS-4.0.1
Security Topic: Policies and Procedures
Best Practice: Establish dedicated policies governing the use of social media by company personnel.
HUAWEI CLOUD's Response: HUAWEI CLOUD formulates social media related policies that prohibit the private use of Internet services in the office network; employees cannot access social media through the HUAWEI intranet.


NO.: MS-4.0.2
Security Topic: Policies and Procedures
Best Practice: Establish policies governing the use of mobile computing devices.
HUAWEI CLOUD's Response: HUAWEI CLOUD establishes procedures for mobile device security management, and invites a third-party audit organization to review the applicability of the procedures every year. The procedures contain the management requirements for mobile computing equipment.

NO.: MS-4.1
Security Topic: Policies and Procedures
Best Practice: Review and update security policies and procedures at least annually.
HUAWEI CLOUD's Response: The ISO 27001 ISMS requires that the information security management policy and processes be reviewed at least once a year and updated as necessary to reflect changes in business objectives or the risk environment. Changes in policies and processes need to be approved by senior management. HUAWEI CLOUD has passed ISO 27001 certification and invites a third-party independent certification body to review every year.


NO.: MS-4.2
Security Topic: Policies and Procedures
Best Practice: Communicate and require sign-off from all company personnel (e.g., employees, temporary workers, interns) and third party workers (e.g., contractors, freelancers, temp agencies) for all current policies, procedures, and/or client requirements.
HUAWEI CLOUD's Response: Cybersecurity is covered in the Business Conduct Guide (BCG). Huawei holds BCG courses, exams, and signing activities annually to communicate cybersecurity requirements company-wide and raise employees' security awareness. By signing the cybersecurity agreement, employees commit to abiding by the company's cybersecurity policies and regulations.


NO.: MS-4.3
Security Topic: Policies and Procedures
Best Practice: Develop and regularly update an awareness program about security policies and procedures and train company personnel and third party workers upon hire and annually thereafter on those security policies and procedures, addressing the following areas at a minimum:
● IT security policies and procedures
● Content/asset security and handling in general and client-specific requirements
● Social media policies
● Social engineering prevention
● Security incident reporting and escalation
● Disciplinary policy
● Encryption and key management for all individuals who handle encrypted content
● Asset disposal and destruction processes
HUAWEI CLOUD's Response: HUAWEI CLOUD employees are required to participate in induction training, which includes information security content. During their employment, employees participate in information security training every year, and the annual information security training is planned, implemented and supervised. HUAWEI CLOUD conducts information security awareness training through a variety of training methods, and all employees need to complete the annual training. The training records confirm that all personnel have read and understood the information security policies. By signing the cybersecurity agreement, employees commit to abiding by the company's cybersecurity policies and regulations.


NO.: MS-5.0
Security Topic: Incident Response
Best Practice: Establish a formal incident response plan that describes actions to be taken when a security incident is detected and reported.
HUAWEI CLOUD's Response: HUAWEI CLOUD establishes an ISMS according to ISO 27001, which includes an incident response process and plan. In addition, HUAWEI CLOUD has developed internal regulations for security incident response operations, which clarify the classification and notification mechanisms, handling procedures, and personnel responsibilities for cloud security incidents.
ISO 27002: 16.1.1, 16.1.2
ISO 27018: A.9.1
SOC: SOC1 8.1, SOC1 8.2
CSA CCM: BCR-01, SEF-01, SEF-02, SEF-03
PCI DSS: 10.6, 12.1
NIST 800-53: IR-1, IR-2, IR-4, IR-5, IR-6, IR-7, IR-8

NO.: MS-5.1
Security Topic: Incident Response
Best Practice: Identify the security incident response team who will be responsible for detecting, analyzing, and remediating security incidents.
HUAWEI CLOUD's Response: HUAWEI CLOUD establishes an ISMS according to ISO 27001, which includes an incident response process and plan. HUAWEI CLOUD has also established a security incident response team, requiring personnel in the various roles in the process to perform their corresponding duties.


NO.: MS-5.2
Security Topic: Incident Response
Best Practice: Establish a security incident reporting process for individuals to report detected incidents to the security incident response team.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established an ISO 27001 information security management system, which includes incident response procedures and plans. Security incidents can be reported to incident response team members through multiple channels.


NO.: MS-5.2.1
Security Topic: Incident Response
Best Practice: Anonymous reporting should be made available to organizations with 50 or more employees and third party personnel for reporting of content protection and privacy concerns. The anonymous reporting tool, consisting of an internal, anonymous telephone number, email address, and/or website, should be published and also provided during security awareness training.
HUAWEI CLOUD's Response: HUAWEI CLOUD employees are required to participate in induction training when they are employed. During the induction training, employees are notified of the way to make an anonymous report. Third-party personnel need to complete information security training before entering the venue, and during that training they are notified of the way to make an anonymous report regarding security incidents.

NO.: MS-5.3
Security Topic: Incident Response
Best Practice: (Removed and combined with MS-5.2)
HUAWEI CLOUD's Response: N/A

NO.: MS-6.0
Security Topic: Business Continuity & Disaster Recovery
Best Practice: Establish a formal plan that describes actions to be taken to ensure business continuity.
HUAWEI CLOUD's Response: HUAWEI CLOUD has obtained certification of the ISO 22301 business continuity management system, established the business continuity management system internally, and formulated business continuity plans, which contain the policies and response processes for natural disasters, accidental disasters, information technology risks and other emergencies.
ISO 27002: 17.1.1
SOC: SOC1 8.1, SOC1 8.2, SOC2 10.3
CSA CCM: BCR-01, BCR-02, BCR-05, BCR-08, BCR-10, BCR-11
NIST 800-53: CP


NO.: MS-6.1
Security Topic: Business Continuity & Disaster Recovery
Best Practice: Identify the business continuity team who will be responsible for detecting, analyzing and remediating continuity incidents.
HUAWEI CLOUD's Response: HUAWEI CLOUD has obtained certification of the ISO 22301 business continuity management system standard, established a business continuity management system internally, formulated business continuity management regulations, and established a business continuity response team with defined job responsibilities. HUAWEI CLOUD also regularly tests the effectiveness of the business continuity plan.


MS-6.2 | Business Continuity & Disaster Recovery
Best Practice: Establish a data backup policy that addresses the following: systems and data; retention and protection requirements; backup frequency; encryption; recovery time objectives (RTO); recovery point objectives (RPO); restoration testing; secure offsite storage.
HUAWEI CLOUD's Response: HUAWEI CLOUD has obtained ISO22301 business continuity management system certification and established a business continuity management system internally. Under that system, HUAWEI CLOUD is required to establish a data backup policy to address system and data availability. Refer to the HUAWEI CLOUD Security White Paper for more details.


MS-7.0 | Change Control & Configuration Management
Best Practice: Establish policies and procedures to ensure new data, applications, network, and systems components have been pre-approved by business leadership.
HUAWEI CLOUD's Response: In HUAWEI CLOUD, configuration managers are assigned to manage the configuration of all services, including extracting configuration models (configuration item types, attributes, and relationships) and recording configurations. Additionally, an industry-grade Configuration Management Database (CMDB) tool is used to manage configuration items and their relationships with configuration item attributes. Changes to environments include but are not limited to data center equipment, networks, system hardware and software, and applications, whether those are changes in the equipment used, architectural changes, system software updates (including network device software, OS images, and application container software), or changes in configuration. All changes must be performed in an organized and priority-driven fashion. After change requests are generated, they are submitted to the HUAWEI CLOUD Change Committee by the change manager team with a change classification assigned. After the committee has reviewed and approved the requests, the planned changes can be implemented on the production network. Before a change request is submitted, the change must undergo a testing process that includes production-like environment testing, pilot release, and/or blue/green deployment. This ensures that the change committee clearly understands the change activities involved, the duration, the failure rollback procedure, and all potential impacts.
Mappings: ISO27002 14.2.2; ISO27017 12.1.2; SOC: SOC1 6.1; CSA CCM: CCC-01, CCC-03, CCC-04, CCC-05, GRM-01; PCI DSS 6.4; NIST 800-53: CM


MS-8.0 | Workflow
Best Practice: Document workflows tracking content and authorization checkpoints. Include the following processes for both physical and digital content: delivery (receipt/return); ingest; movement; storage; removal/destruction.
HUAWEI CLOUD's Response: Protecting workflow documents for content data is the responsibility of HUAWEI CLOUD customers, as customers retain ownership and control over their operating systems, software, applications and data.
Mappings: ISO27002 11.1

MS-8.1 | Workflow
Best Practice: (Removed and combined with MS-8.0)
HUAWEI CLOUD's Response: N/A


MS-9.0 | Segregation of Duties
Best Practice: Segregate duties within the content workflow. Implement and document compensating controls where segregation is not practical.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established access control management requirements in accordance with ISO27001. It follows the principles of least privilege and separation of duties. Employees' permission scope is reviewed regularly so that permissions do not exceed their work scope. When an employee's job status changes, their permissions are cleaned up and modified promptly.
HUAWEI CLOUD facilitates data isolation in the cloud through the Virtual Private Cloud (VPC) service, which uses network isolation technology to isolate tenants at Layer 3. Tenants control the construction and configuration of their own virtual networks, and by configuring network ACL and security group rules they strictly control the network traffic into and out of subnets and virtual machines, to meet tenant-specific requirements for finer-grained network segregation.
HUAWEI CLOUD uses a combination of physical and logical isolation for production and non-production environments, and manages these combined isolation methods to improve the network's ability to contain intrusions and insider threats within a partition and to recover from faults.
Based on business roles and responsibilities, access permission management applies RBAC and includes the following basic roles: core network, access network, security devices, service systems, database systems, hardware maintenance, and monitoring maintenance. O&M personnel are restricted to accessing only devices within the administrative scope of their role and are not granted permissions to access other devices.
Mappings: ISO27002 6.1.2; CSA CCM: IAM-01, IAM-02, IAM-03, IAM-05, IAM-06

MS-10.0 | Background
Best Practice: Perform background screening checks on all company personnel, third party workers, and their relevant subcontractors.
HUAWEI CLOUD's Response: HUAWEI CLOUD requires that background investigations be carried out for employees in confidential and key positions before they take up their posts. The interface department conducts background investigations of external personnel according to business needs.
Mappings: ISO27002 7.1.1; SOC: SOC2 9.5; CSA CCM: HRS-02; PCI DSS 12.7; NIST 800-53: PS-3

MS-11.0 | Confidentiality Agreements
Best Practice: Require all company personnel to sign a confidentiality agreement (e.g., non-disclosure) upon hire and review annually thereafter, that includes requirements for handling and protecting content.
HUAWEI CLOUD's Response: The employment agreement signed by employees contains confidentiality clauses, and employees in confidential positions must also sign the relevant NDA. Employees are also required to sign a letter of commitment to cybersecurity, in which they promise to comply with the company's cybersecurity policies and regulations.
Mappings: ISO27002 7.1.2, 8.1.4; ISO27018 A.10.1; CSA CCM: HRS-01, HRS-06; NIST 800-53: PL-4, PS-4, PS-6, PS-8, SA-9


MS-11.1 | Confidentiality Agreements
Best Practice: Require all company personnel to return all content and client information in their possession upon termination of their employment or contract.
HUAWEI CLOUD's Response: HUAWEI CLOUD has formulated management regulations for personnel security that require employees to hand over the HUAWEI CLOUD assets they hold to the company when they resign or transfer from their positions. When the contract or business relationship with a partner is terminated, the partner deletes the information generated in the cooperation project from its own devices in accordance with the cooperation agreement, and returns the assets provided by HUAWEI CLOUD.


MS-12.0 | Third Party Use & Screening
Best Practice: Require all third party workers (e.g., freelancers) who handle content to sign confidentiality agreements (e.g., non-disclosure) upon engagement.
HUAWEI CLOUD's Response: For external personnel, the interface department signs a confidentiality agreement with the organization they belong to. If the cooperation involves sensitive information, it also signs a confidentiality agreement with the external personnel themselves.
Mappings: ISO27002 7.1.1, 7.1.2, 7.2.1, 8.1.4, 11.1.2; ISO27017 16.1.1, 16.1.2; ISO27018 A.7.1; SOC: SOC1 5.11, SOC1 5.12; CSA CCM: DCS-02, DCS-07, DCS-09, IVS-11; PCI DSS 2.6, 12.6, 12.8, 12.9; NIST 800-53: PL-4, PS-4, PS-6, PS-7, SA-9

MS-12.1 | Third Party Use & Screening
Best Practice: Require all third party workers to return all content and client information in their possession upon termination of their contract.
HUAWEI CLOUD's Response: HUAWEI CLOUD requires that when the cooperation is terminated, the interface department dispose of the information generated in the cooperation project that is held on equipment brought by external personnel, in accordance with the cooperation agreement. If the company's sensitive information is involved, it is recovered or destroyed.


MS-12.2 | Third Party Use & Screening
Best Practice: Include security requirements in third party contracts.
HUAWEI CLOUD's Response: HUAWEI CLOUD manages third-party suppliers in accordance with ISO27001 requirements, and signs confidentiality and service level agreements with them. Contracts signed with suppliers go through multiple rounds of contract review, and the content of each contract is reviewed by the HUAWEI CLOUD legal team.


MS-12.3 | Third Party Use & Screening
Best Practice: Implement a process to reclaim content when terminating relationships with third party service providers.
HUAWEI CLOUD's Response: Supplier security and privacy requirements are included in the signed contract. The business personnel who liaise with third parties are responsible for managing those third-party relationships, including asset protection requirements and supplier access to related applications. HUAWEI CLOUD requires that when the cooperation is terminated, the interface department dispose of the information generated in the cooperation project that is held on equipment brought by external personnel, in accordance with the cooperation agreement. If the company's sensitive information is involved, it is recovered or destroyed.


MS-12.4 | Third Party Use & Screening
Best Practice: Require third party workers to be bonded and insured where appropriate (e.g., courier service).
HUAWEI CLOUD's Response: HUAWEI CLOUD manages suppliers' compliance with HUAWEI CLOUD's specific requirements and contract obligations through due diligence before contract signing and regular evaluation after contract signing.

MS-12.5 | Third Party Use & Screening
Best Practice: Restrict third party access to content / production areas unless required for their job function.
HUAWEI CLOUD's Response: HUAWEI CLOUD manages third-party suppliers in accordance with ISO27001 requirements, and signs confidentiality and service level agreements with them. The agreements contain requirements for security and privacy data processing, and third-party access permissions must not exceed those necessary for their services. At the same time, HUAWEI CLOUD strictly checks the access rights of personnel, including third parties, through its access control system.


MS-12.5.1 | Third Party Use & Screening
Best Practice: Control access of third party IT service providers to the computing environment.
HUAWEI CLOUD's Response: HUAWEI CLOUD provides separate accounts for third-party personnel. Before they enter the company, and following the principle of least privilege, they are granted permissions according to their job responsibilities and work content, including access to data, applications, infrastructure, and network components within the scope of those permissions.


MS-12.6 | Third Party Use & Screening
Best Practice: Notify clients if third parties are used to handle or store content, or work is offloaded to another company. Perform due diligence of third parties. Third parties also include providers of IT services. Obtain client approval for use of third parties who handle, store, or have access to content.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established a supplier selection and supervision system to manage suppliers' compliance with HUAWEI CLOUD's specific requirements and contractual obligations, through due diligence before contract signing and regular evaluation after contract signing.


3.2 PS Physical Security


PS-1.0 | Entry/Exit Points
Best Practice: Secure all entry/exit points of the facility at all times, including loading dock doors and windows.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established comprehensive physical security and environmental safety protection measures, strategies, and procedures that comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers.
HUAWEI CLOUD data centers are located on suitable physical sites, as determined from solid site surveys. HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems at different zones of the data center site for optimal physical security.
HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and operate online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.
Mappings: ISO27002 11.1; SOC: SOC1 5.1, SOC1 5.6; CSA CCM: DCS-02, DCS-06, DCS-07, DCS-09; PCI DSS 9.1; NIST 800-53: PE-1, PE-2, PE-3, PE-6


PS-1.1 | Entry/Exit Points
Best Practice: Control access to areas where content is handled by segregating the content area from other facility areas (e.g., administrative offices, waiting rooms, loading docks, courier pickup and drop-off areas, replication and mastering).
HUAWEI CLOUD's Response: HUAWEI CLOUD data centers are located on suitable physical sites, as determined from solid site surveys. During the design, construction, and operation stages, the data centers have proper physical zoning and well-organized placement of information systems and components, which helps prevent potential physical and environmental risk scenarios. HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis.


PS-1.2 | Entry/Exit Points
Best Practice: Control access where there are collocated businesses in a facility, which includes but is not limited to the following: segregating work areas; implementing access-controlled entrances and exits that can be segmented per business unit; logging and monitoring of all entrances and exits within the facility; all tenants within the facility must be reported to the client prior to engagement.
HUAWEI CLOUD's Response: HUAWEI CLOUD signs a management contract with the data center operators, requiring them to be responsible for the daily operation and management of the data center. HUAWEI CLOUD strictly manages data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. HUAWEI CLOUD agrees security policies with operators through contracts, and operators physically isolate different tenants to prevent unauthorized access.

PS-2.0 | Visitor Entry/Exit
Best Practice: Maintain a detailed visitors' log and include the following: name; company; time in/time out; reason for visit; person/people visited; signature of visitor; badge number assigned.
HUAWEI CLOUD's Response: Visitors need to apply before entering the data center, and must register when they enter. The visitor log includes the name, company, time and signature, etc.
Mappings: ISO27002 11.1; SOC: SOC1 5.1, SOC1 5.4; CSA CCM: IAM-04, DCS-09; PCI DSS 9.1, 9.2, 9.4; NIST 800-53: PE-2, PE-3, PE-7

PS-2.1 | Visitor Entry/Exit
Best Practice: Assign an identification badge or sticker which must be visible at all times, to each visitor and collect badges upon exit.
HUAWEI CLOUD's Response: Visitors are required to obtain and wear visitor cards when entering the data center, and return the visitor cards when leaving.


PS-2.2 | Visitor Entry/Exit
Best Practice: Do not provide visitors with keycard access to content / production areas.
HUAWEI CLOUD's Response: According to the HUAWEI CLOUD personnel access security management regulations, visitors must be accompanied by authorized employees on the data center site and in content / production areas.

PS-2.3 | Visitor Entry/Exit
Best Practice: Require visitors to be escorted by authorized employees while on-site, or in content / production areas.
HUAWEI CLOUD's Response: According to the HUAWEI CLOUD personnel access security management regulations, visitors must be accompanied by authorized employees on the data center site and in content / production areas.


PS-2.3.1 | Visitor Entry/Exit
Best Practice: Visitors should be required to sign a nondisclosure agreement (NDA) and sign a visitor log prior to entering a facility.
HUAWEI CLOUD's Response: HUAWEI CLOUD requires that the internal personnel of the data center sign a confidentiality agreement before taking up their posts. The management contract signed with the operator requires the data center operator to abide by the confidentiality agreement. General data center visitors must be accompanied by data center internal personnel throughout the whole visit, and may only move within the general restricted area.


PS-3.0 | Identification
Best Practice: For organizations with 25 or more employees and third-party workers, provide company personnel and long-term third party workers (e.g., janitorial) with a photo identification badge that is required to be visible at all times.
HUAWEI CLOUD's Response: HUAWEI CLOUD implements identity management for data center personnel and long-term third-party employees. Employees must use their own identification badge in the access control system, which distinguishes their access control rights.
Mappings: ISO27002 11.1.2; SOC: SOC1 5.1; CSA CCM: DCS-09; PCI DSS 9.1, 9.2, 9.4; NIST 800-53: PE-3


PS-4.0 | Perimeter Security
Best Practice: Implement perimeter security controls that address risks that the facility may be exposed to as identified by the organization's risk assessment.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established comprehensive physical security and environmental safety protection measures, strategies, and procedures that comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers.
HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis.
HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and operate online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.
Mappings: ISO27002 11.1.1; SOC: SOC1 5.1, SOC1 5.4; CSA CCM: DCS-02; PCI DSS 9.1; NIST 800-53: PE-3


PS-4.1 | Perimeter Security
Best Practice: Place security guards at perimeter entrances and non-emergency entry/exit points.
HUAWEI CLOUD's Response: HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. Security guards routinely patrol data centers and operate online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms. At the same time, HUAWEI CLOUD also stations security guards at the entrances around the office environment and at key entry/exit points.


PS-4.2 | Perimeter Security
Best Practice: Implement a daily security patrol process with a randomized schedule and document the patrol results in a log.
HUAWEI CLOUD's Response: HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems at different zones of the data center site for optimal physical security.
HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and operate online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.


PS-4.3 | Perimeter Security
Best Practice: Lock perimeter gates at all times.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established comprehensive physical security and environmental safety protection measures, strategies, and procedures that comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers.
HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems.


PS-5.0 | Alarms
Best Practice: Install a centralized, audible alarm system that covers all entry/exit points (including emergency exits), windows, loading docks, fire escapes, and restricted areas (e.g., vault, server/machine room, etc.).
HUAWEI CLOUD's Response: HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and operate online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.
An automatic fire alarm and fire extinguishing system is deployed in each data center to quickly and accurately detect and report fires. The automatic alarm system is linked with the power supply, monitoring, and ventilation systems so that the fire extinguishing system can activate itself even when unattended, autonomously keeping fires under control.
Mappings: ISO27002 11.1.1; SOC: SOC1 5.1, SOC1 5.3, SOC1 5.6, SOC1 5.7; CSA CCM: DCS-02, DCS-07, IAM-02, IAM-04, IAM-05, IAM-10; PCI DSS 9.1; NIST 800-53: AC-6, PE-3, PE-6, PE-9, PE-10, PE-11, PE-13

NO.: PS-5.1
Security Topic: Alarms
Best Practice: Install and effectively position motion detectors in restricted areas (e.g., vault, server/machine room) and configure them to alert the appropriate security and other personnel (e.g. project managers, producer, head of editorial, incident response team, etc.).
HUAWEI CLOUD's Response: HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and set up online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.


NO.: PS-5.2
Security Topic: Alarms
Best Practice: Install door prop alarms in restricted areas (e.g. vault, server, machine rooms) to notify when sensitive entry/exit points are open for longer than a pre-determined period of time (e.g., 60 seconds).
HUAWEI CLOUD's Response: HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer rooms. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol the sensitive entrances and exits so that any abnormal opening of an entrance or exit is confirmed promptly.


NO.: PS-5.3
Security Topic: Alarms
Best Practice: Configure alarms to provide escalation notifications directly to the personnel in charge of security and other personnel (e.g., project managers, producer, head of editorial, incident response team, etc.).
HUAWEI CLOUD's Response: HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and set up online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.


NO.: PS-5.4
Security Topic: Alarms
Best Practice: Assign unique arm and disarm codes to each person that requires access to the alarm system and restrict access to all other personnel.
HUAWEI CLOUD's Response: HUAWEI CLOUD's internal IAM system is responsible for the management of the entire life cycle of employees, storing and managing their identity information, positions, access rights, and account types.


NO.: PS-5.5
Security Topic: Alarms
Best Practice: Review the list of users who can arm and disarm alarm systems quarterly, or upon change of personnel.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established access control management requirements in accordance with the requirements of ISO27001. It follows the principle of permissions minimization and the principle of permissions separation. The employees' permissions scope is regularly reviewed to avoid permissions exceeding their work scope. When an employee's on-the-job status changes, the permissions shall be cleaned up and modified in time. Logs of employees' logins and operations will be kept for the required time to respond to audit requirements.

NO.: PS-5.6
Security Topic: Alarms
Best Practice: Test the alarm system quarterly.
HUAWEI CLOUD's Response: HUAWEI CLOUD will organize internal and external qualified third parties to scan all HUAWEI CLOUD systems, applications and networks for vulnerabilities every quarter.


NO.: PS-5.7
Security Topic: Alarms
Best Practice: Implement fire safety measures so that in the event of a power outage, fire doors fail open, and all others fail shut to prevent unauthorized access.
HUAWEI CLOUD's Response: HUAWEI CLOUD strictly controls electrical and fire safety. HUAWEI CLOUD data centers employ a multi-level safety assurance solution to ensure 24/7 service availability and continuity. Daily electricity consumption at data centers relies on dual power supply from different power substations. Data centers are equipped with diesel generators, which are run in the event of a power outage, and also Uninterruptible Power Supply (UPS), which provides temporary power as a backup. HUAWEI CLOUD data centers comply with Level-1 design and use Class-A fireproof materials for their construction in compliance with country-specific fire control regulations. Flame retardant and fire-resistant cables are used in pipelines and troughs, alongside power leakage detection devices. An automatic fire alarm and fire extinguishing system is deployed to quickly and accurately detect and report fires. The automatic alarm system is linked with the power supply, monitoring, and ventilation systems so that the fire extinguishing system can activate itself even when unattended, autonomously keeping fires under control.


NO.: PS-6.0
Security Topic: Authorization
Best Practice: Document and implement a process to manage facility access and keep records of any changes to access rights.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established access control management requirements in accordance with the requirements of ISO27001. It follows the principle of permissions minimization and the principle of permissions separation. The employees' permissions scope is regularly reviewed to avoid permissions exceeding their work scope. When an employee's on-the-job status changes, the permissions shall be cleaned up and modified in time. Logs of employees' logins and operations will be kept for the required time to respond to audit requirements.
ISO27002: 11.1
SOC: SOC15.1, SOC15.3
CSA CCM: IAM-02, IAM-05, IAM-10, IVS-08
PCI DSS: 9.1, 9.2, 9.4
NIST 800-53: PE-2, PE-3


NO.: PS-6.1
Security Topic: Authorization
Best Practice: Restrict access to production systems to authorized personnel only.
HUAWEI CLOUD's Response: HUAWEI CLOUD enforces strict access control on HUAWEI CLOUD administrators who access the host operating system, and implements comprehensive log audits of all operations and maintenance operations performed by them. HUAWEI CLOUD administrators must pass two-factor authentication before they can access the management plane through the bastion machine. All operations will be logged and sent to the centralized log audit system in time.


NO.: PS-6.2
Security Topic: Authorization
Best Practice: Review access to restricted areas (e.g., vault, server/machine room) quarterly and when the roles or employment status of company personnel and/or third party workers are changed.
HUAWEI CLOUD's Response: HUAWEI CLOUD provides employees with the minimum permissions based on their work needs, and reviews the permissions regularly, so that system users and administrators always follow the principle of minimum permissions. After a status change, such as resignation or position change, employees and other third parties shall conduct a security review according to the transfer and resignation safety review checklist, which includes the clearance or modification of the resigning account's permissions.


NO.: PS-7.0
Security Topic: Electronic Access Control
Best Practice: Implement electronic access throughout the facility to cover all entry/exit points and all areas where content is stored, transmitted, or processed.
HUAWEI CLOUD's Response: HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems at different zones of the data center site for optimal physical security. Customers can use IAM to restrict access permissions, and use the Cloud Log Service (CLS) to record access and modification records for sensitive information or security configurations.
ISO27002: 11.1
SOC: SOC15.1, SOC15.3
CSA CCM: DCS-02
PCI DSS: 9.1, 9.2, 9.4
NIST 800-53: PE-2, PE-3


NO.: PS-7.1
Security Topic: Electronic Access Control
Best Practice: Restrict electronic access system administration to appropriate personnel.
HUAWEI CLOUD's Response: IAM is responsible for the management of the entire life cycle of employees, storing and managing their identity information, positions, access rights, and account types. HUAWEI CLOUD limits the management of the system to designated personnel to achieve the separation of responsibilities. HUAWEI CLOUD performs identity authentication on each API request through HUAWEI CLOUD's IAM integration. Only users who pass identity authentication are allowed to access and manage cloud monitoring information, and the data transmission channel is encrypted using TLS.


NO.: PS-7.2
Security Topic: Electronic Access Control
Best Practice: Store card stock and electronic access devices (e.g., keycards, key fobs) in a locked cabinet and ensure electronic access devices remain disabled prior to being assigned to personnel. Store unassigned electronic access devices (e.g., keycards, key fobs) in a locked cabinet and ensure these remain disabled prior to being assigned to personnel.
HUAWEI CLOUD's Response: HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems at different zones of the data center site for optimal physical security. Security guards strictly review and regularly audit user access privileges. HUAWEI CLOUD allocates permissions to employees according to the minimum scope required by their work, and monitors and records access to and modification of the information security management system and sensitive information.

NO.: PS-7.3
Security Topic: Electronic Access Control
Best Practice: Disable lost electronic access devices (e.g., keycards, key fobs) in the system before issuing a new electronic access device.
HUAWEI CLOUD's Response: The internal management regulations of HUAWEI CLOUD require employees to register with the security post in time when confirming the loss of job cards. HUAWEI CLOUD regulates the card handling process, and manages the electronic access equipment of employees, including activation, issuance, recovery and revocation of authority.

NO.: PS-7.4
Security Topic: Electronic Access Control
Best Practice: Issue third party electronic access devices with a set expiration date (e.g. 90 days) based on an approved timeframe.
HUAWEI CLOUD's Response: Electronic access equipment assigned to third party employees is given an expiration time; when the equipment expires, it is required to be recovered and its authority revoked.


NO.: PS-8.0
Security Topic: Keys
Best Practice: Limit the distribution of master keys and/or keys to restricted areas to authorized personnel only (e.g., owner, facilities management).
HUAWEI CLOUD's Response: HUAWEI CLOUD has established access control management requirements in accordance with the requirements of ISO27001. It follows the principle of permissions minimization and the principle of permissions separation. The employees' permissions scope is regularly reviewed to avoid permissions exceeding their work scope. When an employee's on-the-job status changes, the permissions shall be cleaned up and modified in time. Logs of employees' logins and operations will be kept for the required time to respond to audit requirements.
ISO27002: 9.2.6, 11.1
SOC: SOC15.1
CSA CCM: DCS-02, HRS-01
PCI DSS: 9.1
NIST 800-53: PE-2, PE-3, CM-5, CM-8


NO.: PS-8.1
Security Topic: Keys
Best Practice: Implement a check-in/check-out process to track and monitor the distribution of master keys and/or keys to restricted areas.
HUAWEI CLOUD's Response: Access control for the data center computer room, or the relevant key holding authority, shall be applied for by the computer room administrator or data center access control administrator to the data center regional manager or his authorized data center site manager, and the corresponding key can be issued after the access control authority application process is passed.

NO.: PS-8.2
Security Topic: Keys
Best Practice: Use keys that can only be copied by a specific locksmith for exterior entry/exit points.
HUAWEI CLOUD's Response: Access control for the data center computer room, or the relevant key holding authority, shall be applied for by the computer room administrator or data center access control administrator to the data center regional manager or his authorized data center site manager, and the corresponding key can be issued after the access control authority application process is passed.


NO.: PS-8.3
Security Topic: Keys
Best Practice: Inventory master keys and keys to restricted areas, including facility entry/exit points, quarterly.
HUAWEI CLOUD's Response: HUAWEI CLOUD provides employees with the minimum permissions required according to their work needs, and reviews the permissions regularly, so that system users and administrators always follow the principle of minimum permissions.


NO.: PS-8.4
Security Topic: Keys
Best Practice: Obtain all keys from terminated employees/third-parties or those who no longer need the access.
HUAWEI CLOUD's Response: HUAWEI CLOUD has formulated personnel security management regulations, requiring employees to transfer their HUAWEI CLOUD assets to the company when they transfer or resign. When the contract/business relationship with a partner is terminated, the information generated in the cooperation project on the partner's own device should be deleted according to the cooperation agreement, and the assets provided by HUAWEI CLOUD will be returned. HUAWEI CLOUD has established an electronic asset transfer flow for when personnel resign or cooperation is terminated, and implements asset transfer in accordance with that electronic process.


NO.: PS-8.5
Security Topic: Keys
Best Practice: Implement electronic access control or rekey the entire facility when master or sub-master keys are lost or missing.
HUAWEI CLOUD's Response: The data center regulates the use and management of keys, including key classification, key storage requirements and compensation measures after key loss. For electronic access control, HUAWEI CLOUD has established access control management requirements in accordance with the requirements of ISO27001. It follows the principle of permissions minimization and the principle of permissions separation. The employees' permissions scope is regularly reviewed to avoid permissions exceeding their work scope. When an employee's on-the-job status changes, the permissions shall be cleaned up and modified in time.


NO.: PS-9.0
Security Topic: Cameras
Best Practice: Install a surveillance camera system (analog CCTV or IP cameras) that records all facility entry/exit points and restricted areas (e.g. server/machine room, etc.).
HUAWEI CLOUD's Response: HUAWEI CLOUD has established comprehensive physical security and environmental safety protection measures, strategies, and procedures that comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers. HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and set up online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.
ISO27002: 11.1
CSA CCM: DCS-02, BCR-05, IAM-01, IAM-04, IAM-05
PCI DSS: 9.1
NIST 800-53: PE-2, PE-3, CM-5, CM-8

NO.: PS-9.1
Security Topic: Cameras
Best Practice: Review camera positioning and recordings to ensure adequate coverage, function, image quality, lighting conditions, and frame rate of surveillance footage at least daily.
HUAWEI CLOUD's Response: HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer rooms. A dedicated team manages the CCTV system and maintains its normal operation.


NO.: PS-9.2
Security Topic: Cameras
Best Practice: Restrict physical and/or logical access to the surveillance camera console and to camera equipment (e.g., DVRs, NVRs) to personnel responsible for administering/monitoring the system.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established access control management requirements in accordance with the requirements of ISO27001. It follows the principle of permissions minimization and the principle of permissions separation. The employees' permissions scope is regularly reviewed to avoid permissions exceeding their work scope. When an employee's on-the-job status changes, the permissions shall be cleaned up and modified in time. Logs of employees' logins and operations will be kept for the required time to respond to audit requirements. Designated personnel perform periodic inventories of all physical equipment and warehouse materials. Data center administrators not only perform routine safety checks but also audit data center visitor logs on an as-needed basis to prevent unauthorized personnel from gaining access to data centers.

NO.: PS-9.3
Security Topic: Cameras
Best Practice: Ensure that camera footage includes an accurate date and time-stamp and retain camera surveillance footage and electronic access logs for at least 90 days, or the maximum time allowed by law, in a secure location.
HUAWEI CLOUD's Response: HUAWEI CLOUD has a centralized and complete log big data analysis system. The system uniformly collects management behavior logs of all physical devices, networks, platforms, applications, databases, and security systems, as well as threat detection alarm logs of various security products and components. HUAWEI CLOUD has formulated a data center security code, which requires surveillance video in all regions to be retained for more than 90 days.


NO.: PS-9.4
Security Topic: Cameras
Best Practice: Designate an employee or group of employees to monitor surveillance footage during operating hours and immediately investigate detected security incidents.
HUAWEI CLOUD's Response: HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and set up online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms. At the same time, designated security personnel monitor the video of each area and report any safety incidents found in time.


NO.: PS-10.0
Security Topic: Logging and Monitoring
Best Practice: Log and review electronic access to restricted areas for suspicious events, at least weekly.
HUAWEI CLOUD's Response: HUAWEI CLOUD assigns permissions to employees according to the minimum scope of their working needs. Access to and modification of the information security management system and sensitive information are monitored and recorded.
ISO27002: 10.1, 12.4
SOC: SOC15.1, SOC15.4
CSA CCM: BCR-05, IVS-02, SEF-05
PCI DSS: 9.1
NIST 800-53: AU-3, AU-6, AU-9, AU-11

NO.: PS-10.1
Security Topic: Logging and Monitoring
Best Practice: Log and review electronic access, at least daily, for the following areas: masters/stampers vault; pre-mastering; server/machine room; scrap room; high-security cages.
HUAWEI CLOUD's Response: HUAWEI CLOUD assigns permissions to employees according to the minimum scope of their working needs. Access to and modification of the information security management system and sensitive information are monitored and recorded.


NO.: PS-10.2
Security Topic: Logging and Monitoring
Best Practice: Investigate suspicious electronic access activities that are detected.
HUAWEI CLOUD's Response: HUAWEI CLOUD enables security logs for network devices and application systems that provide services. The logs record all changes to devices and systems. HUAWEI CLOUD provides customers with various services to help them log and monitor. Customers can use cloud log services to record virtual machine configuration and log changes, and use cloud audit services to monitor the integrity of configured logs. Customers can use the Host Security Service (HSS) to check the integrity of the mirrored file, and use the comparison method in HSS to determine whether the current file status differs from the state recorded when the file was last scanned. This comparison determines whether the file has valid or suspicious modifications. When potential risks are discovered, HUAWEI CLOUD will remind customers in time.


NO.: PS-10.3
Security Topic: Logging and Monitoring
Best Practice: Maintain an ongoing log of all confirmed electronic access incidents and include documentation of any follow-up activities that were taken.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established an incident management platform to record and track the progress, handling measures and implementation of all information security incidents, and to analyze the impacts after the incidents are handled. HUAWEI CLOUD provides multiple types of security service products. After tenants configure them according to their own business conditions, they can conduct related security event monitoring and data collection through these security service products.


NO.: PS-11.0
Security Topic: Searches
Best Practice: Establish a policy, as permitted by local laws, which allows security to randomly search persons, bags, packages, and personal items for client content.
HUAWEI CLOUD's Response: HUAWEI CLOUD has formulated physical security regulations, and strictly implements inspection measures when allowed by local laws.
ISO27002: 11.1
CSA CCM: BCR-05, STA-01, IVS-08


PS-11.1 | Searches
Best Practice: Implement an exit search process that is applicable to all facility personnel and visitors, including:
- Removal of all outer coats, hats, and belts for inspection
- Removal of all pocket contents
- Performance of a self-pat-down with the supervision of security
- Thorough inspection of all bags
- Inspection of laptops' CD/DVD tray
- Scanning of individuals with a handheld metal detector used within three inches of the individual searched
HUAWEI CLOUD's Response: HUAWEI CLOUD has formulated physical security regulations, and strictly implements inspection measures when allowed by local laws.

PS-11.2 | Searches
Best Practice: Prohibit personnel from entering/exiting the facility with digital recording devices (e.g., USB thumb drives, digital cameras, cell phones) and include the search of these devices as part of the exit search procedure.
HUAWEI CLOUD's Response: HUAWEI CLOUD has formulated physical security regulations, and strictly implements inspection measures when allowed by local laws.


PS-11.3 | Searches
Best Practice: Enforce the use of transparent plastic bags and food containers for any food brought into production areas.
HUAWEI CLOUD's Response: HUAWEI CLOUD has formulated physical security regulations, and strictly implements inspection measures when allowed by local laws.

PS-11.4 | Searches
Best Practice: Implement a dress code policy that prohibits the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts).
HUAWEI CLOUD's Response: HUAWEI CLOUD has formulated physical security regulations, and strictly implements inspection measures when allowed by local laws.

PS-11.5 | Searches
Best Practice: Use numbered tamper-evident stickers/holograms to identify authorized devices that can be taken in and out of the facility.
HUAWEI CLOUD's Response: HUAWEI CLOUD has formulated physical security regulations, and strictly implements inspection measures when allowed by local laws.


PS-11.6 | Searches
Best Practice: Implement a process to test the exit search procedure.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established a formal and regular audit plan, including continuous and independent internal and external assessment. Internal assessment continuously tracks the effectiveness of security control measures, and external assessment is performed by an independent auditor who reviews the efficiency and effectiveness of the implemented security controls.

PS-11.7 | Searches
Best Practice: Perform a random vehicle search process when exiting the facility parking lot.
HUAWEI CLOUD's Response: In order to standardize access safety management, HUAWEI CLOUD formulates relevant regulations on vehicle access and parking, and strictly controls vehicle access to specified areas.


PS-11.8 | Searches
Best Practice: Segregate replication lines that process highly sensitive content and perform searches upon exiting segregated areas.
HUAWEI CLOUD's Response: The data center not only has a proper location, but also reasonably divides the physical area of the computer room (including the highly sensitive area) and reasonably arranges the components of the information system in design, construction and operation, so as to prevent potential physical and environmental hazards. HUAWEI CLOUD requires visitors to be accompanied by internal personnel throughout the visit, and they can only move in general restricted areas.


PS-11.9 | Searches
Best Practice: Implement additional controls to monitor security guards' activity.
HUAWEI CLOUD's Response: HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and set up online electronic patrol systems. Computer room administrators not only carry out routine security inspections, but also audit the data center access records irregularly, so that unauthorized personnel cannot access the data center.


PS-12.0 | Inventory Tracking
Best Practice: Implement a content asset management system to provide detailed tracking of physical assets (i.e., received from client, created at the facility).
HUAWEI CLOUD's Response: HUAWEI CLOUD attaches great importance to the security of users' data and information assets, and its security strategy and policy include a strong focus on data protection. HUAWEI CLOUD will continue to embrace industry-leading standards for data security lifecycle management and adopt best-of-breed security technologies, practices, and processes across a variety of aspects, including identity authentication, privilege management, access control, data isolation, transmission, storage, deletion, and physical destruction of storage media. In short, HUAWEI CLOUD will always strive toward the most practical and effective data protection possible in order to best safeguard the privacy, ownership, and control of our tenants' data against data breaches and impacts on their business.
ISO27002: 8.1, 8.2.2, 8.2.3
ISO27017: 8.1.1
CSA CCM: DSI-01, BCR-05, IVS-01
PCI DSS: 9.9
NIST 800-53: AU-1, AU-3, AU-6, AU-9, AU-11, CM-8


PS-12.1 | Inventory Tracking
Best Practice: Assign unique tracking identifier(s) to client assets and created media (e.g., tapes, hard drives) upon receipt and store assets in the vault when not in use.
HUAWEI CLOUD's Response: According to the ISO27001 standard, HUAWEI CLOUD's information asset classification is monitored and managed by special tools to form an asset list, and each asset is assigned an owner.

PS-12.1.1 | Inventory Tracking
Best Practice: Develop a data classification scheme to categorize physical assets of differing security requirements. (Reordered and renumbered, previously PS-12.1.2)
HUAWEI CLOUD's Response: According to the ISO27001 standard, HUAWEI CLOUD's information asset classification is monitored and managed by special tools to form an asset list, and each asset is assigned an owner.


PS-12.2 | Inventory Tracking
Best Practice: Retain asset movement transaction logs for at least one year.
HUAWEI CLOUD's Response: HUAWEI CLOUD establishes an asset management system to manage the movement and transaction of assets, and keeps corresponding records. The retention time of the records meets the requirements of local laws and regulations.


PS-12.3 | Inventory Tracking
Best Practice: Review logs from the content asset management system at least weekly and investigate anomalies.
HUAWEI CLOUD's Response: HUAWEI CLOUD has a centralized and complete log big data analysis system. The system uniformly collects management behavior logs of all physical devices, networks, platforms, applications, databases, and security systems, as well as threat detection alarm logs of various security products and components. HUAWEI CLOUD has a dedicated internal audit department that regularly audits various activity logs of the operation and maintenance process. Access and review permissions for logs are limited to specific employees; their permissions must be approved by senior management and are reviewed regularly.


PS-12.4 | Inventory Tracking
Best Practice: Use studio film title aliases on physical assets and in asset tracking systems.
HUAWEI CLOUD's Response: According to the ISO27001 standard, HUAWEI CLOUD's information asset classification is monitored and managed by special tools to form an asset list, and each asset has a unique asset number.

PS-12.5 | Inventory Tracking
Best Practice: Implement and review a daily aging report to identify highly sensitive assets that are checked out from the vault and not checked back in.
HUAWEI CLOUD's Response: According to the ISO27001 standard, HUAWEI CLOUD's information asset classification is monitored and managed by special tools to form an asset list, and each asset has a unique asset number.


PS-12.5.1 | Inventory Tracking
Best Practice: A documented process for checking out content should be established.
HUAWEI CLOUD's Response: HUAWEI CLOUD strictly follows the requirements of clause A11.2 (equipment) of the ISO 27001 ISMS, adopts control measures to prevent the loss, damage, theft or endangering of assets and the interruption of organizational activities, and conducts an annual audit on the implementation of this requirement.

PS-12.6 | Inventory Tracking
Best Practice: Lock up and log assets that are delayed or returned if shipments could not be delivered on time.
HUAWEI CLOUD's Response: According to the ISO27001 standard, HUAWEI CLOUD's information asset classification is monitored and managed by special tools to form an asset list, and each asset is assigned an owner.


PS-13.0 | Inventory Counts
Best Practice: Perform a quarterly inventory count of each client's asset(s), reconcile against asset management records, and immediately communicate variances to clients.
HUAWEI CLOUD's Response: According to the ISO27001 standard, HUAWEI CLOUD's information asset classification is monitored and managed by special tools to form an asset list, and each asset is assigned an owner.
ISO27002: 6.1.2, 8.1.1
CSA CCM: DCS-01, STA-01
NIST 800-53: AU-6, AC-5, CM-8

PS-13.1 | Inventory Counts
Best Practice: Segregate duties between the vault staff and individuals who are responsible for performing inventory counts.
HUAWEI CLOUD's Response: HUAWEI CLOUD formulates media management standards to specify the physical protection and inventory control of storage media, and requires at least one staff member not directly involved in media-related work to participate in the inventory check, following the principle of separation of duties.
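The aging report of PS-12.5 and the count reconciliation of PS-13.0 above can both be driven from the asset movement transaction log that PS-12.2 requires. The Python below is an added example, not code from Huawei or the MPA: it replays a constructed movement log, lists highly sensitive assets out of the vault past a threshold, flags log anomalies, and computes the variances between a physical count and the records; every asset id, title alias and user name is invented.

```python
"""Added example (not part of the Huawei document or the MPA guidelines):
a vault check-out aging report (PS-12.5) and an inventory-count
reconciliation (PS-13.0) run over a constructed asset-movement log.
All asset ids, title aliases and user names below are invented."""
from collections import Counter
from datetime import datetime

# Constructed asset-movement transaction log (PS-12.2), oldest first:
# (timestamp, asset_id, action, person).
MOVEMENT_LOG = [
    ("2021-01-04T09:02:00", "A-1001", "CHECK_OUT", "editor01"),
    ("2021-01-04T17:45:00", "A-1001", "CHECK_IN", "editor01"),
    ("2021-01-05T08:30:00", "A-1002", "CHECK_OUT", "editor02"),
    ("2021-01-06T10:15:00", "A-1003", "CHECK_OUT", "colorist01"),
    ("2021-01-06T10:20:00", "A-1004", "CHECK_OUT", "editor02"),
    ("2021-01-06T18:00:00", "A-1004", "CHECK_IN", "editor02"),
    ("2021-01-06T19:00:00", "A-1005", "CHECK_IN", "editor03"),  # never checked out
]

# Constructed asset register: id -> (studio title alias per PS-12.4, sensitivity).
ASSET_REGISTER = {
    "A-1001": ("BLUE HERON", "highly sensitive"),
    "A-1002": ("BLUE HERON", "highly sensitive"),
    "A-1003": ("GREY OWL", "standard"),
    "A-1004": ("GREY OWL", "highly sensitive"),
    "A-1005": ("BLUE HERON", "standard"),
}

REPORT_DATE = datetime.fromisoformat("2021-01-07T09:00:00")
# Constructed result of a physical count of the vault on REPORT_DATE.
PHYSICAL_COUNT = ["A-1001", "A-1004", "A-1003"]


def outstanding_checkouts(log, as_of):
    """Replay the movement log up to as_of and return
    ({asset_id: (checked_out_at, person)}, [anomaly descriptions]).
    Double check-outs, check-ins without a check-out and unknown actions are
    reported as anomalies (PS-12.3) instead of being silently accepted."""
    out, anomalies = {}, []
    for ts, asset_id, action, person in log:
        when = datetime.fromisoformat(ts)
        if when > as_of:
            continue  # movements after the report date are out of scope
        if action == "CHECK_OUT":
            if asset_id in out:
                anomalies.append(f"{asset_id}: CHECK_OUT while already out ({ts})")
            out[asset_id] = (when, person)
        elif action == "CHECK_IN":
            if asset_id not in out:
                anomalies.append(f"{asset_id}: CHECK_IN without CHECK_OUT ({ts})")
            out.pop(asset_id, None)
        else:
            anomalies.append(f"{asset_id}: unknown action {action!r} ({ts})")
    return out, anomalies


def aging_report(log, register, as_of, max_hours=24):
    """PS-12.5: highly sensitive assets checked out for longer than max_hours.
    Returns ([(asset_id, alias, person, age_hours)], [anomalies])."""
    out, anomalies = outstanding_checkouts(log, as_of)
    overdue = []
    for asset_id, (since, person) in sorted(out.items()):
        alias, sensitivity = register.get(asset_id, ("UNREGISTERED", "unknown"))
        age_hours = (as_of - since).total_seconds() / 3600
        if sensitivity == "highly sensitive" and age_hours > max_hours:
            overdue.append((asset_id, alias, person, round(age_hours, 1)))
    return overdue, anomalies


def reconcile_count(register, log, as_of, physical_count):
    """PS-13.0: compare a physical vault count with the records.
    Expected in vault = registered assets not currently checked out.
    Variances: assets missing from the vault, assets found that the records
    say are out (or are unregistered), and ids counted twice."""
    out, _ = outstanding_checkouts(log, as_of)
    expected = {a for a in register if a not in out}
    found = set(physical_count)
    return {
        "missing": sorted(expected - found),
        "unexpected": sorted(found - expected),
        "duplicates": sorted(a for a, n in Counter(physical_count).items() if n > 1),
    }


if __name__ == "__main__":
    overdue, anomalies = aging_report(MOVEMENT_LOG, ASSET_REGISTER, REPORT_DATE)
    for row in overdue:
        print("OVERDUE: %s (%s) out to %s for %.1f h" % row)
    for a in anomalies:
        print("ANOMALY:", a)
    variances = reconcile_count(ASSET_REGISTER, MOVEMENT_LOG, REPORT_DATE, PHYSICAL_COUNT)
    for kind, ids in variances.items():
        print("VARIANCE %s: %s" % (kind, ids or "none"))
```

With the constructed data the report flags A-1002 as out for 48.5 hours, the stray check-in of A-1005 as a log anomaly, and the count shows A-1005 missing from the vault while A-1003, recorded as checked out, was found there.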


PS-14.0 | Blank Media/Raw Stock Tracking
Best Practice: Tag (e.g., barcode, assign unique identifier) blank stock/raw stock per unit when received.
HUAWEI CLOUD's Response: According to the ISO27001 standard, HUAWEI CLOUD's information asset classification is monitored and managed by special tools to form an asset list, and each asset is assigned an owner. HUAWEI CLOUD has obtained ISO27001 certification, and the certificate can be obtained from the Trust Center.
ISO27002: 8.1.1, 8.2.2
CSA CCM: STA-01
NIST 800-53: MP-4, PE-2, PE-3

PS-14.1 | Blank Media/Raw Stock Tracking
Best Practice: Establish a process to track consumption of raw materials (e.g., polycarbonate) monthly.
HUAWEI CLOUD's Response: Customers have ownership and control over the content data, are responsible for the quality of the content data and bear the risks associated with the quality of the data. At the same time, Cloud Eye Service (CES) provides users with a three-dimensional monitoring platform for elastic cloud servers, bandwidth and other resources.


PS-14.2 | Blank Media/Raw Stock Tracking
Best Practice: Store blank media/raw stock in a secured location.
HUAWEI CLOUD's Response: HUAWEI CLOUD formulates media management regulations, requiring that storage media must be kept in the controlled access area, and all storage media must be managed in the media management process. Important physical components of a data center are stored in designated safes with crypto-based electronic access code protection in the data center storage warehouses. Only authorized personnel can access and operate the safes. Work orders must be filled out before any physical components within the data center can be carried out of the data center. Personnel removing any data center components must be registered in the warehouse management system (WMS). Designated personnel perform periodic inventories on all physical equipment and warehouse materials.


PS-15.0 | Client Assets
Best Practice: Restrict access to finished client assets to personnel responsible for tracking and managing assets.
HUAWEI CLOUD's Response: The data center reasonably divides the physical area of the computer room, and the customer's data is stored in the production area of the data center. HUAWEI CLOUD has established access control management requirements in accordance with the requirements of ISO27001. It follows the principle of permissions minimization and the principle of permissions separation. The employees' permissions scope is regularly reviewed to avoid permissions exceeding their work scope. When an employee's on-the-job status changes, the permissions shall be cleaned up and modified in time. Logs of employees' logins and operations will be kept for the required time to respond to audit requirements.
ISO27002: 8.2.3
SOC: SOC15.1, SOC15.4
CSA CCM: IAM-02, STA-01, BCR-05, DCS-07
PCI DSS: 9.1, 9.9
NIST 800-53: MP-2, MP-4, PE-2, PE-3


PS-15.1 | Client Assets
Best Practice: Store client assets in a restricted and secure area (e.g., vault, safe, or other secure storage location).
HUAWEI CLOUD's Response: HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and set up online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.


PS-15.2 | Client Assets
Best Practice: Consider requiring two company personnel with separate access cards or keys / pins to unlock highly sensitive areas (e.g., safe, high-security cage) after-hours.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established access control management requirements in accordance with the requirements of ISO27001. It follows the principle of permissions minimization and the principle of permissions separation. The employees' permissions scope is regularly reviewed to avoid permissions exceeding their work scope. When an employee's on-the-job status changes, the permissions shall be cleaned up and modified in time. Logs of employees' logins and operations will be kept for the required time to respond to audit requirements.


PS-15.3 | Client Assets
Best Practice: Use a locked fireproof safe to store undelivered packages that are kept at the facility overnight.
HUAWEI CLOUD's Response: In terms of physical protection, HUAWEI CLOUD has established zone protection. To reduce risks, a location selection strategy has been formulated for possible natural disasters. For risks such as intrusion and authorization, a monitoring and response mechanism has been established as well.


PS-15.4 | Client Assets
Best Practice: Implement a dedicated, secure area (e.g., security cage, secure room) for the storage of undelivered screeners that is locked, access-controlled, and monitored with surveillance cameras and/or security guards.
HUAWEI CLOUD's Response: When configuring HUAWEI CLOUD services, customers can choose a dedicated data center autonomously. The data center reasonably divides the physical area of the computer room, and the customer's data is stored in the production area of the data center. HUAWEI CLOUD data centers employ industry-standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and set up online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.

PS-16.0 | Disposals
Best Practice: Require that rejected, damaged, and obsolete stock (DVDs, tapes, and other storage media) containing client assets are erased, degaussed, shredded, or physically destroyed before disposal.
HUAWEI CLOUD's Response: When a physical disk needs to be decommissioned, HUAWEI CLOUD permanently deletes the data present on the disk by means of physical disk degaussing and/or shredding as needed to avoid unauthorized access to user privacy and data. In addition, HUAWEI CLOUD adheres to industry-standard practices and keeps a complete data deletion activity log for chain of custody and audit purposes.
ISO27002: 8.3.2
ISO27017: 11.2.7
ISO27018: A.9.3, A.10.13
CSA CCM: DCS-05, DCS-07, IAM-05
PCI DSS: 9.8
NIST 800-53: MP-6


PS-16.0.1 | Disposals
Best Practice: Finished elements (e.g., check discs, test prints, mock-ups, ADR scripts) should be destroyed immediately after use, unless otherwise specified by content owners. Require paper materials containing client assets (scripts, artwork, storyboards, etc.) be physically destroyed before disposal.
HUAWEI CLOUD's Response: HUAWEI CLOUD formulates relevant media management regulations, in which media are cleared and scrapped according to their classification. HUAWEI CLOUD performs data wiping and disk degaussing in a variety of ways, and records the destruction operation. When a physical disk needs to be decommissioned, HUAWEI CLOUD permanently deletes the data present on the disk by physical methods to avoid unauthorized access to user privacy and data. In addition, HUAWEI CLOUD adheres to industry-standard practices and keeps a complete data deletion activity log for chain of custody and audit purposes.


PS-16.1 | Disposals
Best Practice: Store elements targeted for recycling/destruction in a secure location / container to prevent the copying and reuse of assets prior to disposal.
HUAWEI CLOUD's Response: HUAWEI CLOUD adopts the method of local scrapping for waste engineering auxiliary materials. When physical disks need to be decommissioned, HUAWEI CLOUD permanently deletes the data present on the disk by physical methods to avoid unauthorized access to user privacy and data. In addition, HUAWEI CLOUD adheres to industry-standard practices and keeps a complete data deletion activity log for chain of custody and audit purposes.

PS-16.2 | Disposals
Best Practice: Maintain a log of asset disposal for at least 12 months.
HUAWEI CLOUD's Response: HUAWEI CLOUD establishes an asset management system to manage the movement and transaction of assets, and keeps corresponding records. The retention time of the records meets the requirements of local laws and regulations.


PS-16.3 | Disposals
Best Practice: Destruction must be performed on site. On site destruction must be supervised and signed off by two company personnel. If a third party destruction company is engaged, destruction must be supervised and signed off by two company personnel and certificates of destruction must be retained.
HUAWEI CLOUD's Response: HUAWEI CLOUD stipulates the physical protection and inventory control of storage media, requiring that the degaussing operation be performed under camera coverage or with two people present at the same time, one of whom must be a data center manager or a designated person. Media that have been degaussed shall be clearly marked and the degaussing record shall be kept.


PS-16.4 | Disposals
Best Practice: Use automation to transfer rejected discs from replication machines directly into scrap bins (no machine operator handling).
HUAWEI CLOUD's Response: The media in HUAWEI CLOUD service do not involve optical disks. When a physical disk needs to be decommissioned, HUAWEI CLOUD permanently deletes the data present on the disk by physical methods to avoid unauthorized access to user privacy and data. In addition, HUAWEI CLOUD adheres to industry-standard practices and keeps a complete data deletion activity log for chain of custody and audit purposes.

PS-17.0 | Shipping
Best Practice: Require the facility to generate a valid work/shipping order to authorize client asset shipments out of the facility.
HUAWEI CLOUD's Response: Customers have the ownership and control of content data, and HUAWEI CLOUD receives and manages customer assets according to the agreement with customers.
ISO27002: 8.2.3, 8.3.3
ISO27018: A.10.4
CSA CCM: STA-01, DCS-02, DCS-04
PCI DSS: 9.9
NIST 800-53: AU-11, MP-5, PE-3, PE-7, PE-16


PS-17.1 | Shipping
Best Practice: Track and log client asset shipping details; at a minimum, include the following:
- Time of shipment
- Sender name and signature
- Recipient name
- Address of destination
- Tracking number from courier
- Reference to the corresponding work order
HUAWEI CLOUD's Response: HUAWEI CLOUD will not check the quality of the customer's content data. HUAWEI CLOUD maintains quality management control and risk control measures for customer personal data. For details, please refer to the HUAWEI CLOUD Data Security White Paper. Customers have ownership and control over the content data, are responsible for the quality of the content data and bear the risks associated with the quality of the data.

PS-17.2 | Shipping
Best Practice: Secure client assets that are waiting to be picked up.
HUAWEI CLOUD's Response: The HUAWEI CLOUD data center divides the physical area of the computer room, in which delivery and loading areas are set up to protect customer assets through specific controls.


PS-17.3 | Shipping
Best Practice: Validate client assets leaving the facility against a valid work/shipping order.
HUAWEI CLOUD's Response: Customers have the ownership and control of content data, and HUAWEI CLOUD receives and manages customer assets according to the agreement with customers.

PS-17.4 | Shipping
Best Practice: Prohibit couriers and delivery personnel from entering content / production areas of the facility.
HUAWEI CLOUD's Response: HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems at different zones of the data center site for optimal physical security.


PS-17.5 | Shipping
Best Practice: Document and retain a separate log for truck driver information.
HUAWEI CLOUD's Response: The gate post of the data center shall register and check the vehicles, personnel and articles entering the park and keep relevant records.

PS-17.5.1 | Shipping
Best Practice: Facilities should implement and maintain a record of all delivery personnel entering and exiting the building.
HUAWEI CLOUD's Response: The gate post of the data center shall register and check the vehicles, personnel and articles entering the park and keep relevant records.

PS-17.6 | Shipping
Best Practice: Observe and monitor the on-site packing and sealing of trailers prior to shipping.
HUAWEI CLOUD's Response: The gate post of the data center shall register and check the vehicles, personnel and articles entering the park and keep relevant records.


PS-17.7

Shipping

Record,monitorandreviewtraveltimes,routes,anddeliverytimes forshipmentsbetweenfacilities.

The HUAWEI CLOUDdata center conducts7*24 hours closed-circuit televisionmonitoring, andsigns atransportationcontract with a localthird-party couriercompany, and thethird-party couriercompany isresponsible for theloading of packages.

PS-17.8

Shipping

Prohibitthetransferof filmelementsoutside oftheshippingdepartment unlessapprovedby theclient.

HUAWEI CLOUD'sbusiness does notinvolve the transferof original film.

PS-17.9 | Shipping
Best Practice: Ship prints for pre-theatrical screenings in segments (e.g., odd versus even reels).
HUAWEI CLOUD's Response: HUAWEI CLOUD's business does not involve the provision of printed materials for movie screenings.


PS-18.0 | Shipping
Best Practice: Inspect delivered client assets upon receipt and compare to shipping documents (e.g., packing slip, manifest log).
HUAWEI CLOUD's Response: Customers have the ownership and control of content data, and HUAWEI CLOUD receives and manages customer assets according to the agreement with customers.
Cross-references: ISO27002 8.2.2, 8.2.3; CSA CCM STA-01; PCI DSS 9.9; NIST 800-53 MP-3, MP-4, MP-5, PE-16

PS-18.1 | Shipping
Best Practice: Maintain a receiving log to be filled out by designated personnel upon receipt of deliveries.
HUAWEI CLOUD's Response: The gate post in the park of the data center registers and checks the vehicles, personnel and articles entering the park and keeps relevant records. HUAWEI CLOUD maintains the receiving log according to the agreement with customers.


PS-18.2 | Shipping
Best Practice: Perform the following actions immediately: tag (e.g., barcode, assign unique identifier) received assets; input the asset into the asset management system; move the asset to the restricted area (e.g., vault, safe).
HUAWEI CLOUD's Response: When HUAWEI CLOUD receives the assets, it assigns a unique identifier to the assets, inputs the assets into the management system, and stores the assets in the designated area. For example, unused assets are placed in a special warehouse, the important accessories of the data center are stored in the special electronic encryption safe in the storage system, and off-shelf assets that store data are placed in the safe.

PS-18.3 | Shipping
Best Practice: Implement a secure method for receiving overnight deliveries.
HUAWEI CLOUD's Response: Not applicable to HUAWEI CLOUD.


PS-19.0 | Labeling
Best Practice: Prohibit the use of title information, including AKAs ("aliases"), on the outside of packages unless instructed otherwise by the client.
HUAWEI CLOUD's Response: According to the ISO27001 standard, the information asset classification of HUAWEI CLOUD is monitored and managed by special tools to form an asset list. Each asset has a unique asset number, which has nothing to do with the customer, and is used to maintain the asset management list.
Cross-references: ISO27002 8.2.2; ISO27017 8.2.2; CSA CCM DSI-04; PCI DSS 9.9; NIST 800-53 MP-3

PS-20.0 | Packaging
Best Practice: Ship all client assets in closed/sealed containers, and use locked containers depending on asset value, or if instructed by the client.
HUAWEI CLOUD's Response: Where applicable, the customer's assets are packaged in accordance with customer requirements.
Cross-references: ISO27002 8.3.3; NIST 800-53 MP-5


PS-20.1 | Packaging
Best Practice: Implement at least one of the following controls: tamper-evident tape; tamper-evident packaging; tamper-evident seals (e.g., in the form of holograms); secure containers (e.g., Pelican case with a combination lock).
HUAWEI CLOUD's Response: Where applicable, the customer's assets are packaged in accordance with customer requirements.


PS-20.2 | Packaging
Best Practice: Apply shrink wrapping to all shipments, and inspect packaging before final shipment to ensure that it is adequately wrapped.
HUAWEI CLOUD's Response: Where applicable, the customer's assets are packaged in accordance with customer requirements.

PS-21.0 | Transport Vehicles
Best Practice: Lock automobiles and trucks at all times, and do not place packages in clear view.
HUAWEI CLOUD's Response: HUAWEI CLOUD signs a transportation contract with a local third-party express company, and the third-party express company is responsible for the loading of packages.
Cross-references: CSA CCM STA-01; NIST 800-53 MP-5


PS-21.1 | Transport Vehicles
Best Practice: Include the following security features in transportation vehicles (e.g., trailers): segregation from driver cabin; ability to lock and seal cargo area doors; GPS for high-security shipments.
HUAWEI CLOUD's Response: HUAWEI CLOUD signs a transportation contract with a local third-party express company, and the third-party express company is responsible for the loading of packages.

PS-21.2 | Transport Vehicles
Best Practice: Apply numbered seals on cargo doors for shipments of highly sensitive titles.
HUAWEI CLOUD's Response: HUAWEI CLOUD signs a transportation contract with a local third-party express company, and the third-party express company is responsible for the loading of packages.


PS-21.3 | Transport Vehicles
Best Practice: Require security escorts to be used when delivering highly sensitive content to high-risk areas.
HUAWEI CLOUD's Response: HUAWEI CLOUD signs a transportation contract with a local third-party express company, and the third-party express company is responsible for the loading of packages.


PS-22.0 | Environment
Best Practice: Maintain optimal temperature and humidity set-points to facilitate optimal performance of equipment and to reduce the likelihood of catastrophic hardware failures for areas that house servers, storage devices, LAN equipment, network communications devices, and storage media.
HUAWEI CLOUD's Response: HUAWEI CLOUD data centers are fitted with high precision air conditioning and automatic adjustment of centralized humidifiers to ensure that computer systems operate optimally within their specified ranges of temperature and humidity. Hot and cold air channels for computer cabinets are properly designed and positioned. Cold air channels are sealed to prevent isolated hot spots. The space beneath the raised floor is used as a static pressure box to supply air to computer cabinets.
Cross-references: ISO27002 11; CSA CCM BCR-03


3.3 DS Data Security

Columns: NO. | Security Topic | Best Practice | HUAWEI CLOUD's Responses | ISO27002 | ISO27017 | ISO27018 | SOC | CSA CCM | PCI DSS | NIST 800-53

DS-1.0 | Firewall / WAN / Perimeter Security
Best Practice: Separate external network(s)/WAN(s) from the internal network(s) by using inspection firewall(s) with Access Control Lists that prevent unauthorized access to any internal network and with the ability to keep up with upload and download traffic.
HUAWEI CLOUD's Response: HUAWEI CLOUD divides the security regions of the cloud platform, and realizes internal and external network isolation by using Anti-DDoS, IPS, WAF and other multi-layer protection.
Cross-references: ISO27002 9.1, 9.4, 10.1, 12.2, 12.3, 12.4, 12.6, 13.1, 13.2, 16.1, 17.1; ISO27017 9.4.1, 10.1.1, 12.4.4, 12.6.1, 13.1.3; SOC SOC13.1, SOC13.4, SOC15.15, SOC18.1; CSA CCM IVS-03, IVS-06, IVS-07, IVS-08, IVS-11, IVS-12, AIS-01, BCR-11, TVM-02, CCC-03, GRM-01, EKM-02; PCI DSS 1.1, 1.2, 1.3, 1.4, 5.1, 5.2, 5.3, 10.1, 10.2, 10.3, 10.4, 11.2, 11.3, 12.5; NIST 800-53 AC-3, AC-4, AC-6, AC-17, AC-20, CA-3, CM-6, CM-7, RA-5, SC-7, SC-12, SC-33, SI-2


DS-1.1 | Firewall / WAN / Perimeter Security
Best Practice: Implement a process to review firewall Access Control Lists (ACLs) to confirm configuration settings are appropriate and required by the business every 6 months.
HUAWEI CLOUD's Response: HUAWEI CLOUD has a professional network security team who are responsible for updating the network architecture diagram and checking firewall rules between regions. In the annual review of HUAWEI CLOUD PCI DSS certification, this content will also be audited by a third-party organization. All firewall controls and change records are recorded in the security log, and the firewall configuration can only be changed after approval by a specific administrator.
Cross-references: CSA CCM EKM-03


DS-1.1.1 | Firewall / WAN / Perimeter Security
Best Practice: Firewall management policies and procedures must be documented, and at a minimum, cover: provisioning requirements (i.e., based off the concept of least-privilege); deployment requirements (e.g., baseline requirements); change control requirements (e.g., patching, upgrades, firewall rule management).
HUAWEI CLOUD's Response: All firewall controls and change records are recorded in the security log, and the firewall configuration can only be changed after approval by a specific administrator. Customers are responsible for deploying strategies, such as configuring firewall gateways and advanced security services for their virtual networks, and for setting up the security configuration and management tasks necessary for cloud services such as virtual networks, virtual hosts, and guest virtual machines in the customer space (including the customer configuration of platform services such as updating and installing full patches, container security management, and big data analysis, as well as the internal security configuration of other rented cloud services, etc.).


DS-1.2 | Firewall / WAN / Perimeter Security
Best Practice: Deny all incoming and outgoing network requests by default. Enable only explicitly defined incoming requests by specific protocol and destination. Enable only explicitly defined outgoing requests by specific protocol and source.
HUAWEI CLOUD's Response: To improve the security of cloud services, HUAWEI CLOUD applies a variety of advanced protection functions to protect the intranet area, including:
DDoS scrubbing under abnormal traffic and/or extreme load: Huawei in-house developed enterprise-grade anti-DDoS appliances, which are deployed at the perimeter of each cloud data center network, detect and scrub abnormal traffic and mega load attacks.
Network intrusion detection and prevention system (IDS/IPS): Based on network traffic, IPS can also provide information needed to help locate and troubleshoot network issues, assign direction-specific load throttling policies, and apply customized detection rules accordingly in order to protect application and infrastructure security in the production environment.
Web application security: HUAWEI CLOUD has deployed web application firewalls (WAFs) to fend off web attacks such as layer 7 DDoS, SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), attacks targeting component-specific vulnerabilities, and identity impersonation.
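As an added illustration of the DS-1.2 requirement (this is example code written for this page, not part of Huawei's response and not any HUAWEI CLOUD or vendor tooling), the following script audits a small rule set for a catch-all deny in each direction, for allows that pin a protocol, for inbound allows that pin a destination and outbound allows that pin a source, and for stale rules left behind the catch-all deny, which is the kind of check a DS-1.1 six-monthly review would run. The rule format and both sample rule sets are constructed for the example.

```python
"""Rule-set audit for the DS-1.2 policy (added example; the rule format and the
sample rule sets are constructed here and do not represent any real firewall
syntax or HUAWEI CLOUD configuration)."""
from dataclasses import dataclass
from typing import List

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str  # "in" (toward the internal network) or "out" (leaving it)
    action: str     # "allow" or "deny"
    protocol: str   # "tcp", "udp", "icmp" or ANY
    src: str        # source CIDR or ANY
    dst: str        # destination CIDR or ANY
    port: str       # destination port / range or ANY


def is_catch_all_deny(rule: Rule) -> bool:
    """True for an explicit deny that matches every protocol, endpoint and port."""
    return (rule.action == "deny" and rule.protocol == ANY
            and rule.src == ANY and rule.dst == ANY and rule.port == ANY)


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means the set meets DS-1.2.

    Checks, per direction: an explicit catch-all deny exists (default deny),
    nothing is placed after it (such rules are unreachable and a sign of a
    stale or unreviewed rule set), every allow pins a protocol, inbound allows
    pin a destination, outbound allows pin a source, and no allow is any-to-any.
    """
    findings: List[str] = []
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        catch_all = [i for i, r in enumerate(chain) if is_catch_all_deny(r)]
        if not catch_all:
            findings.append(f"{direction}: no catch-all deny rule (default is not deny)")
        else:
            for r in chain[catch_all[0] + 1:]:
                findings.append(f"{r.name}: unreachable, placed after the catch-all deny")
        for r in chain:
            if r.action != "allow":
                continue
            if r.protocol == ANY:
                findings.append(f"{r.name}: allow rule does not pin a protocol")
            if direction == "in" and r.dst == ANY:
                findings.append(f"{r.name}: inbound allow to any destination")
            if direction == "out" and r.src == ANY:
                findings.append(f"{r.name}: outbound allow from any source")
            if r.src == ANY and r.dst == ANY and r.port == ANY:
                findings.append(f"{r.name}: allow rule is any-to-any")
    return findings


# Constructed sample: a permissive rule set that fails the policy in both directions.
WEAK_RULES = [
    Rule("in-web", "in", "allow", "tcp", ANY, "10.0.1.0/24", "443"),
    Rule("in-mgmt", "in", "allow", ANY, ANY, ANY, ANY),   # blanket inbound allow
    Rule("out-all", "out", "allow", ANY, ANY, ANY, ANY),  # blanket outbound allow
]

# Constructed sample: the same intent as explicit allows plus catch-all denies.
HARDENED_RULES = [
    Rule("in-web", "in", "allow", "tcp", ANY, "10.0.1.10/32", "443"),
    Rule("in-default", "in", "deny", ANY, ANY, ANY, ANY),
    Rule("out-dns", "out", "allow", "udp", "10.0.1.0/24", "10.0.0.53/32", "53"),
    Rule("out-updates", "out", "allow", "tcp", "10.0.1.0/24", "10.0.2.10/32", "443"),
    Rule("out-default", "out", "deny", ANY, ANY, ANY, ANY),
]

if __name__ == "__main__":
    for label, ruleset in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        result = audit_rules(ruleset)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```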

DS-1.2.1 | Firewall / WAN / Perimeter Security
Best Practice: Firewalls should be configured to actively alert security members of key security events.
HUAWEI CLOUD's Response: HUAWEI CLOUD formulates firewall management regulations, puts forward firewall docking design requirements and configuration specifications, and sets up the firewall backup responsible person in the security event response process.


DS-1.3 | Firewall / WAN / Perimeter Security
Best Practice: Place externally accessible servers (e.g., web servers) within the DMZ.
HUAWEI CLOUD's Response: The DMZ zone mainly hosts public-facing cloud service frontend components (for example, infrastructure components such as the load balancer and proxy server, and service components such as the service console and the API Gateway). Customers' access behavior (through the Internet or their own VMs on the public cloud) is untrusted, hence the need for a dedicated DMZ zone to isolate external requests and keep them from reaching cloud service backend components. Components in the DMZ zone are faced with more serious security threats and risks than other zones. Therefore, in addition to deploying firewalls and anti-DDoS appliances, Huawei Cloud has also deployed technologies such as web application firewall (WAF) and intrusion detection/prevention system (IDS/IPS) in order to further bolster infrastructure, platform, and application security.

DS-1.4 | Firewall / WAN / Perimeter Security
Best Practice: Implement a process to patch network infrastructure devices (e.g., firewalls, routers, switches, etc.), SAN/NAS (Storage Area Networks and Network Attached Storage), and servers.
HUAWEI CLOUD's Response: HUAWEI has a reasonably mature vulnerability response program. The nature of HUAWEI CLOUD's self-service model is to continuously optimize the security vulnerability management process and technical means. It will ensure rapid patching of vulnerabilities found in in-house-developed and third-party technologies for HUAWEI CLOUD infrastructure, mitigating risks to customers' business operations.


DS-1.5 | Firewall / WAN / Perimeter Security
Best Practice: Harden network infrastructure devices, SAN/NAS, and servers based on security configuration standards. Disable SNMP (Simple Network Management Protocol) if it is not in use, or use only SNMPv3 or higher and select SNMP community strings that are strong passwords.
HUAWEI CLOUD's Response: HUAWEI CLOUD has set up a network infrastructure configuration standard that must be followed and that standardizes the interface, VLAN, SNMP and other configuration of each network device.


DS-1.6 | Firewall / WAN / Perimeter Security
Best Practice: Do not allow direct management of the firewall from any external interfaces (i.e. Internet or WAN facing).
HUAWEI CLOUD's Response: HUAWEI CLOUD enforces strict access control on HUAWEI CLOUD administrators who access the host operating system, and implements comprehensive log audits of all operations and maintenance operations performed by them. HUAWEI CLOUD administrators must pass two-factor authentication before they can access the management plane through the bastion machine. All operations will be logged and sent to the centralized log audit system in time.


DS-1.7 | Firewall / WAN / Perimeter Security
Best Practice: Store local backups of network infrastructure/SAN/NAS devices and servers on a server in a secure internal network.
HUAWEI CLOUD's Response: The HUAWEI CLOUD Customer Agreement and Privacy Statement inform customers of their personal data retention policies. HUAWEI CLOUD has the technical capabilities to implement the retention policies in the above agreements. Except for Identity and Access Management (IAM)/Object Storage Service (OBS), the management data (including operation logs, etc.) of all launched services and components on HUAWEI CLOUD is backed up to OBS. At the same time, the management data of IAM/OBS needs to be backed up to non-OBS storage. Customers can use the Cloud Eye Service (CES) to monitor the running status of the server and the resources on the cloud in real time. When a hardware failure occurs, CES will notify the customer via email, SMS, and HTTP/S. At the same time, customers can use the snapshot function in the Elastic Volume Service (EVS) to fully restore the data to the snapshot time point in case of data loss. HUAWEI CLOUD provides Image Management Service (IMS), which can be used to back up the instance of a cloud server for customers. When the software environment of the instance fails, the backup image can be used to restore it.


DS-1.8 | Firewall / WAN / Perimeter Security
Best Practice: Perform, on at least a monthly basis, network vulnerability scans of all external IP ranges and hosts and remediate issues. If applicable, the scope of external scans should include any cloud deployments.
HUAWEI CLOUD's Response: HUAWEI CLOUD organizes internal and external qualified third parties to scan all HUAWEI CLOUD systems, applications and networks for vulnerabilities at a fixed period, and hires an external third party to conduct penetration tests of HUAWEI CLOUD applications and networks. For all known security vulnerability information, HUAWEI CLOUD evaluates and analyzes each vulnerability, formulates and implements vulnerability fix plans or circumvention measures, verifies the fix after it is applied, and continues tracking to confirm that the risk is eliminated or mitigated.


DS-1.9 | Firewall / WAN / Perimeter Security
Best Practice: Perform, on at least an annual basis, penetration testing of all external IP ranges and hosts and remediate issues.
HUAWEI CLOUD's Response: HUAWEI CLOUD organizes internal and external qualified third parties to scan all HUAWEI CLOUD systems, applications and networks for vulnerabilities at a fixed period, and hires an external third party to conduct penetration tests of HUAWEI CLOUD applications and networks.

DS-1.10 | Firewall / WAN / Perimeter Security
Best Practice: Secure any point to point connections by using dedicated, private connections and/or encryption.
HUAWEI CLOUD's Response: In the scenario where data is transmitted between clients and servers and between servers of HUAWEI CLOUD via common information channels, any point-to-point connection can be protected through virtual private network (VPN), application layer TLS, and certificate management. Customers can use the HUAWEI CLOUD Data Encryption Service (DEW) to exclusively encrypt transmitted data. For more information on VPN, application layer TLS and certificate management, and DEW, refer to the HUAWEI CLOUD Security White Paper.


DS-1.11 | Firewall / WAN / Perimeter Security
Best Practice: Implement a synchronized time service protocol (e.g., Network Time Protocol) to ensure all systems have a common time reference.
HUAWEI CLOUD's Response: HUAWEI CLOUD uses the NTP 4.2.8 protocol to synchronize the time in the system.


DS-1.12 | Firewall / WAN / Perimeter Security
Best Practice: Establish, document and implement baseline security requirements for WAN network infrastructure devices and services.
HUAWEI CLOUD's Response: HUAWEI CLOUD ensures the secure introduction and use of open source and third-party software based on the principle of strict entry and wide use. HUAWEI CLOUD proactively seeks out and adopts industry best security practice. HUAWEI CLOUD establishes an internal technical standard specification library, which contains the information security baselines for every component in the infrastructure. At the same time, HUAWEI CLOUD requires that all services must pass the basic security requirements verification ahead of release to ensure compliance with the infrastructure.


DS-2.0 | Internet
Best Practice: Prohibit the production network and all systems that process or store digital content from directly accessing the internet, including email. If a business case requires internet access from the production network or from systems that process or store digital content, only approved methods are allowed via use of a remote hosted application / desktop session.
HUAWEI CLOUD's Response: HUAWEI CLOUD boundary protection devices are configured in reject-all mode. Information flow between network structures is enforced using rule sets, access control lists (ACL), and configured boundary protection devices. These devices use a reject-all configuration and require an approved firewall to allow connections.
Cross-references: ISO27002 12.1, 13; SOC SOC13.1, SOC13.4, SOC13.14; CSA CCM IVS-08, IAM-05; PCI DSS 1.1, 1.2, 1.3, 1.4, 2.2, 5.1, 6.6, 8.5, 11.2; NIST 800-53 CA-3, PL-4


DS-2.1 | Internet
Best Practice: Implement email filtering software or appliances that block the following from non-production networks: potential phishing emails; prohibited file attachments (e.g., Visual Basic scripts, executables, etc.); file size restrictions limited to 30 MB; known domains that are sources of malware or viruses.
HUAWEI CLOUD's Response: HUAWEI CLOUD deploys the DoS/DDoS prevention cleaning layer, next-generation firewall, intrusion prevention system layer, and website application firewall layer at the network boundary to protect the internet boundary of HUAWEI CLOUD. HUAWEI CLOUD restricts the size of mail received and sent, and trains employees with high-frequency awareness training on phishing e-mail.


DS-2.2 | Internet
Best Practice: Implement web filtering software or appliances that restrict access to websites known for peer-to-peer file trading, viruses, hacking or other malicious sites.
HUAWEI CLOUD's Response: HUAWEI CLOUD deploys web application firewalls to deal with web attacks, such as DDoS attacks, SQL injection, XSS (cross-site scripting), CSRF (cross-site request forgery), component vulnerability attacks, identity forgery, etc. in the web application layer to protect web application services and systems deployed in DMZ zones and outbound networks.

DS-3.0 | LAN / Internal Network
Best Practice: Isolate the content/production network from non-production networks (e.g., office network, DMZ, the internet, etc.) by means of physical or logical network segmentation.
HUAWEI CLOUD's Response: Based on business functions and network security risks, HUAWEI CLOUD divides production networks into DMZ zones, public service zones, POD (Point of Delivery), OBS (Object-Based Storage, i.e., content/production networks) and OM (Operations Management) through physical and logical control. When accessing a data store from an external network, it must be accessed through the DMZ service console or gateway.
Cross-references: ISO27002 6.2, 9, 10.1, 11.2, 12.3, 12.6, 13, 16.1, 17.1; ISO27017 12.3.1, 12.6.1, 13.1.3; CSA CCM IVS-06, IVS-07, IVS-08, IVS-11, IVS-12, IVS-13, TVM-02; NIST 800-53 AC-18, SI-4


DS-3.1 | LAN / Internal Network
Best Practice: Restrict access to the content / production systems to authorized computing hardware.
HUAWEI CLOUD's Response: HUAWEI CLOUD enforces strict access control on HUAWEI CLOUD administrators who access the host operating system, and implements comprehensive log audits of all operations and maintenance operations performed by them. HUAWEI CLOUD administrators must pass two-factor authentication before they can access the management plane through the bastion machine. All operations will be logged and sent to the centralized log audit system in time.
Cross-references: CSA CCM BCR-11, IAM-02


DS-3.2 | LAN / Internal Network
Best Practice: Restrict remote access to the content / production network to only approved personnel who require access to perform their job responsibilities.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established access control management requirements in accordance with the requirements of ISO27001. It follows the principle of permissions minimization and the principle of permissions separation. The employees' permissions scope is regularly reviewed to avoid permissions exceeding their work scope. When an employee's on-the-job status changes, the permissions shall be cleaned up and modified in time. Logs of employees' logins and operations are kept for the required time to respond to audit requirements.


DS-3.3 | LAN / Internal Network
Best Practice: Use switches/layer 3 devices to manage network traffic. Disable all unused switch ports on the content / production network to prevent access from unauthorized devices.
HUAWEI CLOUD's Response: HUAWEI CLOUD requires all unused ports to be closed, and opened only when they need to be enabled.

DS-3.4 | LAN / Internal Network
Best Practice: Restrict the use of non-switched devices such as hubs and repeaters on the content/production network.
HUAWEI CLOUD's Response: On content/production networks, HUAWEI CLOUD uses switches instead of hubs and repeaters.


DS-3.5 | LAN / Internal Network
Best Practice: Prohibit bridging or dual-homed networking (physical network bridging) on computer systems between content / production networks and non-content/production networks.
HUAWEI CLOUD's Response: HUAWEI CLOUD requires that computers not be connected to two or more networks with different attributes at the same time without approval.


NO.: DS-3.6
Security Topic: LAN/Internal Network
Best Practice: Implement a network-based intrusion detection/prevention system to protect the content/production network.
HUAWEI CLOUD's Response: In order to detect and intercept attacks from the Internet as well as east-west attacks between tenants' virtual networks, network IPS appliances are deployed on HUAWEI CLOUD's network, including but not limited to the public-facing network perimeter, trust boundaries of security zones, and the tenant space perimeter. IPS in HUAWEI CLOUD can analyze real-time network traffic and trigger blocking on various intrusions such as protocol attacks, brute force attacks, port and vulnerability scanning, virus and Trojan horse attacks, and attacks targeting specific vulnerabilities. Based on network traffic, IPS can also provide information needed to help locate and troubleshoot network issues, assign direction-specific load throttling policies, and apply customized detection rules accordingly in order to protect application and infrastructure security in the production environment.

NO.: DS-3.7
Security Topic: LAN/Internal Network
Best Practice: Disable SNMP (Simple Network Management Protocol) if it is not in use. Use SNMPv3 or higher with strong passwords for community strings.
HUAWEI CLOUD's Response: HUAWEI CLOUD uses a secure SNMP protocol to secure public cloud networks.

NO.: DS-3.8
Security Topic: LAN/Internal Network
Best Practice: Harden systems prior to placing them in the LAN/Internal Network.
HUAWEI CLOUD's Response: Based on business functions and network security risks, HUAWEI CLOUD divides production networks into DMZ zones, public service zones, POD (Point of Delivery), OBS (Object-Based Storage, i.e., content/production networks) and OM (Operations Management) through physical and logical controls. Details can be found in the HUAWEI CLOUD Security White Paper.


NO.: DS-3.9
Security Topic: LAN/Internal Network
Best Practice: Conduct internal network vulnerability scans and remediate any issues, at least annually.
HUAWEI CLOUD's Response: HUAWEI CLOUD organizes internal and external qualified third parties to scan all HUAWEI CLOUD systems, applications and networks for vulnerabilities every quarter, and hires an external third party to conduct penetration tests of HUAWEI CLOUD applications and networks every six months. For all known security vulnerability information, HUAWEI CLOUD evaluates and analyzes each vulnerability, formulates and implements vulnerability fix plans or circumvention measures, verifies the fix after it is applied, and continues tracking to confirm that the risk is eliminated or mitigated.


NO.: DS-3.10
Security Topic: LAN/Internal Network
Best Practice: Store local backups of local area network, SAN/NAS, devices, servers and workstations on a server in a secure internal network.
HUAWEI CLOUD's Response: Except for Identity and Access Management (IAM)/Object Storage Service (OBS), the management data (including operation logs, etc.) of all launched services and components on HUAWEI CLOUD is backed up to OBS. At the same time, the management data of IAM/OBS is backed up to non-OBS storage. Customers can use the Cloud Backup and Recovery (CBR) service to back up servers, cloud hard drives, and virtualized environments in the cloud. The customer is responsible for the encrypted storage of its content data. HUAWEI CLOUD's Data Encryption Workshop (DEW) can provide customers with encrypted storage functions in Elastic Volume Service (EVS), Object Storage Service (OBS), Volume Backup Service (VBS) and other services.


NO.: DS-3.11
Security Topic: LAN/Internal Network
Best Practice: DNS servers used in the production network should not allow connections to and from the Internet.
HUAWEI CLOUD's Response: DNS servers are deployed in a public service area, parts of which are restricted to tenants based on business needs; tenants must pass through the DMZ zone to access those parts and services. HUAWEI CLOUD administrators can access this area from their intranet for operation and management. For more details, refer to the HUAWEI CLOUD Security White Paper.

NO.: DS-4.0
Security Topic: Wireless
Best Practice: Prohibit wireless networking and the use of wireless devices on the content/production network.
HUAWEI CLOUD's Response: HUAWEI CLOUD prohibits the use of wireless networks and wireless devices on content/production networks.
ISO27002: 9.1, 13.1
CSA CCM: IVS-06, IVS-08, IVS-13, EKM-03
PCI DSS: 11.1
NIST 800-53: AC-18, SI-4


NO.: DS-4.1
Security Topic: Wireless
Best Practice: Configure non-production wireless networks (e.g., administrative and guest) with the following security controls: disable WEP/WPA; enable WPA2-PSK (AES); segregate "guest" networks from the company's other networks; change default administrator logon credentials; change the default network name (SSID).
HUAWEI CLOUD's Response: The office computers in the HUAWEI CLOUD internal office network must have security software installed that meets the company's unified requirements, in order to separate the employee network from the guest network. The identity of the employee must be verified when logging in to the employee network.


NO.: DS-4.2
Security Topic: Wireless
Best Practice: Implement a process to scan for rogue wireless access points and remediate any validated issues.
HUAWEI CLOUD's Response: HUAWEI CLOUD organizes internal and external qualified third parties to scan all HUAWEI CLOUD systems, applications and networks for vulnerabilities every quarter, and hires an external third party to conduct penetration tests of HUAWEI CLOUD applications and networks every six months.

NO.: DS-5.0
Security Topic: I/O Device Security
Best Practice: Designate specific data I/O systems to be used for uploading/downloading content from/to external networks (Internet).
HUAWEI CLOUD's Response: HUAWEI CLOUD has strict control over data center access, and content input/output devices cannot be brought in without permission. Personnel who manage servers must pass through the bastion host, and all inputs and outputs are monitored. In addition, the virtualization platform controls the virtual disk device associated with an image file so that it belongs to only one virtual machine; the virtual devices used by virtual machines are implemented through virtualization.
ISO27002: 10.7.1
SOC: SOC 12.1, SOC 15.1
CSA CCM: IVS-08, IVS-09
PCI DSS: 7.1, 8.2
NIST 800-53: SC-7, AC-19, MP-2


NO.: DS-5.0.1
Security Topic: I/O Device Security
Best Practice: Implement a multi-layered network architecture for ingesting content from external networks (Internet) into the production network, and for moving content from the production network to external networks.
HUAWEI CLOUD's Response: HUAWEI CLOUD references and adopts the security zoning principle of ITU E.408 and industry best practices on network security; nodes in the same security zone are at the same security level. HUAWEI CLOUD always takes into full consideration a wide variety of network security aspects ranging from network architecture design to device selection and configuration, as well as O&M. As a result, HUAWEI CLOUD has adopted a set of network security mechanisms to enforce stringent controls and ensure cloud security. Some key examples of these network security mechanisms are multi-layered security isolation, access control, and perimeter protection for physical and virtual networks, which are covered in more detail throughout the rest of the network security chapter and the following chapters of the white paper. Please refer to the HUAWEI CLOUD Security White Paper for details.

NO.: DS-5.1
Security Topic: I/O Device Security
Best Practice: Block input/output (I/O), mass storage, external storage, and mobile storage devices (e.g., USB, FireWire, Thunderbolt, SATA, Bluetooth, SCSI, etc.) and optical media burners (e.g., DVD, Blu-Ray, CD, etc.) on all systems that handle or store content, with the exception of systems used for content I/O. Refer to DS-4.0 for disconnecting wireless NICs.
HUAWEI CLOUD's Response: HUAWEI CLOUD has strict control over data center access, and content input/output devices cannot be brought in without permission. Personnel who manage servers must pass through the bastion host, and all inputs and outputs are monitored. In addition, the virtualization platform controls the virtual disk device associated with an image file so that it belongs to only one virtual machine; the virtual devices used by virtual machines are implemented through virtualization.


NO.: DS-6.0
Security Topic: System Security
Best Practice: Install anti-virus and anti-malware software on all workstations, servers, and on any device that connects to SAN/NAS systems.
HUAWEI CLOUD's Response: HUAWEI CLOUD uses an IPS (intrusion prevention system), web application firewall, anti-virus software, and HIDS (host-based intrusion detection system) for vulnerability management of system components and networks. The IPS can detect and prevent potential network intrusion activities; web application firewalls are deployed at the network boundary to protect application software from external SQL injection, cross-site scripting, CSRF and other application-oriented attacks; anti-virus software provides virus protection and a firewall on Windows systems; HIDS protects the security of cloud servers, reduces the risk of account theft, and provides weak password detection, malicious program detection, two-factor authentication, vulnerability management, and functions such as web page anti-tampering.
ISO27002: 6.2, 8.1, 9.4, 10.1, 11.1, 11.2, 12.1, 12.2, 12.5, 12.6, 14.1, 14.2
ISO27017: 9.4.4, 12.6.1, 14.1.1
ISO27018: A.10.5
CSA CCM: IVS-01, IVS-06, IVS-07, IVS-13, BCR-04, BCR-11, TVM-02, IAM-02, MOS-18, EKM-03, CCC-04, GRM-01, DCS-01
NIST 800-53: SI-3, SI-2, RA-5, AC-5, SC-2, PE-3, PE-5, MA-4, CM-10, CM-11, SI-7, AC-6, CM-7, CM-8

NO.: DS-6.1
Security Topic: System Security
Best Practice: Update all anti-virus and anti-malware definitions daily, or more frequently.
HUAWEI CLOUD's Response: HUAWEI CLOUD's anti-virus software regularly updates the policy base for anti-virus and anti-malware software.

NO.: DS-6.2
Security Topic: System Security
Best Practice: Scan all content for viruses and malware prior to ingest onto the content/production network.
HUAWEI CLOUD's Response: Before HUAWEI CLOUD products or services are released, all alarms raised by static code scanning must be cleared, effectively reducing the code-related issues that can extend rollout time.

NO.: DS-6.2.1
Security Topic: System Security
Best Practice: Local firewalls should be implemented on workstations to restrict unauthorized access to the workstation.
HUAWEI CLOUD's Response: HUAWEI CLOUD allocates permissions to employees according to the minimum scope of their work needs. Employees must use their personal account and password to log in to the workstation, and the information security management system monitors and records their access to and modification of sensitive information.


NO.: DS-6.3
Security Topic: System Security
Best Practice: Perform scans as follows: enable regular full system virus and malware scans on all workstations; enable full system virus and malware scans for servers and for systems connecting to a SAN/NAS.
HUAWEI CLOUD's Response: HUAWEI CLOUD organizes internal and external qualified third parties to scan all HUAWEI CLOUD systems, applications and networks for vulnerabilities every quarter, and hires an external third party to conduct penetration tests of HUAWEI CLOUD applications and networks every six months.


NO.: DS-6.4
Security Topic: System Security
Best Practice: Implement a process to regularly update systems (e.g., file transfer systems, operating systems, databases, applications, network devices) with patches/updates that remediate security vulnerabilities.
HUAWEI CLOUD's Response: Consistent with the relevant requirements of the PCI DSS standard, HUAWEI CLOUD organizes internal and external qualified third parties to scan all HUAWEI CLOUD systems, applications and networks for vulnerabilities every quarter, and hires an external third party to conduct penetration tests of HUAWEI CLOUD applications and networks every six months. For all known security vulnerability information, HUAWEI CLOUD evaluates and analyzes each vulnerability, formulates and implements vulnerability fix plans or circumvention measures, verifies the fix after it is applied, and continues tracking to confirm that the risk is eliminated or mitigated.


NO.: DS-6.5
Security Topic: System Security
Best Practice: Prohibit users from being Administrators on their own workstations, unless required for software (e.g., ProTools, Clipster and authoring software such as Blu-Print, Scenarist and Toshiba). Documentation from the software provider must explicitly state that administrative rights are required.
HUAWEI CLOUD's Response: According to the requirements of ISO27001, HUAWEI CLOUD has established access control management requirements, follows the principles of minimum authority and separation of authority, and regularly reviews the scope of employees' authority to avoid authority beyond the scope of their work. When an employee's on-the-job status changes, their authority is cleared and modified in time. HUAWEI CLOUD administrators who access the host operating system are subject to strict access control, and comprehensive log audits are carried out for all operation and maintenance operations. HUAWEI CLOUD administrators must pass two-factor authentication before they can access the management plane through bastion hosts. All operations are logged, and the logs are sent to the centralized log audit system in time.

NO.: DS-6.6
Security Topic: System Security
Best Practice: Use cable locks on transportable computing devices that handle content (e.g., laptops, tablets, desktops, towers) when they are left unattended.
HUAWEI CLOUD's Response: HUAWEI CLOUD has formulated security management regulations to strictly control portable computing devices. In order to control the outflow of information, HUAWEI CLOUD does not allocate portable computers to key posts.

NO.: DS-6.6.1
Security Topic: System Security
Best Practice: Apply seals or tamper-evident stickers on cases used for all workstations and servers that receive, send, manipulate, or store content in the production network.
HUAWEI CLOUD's Response: HUAWEI CLOUD has formulated security management regulations. The peripheral devices and USB ports of the computer are turned off and cannot be opened without approval. The computer must be configured for security when it enters the controlled area.


NO.: DS-6.7
Security Topic: System Security
Best Practice: Implement additional security controls for laptops and portable computing storage devices that contain content or sensitive information relating to client projects. Encrypt all laptops. Use hardware-encrypted portable computing storage devices. Install remote-kill software on all laptops/mobile devices that handle content to allow remote wiping of hard drives and other storage devices.
HUAWEI CLOUD's Response: Mobile devices can access the enterprise office environment of HUAWEI CLOUD through the internal applications required by work, such as instant messaging, emails, forums, human resources management, etc., for which corresponding rules and regulations have been established. However, HUAWEI CLOUD does not allow mobile devices such as iOS or Android phones and tablets to access the production environment, especially customer content data. The customer is responsible for the encrypted storage of its content data. HUAWEI CLOUD requires that portable computers carrying a large amount of key information be installed with full disk encryption software to prevent the risk of data leakage after equipment loss.


NO.: DS-6.8
Security Topic: System Security
Best Practice: Restrict software installation privileges to IT management.
HUAWEI CLOUD's Response: All office computers of HUAWEI CLOUD must have the security defense software specified by the company installed, and only software from the specified software list can be installed. Only limited standard software can be installed on HUAWEI CLOUD office computers. Programs that exceed system, object, network, virtual machine, and application control measures are not allowed to be installed, and software installation is monitored.

NO.: DS-6.9
Security Topic: System Security
Best Practice: Implement security baselines and standards to configure systems (e.g., laptops, workstations, servers, SAN/NAS) that are set up internally.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established a security baseline standard for internal systems. Before an internal system is put into use, it must be standardized against the baseline.


NO.: DS-6.10
Security Topic: System Security
Best Practice: Unnecessary services and applications should be uninstalled from content transfer servers.
HUAWEI CLOUD's Response: Only limited standard software can be installed on HUAWEI CLOUD office computers. Programs that exceed system, object, network, virtual machine, and application control measures are not allowed to be installed, and software installation is monitored.

NO.: DS-6.11
Security Topic: System Security
Best Practice: Maintain an inventory of systems and system components.
HUAWEI CLOUD's Response: According to the ISO27001 standard, HUAWEI CLOUD's information assets are classified, monitored and managed with dedicated tools to form an asset list, and each asset is assigned an owner. HUAWEI CLOUD has obtained ISO27001 certification, and the certificate can be downloaded from the Trust Center.


NO.: DS-6.12
Security Topic: System Security
Best Practice: Document the network topology and update the diagram annually or when significant changes are made to the infrastructure.
HUAWEI CLOUD's Response: HUAWEI CLOUD maintains and updates its own network architecture diagram, and the team responsible for network security tracks and confirms the compliance of the network architecture.

NO.: DS-7.0
Security Topic: Account Management
Best Practice: Establish and implement an account management process for administrator, user, and service accounts for all information systems and applications that handle content.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established an account permission management process to reduce security risks through the effective management and monitoring of the whole life cycle of system accounts/authority and the authorization process.
ISO27002: 8.1, 9, 12.1, 12.4, 18.2
ISO27017: 9.2.1, 9.2.2, 9.2.3
ISO27018: A.10.8, A.10.9, A.10.10
SOC: SOC 12.1, SOC 12.2, SOC 12.3, SOC 12.4
CSA CCM: IAM-02, IAM-05, IVS-08, IAM-10, IAM-12, IVS-01
PCI DSS: 7.1, 8.1, 8.2, 10.6
NIST 800-53: AC-2, AC-6, AU-2, AU-3, AU-6, AU-12, IA-4, PS-4, PS-5, PE-2


NO.: DS-7.1
Security Topic: Account Management
Best Practice: Maintain traceable evidence of the account management activities (e.g., approval emails, change request forms).
HUAWEI CLOUD's Response: HUAWEI CLOUD adds a monitoring policy corresponding to the permissions of each opened account and keeps the monitoring records, so that when the account is used, an alarm is automatically raised if there is any abnormality in the account or its authorization.

NO.: DS-7.2
Security Topic: Account Management
Best Practice: Assign unique credentials on a need-to-know basis using the principles of least privilege.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established privileged account management, stipulating that privileged accounts must follow the principles of work relevance, minimum authorization, and approval control.


NO.: DS-7.3
Security Topic: Account Management
Best Practice: Rename the default administrator accounts and other default accounts and limit the use of these accounts to special situations that require these credentials (e.g., operating system updates, patch installations, software updates).
HUAWEI CLOUD's Response: HUAWEI CLOUD has established a baseline for privileged accounts to manage the creation, use and recovery of privileged accounts. The operation of privileged accounts on all physical devices, network devices, operating systems and databases is strictly controlled.


NO.: DS-7.4
Security Topic: Account Management
Best Practice: Segregate duties to ensure that individuals responsible for assigning access to information systems are not themselves end users of those systems (i.e., personnel should not be able to assign access to themselves).
HUAWEI CLOUD's Response: Based on different business roles and responsibilities, access permissions management applies RBAC and includes the following basic roles: core network, access network, security devices, service systems, database systems, hardware maintenance, and monitoring maintenance. O&M personnel are restricted to accessing only devices within the administrative scope of their role and are not granted permissions to access other devices.

NO.: DS-7.5
Security Topic: Account Management
Best Practice: Monitor and audit administrator and service account activities.
HUAWEI CLOUD's Response: HUAWEI CLOUD uses the log system to monitor administrator-level access and to ensure that non-administrator employees do not have more than their due permissions, such as privileged access.


NO.: DS-7.6
Security Topic: Account Management
Best Practice: Implement a process to review user access for all information systems that handle content, and remove any user accounts that no longer require access, quarterly.
HUAWEI CLOUD's Response: Consistent with the relevant requirements of the ISO27001 standard, HUAWEI CLOUD provides employees with the minimum permissions based on their work needs and reviews the permissions every year, so that system users and administrators always follow the principle of minimum permissions.

NO.: DS-7.7
Security Topic: Account Management
Best Practice: Restrict user access to content on a per-project basis.
HUAWEI CLOUD's Response: Based on different business roles and responsibilities, access permissions management applies RBAC and includes the following basic roles: core network, access network, security devices, service systems, database systems, hardware maintenance, and monitoring maintenance. O&M personnel are restricted to accessing only devices within the administrative scope of their role and are not granted permissions to access other devices.


NO.: DS-7.8
Security Topic: Account Management
Best Practice: Disable or remove local accounts on systems that handle content where technically feasible.
HUAWEI CLOUD's Response: HUAWEI CLOUD local accounts are managed by the bastion host, and employees' operation behavior is monitored when they log in to the system.

NO.: DS-8.0
Security Topic: Authentication
Best Practice: Enforce the use of unique usernames and passwords to access information systems.
HUAWEI CLOUD's Response: HUAWEI CLOUD provides each employee with a unique identity and sets permissions based on job responsibilities. Employees' identities are verified every time they log in, so that HUAWEI CLOUD can trace the logs in time for accountability in an incident. HUAWEI CLOUD IAM can help customers implement AAA rules and supports the cloud platform's identity verification, authorization, and accountability mechanisms.
ISO27002: 9, 10.1
ISO27017: 9.2.4
ISO27018: A.10.8
SOC: SOC 12.5
CSA CCM: IAM-02, IAM-12, MOS-14, MOS-16
PCI DSS: 10.1, 10.2, 10.3
NIST 800-53: SI-4, AU-1, AU-2, AU-3, AU-6, AU-9, AU-11


NO.: DS-8.1
Security Topic: Authentication
Best Practice: Enforce a strong password policy for gaining access to information systems. The password policy should include guidance for service accounts.
HUAWEI CLOUD's Response: Administrators and end users are assigned unique identifiers, which are linked to all auditable events. All users must be authenticated using a password that meets predefined complexity requirements (such as password length or types of characters included).


NO.: DS-8.2
Security Topic: Authentication
Best Practice: Consider the use of a Privileged Account Management (PAM) tool.
HUAWEI CLOUD's Response: To maintain HUAWEI CLOUD platform security, HUAWEI CLOUD has taken a minimalist approach in building an extremely stripped-down host OS and also performs security hardening on all its services. In addition, HUAWEI CLOUD enforces stringent privileged access management (PAM) on HUAWEI CLOUD administrators who have host OS access and enables comprehensive logging and centralized log management of all administrator-level O&M activities. HUAWEI CLOUD administrators must pass two-factor authentication in order to access the management plane through bastion hosts.


NO.: DS-8.2.1
Security Topic: Authentication
Best Practice: Implement two-factor authentication (e.g., username/password and hard token/verification code text message) for access to web-based e-mail (Google, Microsoft, etc.) from desktops or mobile computing devices.
HUAWEI CLOUD's Response: HUAWEI CLOUD's IAM service supports the use of multi-factor authentication for login verification and operation protection. After the login verification function is enabled, when the user logs in to the console, a verification code must be entered on the login verification page in addition to the user name and password; after operation protection is enabled, the user must enter a verification code to confirm the operation when performing sensitive operations. Supported multi-factor authentication methods include mobile phone, email and virtual MFA devices.


DS-8.3 | Authentication
Best Practice: Implement password-protected screen savers or screen-lock software for servers and workstations.
HUAWEI CLOUD's Response: In accordance with the requirements of SOC, PCI DSS, ISO 27001 and other standards, HUAWEI CLOUD has established regulations on the responsibilities and conduct of employees, and third-party audit agencies review whether employees have been notified of their responsibilities for keeping equipment secure.


DS-8.4 | Authentication
Best Practice: Consider implementing additional authentication mechanisms to provide a layered authentication strategy for WAN and LAN / internal network access.
HUAWEI CLOUD's Response: The HUAWEI CLOUD IAM service supports multi-factor authentication for both login verification and operation protection. When login verification is enabled, a user logging in to the console must enter a verification code on the login verification page in addition to the user name and password. When operation protection is enabled, the user must enter a verification code to confirm each sensitive operation. Supported MFA devices are mobile phones, e-mail addresses, and virtual MFA devices. HUAWEI CLOUD also supports single sign-on based on the SAML 2.0 protocol: customers can use the identity provider function of HUAWEI CLOUD so that their users log in to HUAWEI CLOUD with an enterprise identity provider account. Currently, HUAWEI CLOUD supports two forms of federated identity authentication: web single sign-on (WebSSO), in which the browser is the communication medium, suited to ordinary users accessing HUAWEI CLOUD through a browser; and API calls, in which development tools or applications such as OpenStackClient and Shibboleth ECP Client are the communication medium, suited to enterprises or users accessing HUAWEI CLOUD through API calls.
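The "verification code" from a virtual MFA device in the two rows above is, in common practice, a time-based one-time password (RFC 6238 TOTP); that HUAWEI CLOUD's virtual MFA devices follow that standard is an assumption here, not a statement from the page. The following is an added example written for this page, not HUAWEI CLOUD's or the MPA's code, of what the verifying side has to do: recompute the expected code from the shared secret and the current 30-second time step, tolerate one step of clock drift in either direction, and refuse a code from a time step that has already been accepted, so that a captured code cannot be replayed. The secret is the RFC 6238 test secret and the timestamps are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// TOTPVerifier checks RFC 6238 codes for one enrolled virtual MFA device.
// Illustrative implementation with RFC 6238 defaults: HMAC-SHA1, 30 s steps,
// 6 digits. The secret would normally come from the enrolment record.
type TOTPVerifier struct {
	secret   []byte // shared secret provisioned to the virtual MFA device
	step     int64  // time step in seconds
	digits   int
	skew     int64 // accepted steps of clock drift on each side of "now"
	mu       sync.Mutex
	lastUsed int64 // highest time step already accepted; blocks replay
}

func NewTOTPVerifier(secret []byte) *TOTPVerifier {
	return &TOTPVerifier{secret: secret, step: 30, digits: 6, skew: 1, lastUsed: -1}
}

// hotp computes the RFC 4226 code for one counter value (dynamic truncation).
func (v *TOTPVerifier) hotp(counter int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(counter))
	mac := hmac.New(sha1.New, v.secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < v.digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", v.digits, bin%mod)
}

// CodeAt returns the code a correctly synchronised device displays at time t.
func (v *TOTPVerifier) CodeAt(t time.Time) string {
	return v.hotp(t.Unix() / v.step)
}

// Verify accepts code if it matches the current step or one step on either
// side, and that step is newer than the last accepted one. Comparison is
// constant-time so a wrong guess leaks nothing about the expected code.
func (v *TOTPVerifier) Verify(code string, now time.Time) bool {
	counter := now.Unix() / v.step
	v.mu.Lock()
	defer v.mu.Unlock()
	for d := -v.skew; d <= v.skew; d++ {
		c := counter + d
		if c <= v.lastUsed {
			continue // already consumed, or older than a consumed code
		}
		if hmac.Equal([]byte(v.hotp(c)), []byte(code)) {
			v.lastUsed = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret (constructed)
	v := NewTOTPVerifier(secret)
	now := time.Unix(59, 0)
	code := v.CodeAt(now)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

With the RFC 6238 test secret and time 59, CodeAt returns the documented test-vector value, the first Verify succeeds and the second, with the same code, fails. Tracking only the last accepted step is enough for replay protection because the skew window is one step wide on each side.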


DS-9.0 | Logging and Monitoring
Best Practice: Implement real-time logging and reporting systems to record and report security events; gather the following information at a minimum: when (timestamp), where (source), who (user name), what (content).
HUAWEI CLOUD's Response: HUAWEI CLOUD operates a centralized, comprehensive big-data log analysis system. It uniformly collects management behaviour logs from all physical devices, networks, platforms, applications, databases, and security systems, as well as threat-detection alarm logs from the various security products and components. Each log record contains the resource ID (such as source IP, host ID, or user ID), the event type, the date and time, the ID of the affected data/component/resource (such as destination IP, host ID, or service ID), and the success or failure of the action, so that network security events can be traced back and compliance demonstrated.
Mapped controls: ISO 27002: 10.1, 12.4; ISO 27017: 12.4.1, 12.4.3; CSA CCM: IVS-02, EKM-02, IVS-06, IVS-13, SEF-05, SEF-02, IAM-02; PCI DSS: 10.1, 10.2, 10.3; NIST 800-53: AU-1, AU-2, AU-3, AU-6, AU-8, AU-9, AU-11, SI-4.


DS-9.01 | Logging and Monitoring
Best Practice: Implement logging mechanisms on all systems used for the following: key generation; key management; vendor certificate management.
HUAWEI CLOUD's Response: HUAWEI CLOUD has established an encryption strategy and a key management mechanism to protect data on technical equipment, covering the assignment of personnel rights and responsibilities, encryption levels, and encryption methods. Logs are generated for all major key operations (such as creating a customer master key (CMK) or encrypting a data encryption key (DEK)) and recorded to Cloud Trace Service (CTS) so that CMK operations can be audited.


DS-9.1 | Logging and Monitoring
Best Practice: Implement a server to manage the logs in a central repository (e.g., syslog/log management server, Security Information and Event Management (SIEM) tool).
HUAWEI CLOUD's Response: HUAWEI CLOUD operates a centralized, comprehensive big-data log analysis system that uniformly collects management behaviour logs from all physical devices, networks, platforms, applications, databases, and security systems, as well as threat-detection alarm logs from the various security products and components. HUAWEI CLOUD enables security logging on the network devices and application systems that provide services; these logs record all changes to the devices and systems.


DS-9.2 | Logging and Monitoring
Best Practice: Configure logging systems to send automatic notifications when security events are detected, in order to facilitate active response to incidents.
HUAWEI CLOUD's Response: HUAWEI CLOUD operates a centralized, comprehensive big-data log analysis system that uniformly collects management behaviour logs from all physical devices, networks, platforms, applications, databases, and security systems, as well as threat-detection alarm logs from the various security products and components. To ensure that security events are handled professionally, urgently, and traceably, HUAWEI CLOUD has comprehensive security log management requirements, security event rating and handling processes, a 24/7 professional security event response team, and a corresponding pool of security experts.


DS-9.3 | Logging and Monitoring
Best Practice: Investigate any unusual activity reported by the logging and reporting systems.
HUAWEI CLOUD's Response: HUAWEI CLOUD has published the HUAWEI CLOUD Security White Paper, which explains that HUAWEI CLOUD is primarily responsible for responding to security incidents on the platform. Because security events must be handled professionally, urgently, and traceably, HUAWEI CLOUD has comprehensive security log management requirements, security event rating and handling processes, a 24/7 professional security event response team, and a corresponding pool of security experts. HUAWEI CLOUD strives for rapid security incident response across incident detection, impact scoping, damage isolation, and service recovery. At the same time, HUAWEI CLOUD keeps its security event rating criteria, time to response, and time to resolution up to date by taking into account the impact of a security event or incident on our entire network and on customers.

DS-9.4 | Logging and Monitoring
Best Practice: Review all logs weekly, and review all critical- and high-severity entries daily.
HUAWEI CLOUD's Response: HUAWEI CLOUD operates a centralized, comprehensive big-data log analysis system that uniformly collects management behaviour logs from all physical devices, networks, platforms, applications, databases, and security systems, as well as threat-detection alarm logs from the various security products and components. HUAWEI CLOUD enables security logging on the network devices and application systems that provide services; these logs record all changes to the devices and systems. In addition, HUAWEI CLOUD has a dedicated internal audit department that regularly audits the activity logs of the operation and maintenance process.


DS-9.5 | Logging and Monitoring
Best Practice: Enable logging of internal and external content movement and transfers, and include the following information at a minimum: user name; timestamp; file name; source IP address; destination IP address; event (e.g., download, view).
HUAWEI CLOUD's Response: HUAWEI CLOUD uses a centralized, comprehensive log system based on big-data analytics. The system collects management behaviour logs from all physical devices, networks, platforms, applications, databases, and security systems, as well as threat-detection logs from security products and components. The logs support backtracking of cybersecurity events and compliance, and include the following information: resource IDs (such as source IP addresses, host IDs, and user IDs), event types, date and time, IDs of the affected data/components/resources (such as destination IP addresses, host IDs, and service IDs), and success or failure information.
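Rows DS-9.0, DS-9.2 and DS-9.5 together ask for three things: that every record carry at least when, where, who and what; that content movement additionally carry file name, source and destination address and the event type; and that the logging system notify someone automatically when something suspicious appears. The following is an added example written for this page, not HUAWEI CLOUD's code or log format: it validates constructed newline-delimited JSON records against those minimum fields, rejects incomplete ones at ingestion (a record without a source address cannot be traced back later), and raises alerts for a content download from outside a trusted network range and for repeated failures by one user. The field names, the 10.0.0.0/8 range, the threshold of three failures and every sample record are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
	"time"
)

// AuditEvent is the minimum record DS-9.0 and DS-9.5 ask for: when (time),
// where (src_ip/dst_ip), who (user), what (event, object, result). The field
// names are this example's own, not a HUAWEI CLOUD log schema.
type AuditEvent struct {
	Timestamp string `json:"time"`
	User      string `json:"user"`
	SourceIP  string `json:"src_ip"`
	DestIP    string `json:"dst_ip"`
	Event     string `json:"event"`  // login, view, download, upload, delete, ...
	Object    string `json:"object"` // file or resource name
	Result    string `json:"result"` // "success" or "failure"
}

// isTransfer marks the events that move content and therefore need dst_ip.
func isTransfer(event string) bool {
	return event == "download" || event == "upload" || event == "copy"
}

// Validate names the fields that are missing or malformed. A record that fails
// here cannot support backtracking and is rejected at ingestion.
func (e AuditEvent) Validate() []string {
	var bad []string
	check := func(ok bool, field string) {
		if !ok {
			bad = append(bad, field)
		}
	}
	_, terr := time.Parse(time.RFC3339, e.Timestamp)
	check(terr == nil, "time")
	check(e.User != "", "user")
	check(net.ParseIP(e.SourceIP) != nil, "src_ip")
	// Destination is mandatory for content movement (DS-9.5), optional otherwise.
	check((!isTransfer(e.Event) && e.DestIP == "") || net.ParseIP(e.DestIP) != nil, "dst_ip")
	check(e.Event != "", "event")
	check(e.Object != "", "object")
	check(e.Result == "success" || e.Result == "failure", "result")
	return bad
}

// Detect ingests newline-delimited JSON, drops invalid records, and emits the
// automatic notifications DS-9.2 asks for under two rules: a content transfer
// from outside the trusted network, and failThreshold failures by one user.
func Detect(ndjson string, trusted *net.IPNet, failThreshold int) (alerts, rejected []string) {
	failures := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			rejected = append(rejected, "unparseable: "+line)
			continue
		}
		if bad := e.Validate(); len(bad) > 0 {
			rejected = append(rejected, fmt.Sprintf("invalid %v: %s", bad, line))
			continue
		}
		if e.Result == "failure" {
			failures[e.User]++
			if failures[e.User] == failThreshold {
				alerts = append(alerts, fmt.Sprintf("%s: %d failures by %s from %s",
					e.Timestamp, failThreshold, e.User, e.SourceIP))
			}
		}
		if isTransfer(e.Event) && !trusted.Contains(net.ParseIP(e.SourceIP)) {
			alerts = append(alerts, fmt.Sprintf("%s: %s of %s by %s from untrusted %s to %s",
				e.Timestamp, e.Event, e.Object, e.User, e.SourceIP, e.DestIP))
		}
	}
	return alerts, rejected
}

// SampleLog is constructed for this example; it is not real HUAWEI CLOUD data.
const SampleLog = `
{"time":"2021-01-29T09:00:01Z","user":"alice","src_ip":"10.1.2.3","dst_ip":"10.9.0.5","event":"view","object":"trailer_v3.mov","result":"success"}
{"time":"2021-01-29T09:00:07Z","user":"bob","src_ip":"198.51.100.7","dst_ip":"10.9.0.5","event":"download","object":"trailer_v3.mov","result":"success"}
{"time":"2021-01-29T09:00:09Z","user":"carol","src_ip":"10.1.2.9","event":"download","object":"script_final.pdf","result":"success"}
{"time":"2021-01-29T09:01:00Z","user":"mallory","src_ip":"10.1.2.50","event":"login","object":"console","result":"failure"}
{"time":"2021-01-29T09:01:05Z","user":"mallory","src_ip":"10.1.2.50","event":"login","object":"console","result":"failure"}
{"time":"2021-01-29T09:01:11Z","user":"mallory","src_ip":"10.1.2.50","event":"login","object":"console","result":"failure"}
{"time":"not-a-time","user":"","src_ip":"10.1.2.3","event":"delete","object":"x","result":"success"}
`

func main() {
	_, trusted, _ := net.ParseCIDR("10.0.0.0/8") // constructed corporate range
	alerts, rejected := Detect(SampleLog, trusted, 3)
	for _, a := range alerts {
		fmt.Println("ALERT", a)
	}
	for _, r := range rejected {
		fmt.Println("REJECTED", r)
	}
}
```

On the sample, bob's download from 198.51.100.7 and mallory's third failed login produce alerts; carol's download is rejected because a content transfer without a destination address does not meet DS-9.5, and the last record is rejected for its unparseable timestamp and empty user. Rejections are returned rather than silently dropped so that a broken log source is itself visible.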


DS-9.6 | Logging and Monitoring
Best Practice: Retain logs for at least one year.
HUAWEI CLOUD's Response: The HUAWEI CLOUD big-data log analysis system has strong storage and query capabilities, and all logs are required to be retained long enough to support the internal audit department's regular audits of operation and maintenance activities.


DS-9.7 | Logging and Monitoring
Best Practice: Restrict log access to appropriate personnel.
HUAWEI CLOUD's Response: HUAWEI CLOUD assigns employee access permissions according to the principle of least privilege, so employees can access only the content they are authorized for. Access and review permissions for logs are limited to specific employees; granting these permissions requires the approval of senior management, and the permissions are reviewed regularly. HUAWEI CLOUD also provides customers with cloud audit services: customers can use the cloud log service to record virtual machine configuration and log changes, and the cloud audit service to monitor the integrity of the configured logs.


DS-10.0 | Mobile Security
Best Practice: Define security controls and standards for mobile computing devices. Refer to MS-4.0.2 for mobile computing device policies.
HUAWEI CLOUD's Response: HUAWEI CLOUD has formulated mobile security management regulations to implement unified management of mobile computing devices.
Mapped controls: ISO 27002: 6.2, 11.2; CSA CCM: MOS-02, MOS-04, MOS-08, MOS-09, MOS-10, MOS-11, MOS-12, MOS-14, MOS-16, MOS-17, MOS-18; NIST 800-53: SC, CA, IA-2 (as extracted: "SCCAIA-2").

DS-10.1 | Mobile Security
Best Practice: Develop a list of approved applications, application stores, and application plug-ins/extensions for mobile devices accessing or storing content.
HUAWEI CLOUD's Response: Mobile devices can access the HUAWEI CLOUD enterprise office environment only through the internal applications required for work, such as instant messaging, e-mail, forums, and human resources management, for which corresponding rules and regulations have been established. Customers retain control of and responsibility for their data and related media assets, and are responsible for managing the security of their mobile devices and access to customer content.


DS-10.2 | Mobile Security
Best Practice: Maintain an inventory of all mobile devices that access or store content.
HUAWEI CLOUD's Response: As for DS-10.1: mobile devices can access the HUAWEI CLOUD enterprise office environment only through the internal applications required for work, governed by corresponding rules and regulations; customers retain control of and responsibility for their data and related media assets, and are responsible for managing the security of their mobile devices and access to customer content.
Mapped controls: CSA CCM: MOS-19.


DS-10.3 | Mobile Security
Best Practice: Require encryption either for the entire device or for the areas of the device where content will be handled or stored.
HUAWEI CLOUD's Response: As for DS-10.1: mobile devices can access the HUAWEI CLOUD enterprise office environment only through the internal applications required for work, governed by corresponding rules and regulations; customers retain control of and responsibility for their data and related media assets, and are responsible for managing the security of their mobile devices and access to customer content.


DS-10.4 | Mobile Security
Best Practice: Prevent the circumvention of security controls.
HUAWEI CLOUD's Response: As for DS-10.1: mobile devices can access the HUAWEI CLOUD enterprise office environment only through the internal applications required for work, governed by corresponding rules and regulations; customers retain control of and responsibility for their data and related media assets, and are responsible for managing the security of their mobile devices and access to customer content.


DS-10.5 | Mobile Security
Best Practice: Implement a system to perform a remote wipe of a mobile device, should it be lost, stolen, compromised, or otherwise necessary.
HUAWEI CLOUD's Response: As for DS-10.1: mobile devices can access the HUAWEI CLOUD enterprise office environment only through the internal applications required for work, governed by corresponding rules and regulations; customers retain control of and responsibility for their data and related media assets, and are responsible for managing the security of their mobile devices and access to customer content.


DS-10.6 | Mobile Security
Best Practice: Implement automatic locking of the device after 10 minutes of non-use.
HUAWEI CLOUD's Response: As for DS-10.1: mobile devices can access the HUAWEI CLOUD enterprise office environment only through the internal applications required for work, governed by corresponding rules and regulations; customers retain control of and responsibility for their data and related media assets, and are responsible for managing the security of their mobile devices and access to customer content.


DS-10.7 | Mobile Security
Best Practice: Manage all mobile device operating system patches and application updates.
HUAWEI CLOUD's Response: As for DS-10.1: mobile devices can access the HUAWEI CLOUD enterprise office environment only through the internal applications required for work, governed by corresponding rules and regulations; customers retain control of and responsibility for their data and related media assets, and are responsible for managing the security of their mobile devices and access to customer content.


DS-10.8 | Mobile Security
Best Practice: Enforce password policies.
HUAWEI CLOUD's Response: As for DS-10.1: mobile devices can access the HUAWEI CLOUD enterprise office environment only through the internal applications required for work, governed by corresponding rules and regulations; customers retain control of and responsibility for their data and related media assets, and are responsible for managing the security of their mobile devices and access to customer content.


DS-10.9 | Mobile Security
Best Practice: Consider implementing a system to perform backup and restoration of mobile devices.
HUAWEI CLOUD's Response: As for DS-10.1: mobile devices can access the HUAWEI CLOUD enterprise office environment only through the internal applications required for work, governed by corresponding rules and regulations; customers retain control of and responsibility for their data and related media assets, and are responsible for managing the security of their mobile devices and access to customer content.


DS-11.0 | Security Techniques
Best Practice: Ensure that security techniques (e.g., spoiling, invisible/visible watermarking) are available for use and are applied when instructed.
HUAWEI CLOUD's Response: When customers need to protect data copyright, authenticate data, or trace data, they can use digital watermarking. HUAWEI CLOUD Object Storage Service (OBS) can add text or image watermarks to images. Users can set watermarks for images on the OBS console, through code, or by invoking the API, and quickly obtain the processed images.
Mapped controls: ISO 27002: 8.2, 10.1; ISO 27017/27018 (column not recoverable from extraction): 12.3.1; SOC: SOC14.3, SOC14.4, SOC14.5, SOC14.6, SOC14.7, SOC14.8; CSA CCM: EKM-01, EKM-03, EKM-04, HRS-05; PCI DSS: 3.4, 3.5, 3.6, 4.1; NIST 800-53: IA-5, SC-8, SC-9, SC-12, SC-13.


DS-11.1 | Security Techniques
Best Practice: Encrypt content on hard drives, or encrypt entire hard drives, using a minimum of AES-256 encryption by either file-based encryption (i.e., encrypting the content itself) or drive-based encryption (i.e., encrypting the hard drive).
HUAWEI CLOUD's Response: HUAWEI CLOUD offers Data Express Service (DES) to address the problems of moving massive data sets, such as high network cost and long transmission time. DES supports client-side encryption by a designated third-party encryption utility that uses the industry-standard AES-256 algorithm. The utility creates virtual drives on hard disks without generating any files; users access their data by drive letter. All files on the virtual drives are encrypted automatically and require the proper key for access.


DS-11.2 | Security Techniques
Best Practice: Send decryption keys, keypad PINs, or passwords using an out-of-band communication protocol (i.e., not on the same storage media as the content itself).
HUAWEI CLOUD's Response: HUAWEI CLOUD itself uses the industry-standard AES algorithm to encrypt data on the platform, and uses TLS to protect data in transit. Customers can use the data encryption services to encrypt their own data. HUAWEI CLOUD provides cloud HSMs from different vendors, with different specifications (standard cryptographic algorithms, Chinese national cryptographic algorithms, etc.) and strengths, for tenants to choose from according to their needs.


DS-11.3 | Security Techniques
Best Practice: Implement and document key management policies and procedures covering: use of encryption protocols for the protection of sensitive content or data, regardless of its location (e.g., servers, databases, workstations, laptops, mobile devices, data in transit, e-mail); approval and revocation of trusted devices; generation, renewal, and revocation of content keys; internal and external distribution of content keys; binding encryption keys to identifiable owners; segregation of duties to separate key management from key usage; key storage procedures; key backup procedures.
HUAWEI CLOUD's Response: Under the HUAWEI CLOUD Key Management Policy, each user has a unique identifier. Customers can use Key Management Service (KMS) together with IAM to bind keys to identifiable owners. HUAWEI CLOUD provides customers with Data Encryption Workshop (DEW), which supports key escrow and helps customers create and manage keys easily; based on DEW, customers can manage the full life cycle of their keys.


DS-11.4 | Security Techniques
Best Practice: Encrypt content using a minimum of AES-256 encryption.
HUAWEI CLOUD's Response: As for DS-11.2: HUAWEI CLOUD itself uses the industry-standard AES algorithm to encrypt data on the platform and TLS to protect data in transit; customers can use the data encryption services to encrypt their own data, choosing cloud HSMs from different vendors with different specifications (standard cryptographic algorithms, Chinese national cryptographic algorithms, etc.) and strengths according to their needs.


DS-11.5 | Security Techniques
Best Practice: Store secret and private keys (not public keys) used to encrypt data/content in one or more of the following forms at all times: encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key; within a secure cryptographic device (e.g., a Host Security Module (HSM) or a PIN Transaction Security (PTS) point-of-interaction device); or as at least two full-length key components or key shares, in accordance with a security-industry-accepted method.
HUAWEI CLOUD's Response: Key Management Service (KMS) lets users manage their keys conveniently and protects critical business data by supporting encryption with a data encryption key (DEK) at any time. Key disclosure is prevented by storing the root key of KMS in an HSM; the root key never appears outside the HSM. In addition, at least two HSM devices are deployed as a pair for reliability and availability. CMKs are encrypted with the root key and saved as ciphertext on the key storage nodes. HUAWEI CLOUD also uses the key management system to encrypt and manage the encryption keys themselves; both the DEK and the key encryption key (KEK) use strong AES algorithms.


DS-11.6 | Security Techniques
Best Practice: Confirm that devices on the Trusted Devices List (TDL) are appropriate based on rights owners' approval.
HUAWEI CLOUD's Response: Mobile devices can access the HUAWEI CLOUD enterprise office environment only through the internal applications required for work, such as instant messaging, e-mail, forums, and human resources management, for which corresponding rules and regulations have been established. However, HUAWEI CLOUD does not allow mobile devices such as iOS or Android phones and tablets to access the production environment, and in particular customer content data. All HUAWEI CLOUD office computers must run the security software specified by the company, and only software from the approved software list may be installed; mobile code is not supported. IT basic systems and components are protected by IDS/IPS and must also run the company-designated security software, anti-virus software, and other security software; the right to modify the configuration of this security software is restricted, and its updates are mandatory.


DS-11.6.1 | Security Techniques
Best Practice: Access to KDMs must be restricted to the KDM creator and the exhibitor only.
HUAWEI CLOUD's Response: HUAWEI CLOUD provides customers with Data Encryption Workshop (DEW), which includes Key Management Service (KMS). KMS performs centralized role-based access control (RBAC) based on IAM roles. Operations on the CMKs stored in KMS can be performed only by users who have been authenticated by IAM and KMS and who hold the appropriate permissions; users with read-only permissions can query information about CMKs but cannot perform other operations. In addition, KMS isolates the CMKs of different customers so that each customer can access and manage only its own CMKs. Although system administrators have permissions to manage the devices, they cannot access CMKs.


DS-11.6.2 | Security Techniques

Best Practice: KDM creation and handling must be physically and digitally segregated from DCP handling and replication where feasible.

HUAWEI CLOUD's Response: Key disclosure is prevented by storing the root key of KMS in a hardware security module (HSM); the root key never appears outside the HSM. To ensure the security of KMS data, KMS hosts use a standard encrypted transmission mode to establish secure communication with the KMS service node.

DS-11.7 | Security Techniques

Best Practice: Confirm the validity of content keys and ensure that expiration dates conform to client instructions.

HUAWEI CLOUD's Response: Customers can use HUAWEI CLOUD Data Encryption Workshop (DEW) for dedicated encryption, key management and key pair management; DEW supports key creation, authorization, automatic rotation and hardware protection of keys. Customers can choose their own key management mechanism according to their needs.


DS-12.0 | Content Tracking

Best Practice: Implement a digital content management system to provide detailed tracking of digital content.

HUAWEI CLOUD's Response: Data usage and transfer also pose data leakage and legal-compliance risks. To reduce these risks, HUAWEI CLOUD provides customers with data access control, security protection and auditing services that help them control data usage and transfer in a fine-grained manner.


DS-12.1 | Content Tracking

Best Practice: Retain digital content movement transaction logs for one year.

HUAWEI CLOUD's Response: HUAWEI CLOUD uses a centralized and comprehensive log system based on big data analytics. The system collects management behavior logs of all physical devices, networks, platforms, applications, databases and security systems, as well as threat detection logs of security products and components. HUAWEI CLOUD does not check the quality of customers' content data. For the data quality and risk control measures under HUAWEI CLOUD's control, please refer to the HUAWEI CLOUD Data Security White Paper. Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality. For object storage, file storage and other services, customers can use Cloud Trace Service (CTS) to record user operations on data.


DS-12.2 | Content Tracking

Best Practice: Review logs from the digital content management system periodically and investigate anomalies.

HUAWEI CLOUD's Response: HUAWEI CLOUD does not check the quality of customers' content data. For the data quality and risk control measures under HUAWEI CLOUD's control, please refer to the HUAWEI CLOUD Data Security White Paper. Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality.


DS-12.3 | Content Tracking

Best Practice: Use client AKAs ("aliases") in asset tracking systems, unless otherwise directed by the client.

HUAWEI CLOUD's Response: In accordance with the ISO 27001 standard, HUAWEI CLOUD's information assets are classified, monitored and managed with specific tools to form an asset list, and each asset is assigned a unique asset number. HUAWEI CLOUD does not check the quality of customers' content data. For the data quality and risk control measures under HUAWEI CLOUD's control, please refer to the HUAWEI CLOUD Data Security White Paper. Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality. Data usage and transfer also pose data leakage and legal-compliance risks; to reduce these risks, HUAWEI CLOUD provides customers with data access control, security protection and auditing services that help them control data usage and transfer in a fine-grained manner.


DS-12.4 | Content Tracking

Best Practice: Use enterprise (not personal) versions of online or web-based collaboration services (e.g., Google Docs) for tracking content, managing inventory or workflow management. Utilize multi-factor authentication and centrally managed user accounts and access to data.

HUAWEI CLOUD's Response: HUAWEI CLOUD does not check the quality of customers' content data. For the data quality and risk control measures under HUAWEI CLOUD's control, please refer to the HUAWEI CLOUD Data Security White Paper. Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality. IAM is a user account management service designed for enterprises that allocates resources and operation permissions to enterprise users in a differentiated manner. Once IAM has authenticated and authorized these users, they can use an access key to access HUAWEI CLOUD resources through APIs. IAM supports hierarchical, fine-grained authorization to ensure that the various users who are part of an enterprise customer use cloud resources only as authorized. This authorization scheme prevents users from exceeding the scope of their permissions and ensures the continuity of customer services.

DS-13.0 | Transfer System

Best Practice: Use only client-approved transfer systems that utilize access controls, a minimum of AES-256 encryption for content at rest and for content in motion, and strong authentication for content transfer sessions.

HUAWEI CLOUD's Response: HUAWEI CLOUD itself uses AES, the strong encryption method widely adopted in the industry, to encrypt data within the platform, and uses a high-level TLS encryption protocol to protect data during transmission. Customers can configure an IP address-based ACL to ensure that enterprise users can access HUAWEI CLOUD resources only from a secure network environment, greatly mitigating the risk of data leakage.

Mapping: ISO 27002 10.1, 13.2; ISO 27018 A.10.6; SOC 14.3, 14.4, 14.5, 14.6, 14.7, 14.8; PCI DSS 3.4, 3.5, 3.6, 4.1; NIST 800-53 IA-5, SC-13
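The response above describes an IP address-based ACL that limits access to a known network environment. The following is an added example written for this page, not HUAWEI CLOUD's own code or a description of how its IAM ACL is implemented: it shows, in Go using only the standard library's net/netip, what such a deny-by-default source-address allow-list has to get right (strict parsing of entries, denial of unparseable addresses, and unmapping of IPv4-mapped IPv6 addresses so they cannot slip past an IPv4-only policy). The type and function names and the documentation-range prefixes and addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Allowlist is a deny-by-default source-address ACL: a request is permitted
// only when its source address lies inside one of the configured prefixes.
type Allowlist struct {
	prefixes []netip.Prefix
}

// NewAllowlist parses CIDR entries such as "203.0.113.0/24". A single host is
// written as /32 (IPv4) or /128 (IPv6). A malformed entry is an error rather
// than being skipped, so a typo cannot silently widen or narrow the policy.
func NewAllowlist(cidrs []string) (*Allowlist, error) {
	al := &Allowlist{}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("invalid ACL entry %q: %w", c, err)
		}
		al.prefixes = append(al.prefixes, p.Masked())
	}
	return al, nil
}

// Allowed reports whether a request from source may proceed. Unparseable
// addresses are denied. IPv4-mapped IPv6 forms (::ffff:203.0.113.40) are
// unmapped first; otherwise netip.Prefix.Contains would treat them as IPv6
// and an IPv4-only allowlist would reject legitimate clients (or, with a
// permissive IPv6 entry, admit them unintentionally).
func (al *Allowlist) Allowed(source string) bool {
	addr, err := netip.ParseAddr(source)
	if err != nil {
		return false
	}
	addr = addr.Unmap()
	for _, p := range al.prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed policy: one corporate IPv4 egress range, one IPv6 range and
	// one partner host, all from documentation address space (RFC 5737/3849).
	acl, err := NewAllowlist([]string{"203.0.113.0/24", "2001:db8:1::/48", "198.51.100.7/32"})
	if err != nil {
		panic(err)
	}
	for _, src := range []string{
		"203.0.113.40", "::ffff:203.0.113.40", "198.51.100.7",
		"198.51.100.8", "2001:db8:1::9", "2001:db8:2::9", "not-an-ip",
	} {
		fmt.Printf("%-22s allowed=%v\n", src, acl.Allowed(src))
	}
}
```

The source address checked must be the one the transport actually presents (the TLS connection's peer address), not a client-supplied header such as X-Forwarded-For, unless that header is set by a proxy you control; an ACL evaluated on a spoofable header provides no restriction at all.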


DS-13.1 | Transfer System

Best Practice: Implement an exception process, where prior client approval must be obtained in writing, to address situations where encrypted transfer tools are not used.

HUAWEI CLOUD's Response: HUAWEI CLOUD supports data transfer in REST and Highway modes; both support TLS 1.2 encryption of data in transit and X.509 certificate-based authentication of the destination endpoint.

DS-14.0 | Transfer Device Methodology

Best Practice: Implement and use dedicated systems for content transfers.

HUAWEI CLOUD's Response: HUAWEI CLOUD provides a service that supports client-side encryption by a designated third-party encryption utility that uses the industry-standard AES-256 algorithm and runs on Windows, Mac OS X and Linux.

Mapping: ISO 27002 12.4, 13.1, 13.2; ISO 27018 A.4.1; NIST 800-53 AC-4, AC-20, SC-7, MP-6
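DS-13.0 asks for at least AES-256 for content at rest and in motion, and the DS-14.0 response describes client-side encryption with AES-256 before content reaches the transfer system. The following is an added example written for this page, not the third-party utility the response refers to and not HUAWEI CLOUD code: it shows in Go, with only the standard library, what "client-side AES-256" should mean in practice, namely AES-256-GCM with a fresh random nonce per object, the asset identifier bound as associated data, and rejection of anything whose authentication tag does not verify. The function names, the asset identifier and the sample content are constructed for the example; the key is generated locally here, where a real deployment would obtain it from a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // 32 bytes = AES-256; shorter keys are rejected below

// newGCM builds an AES-256-GCM AEAD, refusing AES-128/192 keys so the
// "minimum AES-256" requirement cannot be weakened by a misconfigured key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for upload. A fresh random 96-bit nonce is drawn per
// call and prepended to the output; assetID is bound as associated data so an
// encrypted blob cannot be quietly relabelled as a different asset.
// Output layout: nonce || ciphertext || 16-byte GCM tag.
func Encrypt(key []byte, assetID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(assetID)), nil
}

// Decrypt reverses Encrypt after download. Any change to the nonce, the
// ciphertext, the tag or the assetID makes Open fail, so tampered or
// mislabelled content is rejected instead of being silently corrupted.
func Decrypt(key []byte, assetID string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(assetID))
	if err != nil {
		return nil, errors.New("decryption failed: authentication tag mismatch")
	}
	return pt, nil
}

// NewKey returns a random AES-256 key. In a real deployment the key would be
// issued and protected by a key management service rather than generated here.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample content standing in for a pre-release media file.
	content := []byte("reel 3 / scene 12 / pre-release cut")
	blob, err := Encrypt(key, "asset-0042", content)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d bytes on the wire\n", len(content), len(blob))

	if pt, err := Decrypt(key, "asset-0042", blob); err == nil {
		fmt.Printf("round trip ok: %q\n", pt)
	}
	// Flip one ciphertext bit: the tag no longer verifies and nothing is returned.
	blob[len(blob)-1] ^= 0x01
	_, err = Decrypt(key, "asset-0042", blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Two caveats apply when this pattern is used for real media. GCM authenticates the whole object in memory, so multi-gigabyte files are normally split into independently sealed chunks with the chunk index in the associated data; and random 96-bit nonces are safe only while the number of objects sealed under one key stays far below 2^32, which is one reason to rotate content keys per title or per delivery.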

DS-14.1 | Transfer Device Methodology

Best Practice: Separate content transfer systems from administrative and production networks.

HUAWEI CLOUD's Response: After enabling the data transmission service, the customer logs in to the management console to create a service ticket. The data is encrypted and stored on the disk to be shipped, as required, and the disk is then mailed by courier to the HUAWEI CLOUD data center.


DS-14.2 | Transfer Device Methodology

Best Practice: Place content transfer systems in a Demilitarized Zone (DMZ) and not in the content/production network. Implement whitelisting on content transfer servers to only allow transfers to and from authorized external transfer servers.

HUAWEI CLOUD's Response: The DMZ mainly hosts public-facing cloud service front-end components and isolates external requests, keeping them from reaching cloud service back-end components. Because of the higher security risks involved, tenants' access requests from the Internet to this security zone must go through the service console or the application gateway in the DMZ. For more information, please refer to the HUAWEI CLOUD Security White Paper.


DS-14.3 | Transfer Device Methodology

Best Practice: Remove content from content transfer devices/systems immediately after successful transmission/receipt.

HUAWEI CLOUD's Response: The DMZ mainly hosts public-facing cloud service front-end components and isolates external requests, keeping them from reaching cloud service back-end components. Because of the higher security risks involved, tenants' access requests from the Internet to this security zone must go through the service console or the application gateway in the DMZ. For more information, please refer to the HUAWEI CLOUD Security White Paper.

DS-14.4 | Transfer Device Methodology

Best Practice: Send automatic notifications to the production coordinator(s) upon outbound content transmission.

HUAWEI CLOUD's Response: HUAWEI CLOUD provides customers with Cloud Trace Service (CTS), which records all management console operations and API calls systematically and in real time, helping users query, analyze and locate issues in near real time or after the fact.


DS-15.0 | Client Portal

Best Practice: Restrict access to web portals which are used for transferring content, streaming content and key distribution to authorized users.

HUAWEI CLOUD's Response: Customers are responsible for their own data access control and should ensure that access rights are set effectively to avoid improper access. Customers can refer to the best practices in the HUAWEI CLOUD IAM product documentation to formulate their own separation-of-duties strategy and safe usage of IAM.

Mapping: ISO 27002 9.2, 9.4, 10.1, 12.1, 12.6, 13.1, 13.2; ISO 27018 A.10.8; NIST 800-53 AC-2, AC-3, AC-4, AC-6, AC-20, IA-5, SC-3, SC-8, SI-7

DS-15.1 | Client Portal

Best Practice: Assign unique credentials (e.g., username and password) to portal users and distribute credentials to clients securely.

HUAWEI CLOUD's Response: HUAWEI CLOUD does not check the quality of customers' content data. For the data quality and risk control measures under HUAWEI CLOUD's control, please refer to the HUAWEI CLOUD Data Security White Paper. Customers are responsible for the access control of their own data and should ensure that access permissions are set effectively to avoid improper access. Customers can refer to the best practices in the HUAWEI CLOUD IAM product documentation to formulate their own separation-of-duties strategy and safe usage of IAM.


DS-15.2 | Client Portal

Best Practice: Ensure users only have access to their own digital assets (i.e., client A must not have access to client B's content).

HUAWEI CLOUD's Response: HUAWEI CLOUD isolates cloud data through Virtual Private Cloud (VPC), which uses network isolation technology to achieve complete isolation between different tenants at the Layer 3 network level.

DS-15.3 | Client Portal

Best Practice: Place the web portal on a dedicated server in the DMZ and limit access to/from specific IPs and protocols.

HUAWEI CLOUD's Response: HUAWEI CLOUD uses a dedicated DMZ to isolate external requests and keep them from reaching cloud service back-end components.


DS-15.4 | Client Portal

Best Practice: Prohibit the use of third-party production software/systems/services that are hosted on an internet web server unless approved by the client in advance.

HUAWEI CLOUD's Response: HUAWEI CLOUD does not check the quality of customers' content data. For the data quality and risk control measures under HUAWEI CLOUD's control, please refer to the HUAWEI CLOUD Data Security White Paper. Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality.


DS-15.5 | Client Portal

Best Practice: Use HTTPS and enforce use of a strong cipher suite (e.g., TLS v1.3) for the internal/external web portal. Acquire an HTTPS public key certificate signed by a certificate authority trusted by a majority of web browsers.

HUAWEI CLOUD's Response: HUAWEI CLOUD does not check the quality of customers' content data. For the data quality and risk control measures under HUAWEI CLOUD's control, please refer to the HUAWEI CLOUD Data Security White Paper. HUAWEI CLOUD provides an SSL certificate service for tenants and cooperates with well-known certification authorities worldwide to provide one-stop, whole-lifecycle management of X.509 certificates, enabling trusted identity authentication and secure data transmission for the target website.


DS-15.6 | Client Portal

Best Practice: Do not use persistent cookies or cookies that store credentials in plaintext.

HUAWEI CLOUD's Response: HUAWEI CLOUD does not check the quality of customers' content data. For the data quality and risk control measures under HUAWEI CLOUD's control, please refer to the HUAWEI CLOUD Data Security White Paper. Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality. HUAWEI CLOUD Web Application Firewall (WAF) can identify users based on IP address, cookie and Referer information and limit their access rates based on a flexibly configured threshold to prevent services from being overloaded. WAF can also employ a verification-code-based challenge/response mechanism to verify that the requester is a real user rather than a bot, which identifies attackers more accurately and stops their attacks.
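DS-15.5 and DS-15.6 are requirements on the customer's own portal rather than on the platform, and the responses above leave their implementation to the customer. The following is an added example written for this page, not HUAWEI CLOUD code and not a description of its SSL certificate service or WAF: it shows in Go, with only the standard library, a TLS 1.3-only server configuration, a session cookie that is non-persistent and carries an opaque random handle instead of credentials, and a small audit function that flags cookies violating DS-15.6. The names, the cookie name and the counter-example cookie value are constructed for the example; the credential-field heuristic in CheckCookie is deliberately simple and is an assumption, not a complete detector.

```go
package main

import (
	"crypto/rand"
	"crypto/tls"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// PortalTLSConfig is the server-side TLS policy for the portal: TLS 1.3 only.
// Go's TLS 1.3 suites are all AEAD (AES-GCM, ChaCha20-Poly1305) and are not
// configurable, so no weaker suite can be negotiated. The certificate chain
// from a browser-trusted CA is loaded separately and not shown here.
func PortalTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13}
}

// NewSessionID returns a 256-bit random opaque handle. The cookie carries only
// this handle; the username, password and content permissions stay server-side.
func NewSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// SessionCookie builds a non-persistent session cookie: no Expires or Max-Age,
// so the browser discards it when closed; Secure, so it is sent only over
// HTTPS; HttpOnly, so page scripts cannot read it; SameSite=Strict, so
// cross-site requests do not carry it. The __Host- prefix makes browsers
// enforce Secure, Path=/ and the absence of a Domain attribute.
func SessionCookie(sessionID string) *http.Cookie {
	return &http.Cookie{
		Name:     "__Host-portal_session",
		Value:    sessionID,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
	}
}

// credentialKeys is an assumed, deliberately small list of form-field names
// that indicate a cookie value is carrying a credential in the clear.
var credentialKeys = []string{"password", "passwd", "pwd", "secret"}

// CheckCookie audits any cookie against DS-15.6 and returns the violations
// found, so the same rule can run as a pre-release gate over a portal's
// Set-Cookie headers.
func CheckCookie(c *http.Cookie) []string {
	var issues []string
	if c.MaxAge > 0 || !c.Expires.IsZero() {
		issues = append(issues, "persistent cookie: Expires or Max-Age is set")
	}
	if !c.Secure {
		issues = append(issues, "missing Secure attribute")
	}
	if !c.HttpOnly {
		issues = append(issues, "missing HttpOnly attribute")
	}
	// URL-decode first so "password%3D" is not missed, then look for key=value
	// pairs with a credential-like key.
	decoded, err := url.QueryUnescape(c.Value)
	if err != nil {
		decoded = c.Value
	}
	lower := strings.ToLower(decoded)
	for _, k := range credentialKeys {
		if strings.Contains(lower, k+"=") {
			issues = append(issues, "value appears to contain a plaintext credential ("+k+")")
			break
		}
	}
	return issues
}

func main() {
	id, err := NewSessionID()
	if err != nil {
		panic(err)
	}
	good := SessionCookie(id)
	fmt.Println("Set-Cookie:", good.String())
	fmt.Println("issues:", CheckCookie(good))

	// Constructed counter-example of exactly what DS-15.6 forbids.
	bad := &http.Cookie{Name: "auth", Value: "user=alice&password=hunter2", MaxAge: 86400}
	fmt.Println("Set-Cookie:", bad.String())
	fmt.Println("issues:", CheckCookie(bad))
	fmt.Println("TLS 1.3 only:", PortalTLSConfig().MinVersion == tls.VersionTLS13)
}
```

A session cookie without Expires or Max-Age still needs a server-side lifetime: the portal should invalidate the session record after an idle timeout and an absolute maximum, which also covers the automatic-expiry requirement in DS-15.7 for portals where it is configurable.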


DS-15.7 | Client Portal

Best Practice: Set access to content on internal or external portals to expire automatically at predefined intervals, where configurable.

HUAWEI CLOUD's Response: Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality. Customers are also responsible for the access control of their own data and should ensure that access permissions are set effectively to avoid improper access. Customers can refer to the best practices in the HUAWEI CLOUD IAM product documentation to formulate their own separation-of-duties strategy and safe usage of IAM.


DS-15.8 | Client Portal

Best Practice: Test for web application vulnerabilities quarterly and remediate any validated issues.

HUAWEI CLOUD's Response: HUAWEI CLOUD does not check the quality of customers' content data. For the data quality and risk control measures under HUAWEI CLOUD's control, please refer to the HUAWEI CLOUD Data Security White Paper. Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality. HUAWEI CLOUD provides a vulnerability scan service that integrates three core functions: web vulnerability scanning, asset content compliance detection and weak password detection. It automatically discovers security risks of websites or servers in the network and provides multi-dimensional security inspection for cloud businesses.


DS-15.9 | Client Portal

Best Practice: Perform annual penetration testing of web applications and remediate any validated issues.

HUAWEI CLOUD's Response: HUAWEI CLOUD does not check the quality of customers' content data. For the data quality and risk control measures under HUAWEI CLOUD's control, please refer to the HUAWEI CLOUD Data Security White Paper. Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality. Together with its partners, HUAWEI CLOUD has launched host intrusion detection, web application firewall, host vulnerability detection, web page tamper prevention and penetration testing services, which improve the security detection, awareness and defense capabilities of HUAWEI CLOUD. See the HUAWEI CLOUD Security White Paper for details.


DS-15.10 | Client Portal

Best Practice: Allow only authorized personnel to request the establishment of a connection with the telecom service provider.

HUAWEI CLOUD's Response: Customers can refer to the best practices in the HUAWEI CLOUD IAM product documentation to formulate their own separation-of-duties strategy and safe usage of IAM. HUAWEI CLOUD does not check the quality of customers' content data. For the data quality and risk control measures under HUAWEI CLOUD's control, please refer to the HUAWEI CLOUD Data Security White Paper. Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality.


DS-15.11 | Client Portal

Best Practice: Prohibit transmission of content using email (including webmail).

HUAWEI CLOUD's Response: HUAWEI CLOUD does not check the quality of customers' content data. Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality. For details, please refer to the HUAWEI CLOUD Data Security White Paper. Customers can consider using secure email servers to encrypt email and attachments. HUAWEI CLOUD provides Data Encryption Workshop (DEW), which offers dedicated encryption, key management, key pair management and other functions.


DS-15.12 | Client Portal

Best Practice: Review access to the client web portal at least quarterly.

HUAWEI CLOUD's Response: Customers have ownership and control over their content data, are responsible for its quality and bear the risks associated with that quality. HUAWEI CLOUD does not check the quality of customers' content data. For details, please refer to the HUAWEI CLOUD Data Security White Paper.


DS-15.13 | Client Portal

Best Practice: Implement a process to review the facility's public informational website and other online industry resources for sensitive information that could be leveraged by an attacker (e.g., mentions of internal infrastructure and technologies, content transfer servers, IP addresses, photos of sensitive areas, current content being worked on, etc.).

HUAWEI CLOUD's Response: Customers are responsible for the access control of their own data and should ensure that access permissions are set effectively to avoid improper access. HUAWEI CLOUD provides customers with cloud monitoring services that continuously monitor cloud services, capacity and network usage. These services support reporting custom metrics through OpenAPI, SDK and Agent, and customers are notified promptly when alarms are triggered.


4 Conclusion

HUAWEI CLOUD always adheres to HUAWEI's "customer-centric" core values and actively implements information security practices. This has resulted in the establishment of an information security management system, certification and audit by third-party organizations to verify the effective implementation of security controls, and the deployment of the data security protection technologies most widely used in the industry to protect customer data.

At the same time, to help customers cope with increasingly open and complex network environments and with the development of new information security technologies, HUAWEI CLOUD continuously develops products, services and solutions in the field of data protection to support customers in improving their data protection capabilities and reducing their risks.

This white paper is for customers' reference only. It has no legal effect, does not constitute legal advice, and does not serve as a basis for any compliance claim about a customer's cloud environment when using HUAWEI CLOUD. Customers should evaluate their own operational and security requirements and select appropriate cloud products and services.


5 Version History

Date | Version | Description

2021-01 | 1.0 | First Publication
