
INTERNAL

General Operations & Maintenance Rules & Regulation


www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

1. Service Delivery Security Specifications


1.1 Physical and Environmental Security


1. When entering or leaving the customer's equipment room, network management center, office areas, and sensitive areas (such as government and military areas), engineers must follow the customer's or organization's management regulations.
2. Engineers are prohibited from disclosing the password of the access control system of the sites to other people or duplicating the key to the equipment room without permission. If the key is lost, the responsible employee should report the loss to the customer promptly for filing. In managed service projects, irrelevant personnel can only access the site by showing the customer's written consent.
3. During the service, engineers are prohibited from operating other vendors' equipment in the customer's equipment room, except in the case of equipment swap, auxiliary equipment provided by Huawei, and managed service projects when other vendors' equipment is within the scope of Huawei's operational responsibilities.
4. In migration projects, the destruction and return of old equipment should comply with the customer's requirements. In particular, the devices containing storage media must be checked to ensure that all sensitive data or authorized software have been removed or safely overwritten before the destruction.
5. The complete record of assets that are received from the customer should be available to ensure the assets' integrity. The history record should be retained or maintained according to the customer's requirement.


1.2 Communications and Operation Security


1. Engineers are prohibited from performing operations including inquiry, copy, and edit on the programs, configuration files, data, and logs on the customer equipment or modifying network equipment connections without the customer's permission. In managed service projects, the implementation of the actions described above should be in compliance with the process confirmed with the customer.
2. Engineers are prohibited from installing temporary software or tools on customer equipment without the customer's permission. In necessary cases, customers must be informed of the risks of installing such software or tools. After on-site service, delete the temporary software and tools that the customer permitted to be installed, returning the equipment to the production environment.
3. During site acquisition, RF survey, and microwave survey, if it is required to take photos of sensitive areas (government and military areas), the permission of government and military authorities must be obtained.
4. It is prohibited to use digital or common cameras (including video cameras and cameras embedded in mobile phones) at the customer's site without the customer's permission. Engineers should ensure that all photos and moving pictures that are taken and captured in Huawei area do not contain any customer information.
5. It is required to check whether any irrelevant software or document exists on the equipment before the commissioning.



6. The test account and balance information created in commissioning can be retained only if the customer requires retaining such information and signs as confirmation.
7. Engineers should operate and maintain the third-party equipment according to the responsibility matrix. If it is required to operate the third-party equipment or make changes on the equipment, the responsible engineer should report the application according to the business process.
8. Engineers should not use customers' networks to implement activities that are irrelevant to their work, such as playing online games or visiting websites that are irrelevant to work.
9. Before performing risky operations including software upgrade, important hardware replacement and network structure change on customer equipment, the engineer must communicate the content of the operations to the customer in written form. The operations can be performed only after the customer's consent is obtained. Content of operations (MOP) should be based on factual data from lab network environment or test network.



12. Engineers are prohibited from connecting personal portable devices or storage media (such as CD-RW, U disk, and portable hard disk) to customer networks without prior written permission from the customer. In necessary cases, the devices and media to be connected must be checked against the most recent virus library to ensure that the devices or the media do not carry any virus or Trojan program.
13. Engineers are required to remind the customers to check whether the equipment logs are correctly recorded on a regular basis, periodically back up the system and data on the equipment, and properly store the backup data. In managed service projects, engineers should back up and save data according to the maintenance requirements.
14. Engineers should avoid operating the customer's network equipment during sensitive communications assurance periods (by default, the periods are important festivals, major meetings, and special periods required by the customer).
15. Regarding equipment and systems that store customer information, during the modification or upgrade process, engineers must ensure that the information is not deleted or corrupted.
16. Engineers are prohibited from modifying the third-party security software during the usage without the permission of the customer's security management department.
17. Engineers should avoid operating the customer's network equipment during peak hour (0600-0000 hour).
18. If the customer insists on operating the network during peak hour, the L1 engineer should inform the CS manager / Director.

1.3 Access Control


1. During equipment commissioning, administrator passwords with appropriate complexity must be set promptly on the installed servers and terminal devices.
2. Before engineering handover, the engineers should change the passwords used during commissioning. The handover list should include the handover of passwords and should be signed by the customer for confirmation after the customer changes the passwords.
3. Engineers should remind the customers to set necessary operation and access permission according to the principles of authorization and domain based on management. In addition, engineers should ensure that every relevant person has a unique user ID and password that can be used only by that person.
4. Customers should be reminded to update all the passwords of the equipment periodically, ensure the complexity of the passwords, and clear all the accounts of the equipment to delete inactive accounts on a regular basis.
5. In managed service projects, Huawei is responsible for maintaining accounts and passwords according to the requirement in section 1.3.3 and 1.3.4.
6. Engineers must use the designated IP address to access the customer network for maintenance operations to avoid the IP address conflict.



7. After on-site service, the temporary information (such as process data and login accounts) in the service process should be cleared. The retention of certain temporary information that is needed for future work must be approved by the customer in written form.
8. Engineers can provide on-site service only with the customer's consent and presence on site, and must use the temporary account and password provided by the customer rather than the system's super user password. In addition, on-site engineers should not perform operations outside the scope approved by the customer in advance. The operations outside the scope, if necessary, must be performed after being approved by the customer.
9. Remote service can be provided only after the remote service request is submitted to and approved by the customer. The customer should provide the access information (such as login name, login password, login address, and dialing number) through phone call or encrypted email. If it is necessary, Huawei engineers should use the terminal or remote maintenance software authorized by the customer to access the customer network.
10. After remote commissioning or maintenance, the engineer must modify or delete the established remote service environment and login information in time and notify the customer to close the remote service environment on the equipment side.
11. After the on-site or remote service, the customer should sign on the service report to confirm that the login password has been changed.



12. The regulations and requirements specified in sections 1.3.8 to 1.3.11 are not applicable to Managed Service projects. In a managed service project, the project team manages the on-site services and remote access provided by equipment vendors on behalf of the customer. Specifically, Huawei engineers should review the operation or service solution in advance and monitor the operation process (regarding critical operations, submit the solution to the customer for approval), never provide super user information to vendors' personnel, and promptly clear account information in the equipment and close the remote login environment after all operations are completed.
13. Engineers are prohibited from connecting the equipment for maintaining the customer's network to the Internet. Before connecting the maintenance terminal to the customer's network, engineers should perform a complete antivirus check on the terminal to prevent viruses from affecting normal network running.
14. When operating customer equipment, engineers should not connect the servers or maintenance terminals to the Internet. If Internet access is mandatory, security and protective measures must be taken, such as installing firewalls and antivirus software, performing VLAN isolation, updating system patches, and reinforcing the system. Once infected by a virus, the infected equipment must be isolated, and re-connected to the networks after the virus is removed.
15. It is required to control the use of e-maps and marking of sensitive areas during the wireless network optimization.


1.4 Information System Development and Maintenance


1. Engineers are prohibited from spreading or disclosing the customer property information obtained at the site survey stage in Network Integration projects.
2. Engineers are prohibited from spreading or disclosing the information involved in the service delivery, including site location, site equipment configuration, networking scheme, IP addresses, equipment password, technical specifications, KPIs, frequency resources, interconnection parameters, business features, charging information, pipeline information, and subscriber information.
3. Engineers are prohibited from spreading or disclosing the customer network information including BTS engineering parameter table, network parameter design report, network planning report, network optimization report, monitoring report, network evaluation report, acceptance report, and network performance improvement report.
4. The software used in equipment commissioning and software upgrade should be obtained from legitimate sources.
5. Engineers are prohibited from installing the software such as the operating system or database purchased by the customer on the equipment that is not owned by the customer. It is also prohibited to use the equipment serial number and software license purchased by the customer for purposes irrelevant to the current project.
6. Engineers are prohibited from disclosing the customer's simulated upgrade data. If it is necessary to send the data to relevant personnel, the data must be encrypted before being sent. During upgrade, an owner of the data must be assigned, who should delete the data after the upgrade in time.



7. When creating or processing trouble tickets in IT systems, engineers should not enter the service account and password of the customer.
8. During the delivery process of network optimization service, the customer personal information and tracking information for VIP experience tracking, VIP problem handling, and VIP regional network optimization must be used within specified scope and should not be spread or disclosed.
9. In Network Integration projects, engineers are prohibited from copying, retaining, or even spreading the data at the business layer (mails, office documents, and personnel and wage information) in the data center for data migration and maintenance purpose without permission.
10. In managed service projects, the recipient scope of the customer's documents including statements and network information documents must be strictly controlled. Authorities related to these documents should be assigned hierarchically.
11. Engineers are prohibited from spreading or disclosing the customer's information including remuneration system, staff structure, and fringe benefits that Huawei engineers contacted during the personnel transfer in managed service projects.
12. The customer's personal information including name, post, contact information, and training experience that Huawei engineers contacted during the training delivery should be used in an effective and secure manner and within the minimum scope. Any spread or disclosure is prohibited.



13. The cases of one operator's network can be shared only in the trainings for that operator, and the information should not be disclosed to other accounts.


1.5 Other Rules and Regulation


Employees (including third-party employees) need to be subject to the security training before implementing delivery works for accounts. The employees should proactively study relevant management regulations and security accident cases during project delivery to increase the service delivery security awareness. The security vulnerabilities, risks, and violations of any employee, subcontractor, and supplier discovered during service delivery should be reported to relevant security organization in time and informed to the customer after the analysis and decision-making by the organization.

Note: The permission must be granted with traceable evidences (in one of these forms: fax, voice record, email, notice, on-site acknowledgment, and confirmed meeting minutes).


2. Responsibility and Chastisement


Chastisement Principle

• The violations and chastisements are classified into three levels according to the consequences and natures of violations and subjective elements of violators.
• For the violators who violate multiple regulations or requirements stated in this manual at the same time, chastisement is imposed based on the highest level of violation among the multiple violations.
• For the violators who violate the regulations or requirements in this manual two or more times within one year, chastisement is imposed based on one level higher than the level of the current violation.
• Information about the informants of violations is confidential and protected from public disclosure by Huawei.


2.1 Levels of Violations


3.1.1 Level-3 violation: For violations of minor gravity and not causing security accidents or customer complaints. The violations include but are not limited to the following cases:
1. Not requesting the customer to change the account or password, or not formally signing and confirming the change of account and password with the customer before the formal handover to the customer or after the technical service is completed.
2. Not clearing test accounts, test data, or remote access configuration before the formal handover to the customer or after the technical service is completed.
3. Establishing the remote access environment without the customer's formal permission, or not closing the remote access environment in time after the remote service is completed.
4. Retaining the customer's important and confidential information (commercial, technical, contract, business plan, networking information, equipment account, password, and subscriber information) without the customer's formal permission.
5. Recording and spreading the customer's equipment account or password in explicit form without permission.
6. Violating the management regulations of the customer or relevant organizations and entering the working area without permission.
7. Failing to well perform asset handover or recording as required by the customer.

• Performing operations including inquiry, copy, and edit on the programs, configuration files, data, and log files on the customer equipment without the customer's permission.
• Installing unnecessary software or tools on customer equipment without the customer's permission.
• Using customers' networks to implement activities that are irrelevant to work when operating and maintaining customer equipment.


2.2 Level-2 violation: In the cases of intentionally collecting the account and password information about customer equipment, or violations of major gravity and causing security accidents or customer complaints. The violations include but are not limited to the following cases:

• Setting account and password, or changing the account authority on the customer equipment without permission, which does not cause security accidents or customer complaints.
• Obtaining the accounts and passwords held by others, or extending the pre-assigned authority of the personal account without permission.
• Intentionally stealing the accounts and passwords of the customer or subscribers, which does not cause financial or reputation losses to the customer or subscribers.
• Disclosing the customer's important and confidential information (commercial, technical, contract, business plan, networking information, equipment account, password, and subscriber information), which causes financial or reputation losses to the customer.
• Spreading and modifying the personal information about subscribers without permission, which causes financial or reputation losses to subscribers.
• Editing the programs, configuration files, data, and log files on the customer equipment without the customer's permission.


2.3 Level-1 violation: In the cases of stealing customer properties, intending to steal or disclose the confidential information about customers and subscribers, serious operation violation, or intentionally damaging the communications equipment or computer systems of customers, which cause huge losses to customers and Huawei. The cases of violating the laws in China or the local countries are handed over to appropriate judicial organizations. The violations include but are not limited to the following cases:

• Setting information about recharge cards and account on the customer equipment to steal customer properties.
• Intentionally stealing the confidential information about the customer and subscribers, which causes huge financial or reputation losses to the customer or subscribers.
• Intentionally damaging the hardware, software, or data configuration of the customer's communications equipment and computer systems, which causes communications outage or faults.
• Performing risky operations including software upgrade, important hardware replacement, and network structure change on customer equipment without permission, which causes network outage or data loss.
