HUAWEI CLOUD Compliance with CSA CCM (CSA CAIQ v3.1)

Issue 01

Date 2020-09-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: https://www.huawei.com
Email: [email protected]

    Issue 01 (2020-09-30) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 Overview ... 1
1.1 Scope of Application ... 1
1.2 Purpose of Publication ... 1
1.3 Basic Definitions ... 1

2 CSA CCM Introduction ... 4
2.1 CSA CCM Framework and Main Content ... 4
2.2 CSA, CCM, CAIQ, and STAR Certification ... 5
2.3 The Certification Status of HUAWEI CLOUD ... 5

3 HUAWEI CLOUD CSA CAIQ Consensus Assessment Initiative Questionnaire ... 8
3.1 AIS Application & Interface Security ... 8
3.2 AAC Audit Assurance & Compliance ... 12
3.3 BCR Business Continuity Management & Operational Resilience ... 14
3.4 CCC Change Control & Configuration Management ... 21
3.5 DSI Data Security & Information Lifecycle Management ... 25
3.6 DCS Datacenter Security ... 30
3.7 EKM Encryption & Key Management ... 35
3.8 GRM Governance and Risk Management ... 39
3.9 HRS Human Resource Security ... 46
3.10 IAM Identity & Access Management ... 52
3.11 IVS Infrastructure & Virtualization Security ... 66
3.12 IPY Interoperability & Portability ... 77
3.13 MOS Mobile Security ... 79
3.14 SEF Security Incident Management, E-Discovery, & Cloud Forensics ... 84
3.15 STA Supply Chain Management, Transparency, and Accountability ... 89
3.16 TVM Threat and Vulnerability Management ... 96

4 Conclusion ... 99

5 Version History ... 100


1 Overview

1.1 Scope of Application

The information provided in this document applies to HUAWEI CLOUD and all its products and services available on the HUAWEI CLOUD International website.

1.2 Purpose of Publication

The Cloud Security Alliance Cloud Control Matrix (CSA CCM), published by the Cloud Security Alliance as a controls framework for cloud security, integrates advanced standards, regulations and best practices to assist cloud providers and cloud customers in improving cloud security.

HUAWEI CLOUD has already obtained the CSA STAR Gold Certification for cloud security and, through the CAIQ self-assessment questionnaire in this material, aims to show customers HUAWEI CLOUD's efforts to improve the security of the cloud environment and to help customers understand:

● CSA CCM's main contents, related certification and the function of CAIQ;

● HUAWEI CLOUD's responses to the questions in the CAIQ self-assessment questionnaire.

1.3 Basic Definitions

● Customer (Tenant)

Refers to the registered users who build business relationships with HUAWEI CLOUD. In this whitepaper, customer has the same meaning as tenant, which indicates the user organization that uses the services provided by HUAWEI CLOUD.

● Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.


● British Standards Institution (BSI)

An internationally renowned standard certification organization providing standard certification and training services for organizations and individuals worldwide.

● CSA CCM

The Cloud Security Alliance Cloud Control Matrix is the world's only meta-framework of cloud-specific security controls mapped to leading standards, best practices and regulations.

● CSA CAIQ

The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud customer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance with the Cloud Controls Matrix (CCM).

● CSA STAR Certification

An authoritative certification for cloud security level launched by the CSA and the BSI together, where STAR is the abbreviation for Security, Trust, Assurance and Risk. The certification is evaluated and audited based on the requirements of CSA CCM and ISO 27001.

● ISO 27001 Information Security Management System

ISO 27001 is a widely accepted international standard that specifies requirements for the management of information security systems. Centered on risk management, this standard ensures continuous operation of such systems by regularly assessing risks and applying appropriate controls. ISO 27002 is the set of best practices based on ISO 27001.

● ISO 27017 Cloud Service Information Security Management System

ISO 27017 is the set of practical rules for cloud service information security control based on the ISO 27001 system framework and ISO 27002 best practices. It is an international implementation procedures standard for cloud service information security control.

● ISO 27701 Privacy Information Management System

As a privacy extension to ISO 27001 and ISO 27002, ISO 27701 is an authoritative international standard in the privacy management field. ISO 27701 specifies requirements and guidance for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS) and its relevant content.

● ISO 22301 Business Continuity Management System

ISO 22301 is an international standard for business continuity management systems. ISO 22301 helps organizations avoid potential incidents by identifying, analyzing and warning of risk, and to formulate a complete business continuity plan that responds effectively with quick recovery after interruption, maintains normal running of core functions, and minimizes loss and recovery costs.

● SOC Audit Reports

SOC audit reports are independent audit reports produced by a third-party audit institution based on relevant standards formulated by the American Institute of Certified Public Accountants (AICPA) for the systems and internal controls of outsourced service providers.

● PCI DSS Certification

The Payment Card Industry Data Security Standard (PCI DSS) is a data security standard published by the Payment Card Industry Security Standards Council, which was established by the five main credit card organizations: JCB, American Express, Discover, MasterCard, and Visa. For the content of HUAWEI CLOUD's PCI DSS certification, please refer to the HUAWEI CLOUD Practical Guide for PCI DSS.

● PCI 3DS Certification

The PCI 3DS standard is designed to protect 3DS environments that perform specific 3DS functions or store 3DS data and support 3DS implementation. The evaluation object of PCI 3DS is the 3D protocol execution environment, including the access control server, directory server, or 3DS server functions; the system components, such as firewalls, virtual servers, network devices, and applications, that are within and connected to the 3D execution environment; and, in addition, the processes and personnel management of the 3D protocol execution environment.

● NIST Cybersecurity Framework

The NIST cyber security framework consists of three parts: standards, guidelines, and best practices for managing cyber security risks. The core content of the framework can be summarized as the classic IPDRR capability model, namely the five capabilities: Identify, Protect, Detect, Response and Recovery.

● M&O certification

Uptime Institute is a globally recognized data center standardization organization and an authoritative professional certification organization. HUAWEI CLOUD data centers have obtained the M&O certification issued by Uptime Institute. The M&O certification symbolizes that HUAWEI CLOUD data center O&M management is world-leading.


2 CSA CCM Introduction

2.1 CSA CCM Framework and Main Content

CSA CCM is a cloud security guide issued by the Cloud Security Alliance, a leading international cloud security organization. The Cloud Security Alliance was established in 2009 and is committed to the comprehensive development of international cloud computing security. At present, the Cloud Security Alliance has assisted the governments of the United States, the European Union, Japan, Australia, Singapore and other countries in carrying out work on national network security strategy, national identity strategy, national cloud computing strategy, national cloud security standards, government cloud security frameworks, security technology research and other areas.

CCM includes Control Domains, Control Specifications, the Architectural Relevance corresponding to each Control Specification, Corporate Governance Relevance, the types of Cloud Service Delivery Model, relevance to Service Providers and Customers, and mapping to 42 standards, regulations, and best practices. As shown in the table below, CCM is composed of 133 control specifications that are structured in 16 domains covering common control measures related to cloud security.

Control ID   Control Domain
AIS          1. Application & Interface Security
AAC          2. Audit Assurance & Compliance
BCR          3. Business Continuity Management & Operational Resilience
CCC          4. Change Control & Configuration Management
DSI          5. Data Security & Information Lifecycle Management
DCS          6. Datacenter Security
EKM          7. Encryption & Key Management
GRM          8. Governance and Risk Management
HRS          9. Human Resources
IAM          10. Identity & Access Management
IVS          11. Infrastructure & Virtualization Security
IPY          12. Interoperability & Portability
MOS          13. Mobile Security
SEF          14. Security Incident Management, E-Discovery, & Cloud Forensics
STA          15. Supply Chain Management, Transparency, and Accountability
TVM          16. Threat and Vulnerability Management

2.2 CSA, CCM, CAIQ, and STAR Certification

Cloud security control consists of independent assessment by external third parties and continuous internal management by cloud service providers.

Based on CCM and ISO 27001, the Cloud Security Alliance (CSA) and the British Standards Institution (BSI) have jointly developed the CSA STAR Certification. Cloud service providers are evaluated, certified and rated according to their implementation of the control measures required by CCM and ISO 27001, and the rating results have three grades: gold, silver or bronze.

Based on CSA CCM, the Cloud Security Alliance has launched the CAIQ (Consensus Assessment Initiative Questionnaire) for cloud service providers to assess their control levels. The control domains and control specifications of the questionnaire are consistent with CCM, but each control specification is subdivided into multiple answerable questions, 330 questions in total. Cloud service providers can use CAIQ for self-assessment and to continuously manage their own control levels.

By presenting HUAWEI CLOUD's response to the CAIQ, Chapter 3 of this material will help customers understand HUAWEI CLOUD's efforts to strengthen its own cloud security level and improve security in the cloud. The CAIQ used in this material is the latest version, 3.1, released in 2020.

2.3 The Certification Status of HUAWEI CLOUD

With its own information security system and security control management, HUAWEI CLOUD has obtained the highest level of CSA STAR certification, the CSA STAR Gold Certification. The assessment scope includes dozens of products and services released by HUAWEI CLOUD on its official website, as well as data centers around the world.


HUAWEI CLOUD products and services covered by the 2020 STAR certification are as follows (refer to the HUAWEI CLOUD official website for the specific online regions). HUAWEI CLOUD's CSA STAR certificate can be downloaded from the HUAWEI CLOUD Trust Center for reference.

Categories: Products

Compute: Elastic Cloud Server (ECS), Bare Metal Server (BMS), Cloud Phone (CPH), Dedicated Host (DeH), Auto Scaling (AS), Image Management Service (IMS), GPU Accelerated Cloud Server (GACS), and FPGA Accelerated Cloud Server (FACS)

Storage: Object Storage Service (OBS), Elastic Volume Service (EVS), Cloud Backup and Recovery (CBR), Dedicated Enterprise Storage Service (DESS), Dedicated Distributed Storage Service (DSS), Volume Backup Service (VBS), Cloud Server Backup Service (CSBS), Storage Disaster Recovery Service (SDRS), Scalable File Service (SFS), Data Express Service (DES), and Cloud Storage Gateway (CSG)

Networking: Virtual Private Cloud (VPC), Elastic Load Balance (ELB), NAT Gateway (NAT), Elastic IP (EIP), Direct Connect (DC), Virtual Private Network (VPN), Cloud Connect (CC), and VPC Endpoint (VPCEP)

Database: Document Database Service (DDS), Distributed Database Middleware (DDM), Data Admin Service (DAS), Distributed Database Middleware (DRS), RDS for MySQL (MySQL), RDS for PostgreSQL (PostgreSQL), RDS for SQL Server (SQL Server), RDS for GaussDB (for MySQL) (GaussDB for MySQL), and RDS for GeminiDB (GeminiDB)

Container Service: Cloud Container Engine (CCE) and Cloud Container Instance (CCI)

Video: Live (Live), Video on Demand (VOD), Media Processing Center (MPC), and Short Video (SVideo)

Application Middleware: Distributed Cache Service Redis (DCS), Distributed Cache Service Memcached (DCSMEM), Distributed Message Service DMS (DMS), Distributed Message Service (Kafka), Distributed Message Service RabbitMQ (RabbitMQ), API Gateway (APIG), and application management and O&M platform (ServiceStage)

Management Tools: Application Operations Management (AOM), Application Performance Management (APM), Log Tank Service (LTS), Identity and Access Management (IAM), Cloud Eye (CES), Simple Message Notification (SMN), and Cloud Trace Service (CTS)

Domains and Websites: Domain Name (Domains), Cloudsite, and Domain Name Service (DNS)

Migration: Object Storage Migration Service (OMS) and Cloud Data Migration (CDM)

Intelligent Cloud Acceleration: Content Delivery Network (CDN)

Software Development Platform: CodeHub, CodeCheck, CloudBuild, ProjectMan, and CloudIDE

Security: Host Security Service (HSS), Container Guard Service (CGS), Web Application Firewall (WAF), Vulnerability Scan Service (VSS), Anti-DDoS (Anti-DDoS), Advanced Anti-DDoS (AAD), Database Security Service (DBSS), Data Encryption Workshop (DEW), Situational Awareness (SA), SSL Certificate Manager (SCM), Security Expert Service (SES), and Cloud Bastion Host (CBH)

Enterprise Applications: Blockchain Service (BCS), ForeCloud Stack (FCS), VoiceCall and PrivateNumber, Message&SMS (MSG&SMS), ROMA Connect (ROMA), SD-WAN Service (SD-WAN), Cloud Managed Network (CMN), HUAWEI CLOUD Welink (Welink), Meeting, and Dedicated Computing Cluster (DCC)

Internet of Things: IoT Device Access (IoTDA), IoTDP (IoTDP), Global SIM Link (GSL), IoT Analytics (IoTA), IoT Edge (IoTEdge), IoV Platform (IoV), IoT Campus Service (IoTC), and OceanConnect V2X (RPS)

Enterprise Intelligence: Image Search (ImageSearch), ModelArts (ModelArts), HUAWEI HiLens (HiLens), Graph Engine Service (GES), Video Ingestion Service (VIS), Cloud Search Service (CSS), Natural Language Processing Fundamentals (NLPF), Language Understanding (Language Understanding), Language Generation (Language Generation), Natural Language Processing Customization (NLPC), Machine Translation (MT), Map Reduce Service (MRS), Cloud Stream Service (CS), Data Lake Insight (DLI), Data Warehouse Service (DWS), CloudTable Service (CloudTable), Data Ingestion Service (DIS), One-stop Data Governance Platform (DAYU), Data Lake Visualization (DLV), Recommender System (RES), Optical Character Recognition (OCR), Content Moderation (Moderation), Moderation (Text) (Moderation (Text)), Moderation (Image) (Moderation (Image)), Video Content Moderation (VCM), Face Recognition (FRS), Image Tagging (Image Tagging), Celebrity Recognition (ROC), Question Answering Bot (QABot), Task Bot (TaskBot), Speech Analytics (CBSSA), CBS Customization (CBSC), Real-time ASR (Real-time ASR), Audio Speech Recognition (ASR), Text to Speech (TTS), Audio Speech Recognition Customization (ASRC), Video Content Recognition (VCR), Video Content Processing (VCP), Video Content Tags (VCT), Video Fingerprinting (VEP), TrafficGo (TrafficGo), CampusGo (CampusGo), HeatingGo (HeatingGo), EIHealth (EIHealth), EI_Industrial (EI_Industrial), and Network AI Engine (NAIE)


3 HUAWEI CLOUD CSA CAIQ Consensus Assessment Initiative Questionnaire

3.1 AIS Application & Interface Security

Columns: Question ID | Consensus Assessment Questions | Consensus Assessment Answers (Yes / No / N/A) | HUAWEI CLOUD's response

AIS-01.1
Question: Do you use industry standards (i.e. OWASP Software Assurance Maturity Model, ISO 27034) to build in security for your Systems/Software Development Lifecycle (SDLC)?
Answer: X
HUAWEI CLOUD's response: HUAWEI CLOUD has pursued the new DevOps process, which features rapid and continuous iteration capabilities, and integrated the Huawei security development lifecycle (SDL). In addition, a highly automated new security lifecycle management methodology and process, called DevSecOps, is gradually taking shape, alongside cloud security engineering capabilities and a tool chain that together ensure the smooth and flexible implementation of DevSecOps.


AIS-01.2
Question: Do you use an automated source code analysis tool to detect security defects in code prior to production?
Answer: X
HUAWEI CLOUD's response: HUAWEI CLOUD introduced a daily check of the static code scanning tool, with the resulting data being fed into the cloud service Continuous Integration/Continuous Deployment (CI/CD) tool chain for control and cloud service product quality assessment through the use of quality thresholds. For more details, please refer to the HUAWEI CLOUD Security White Paper.

AIS-01.3
Question: Do you use manual source-code analysis to detect security defects in code prior to production?
Answer: X
HUAWEI CLOUD's response: HUAWEI CLOUD does not use manual source-code analysis. Automatic code analysis tools run as part of the HUAWEI CLOUD software development life cycle.

AIS-01.4
Question: Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?
Answer: X
HUAWEI CLOUD's response: HUAWEI CLOUD has formulated clear security requirements and complete process control solutions for introduced open source and third-party software, and strictly controls selection analysis, security testing, code security, risk scanning, legal review, software application, and software exit. For example, cybersecurity assessment requirements are added to open source software selection in the selection analysis phase to strictly control the selection. During the use of third-party software, related activities are carried out by treating the third-party software as part of services or solutions, focusing on the assessment of the integration of open source, third-party, and Huawei-developed software, and on whether new security issues are introduced when independent third-party software is used in solutions.

AIS-01.5
Question: (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
Answer: X
HUAWEI CLOUD's response: Before HUAWEI CLOUD products or services are released, static code scanning alarm clearing must be completed, effectively reducing the code-related issues that can extend rollout time.


AIS-02.1
Question: Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
Answer: X
HUAWEI CLOUD's response: HUAWEI CLOUD signs the HUAWEI CLOUD Customer Agreement, Privacy Statement, Acceptable Use Policy, Service Statement and Service Level Statement with customers before providing services. These agreements outline the service requirements and the responsibilities of both parties.

AIS-02.2
Question: Are all requirements and trust levels for customers' access defined and documented?
Answer: X
HUAWEI CLOUD's response: HUAWEI CLOUD signs the HUAWEI CLOUD Customer Agreement, Privacy Statement, Acceptable Use Policy, Service Statement and Service Level Statement with customers before providing services. These agreements outline the service requirements and the responsibilities of both parties.

AIS-03.1
Question: Do your data management policies and procedures require audits to verify data input and output integrity routines?
Answer: X
HUAWEI CLOUD's response: According to the integrity control described in the SOC report, HUAWEI CLOUD has formulated policies and procedures for maintaining data integrity control in all stages of the data life cycle (including transmission, storage, and processing), and regularly relies on internal and external audits to verify their effectiveness. For the integrity verification of content data, the customer is responsible for implementing input and output verification controls in the application interfaces and databases used in the HUAWEI CLOUD environment.


AIS-03.2
Question: Are data input and output integrity routines (i.e. MD5/SHA checksums) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
Answer: X
HUAWEI CLOUD's response: According to the integrity control described in the SOC report, HUAWEI CLOUD has formulated policies and procedures for maintaining data integrity control in all stages of the data life cycle (including transmission, storage, and processing), such as verifying the consistency of data by hash algorithm before and after storage to ensure that the stored data is the uploaded data, and regularly relies on internal and external audits to verify its effectiveness. For the integrity verification of content data, the customer is responsible for implementing input and output verification controls in the application interfaces and databases used in the HUAWEI CLOUD environment.

AIS-04.1
Question: Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULITSAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?
Answer: X
HUAWEI CLOUD's response: HUAWEI CLOUD will continue to embrace industry-leading standards for data security lifecycle management and adopt best-of-breed security technologies, practices, and processes across a variety of aspects, including identity authentication, privilege management, access control, data isolation, transmission, storage, deletion, and physical destruction of storage media. In short, HUAWEI CLOUD will always strive toward the most practical and effective data protection possible in order to best safeguard the privacy, ownership, and control of our tenants' data against data breaches and impacts on their business. For further information, please refer to the HUAWEI CLOUD Security White Paper.


3.2 AAC Audit Assurance & Compliance

Columns: Question ID | Consensus Assessment Questions | Consensus Assessment Answers (Yes / No / N/A) | HUAWEI CLOUD's response

AAC-01.1
Question: Do you develop and maintain an agreed upon audit plan (e.g., scope, objective, frequency, resources, etc.) for reviewing the efficiency and effectiveness of implemented security controls?
Answer: X
HUAWEI CLOUD's response: HUAWEI CLOUD has established a formal and regular audit plan, including continuous and independent internal and external evaluation. Internal evaluation continuously tracks the effectiveness of security control measures, and external evaluation is audited by an independent auditor to review the efficiency and effectiveness of implemented security controls.

AAC-01.2
Question: Does your audit program take into account effectiveness of implementation of security operations?
Answer: X
HUAWEI CLOUD's response: The effectiveness of implementation of security operations is included in HUAWEI CLOUD's formal and regular audit plan. Regularly reviewed standards and certifications such as ISO 27001, CSA STAR certification, PCI DSS certification, SOC report, etc. also review the security implementation of HUAWEI CLOUD.

AAC-02.1
Question: Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?
Answer: X
HUAWEI CLOUD's response: Customers can apply to download the latest compliance certificates and reports, including ISO 27001 and SOC, from the HUAWEI CLOUD Trust Center. Tenants who agree to the HUAWEI CLOUD Confidentiality Commitment Letter can download such resources.

AAC-02.2
Question: Do you conduct network penetration tests of your cloud service infrastructure at least annually?
Answer: X
HUAWEI CLOUD's response: HUAWEI CLOUD organizes internal teams or qualified external third parties to conduct penetration tests on all HUAWEI CLOUD systems and applications every six months, and follows up on and rectifies the results of the penetration tests.


  • AAC-02.3

    Do you conductapplicationpenetration tests ofyour cloudinfrastructureregularly asprescribed byindustry bestpractices andguidance?

    X According to the best practice ofPCI DSS, HUAWEI CLOUD organizesinternally or external third partieswith certain qualifications toconduct penetration tests on allHUAWEI CLOUD systems andapplications every six months, andfollow up and rectify the results ofpenetration tests.

    AAC-02.4

    Do you conductinternal audits atleast annually?

    X HUAWEI CLOUD has established aformal and regular audit plan,including continuous andindependent internal and externalevaluation, internal evaluationcontinuously track the effectivenessof security control measures, andexternal evaluation is audited as anindependent auditor for reviewingthe efficiency and effectiveness ofimplemented security controls.At the same time, HUAWEI CLOUDhas obtained ISO27001 certification,which meets the requirements ofinternal audit every year, and thecompliance is confirmed by a thirdparty every year.

AAC-02.5

Do you conduct independent audits at least annually?

X HUAWEI CLOUD has established a formal and regular audit plan that includes continuous and independent internal and external evaluation: internal evaluation continuously tracks the effectiveness of security controls, and external evaluation is performed by an independent auditor who reviews the efficiency and effectiveness of the implemented security controls. HUAWEI CLOUD is audited against AICPA standards every year and publishes the related SOC reports, and undergoes annual review against a number of other standards.


AAC-02.6

Are the results of the penetration tests available to tenants at their request?

X HUAWEI CLOUD conducts penetration tests on a regular basis and has a dedicated team that follows up on the test results. The penetration test reports and follow-up actions are verified by internal audits and external certification bodies, but the reports are not provided to tenants.

AAC-02.7

Are the results of internal and external audits available to tenants at their request?

X HUAWEI CLOUD provides tenants with SOC audit reports issued by third-party audit firms in accordance with the relevant standards of the American Institute of Certified Public Accountants (AICPA). Tenants who agree to the HUAWEI CLOUD Confidentiality Commitment Letter can download the SOC audit report from the HUAWEI CLOUD Trust Center.

AAC-03.1

Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?

X HUAWEI CLOUD has set up dedicated positions that maintain contact with external parties to monitor relevant laws and regulations. When new laws or regulations related to HUAWEI CLOUD services are released, HUAWEI CLOUD promptly adjusts its internal security requirements and security controls and follows up on compliance with those laws and regulations.

3.3 BCR Business Continuity Management & Operational Resilience

Question ID | Consensus Assessment Questions | Consensus Assessment Answers: Yes / No / N/A (marked X) | HUAWEI CLOUD's Response


BCR-01.1

Does your organization have a plan or framework for business continuity management or disaster recovery management?

X HUAWEI CLOUD has obtained certification against the ISO 22301 business continuity management system standard. It has established an internal business continuity management system and formulated a business continuity plan that contains strategies and processes for natural disasters, accidents, information technology risks and other emergencies.

BCR-01.2

Do you have more than one provider for each service you depend on?

X HUAWEI CLOUD's disaster recovery strategy stipulates that multiple suppliers be used for the same service to cope with emergencies, so that enough redundancy is retained to maintain service continuity.

BCR-01.3

Do you provide a disaster recovery capability?

X HUAWEI CLOUD provides customers with the Storage Disaster Recovery Service (SDRS), which helps customers quickly restore business at a disaster recovery site and shortens the business interruption time. The service protects business applications by replicating the data and configuration of Elastic Cloud Servers to the disaster recovery site, so that the servers running the business applications can be started from another location and operate normally during the outage, improving business continuity.

BCR-01.4

Do you monitor service continuity with upstream providers in the event of provider failure?

X HUAWEI CLOUD's disaster recovery strategy stipulates that multiple suppliers be used for the same service. When a failure is detected, the service continuity of the upstream provider is assessed; if the upstream provider's service is interrupted, service is switched to another provider in a timely manner.


BCR-01.5

Do you provide access to operational redundancy reports, including the services you rely on?

X HUAWEI CLOUD does not provide tenants with operational redundancy reports. However, HUAWEI CLOUD regularly undergoes external third-party audits such as ISO 22301 and ISO 27001 certification, which check the disaster redundancy controls, and periodically tests the effectiveness of the redundancy mechanisms internally.

BCR-01.6

Do you provide a tenant-triggered failover option?

X The Storage Disaster Recovery Service (SDRS) provided by HUAWEI CLOUD offers one-click disaster recovery switchover. When an event occurs or a switchover is otherwise needed, the business is switched to the disaster recovery site to avoid the business interruption the event would cause.

BCR-01.7

Do you share your business continuity and redundancy plans with your tenants?

X HUAWEI CLOUD does not provide tenants with business continuity reports. However, HUAWEI CLOUD undergoes external third-party audits such as ISO 27001 certification every year to evaluate the business continuity plan, and tests business continuity internally to maintain its effectiveness.

BCR-02.1

Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?

X The HUAWEI CLOUD security exercise team regularly designs exercises for different product types (including basic services, operation centers, data centers and the overall organization) and different scenarios to maintain the effectiveness of the continuity plan. When significant changes take place in HUAWEI CLOUD's organization or environment, the effectiveness of business continuity is also tested.


BCR-03.1

Does your organization adhere to any international or industry standards when it comes to securing, monitoring, maintaining and testing of datacenter utilities services and environmental conditions?

X HUAWEI CLOUD strictly follows the equipment-related requirements of clause A.11.2 of the ISO 27001 information security management system standard, adopts controls to prevent the loss, damage, theft or compromise of assets and the interruption of organizational activities, and audits the implementation of this requirement every year.

BCR-03.2

Has your organization implemented environmental controls, fail-over mechanisms or other redundancies to secure utility services and mitigate environmental conditions?

X HUAWEI CLOUD has implemented a backup and redundancy strategy that includes mutual backup of positions (internal, internal and external, and external), multiple offices in the same city or elsewhere, redundant equipment and spare parts, and redundancy of manpower, equipment, service providers, development and test environments, code and document version management, tool software, security equipment, and backups of production systems.

BCR-04.1

Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?

X HUAWEI CLOUD has established information system documentation in accordance with international standards such as ISO 27001 Information Security Management System, ISO 27017 Cloud Computing Information Security Management System and ISO 27701 Privacy Information Management System, and authorized employees can access the corresponding documents.

BCR-05.1

Is physical damage anticipated and are countermeasures included in the design of physical protections?

X In terms of physical protection, HUAWEI CLOUD has established zone-based protection. To reduce risk, a site selection strategy has been formulated for possible natural disasters. For risks such as intrusion and unauthorized access, a monitoring and response mechanism has also been established.


BCR-06.1

Are any of your datacenters located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?

X HUAWEI CLOUD data centers are sited in locations with political stability, low crime rates and a favorable environment, away from areas prone to natural disasters such as floods, hurricanes and earthquakes, and away from strong electromagnetic interference; minimum distances from surrounding hazard areas are set according to technical requirements.

BCR-07.1

Do you have documented policies, procedures and supporting business processes for equipment and datacenter maintenance?

X For data center maintenance, HUAWEI CLOUD has established system and process documents for data center operation and maintenance management, including specific equipment management and control measures, routine maintenance plans, etc.

BCR-07.2

Do you have an equipment and datacenter maintenance routine or plan?

X For data center maintenance, HUAWEI CLOUD has established system and process documents for data center operation and maintenance management, including specific equipment management and control measures, routine maintenance plans, etc.

BCR-08.1

Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?

X HUAWEI CLOUD complies with Annex A.17.2 of ISO 27001, which requires that information processing facilities meet availability requirements. Service interruption is avoided through equipment, network and supplier redundancy, and the implementation of this requirement is audited every year to maintain ISO 27001 certification.


BCR-09.1

Do you use industry standards and frameworks to determine the impact of any disruption to your organization (i.e. criticality of services and recovery priorities, disruption tolerance, RPO and RTO etc)?

X With reference to the requirements of ISO 22301, HUAWEI CLOUD uses indicators such as RPO, RTO, disaster recovery success rate, backup success rate and recovery success rate to measure the achievement of disaster recovery goals. Service recovery priority and disaster severity are rated when assessing the impact of a business interruption.

BCR-09.2

Does your organization conduct impact analysis pertaining to possible disruptions to the cloud service?

X HUAWEI CLOUD uses RPO, RTO, disaster recovery success rate, backup success rate and recovery success rate to measure the achievement of disaster recovery goals. Service recovery priority and disaster severity are rated when assessing the impact of a business interruption.

BCR-10.1

Are policies and procedures established and made available for all personnel to adequately support services operations' roles?

X In accordance with ISO 27001, HUAWEI CLOUD has formulated business continuity management regulations and an incident response strategy and process. All of these documents are made available to all relevant employees, and staff in key positions in the response process must be trained and take part in regular drills.

BCR-11.1

Do you have technical capabilities to enforce tenant data retention policies?

X The HUAWEI CLOUD Customer Agreement and Privacy Statement inform customers of the retention policies for their personal data, and HUAWEI CLOUD has the technical capabilities to implement the retention policies in those agreements. For customer content data, customers can configure their own retention policies, and HUAWEI CLOUD strictly follows customer instructions when processing their content data.


BCR-11.2

Do you have documented policies and procedures demonstrating adherence to data retention periods as per legal, statutory or regulatory compliance requirements?

X HUAWEI CLOUD has established management policies for its data retention mechanism, under which HUAWEI CLOUD must comply with the minimum or maximum retention periods required by law and applies different disposal methods to different types of personal data.

BCR-11.3

Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?

X Except for Identity and Access Management (IAM) and Object Storage Service (OBS), the management data (including operation logs, etc.) of all launched services and components on HUAWEI CLOUD is backed up to OBS; the management data of IAM and OBS themselves is backed up to non-OBS storage. Customers can use the Cloud Backup and Recovery (CBR) service to back up servers, cloud disks and virtualized environments in the cloud.

BCR-11.4

If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?

X Customers can use Cloud Eye Service (CES) to monitor the running status of servers and other cloud resources in real time. When a hardware failure occurs, CES notifies the customer by email, SMS and HTTP/HTTPS. Customers can also use the snapshot function of the Elastic Volume Service (EVS) to fully restore data to the snapshot point in time in case of data loss.

BCR-11.5

If using virtual infrastructure, do you provide tenants with a capability to restore a virtual machine to a previous configuration?

X HUAWEI CLOUD provides the Image Management Service (IMS), which customers can use to back up cloud server instances. When the software environment of an instance fails, the backup image can be used to restore it.


BCR-11.6

Does your cloud solution include software/provider independent restore and recovery capabilities?

X HUAWEI CLOUD provides customers with the Storage Disaster Recovery Service (SDRS), which helps customers quickly restore business at a disaster recovery site and shortens the business interruption time.

BCR-11.7

Do you test your backup or redundancy mechanisms at least annually?

X HUAWEI CLOUD regularly tests the validity of the backups of users' management data. For customer content data, customers need to develop their own backup and redundancy mechanisms according to business needs and test the effectiveness of those mechanisms.

3.4 CCC Change Control & Configuration Management

Question ID | Consensus Assessment Questions | Consensus Assessment Answers: Yes / No / N/A (marked X) | HUAWEI CLOUD's Response

CCC-01.1

Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?

X HUAWEI CLOUD uses DevOps and DevSecOps models for development and has formulated corresponding management systems and procedures to control development and change activities. For further information, please refer to the HUAWEI CLOUD Security White Paper.


CCC-02.1

Are policies and procedures for change management, release, and testing adequately communicated to external business partners?

X HUAWEI CLOUD has established a system change management and service launch process and communicated its requirements to all relevant developers (including internal employees and external partners). Newly launched or changed services must follow the HUAWEI CLOUD release and change management process.

CCC-02.2

Are policies and procedures adequately enforced to ensure external business partners comply with change management requirements?

X HUAWEI CLOUD has established a systematic change management and service launch process and communicated its requirements to all relevant developers (including internal employees and external partners). Newly launched or changed services must follow the HUAWEI CLOUD release and change management process. Compliance with these controls is reviewed in external audits such as ISO 27001 and PCI DSS certification and SOC reporting.

CCC-03.1

Do you have a defined quality change control and testing process in place based on system availability, confidentiality, and integrity?

X HUAWEI CLOUD and its cloud services comply with security and privacy design principles and specifications as well as legal and regulatory requirements. During the security requirements analysis and design phases, HUAWEI CLOUD runs threat analysis based on the service scenarios, data flow diagrams and networking models, and specifies threat mitigation plans. All cloud services must pass multiple rounds of security testing and code review before they are released. For the security of HUAWEI CLOUD development activities, please refer to the HUAWEI CLOUD Security White Paper.


CCC-03.2

Is documentation describing known issues with certain products/services available?

X HUAWEI CLOUD announces discovered vulnerabilities in its products and services on its official website and forewarns customers. Customers can check the Security Notice to learn the scope of a vulnerability, how to deal with it, and its threat level.

CCC-03.3

Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?

X HUAWEI CLOUD has established a dedicated vulnerability response team that promptly evaluates and analyzes the causes and threats of vulnerabilities, formulates remediation measures, evaluates the feasibility and effectiveness of those measures, and discloses security vulnerabilities in the Security Notice on the official HUAWEI CLOUD website.

CCC-03.4

Do you have controls in place to ensure that standards of quality are being met for all software development?

X Before HUAWEI CLOUD service development and test personnel are onboarded, they are required to learn the corresponding specifications and prove that they have done so by passing examinations on them. HUAWEI CLOUD has introduced a daily static code scan, with the resulting data fed into the cloud service Continuous Integration/Continuous Deployment (CI/CD) tool chain for control and for assessing cloud service product quality against quality thresholds. Before any cloud product or cloud service is released, all static code scanning alarms must be cleared, which effectively reduces the code-related issues that can extend rollout time. Security testing is staged: microservice-level function and interface security tests such as authentication, authorization and session security in the alpha phase; API and protocol fuzzing in the beta phase; and database security validation testing in the gamma phase.


Security Notice: https://www.huaweicloud.com/intl/en-us/notice.securecenter.html

CCC-03.5

Do you have controls in place to detect source code security defects for any outsourced software development activities?

X HUAWEI CLOUD ensures the secure introduction and use of open source and third-party software based on the principle of strict entry and wide use. HUAWEI CLOUD has formulated clear security requirements and a complete process control solution for introduced open source and third-party software, and strictly controls selection analysis, security testing, code security, risk scanning, legal review, software application and software exit. For example, cybersecurity assessment requirements are added to open source software selection in the selection analysis phase to strictly control selection.

CCC-03.6

Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?

X HUAWEI CLOUD clearly stipulates that all authentication data, credentials and business data used in the test process must be deleted before data and code enter the production environment, and that test code must be removed.

CCC-04.1

Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?

X All computers must have the security defense software designated by HUAWEI CLOUD installed for monitoring, and only software on the company's approved security software list can be installed.

CCC-05.1

Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?

X HUAWEI CLOUD does not provide this type of document to customers. While providing services and products to customers, HUAWEI CLOUD continually optimizes its products. Major product changes are notified to customers using the methods specified in the HUAWEI CLOUD Customer Agreement.


CCC-05.2

Do you have policies and procedures established for managing risks with respect to change management in production environments?

X HUAWEI CLOUD has formulated management regulations and procedures for change management. Before a change request is submitted, the change must undergo a testing process that includes production-like environment testing, pilot release and/or blue/green deployment. This ensures that the change committee clearly understands the change activities involved, their duration, the rollback procedure on failure, and all potential impacts. Changes can be released only after approval by the HUAWEI CLOUD Change Committee.

CCC-05.3

Do you have technical measures in place to ensure that changes in production environments are registered, authorized and in adherence with existing SLAs?

X HUAWEI CLOUD has formulated management regulations and procedures for change management. Before a change request is submitted, the change must undergo a testing process that includes production-like environment testing, pilot release and/or blue/green deployment. This ensures that the change committee clearly understands the change activities involved, their duration, the rollback procedure on failure, and all potential impacts. Changes can be released only after approval by the HUAWEI CLOUD Change Committee. The change strategy for the production environment complies with the existing cloud service level agreements.

3.5 DSI Data Security & Information Lifecycle Management

Question ID | Consensus Assessment Questions | Consensus Assessment Answers: Yes / No / N/A (marked X) | HUAWEI CLOUD's Response


DSI-01.1

Do you provide a capability to identify data and virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?

X The Elastic Cloud Server (ECS) products provided by HUAWEI CLOUD include a tagging function. Tags are used to mark cloud resources such as instances, images and disks. If there are multiple cloud resources under a customer's account, with multiple associations between them, the customer can add tags to the cloud resources to classify them and manage them in a unified way.

DSI-01.2

Do you provide a capability to identify data and hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?

X HUAWEI CLOUD delivers virtual machines rather than hardware as a service, and does not support tagging of hardware or data flows.

DSI-02.1

Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?

X HUAWEI CLOUD provides the operational documents required for its services; customers decide how data is processed and used based on the service functions, the relevant networks and system components, and their own business needs.

DSI-02.2

Can you ensure that data does not migrate beyond a defined geographical residency?

X The customer decides the geographic availability zones in which content data is stored. HUAWEI CLOUD does not migrate customer content out of the selected areas without notifying customers, unless this is necessary to meet legal compliance or government requirements.


DSI-03.1

Do you provide standardized (e.g. ISO/IEC) non-proprietary encryption algorithms (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?

X HUAWEI CLOUD supports data transmission in REST and Highway modes:

● In REST mode, a service is published to the public as a RESTful service and the initiating party directly uses an HTTP client to call the RESTful API for data transmission.

● In Highway mode, a communication channel is established using a high-performance Huawei-proprietary protocol, which is best suited to scenarios requiring especially high performance.

Both REST and Highway modes support TLS 1.2 for encryption of data in transit and X.509 certificate-based identity authentication of destination websites. The SSL Certificate Management Service is a one-stop X.509 certificate lifecycle management service provided to tenants by HUAWEI CLOUD together with world-renowned public Certificate Authorities (CAs). It supports the identity authentication of destination websites and secure data transmission.

DSI-03.2

Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?

X APIs must use TLS encryption to ensure the confidentiality of transmission. At present, all APIs exposed by the API gateway to external networks use the TLS 1.2 protocol and support Perfect Forward Secrecy (PFS).
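The two answers above make three verifiable claims about externally exposed endpoints: TLS 1.2, X.509 server authentication and forward secrecy. The Python below is an added example (not HUAWEI CLOUD's code, and not tied to any HUAWEI CLOUD endpoint) of how a tenant can check those properties for an endpoint they actually use. It classifies a negotiated protocol/cipher pair against that policy and can probe a live host; the cipher-name rules assume OpenSSL naming, the version ladder is an assumed ordering of the strings `ssl` returns, and the host names in the comments are placeholders.

```python
"""Added check for the in-transit policy stated above: TLS >= 1.2,
certificate-verified server identity, and a forward-secret key exchange.
Example code; the endpoint names below are placeholders."""
import socket
import ssl

MIN_VERSION = "TLSv1.2"
# Protocol names as returned by ssl.SSLSocket.version(), oldest to newest (assumed order).
_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# OpenSSL cipher-name prefixes that denote an ephemeral (forward-secret) key exchange.
_PFS_PREFIXES = ("ECDHE-", "DHE-")


def version_ok(version: str) -> bool:
    """True when the negotiated protocol is at least MIN_VERSION."""
    return version in _ORDER and _ORDER.index(version) >= _ORDER.index(MIN_VERSION)


def has_forward_secrecy(version: str, cipher: str) -> bool:
    """True when the suite's key exchange is ephemeral. Every TLS 1.3 suite is
    (EC)DHE. For TLS 1.2 the OpenSSL name says so: 'ECDHE-RSA-AES128-GCM-SHA256'
    yes; 'AES128-SHA' (RSA key transport) and 'ECDH-RSA-...' (static ECDH) no."""
    if version == "TLSv1.3":
        return True
    return cipher.startswith(_PFS_PREFIXES)


def evaluate(version: str, cipher: str) -> dict:
    """Apply the policy to a negotiated pair and report each sub-check."""
    v_ok = version_ok(version)
    pfs = has_forward_secrecy(version, cipher)
    return {"version": version, "cipher": cipher, "version_ok": v_ok,
            "forward_secrecy": pfs, "compliant": v_ok and pfs}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with host:port using the default context, which verifies the
    X.509 chain and host name, then evaluate what was negotiated. Needs network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result = evaluate(tls.version(), tls.cipher()[0])
            result["peer_subject"] = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return result


def accepts_legacy_tls(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the server still completes a TLS 1.0/1.1 handshake, i.e. the
    'TLS 1.2 only' claim does not hold. False can also mean the local OpenSSL
    refused to offer those versions, so confirm a clean result with a second tool."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    # Offline demonstration on constructed values; for a live endpoint run
    # probe("api.example.invalid") and accepts_legacy_tls("api.example.invalid")
    # with a real host name in place of the placeholder.
    print(evaluate("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"))  # compliant
    print(evaluate("TLSv1.2", "AES128-SHA"))                    # no forward secrecy
```

The two live checks are deliberately separate: probe() uses the default verifying context, so a handshake that succeeds there already confirms the certificate chain, while accepts_legacy_tls() only asks whether the server will negotiate a version the policy forbids.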


DSI-04.1

Are policies and procedures established for data labeling and handling in order to ensure the security of data and objects that contain data?

X For content data, customers should establish their own management and control strategies for labeling and processing their content data to ensure data security. Customers can use the Tag Management Service (TMS) to manage the tags that identify resources in services such as Elastic Cloud Server (ECS), Virtual Private Cloud (VPC) and Elastic Volume Service (EVS), achieving unified management of resource tags on the cloud.

DSI-04.2

Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)?

X For content data, customers should establish and follow a structured data-labeling standard based on their business requirements. HUAWEI CLOUD only processes data in accordance with customer instructions.

DSI-04.3

Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?

X For content data, customers should establish a label inheritance mechanism suitable for their data.


DSI-05.1

Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?

X To prevent production data from being moved or replicated to non-production environments, HUAWEI CLOUD applies the following controls:

● Physical and logical network boundaries and strictly enforced change control policies;

● Separation of responsibilities between employees in production and non-production environments;

● Highly restricted physical and logical access to the cloud environment;

● Continuous awareness and training on security, privacy and secure coding practices;

● Continuous recording and auditing of system access;

● Regular compliance audits to ensure control effectiveness.

DSI-06.1

Are the responsibilities regarding data stewardship defined, assigned, documented, and communicated?

X HUAWEI CLOUD has established system requirements for data security management in which data management responsibilities are defined and assigned, and employees with the corresponding permissions can access the specific content of those requirements. When employees join the company, they receive training and communication on their data management responsibilities and must confirm their understanding before they are onboarded.

DSI-07.1

Do you support the secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data?

X HUAWEI CLOUD supports secure deletion according to customer requirements. The secure deletion methods include deleting the encryption key of encrypted storage, reclaiming and overwriting the underlying storage, and degaussing, bending or shredding scrapped physical media.
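Cryptographic erasure, the first method listed above, is the one that reaches archived and backed-up copies: every copy of an object is useless without its per-object key, so destroying the key erases all copies at once, including ones in archives that cannot be individually scrubbed. The Python below is an added illustration of that pattern, not HUAWEI CLOUD's implementation. It uses a standard-library stand-in cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) in place of AES-GCM under a KMS-managed key, and the object name and record content are constructed sample data.

```python
"""Crypto-shredding demonstration (added example, not HUAWEI CLOUD code).
Each object gets its own data encryption key (DEK). Ciphertext is copied into
a backup store, but only the key store holds the DEK, so shredding the DEK
makes primary and backup copies equally unrecoverable.
Cipher: HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag, a stdlib
stand-in for AES-GCM with a KMS-wrapped key."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(dek: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(dek, nonce || counter), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(dek, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag authenticates nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(dek, nonce, len(plaintext))))
    tag = hmac.new(dek, b"tag" + nonce + ct, hashlib.sha256).digest()  # domain-separated from keystream
    return nonce + ct + tag


def decrypt(dek: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so a wrong or destroyed key fails loudly instead of
    returning garbage; then strip the keystream."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(dek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong or destroyed key, or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(dek, nonce, len(ct))))


def can_decrypt(dek: bytes, blob: bytes) -> bool:
    """Convenience predicate: does this key still open this blob?"""
    try:
        decrypt(dek, blob)
        return True
    except ValueError:
        return False


class ObjectStore:
    """Primary storage plus an archive copy of every ciphertext; DEKs live only in key_store."""

    def __init__(self) -> None:
        self.key_store: dict[str, bytearray] = {}   # object_id -> DEK (bytearray so it can be zeroed)
        self.primary: dict[str, bytes] = {}         # object_id -> blob
        self.backup: dict[str, bytes] = {}          # object_id -> blob, never scrubbed

    def put(self, object_id: str, plaintext: bytes) -> None:
        dek = bytearray(secrets.token_bytes(32))
        blob = encrypt(bytes(dek), plaintext)
        self.key_store[object_id] = dek
        self.primary[object_id] = blob
        self.backup[object_id] = blob

    def get(self, object_id: str, source: str = "primary") -> bytes:
        store = self.primary if source == "primary" else self.backup
        dek = self.key_store.get(object_id)
        if dek is None:
            raise KeyError(f"{object_id}: key destroyed, data unrecoverable")
        return decrypt(bytes(dek), store[object_id])

    def shred(self, object_id: str) -> None:
        """Crypto-erase: overwrite the DEK in place (best effort in Python) and drop it.
        The ciphertext copies in primary and backup storage are left untouched."""
        dek = self.key_store.pop(object_id)
        for i in range(len(dek)):
            dek[i] = 0


def demo() -> dict:
    """Store a constructed record, read it back from the archive copy, shred the key,
    and show the archive copy is now unrecoverable although it is still present."""
    store = ObjectStore()
    object_id = "tenant-42/invoice.pdf"          # constructed sample name
    store.put(object_id, b"constructed sample record")
    before = store.get(object_id, "backup")
    store.shred(object_id)
    try:
        store.get(object_id, "backup")
        after = "readable"
    except KeyError:
        after = "unrecoverable"
    return {"before": before, "after": after, "backup_still_present": object_id in store.backup}


if __name__ == "__main__":
    print(demo())
```

The property worth checking in a real deployment is the one demo() exercises: after the key deletion step, a restore from backup must fail authentication rather than silently yield plaintext, which is only true if backups hold ciphertext and never a copy of the DEK.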


  • DSI-07.2

    Can you provide apublished procedurefor exiting the servicearrangement,including assuranceto sanitize allcomputing resourcesof tenant data once acustomer has exitedyour environment orhas vacated aresource?

    X After users confirm data deletion, HUAWEI CLOUD deletes the user data permanently to prevent data leakage, including memory deletion, data leakage prevention through encryption, deletion of stored data, disk data deletion and physical disk destruction. For further information, please refer to the HUAWEI CLOUD Security White Paper.

    3.6 DCS Datacenter Security

    Question ID
    Consensus Assessment Questions
    Consensus Assessment Answers (Yes / No / N/A)
    HUAWEI CLOUD's Response

    DCS-01.1

    Do you classify your assets in terms of business criticality, service-level expectations, and operational continuity requirements?

    X According to the ISO27001 standard, HUAWEI CLOUD's information asset classification is monitored and managed by special tools to form an asset list, and each asset is assigned an owner. HUAWEI CLOUD has obtained ISO27001 certification, and the certification can be downloaded from the Trust Center.

    DCS-01.2

    Do you maintain a complete inventory of all of your critical assets located at all sites/or geographic locations and their assigned ownership?

    X According to the ISO27001 standard, HUAWEI CLOUD's information asset classification is monitored and managed by special tools to form an asset list, and each asset is assigned an owner. HUAWEI CLOUD has obtained ISO27001 certification, and the certification can be downloaded from the Trust Center.


    DCS-02.1

    Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented for all areas housing sensitive data and information systems?

    X HUAWEI CLOUD has established comprehensive physical security and environmental safety protection measures, strategies, and procedures that comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers. HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems at different zones of the data center site for optimal physical security. HUAWEI CLOUD data centers employ industry standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and set up online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.

    DCS-03.1

    Do you have a capability to use system geographic location as an authentication factor?

    X HUAWEI CLOUD supports IP address-based access control. Users can choose whether to use IP addresses as authentication conditions in the Identity and Access Management (IAM) configuration.


    DCS-03.2

    Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location?

    HUAWEI CLOUD conducts equipment identification and management in accordance with ISO27001 requirements. HUAWEI CLOUD has obtained ISO27001 certification, and the certification can be downloaded from the Trust Center. Customers can use multi-factor authentication through IAM; supported methods include mobile phones, email, and virtual MFA devices.

    DCS-04.1

    Is authorization obtained prior to relocation or transfer of hardware, software, or data to an offsite premises?

    X The infrastructure supporting service operation is managed by authorized personnel in HUAWEI CLOUD's data centers. The infrastructure of the data center, including access to and processing of storage media, is managed in accordance with the relevant media management requirements.

    DCS-05.1

    Can you provide tenants with your asset management policies and procedures?

    X Confidential policies and procedures of HUAWEI CLOUD are not directly provided to customers. HUAWEI CLOUD works with external certification agencies and independent auditors to review and verify its compliance with the policies.

    DCS-06.1

    Can you provide evidence that policies, standards, and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas?

    X The ISO27001 standard requires organizations to establish standards and procedures to maintain a safe and secure working environment in offices, rooms, facilities, and secure areas. HUAWEI CLOUD has obtained ISO27001 certification, and the certification can be downloaded from the Trust Center.


    DCS-06.2

    Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards, and procedures?

    X The ISO27001 standard requires employees and third-party personnel to complete information security training. HUAWEI CLOUD has obtained ISO27001 certification, and the certification can be downloaded from the Trust Center.

    DCS-07.1

    Are physical access control mechanisms (e.g. CCTV cameras, ID cards, checkpoints) in place to secure, constrain and monitor egress and ingress points?

    X HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems at different zones of the data center site for optimal physical security. HUAWEI CLOUD data centers employ industry standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and set up online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.


    DCS-08.1

    Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process?

    X HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems at different zones of the data center site for optimal physical security. HUAWEI CLOUD data centers employ industry standard data center physical security technologies to monitor and eliminate physical hazards and physical security concerns. CCTV monitoring is enabled 24/7 for data centers' physical perimeters, entrances, exits, hallways, elevators, and computer cage areas. CCTV is also integrated with infrared sensors and physical access control systems. Security guards routinely patrol data centers and set up online electronic patrol systems such that unauthorized access and other physical security incidents promptly trigger sound and light alarms.


    DCS-09.1

    Do you restrict physical access to information assets and functions by users and support personnel?

    X HUAWEI CLOUD, through access control systems, strictly reviews and regularly audits user access privileges. Important physical components of a data center are stored in designated safes with crypto-based electronic access code protection in the data center storage warehouses. Only authorized personnel can access and operate the safes. Work orders must be filled out before any physical components within the data center can be carried out of the data center. Personnel removing any data center components must be registered in the warehouse management system (WMS). Designated personnel perform periodic inventories of all physical equipment and warehouse materials. Data center administrators not only perform routine safety checks but also audit data center visitor logs on an as-needed basis to ensure that unauthorized personnel have no access to data centers.

    3.7 EKM Encryption & Key Management

    Question ID
    Consensus Assessment Questions
    Consensus Assessment Answers (Yes / No / N/A)
    HUAWEI CLOUD's Response

    EKM-01.1

    Do you have key management policies binding keys to identifiable owners?

    X According to the HUAWEI CLOUD Key Management Policy, each user has a unique ID that identifies them. Customers can use the Key Management Service (KMS) and IAM to bind keys to identifiable owners.


    EKM-02.1

    Do you have a capability to allow creation of unique encryption keys per tenant?

    X Customers can use HUAWEI CLOUD Data Encryption Workshop (DEW) for exclusive encryption, key management, and key pair management, which supports key creation, authorization, automatic rotation, and hardware key protection. Customers can choose their own key management mechanism according to their needs.

    EKM-02.2

    Do you have a capability to manage encryption keys on behalf of tenants?

    X Data Encryption Workshop (DEW) allows customers to authorize HUAWEI CLOUD to host their private keys.

    EKM-02.3

    Do you maintain key management procedures?

    X HUAWEI CLOUD provides customers with Data Encryption Workshop (DEW), which supports key escrow and helps customers easily create and manage keys. Based on DEW, customers can manage the full life cycle of their keys.

    EKM-02.4

    Do you have documented ownership for each stage of the lifecycle of encryption keys?

    X Data Encryption Workshop (DEW), provided by HUAWEI CLOUD, supports key escrow, which helps customers easily create and manage keys. Based on DEW, customers can manage the full life cycle of their keys and record key ownership.

    EKM-02.5

    Do you utilize any third party/open source/proprietary frameworks to manage encryption keys?

    X To protect tenants' crypto keys and mitigate the risk of crypto key leakage to the public, HUAWEI CLOUD provides a cloud HSM service using different HSM vendors in different specifications (such as industry standard encryption algorithms and country-specific encryption algorithms) and cipher suite strengths, which allows tenants to select the options suitable for their real-world requirements, for example, third-party HSMs certified to FIPS 140-2.


    EKM-03.1

    Do you encrypt tenant data at rest (on disk/storage) within your environment?

    X The customer is responsible for the encrypted storage of its content data. HUAWEI CLOUD's Data Encryption Workshop (DEW) can provide customers with encrypted storage functions in Elastic Volume Service (EVS), Object Storage Service (OBS), Volume Backup Service (VBS) and other services.

    EKM-03.2

    Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?

    X In the scenario where data is transmitted between clients and servers and between servers of HUAWEI CLOUD via common information channels, data in transit is protected as follows:
    1. VPN: The Virtual Private Network (VPN) service is used to establish a secure encrypted communication channel that complies with industry standards between a remote network and a tenant VPC, such that a tenant's existing traditional data center seamlessly extends to HUAWEI CLOUD. Currently, HUAWEI CLOUD uses IPSec VPN together with Internet Key Exchange (IKE) to encrypt the data transport channel and ensure transport security.
    2. Application-layer security (TLS and certificate management): HUAWEI CLOUD supports data transmission in REST and Highway modes. Both REST and Highway modes support TLS 1.2 for data-in-transit encryption and X.509 certificate-based identity authentication of destination websites.

    EKM-03.3

    Do you have documentation establishing and defining your encryption management policies, procedures, and guidelines?

    X HUAWEI CLOUD has established an encryption strategy and key management mechanism to protect data on technical equipment, including the assignment of personnel rights and responsibilities, encryption levels, and encryption methods.


    EKM-04.1

    Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms?

    X HUAWEI CLOUD itself uses the AES strong encryption method widely used in the industry to encrypt data in the platform, and uses a high-level TLS encryption protocol to ensure data security during transmission. Customers can use Data Encryption Services to encrypt data. HUAWEI CLOUD provides cloud HSMs of different vendors, specifications (standard encryption algorithms, national encryption algorithms, etc.), and different strengths for tenants to choose from to meet the needs of different tenants.

    EKM-04.2

    Are your encryption keys maintained by the cloud consumer or a trusted key management provider?

    X HUAWEI CLOUD supports key management methods selected by customers. HUAWEI CLOUD provides HSMs of different vendors, specifications (standard encryption algorithms, national secret algorithms, etc.), and different strengths for tenants to choose from to meet the needs of different tenants.

    EKM-04.3

    Do you store encryption keys in the cloud?

    X KMS enables users to manage their keys conveniently and ensures the security of critical business data by supporting data encryption using a data encryption key (DEK) at any time. The DEK is encrypted using the customer master key (CMK) that is stored in KMS. Key disclosure is prevented by storing the root key of the KMS in the HSM. The root key at no time appears outside the HSM. In addition, at least two HSM devices are deployed as a pair to ensure reliability and availability. The CMKs are encrypted using the root key and saved as ciphertext on the key storage nodes.
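The three-level hierarchy described in EKM-04.3 (root key inside the HSM, CMKs stored only as ciphertext under the root key, DEKs wrapped under a CMK), as an added example that is not HUAWEI CLOUD's or KMS's code: an in-memory toy KMS whose methods never return the root key or a CMK. AES-256-GCM as the wrapping and data cipher, the simulated HSM, the tenant IDs and all key material are assumptions of this example; a client seals each object locally with the plaintext DEK, persists only the ciphertext and the wrapped DEK, and later calls UnwrapDataKey and open to read it back.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes draws n bytes from the CSPRNG (used for keys and GCM nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is not recoverable
	}
	return b
}

// seal encrypts pt with AES-256-GCM and prepends the nonce; open reverses it
// and fails on a wrong key or any tampered byte. All keys here are 32 bytes.
func seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return g
}

// KMS is an in-memory stand-in (assumption of this example) for the EKM-04.3
// hierarchy: the root key lives only inside the simulated HSM, CMKs are kept
// only as ciphertext under it ("key storage nodes"), and neither is returned.
type KMS struct {
	hsmRootKey  []byte
	wrappedCMKs map[string][]byte
}

func NewKMS() *KMS { return &KMS{randBytes(32), map[string][]byte{}} }

// CreateCMK generates a tenant CMK and stores it encrypted under the root key.
func (k *KMS) CreateCMK(id string) { k.wrappedCMKs[id] = seal(k.hsmRootKey, randBytes(32)) }

// cmk unwraps a CMK inside the HSM boundary; it is unexported on purpose.
func (k *KMS) cmk(id string) ([]byte, error) {
	if w, ok := k.wrappedCMKs[id]; ok {
		return open(k.hsmRootKey, w)
	}
	return nil, fmt.Errorf("unknown CMK %q", id)
}

// GenerateDataKey hands the client a fresh DEK in plaintext, for immediate use,
// plus the same DEK wrapped under cmkID; only that CMK can later unwrap it.
func (k *KMS) GenerateDataKey(cmkID string) (plain, wrapped []byte, err error) {
	cmk, err := k.cmk(cmkID)
	if err != nil {
		return nil, nil, err
	}
	plain = randBytes(32)
	return plain, seal(cmk, plain), nil
}
func (k *KMS) UnwrapDataKey(cmkID string, wrapped []byte) ([]byte, error) {
	cmk, err := k.cmk(cmkID)
	if err != nil {
		return nil, err
	}
	return open(cmk, wrapped)
}
```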

    EKM-04.4

    Do you have separate key management and key usage duties?

    X Customers are responsible for assigning their key management responsibilities, and for recording the use permissions and control rights of the keys.


    3.8 GRM Governance and Risk Management

    No.
    Consensus Assessment Questions
    Consensus Assessment Answers (Y / N / N/A)
    HUAWEI CLOUD's Response

    GRM-01.1

    Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?

    X HUAWEI CLOUD leverages the Minimum Security Baselines set out by the Center for Internet Security (CIS) and has integrated them into the HUAWEI CLOUD DevSecOps process. CIS security baselines are a set of industry best practices for cyber and system security configurations and operations, which cover people (behavior of both end users and administration personnel), processes (network and system management) and technologies (software and hardware). HUAWEI CLOUD establishes an internal technical standard specification library, which contains the information security baselines for every component in the infrastructure.

    GRM-01.2

    Do you have the capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?

    X HUAWEI CLOUD requires that all services pass basic security requirements verification ahead of release to ensure infrastructure compliance.


    GRM-02.1

    Does your organization's risk assessment take into account awareness of data residency, legal and statutory requirements for retention periods and data protection and classification?

    X According to the ISO27001 standard, HUAWEI CLOUD conducts information security risk management, and regularly performs information security risk assessments. Risk assessments cover all aspects of information security, including data protection and classification, data retention and transmission locations, and data retention time in compliance with laws and regulations. HUAWEI CLOUD has passed ISO27001 certification, and related certificates can be obtained from the Trust Center.

    GRM-02.2

    Do you conduct risk assessments associated with data governance requirements at least once a year?

    X According to the ISO27001 standard, HUAWEI CLOUD conducts information security risk management, and performs information security risk assessments at least once a year. Risk assessments cover all aspects of information security, including data protection and classification, data retention and transmission locations, and data retention time in compliance with laws and regulations. HUAWEI CLOUD has passed ISO27001 certification, and related certificates can be obtained from the Trust Center.


    GRM-03.1

    Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility?

    X Huawei regards cyber security as one of the company's important strategies, which is achieved through a top-down governance structure. In terms of organization, HUAWEI CLOUD establishes a cybersecurity management organization to decide and approve the company's overall cybersecurity strategy. At the same time, cyber security is included in the employee business code of conduct, and the company's requirements for all employees in the field of cybersecurity are conveyed through annual employee business code of conduct learning, examinations, and signing activities, so as to improve employee cyber security awareness; employees sign a cybersecurity commitment letter and promise to abide by the company's various network security policies and system requirements.

    GRM-04.1

    Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?

    X HUAWEI CLOUD does not directly provide customers with confidential information security management procedures. HUAWEI CLOUD invites third-party organizations to evaluate the information security management procedures of HUAWEI CLOUD and confirm that its operation complies with ISO27001 standards. HUAWEI CLOUD has passed ISO27001 certification, and related certificates can be obtained from the Trust Center.

    GRM-04.2

    Do you review your Information Security Management Program (ISMP) at least once a year?

    X According to the requirements of the ISO27001 standard, HUAWEI CLOUD invites third-party organizations to review the information security management program (ISMP) every year. HUAWEI CLOUD has passed ISO27001 certification, and related certificates can be obtained from the Trust Center.


    GRM-05.1

    Do executive and line management take formal action to support information security through clearly-documented direction and commitment, and ensure the action has been assigned?

    X According to the requirements of ISO27001, HUAWEI CLOUD has clarified its own information security goals, formulated corresponding information security plans, and allocated the resources required to perform information security activities. HUAWEI CLOUD has passed ISO27001 certification, and related certificates can be obtained from the Trust Center.

    GRM-06.1

    Are your information security policies and procedures made available to all impacted personnel and business partners, authorized by accountable business role/function and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)?

    X According to the requirements of ISO27001 and SOC2, HUAWEI CLOUD implements documented information security policies and procedures to provide guidance for HUAWEI CLOUD's operations and information security. Employees can view the published information security policies and procedures under authorization. ISO 27001 and SOC related certificates and reports can be obtained from the Trust Center.


    GRM-06.2

    Are information security policies authorized by the organization's business leadership (or other accountable business role or function) and supported by a strategic business plan and an information security management program inclusive of defined information security roles and responsibilities for business leadership?

    X According to ISO27001 requirements, the leadership of HUAWEI CLOUD establishes information security goals, formulates corresponding information security plans, and allocates resources required to perform information security activities. The information security plan meets the requirements of customers and HUAWEI CLOUD itself. HUAWEI CLOUD has passed ISO27001 certification, and related certificates can be obtained from the Trust Center.

    GRM-06.3

    Do you have agreements to ensure your providers adhere to your information security and privacy policies?

    X When HUAWEI CLOUD introduces suppliers, all suppliers sign confidentiality and service level agreements with HUAWEI CLOUD. The agreements contain requirements for the supplier's security and privacy data processing.

    GRM-06.4

    Can you provide evidence of due diligence mapping of your controls, architecture, and processes to regulations and/or standards?

    X HUAWEI CLOUD displays the obtained certifications in the Trust Center, and has published a number of white papers related to regulations and standards. The white papers introduce the mapping and compliance between HUAWEI CLOUD's controls and regulatory requiremen

