1.True or False
According to cyber security redlines, do not reserve or use an admin account or other
unauthorized accounts after the product has been deployed for commercial use or has been
transferred to the maintenance phase. Instead, the network account password must be handed
over to the customer who is required to modify the initial password and sign for confirmation.
True False
2.True or False
The software obtained through official corporate channels means the software obtained after
application and approval, or the software delivered with the device.
True False
3.True or False
When carrying out risky operations on customer devices (such as software upgrade,
replacement of important hardware, and network restructuring), you must inform customers in
advance and obtain their consent before conducting the operations. The operations must be
based on the laboratory or simulated network data.
True False
4.True or False
When working together at customer sites, team members can share an account to avoid
disturbing customers on the premise that the account and password are not disclosed.
True False
5.True or False
Employees must remove viruses regularly on computers/terminals. The computer or storage
media with discovered or suspected viruses must not access the customer network.
True False
6.True or False
All the change operations on the live network must get "three approvals" (customer approval,
approval of the project team, and technical approval).
True False
7.True or False
When the employee completes his/her missions on the business trip and is ready to leave,
relevant departments must require him/her to delete the customer network information in the
portable devices or other storage media, and to hand over relevant account information. The
departments must also revoke the employee's access right to relevant customer systems or sites
and check again. If necessary, inform customers that the employee is about to leave.
True False
True False
9.True or False
After the field service is finished, clean up all temporary content related to the customer in the
process of the service (for example, delete the process data and cancel the login account). If
certain temporary content needs to be reserved for the follow-up work, you must obtain the
written approval from the customer.
True False
10.True or False
In training services, to quote customer information, you must edit out the sensitive information
in advance or obtain written authorization from the customer.
True False
a.Computers at work have already installed antivirus software and are updated and
optimized by the IT, so there is no need to scan virus before connecting to customer network.
b.The computer or storage media with discovered or suspected viruses can access the
customer network with the permission of the customer.
c.Employees need to scan virus in Full scan mode regularly. The computer or storage
media with discovered or suspected viruses must not access the customer network.
a.E-mail
b.Meeting minutes
c.Fax
d.Verbal commitment
e.Service application
a.When an employee on a business trip gets to the destination, the destination department
should require the employee to study the training materials of cyber security, and keep the
records that the employee participated in cyber security training, passed the cyber security test,
and signed the related commitment of cyber security.
b.During the employee's business trip, the destination department should regard the
employee as its own staff and implement regular cyber security management.
c.If an employee violates cyber security requirements during the business trip, the
supervisor of the destination department should bear the management liability if the supervisor
did not perform due duties in management or failed to take any measures after knowing the
violation.
d.An employee on business trips still complies with the cyber security management
requirements of his/her own original department. He/she does not have to obey the cyber
security management requirements of the frontline project team, for example, attend trainings
and sign the commitment.
a.Cyber security feedback is the duty of cyber security teams and not related to normal
employees.
c.You can give feedback or seek help from local lawyers and cyber security contacts.
d.If you find that external forums and third party individuals/organizations discovered any
security vulnerabilities, send them to the related cyber security office.
a.Ask for permission of the carrier and perform the essential procedure according to local
laws.
b.When data is transferred to the headquarters, adopt proper organizational and technical
measures to ensure data security.
c.Problem solving is the top priority, so transfer the data as fast as possible.
d.Ask for advice from the manager and cyber security department if you do not know how
to deal with it.
a.When offering the on-site service, the customer must agree and accompany, and the
engineer must use the temporary account and password offered by the customer and must not
share with others.
b.Any operation that is of no risk but out of the operation scope approved by the customer
can state to the customer after implementation.
c.After the on-site service ends, clean up all temporary work content during the service (for
example, delete the process data and cancel the login account). If certain temporary content
needs to be reserved for the follow-up work, you must obtain the written approval from the
customer.
d.After the on-site service ends, the customer needs to sign in the service report to confirm
whether the login password has been changed.
a.In the process of service delivery, engineers are prohibited from operating the devices of
other vendors in the customer's equipment room (except that Huawei is responsible for the
operation UI of other vendors' devices such as a device in a migration project or a management
service project, or a supporting device provided by Huawei).
b.Based on the responsibility matrix, you cannot operate or modify the third-party devices
casually.
c.If necessary, the third-party security software can be modified to meet business needs.
d.When migrating the devices of the third-party vendors, you have to handle the devices
containing storage media based on the customer's requirements.
Answers of examinees:c Correct answer
a.Implant malicious codes, malicious software, and backdoor in the provided product or
service, and reserve any undisclosed interface and account.
b.Access the customer system without the customer's written authorization and collect,
possess, handle, and modify any data and information of the customer network.
c.Delete and destroy the customer network data after the customer authorization expires.
d.Spread and use the shared account and password without the customer's written
authorization.
b.Periodically clear expired customer permissions and remind customers to cancel the
expired authorization.
c.Customers rather than Huawei should take the responsibility of management
vulnerabilities in access control of the customer network.
d.Discuss with the customer for a solution and authorize login permissions again.
Accounts and passwords can be used only by the authorized person and should be expired after
the validity period, so that if an issue occurs, the issue can be traced and located.
a.Huawei adopts the ITR process and iCare system that serves global customers to handle
the entire process of all customer events.
b.In case of a major security incident, customers are immediately informed through
emails, SMSs, telephone, or face-to-face communication. We also notify management at
different levels based on the incident level to muster their support.
d.Huawei PSIRT (a role in the IPD process) reports severe security incidents to product
line managers and includes the security incident into the enterprise crisis management process.
The crisis management workgroup takes part in the process and ensures timely resolution,
during which senior managers may review reports on crisis handling and management
improvement.
a.Strictly follow the customer authorized purpose for customer network data transfer
operations.
b.Without the customers' consent, do not transfer customers' network data (including
personal data) out of the customers' network.
c.In case of an emergency, customer network data (including personal data) of sensitive
countries can be transferred back to China to avoid service delay.
d.Transfer of personal data from the European Economic Area (EEA) and other sensitive
countries should comply with local laws and regulations.
a.End users' rights and freedom in processing personal data, especially privacy rights, are
protected by laws.
b.Avoid and reduce the use of personal data, anonymize the data or use pseudonyms as
much as possible according to local laws.
c.Take appropriate technical and organizational measures to protect personal data and
prevent illegal processing of the data in any form.
d.If a person has no intention but violates personal data or privacy, the person is not
legally liable.
a.Providing account and password information to several customer engineers does not
involve cyber security violation.
c.The R&D engineer accidentally spreads the account and password information, which
does not involve cyber security violation.
d.The R&D engineer should carefully confirm the customer authorization scope.
b.The Support website and the product catalog are the legal publication and download
platforms. All the tools (including the frontline custom tools) must be released on the legal
platform. Employees can download software from only the Support website, product catalogs,
and use software tools within the specified scope.
c.Employees are forbidden to download/use tool software from other illegal channels, for
example download a third-party software from the Internet, or obtain or use R&D tool
software from illegal channels.
a.Sell user materials, such as user names and phone numbers, obtained from work to
others.
b.To locate issues in maintenance, access a user's communication line and eavesdrop on the
user's voice call.
a.Judiciously manage paper documents and storage media or devices that contain customer
network data to prevent unauthorized access or data loss.
b.Strictly control access permissions to the customer network data, and maintain
permissions regularly.
d.Before a staff member leaves the sensitive area, the equipment or storage media containing
customer network data must be removed or transferred to the local server or other storage
media that have management measures.
a.Before remote access, you must get customer written authorization to specify the
authorization scope and time limitation. The operation scheme of remote access should be
approved by the project team and experts.
c.The software, versions, patches, and licenses installed on the customer network in
remote access must be from the official channel of our company, including the support
website, formal email, and 3MS case library.
d.After the remote service ends, you should inform the customer to close remote service
environment on the device side, including cutting off the remote service connection through
the network and terminating the remote service software. You should also remind the customer
to change the password used during the remote service.
e.After remote service ends, you should delete the data and information obtained from the
customer network in time. If you need to reserve the data, the customer written authorization
must be obtained.
f.There must be strict recording of the server use. Every user should record the use
information in a written document or IT system.
a.Without written authorization from the customer, access the customer's network; collect,
keep, process, and modify any data and information in the customer's network.
b.Develop, replicate, and spread computer viruses or attack customers’ infrastructure, such
as the network, in other ways.
c.Use networks to carry out any activities that harm national security and the public
interest, steal or destroy others' information and violate others' legal rights.
a.When an employee on a business trip gets to the destination, the destination department
should require the employee to study the training materials of cyber security, participate in
cyber security training, pass the cyber security test, and sign the commitment of cyber security
redlines. The destination department should keep a record of the employee's study, test, and
commitment.
b.During the employee's business trip, the destination department should regard the
employee as its own staff and implement regular cyber security management.
c.If an employee violates cyber security requirements during the business trip, the
supervisor of the destination department should bear the management liability if the supervisor
did not perform due duties in management or failed to take any measures after knowing the
violation.
d.If an employee on business trips supports a project, the department with management
responsibilities is the project team; if the employee does not enter the project, the department
with management responsibilities is the corresponding platform department.
a.Huawei established the Global Cyber Security Committee (GCSC), consisting of the
board members and Global Process Owners (GPOs). The Global Cyber Security Officer
(GCSO) and subordinate security organizations support the GCSC to implement the cyber
security strategies.
b.Huawei incorporates security goals into the company business processes and implements
the company's programmatic documents such as strategies through more specific policies,
organization, and process documents.
c.Huawei auditors use the Key Control Points (KCPs) and the global process control
manual to ensure that processes are effective and executed.
d.Huawei governance, organization design, policies, and procedures ensure that cyber
security requirements are effectively implemented rather than remain on paper.
a.Remind the customer to conduct necessary limitation to the access rights and comply
with principles of right- and domain-based control and least privilege.
b.Ensure that every employee has a unique user identification and password for his/her use
only.
c.Remind the customer to update all the passwords of the device regularly and ensure the
complexity of the passwords.
a.Obtain written authorization from the customer in advance and keep the consent or
authorization record.
b.Disclose the function to the customer using product materials and describe the following
items explicitly: type of collected and handled data, purpose, handling method, deadline, the
next data receiver (if any).
c.The collection should comply with the purpose correlation, necessity, minimum, and
real-time update principles. Anonyms or pseudonyms shall be used wherever possible.
d.According to laws, personal data from cyber security sensitive countries should not be
transferred to other countries or areas including China.
a.Do not mention technologies and solutions which may lead to misunderstanding
regarding user privacy protection, such as DPI (Deep Packet Inspection), location-based
service, lawful interception, remote access, and data transfer.
b.Never excerpt users' personal information or customers' network data without customers'
written authorization (except public information).
d.Do not spread cyber security cases, which may easily cause any misunderstanding about
Huawei, such as security baselines and security alarms.
True False
2.True or False
When handling or modifying customers' network data, you must apply to customers for written
authorization in advance. However, if the operation does not affect customer network running,
there is no need to apply to customers.
True False
3.True or False
After the field service is finished, clean up all temporary content related to the customer in the
process of the service (for example, delete the process data and cancel the login account). If
certain temporary content needs to be reserved for the follow-up work, you must obtain the
written approval from the customer.
True False
4.True or False
In training services, to quote customer information, you must edit out the sensitive information
in advance or obtain written authorization from the customer.
True False
5.True or False
The software obtained through official corporate channels means the software obtained after
application and approval, or the software delivered with the device.
True False
6.True or False
When working together at customer sites, team members can share an account to avoid
disturbing customers on the premise that the account and password are not disclosed.
True False
7.True or False
Employees must remove viruses regularly on computers/terminals. The computer or storage
media with discovered or suspected viruses must not access the customer network.
True False
8.True or False
You must first get written authorization from customers before installing any tool or software
on the customer network. In case of an emergency such as the customer being not within
contact, the temporary software installed on the customer device must be removed the moment
you complete the task.
True False
9.True or False
The grading standard for cyber security violation accountability mainly depends on the
consequences caused by violations.
True False
10.True or False
When carrying out risky operations on customer devices (such as software upgrade,
replacement of important hardware, and network restructuring), you must inform customers in
advance and obtain their consent before conducting the operations. The operations must be
based on the laboratory or simulated network data.
True False
a.In the process of service delivery, engineers are prohibited from operating the devices of
other vendors in the customer's equipment room (except that Huawei is responsible for the
operation UI of other vendors' devices such as a device in a migration project or a management
service project, or a supporting device provided by Huawei).
b.Based on the responsibility matrix, you cannot operate or modify the third-party devices
casually.
c.If necessary, the third-party security software can be modified to meet business needs.
d.When migrating the devices of the third-party vendors, you have to handle the devices
containing storage media based on the customer's requirements.
b.Periodically clear expired customer permissions and remind customers to cancel the
expired authorization.
d.Discuss with the customer for a solution and authorize login permissions again.
Accounts and passwords can be used only by the authorized person and should be expired after
the validity period, so that if an issue occurs, the issue can be traced and located.
a.Cyber security feedback is the duty of cyber security teams and not related to normal
employees.
c.You can give feedback or seek help from local lawyers and cyber security contacts.
d.If you find that external forums and third party individuals/organizations discovered any
security vulnerabilities, send them to the related cyber security office.
b.If changing positions, the employee should recycle or conduct unrecoverable deletion of
the customer network data and cancel the corresponding information system access right.
d.If devices and storage media are returned from sensitive areas, the contained customer
network data must be erased unless the customer asks for reserving.
b.Attack and destroy the customers' networks; crack the password of customers' accounts.
c.Disclose and disseminate the accounts and passwords of the customers' network.
d.products and services customers' or users' communication content, personal data, and
privacy
a.When an employee on a business trip gets to the destination, the destination department
should require the employee to study the training materials of cyber security, and keep the
records that the employee participated in cyber security training, passed the cyber security test,
and signed the related commitment of cyber security.
b.During the employee's business trip, the destination department should regard the
employee as its own staff and implement regular cyber security management.
c.If an employee violates cyber security requirements during the business trip, the
supervisor of the destination department should bear the management liability if the supervisor
did not perform due duties in management or failed to take any measures after knowing the
violation.
d.An employee on business trips still complies with the cyber security management
requirements of his/her own original department. He/she does not have to obey the cyber
security management requirements of the frontline project team, for example, attend trainings
and sign the commitment.
Answers of examinees:d Correct answer
a.Use the customer network data within the scope of authorization. Do not use or publish
the customer network data in any form for any unauthorized purpose.
b.If customers do not put forward clear requirements after the project ends, you can
reserve some customer network data on the work computer for external communication and
discussion in future.
d.If case study or knowledge sharing involves customer network data, you must edit out
sensitive information instead of direct use.
a.Without written authorization from the customer, access the customer's network; collect,
keep, process, and modify any data and information in the customer's network.
b.Develop, replicate, and spread computer viruses or attack customers’ infrastructure, such
as the network, in other ways.
c.Use networks to carry out any activities that harm national security and the public
interest, steal or destroy others' information and violate others' legal rights.
a.Remind the customer to conduct necessary limitation to the access rights and comply
with principles of right- and domain-based control and least privilege.
b.Ensure that every employee has a unique user identification and password for his/her use
only.
c.Remind the customer to update all the passwords of the device regularly and ensure the
complexity of the passwords.
a.We suggest that computers used for maintenance be provided and managed by customers
if possible. If the computers cannot be provided by customers, our employees' work computers
will be used.
b.To protect the customer network and data security, our corporation has strict computer
configuration and customer network access requirements. The software in the work computers
must be installed through Huawei iDesk tool or by Huawei IT personnel.
c.The computers must meet the security requirements and standards. If a computer is
infected or suspected to be infected by viruses, the computer cannot be connected to customer
networks and must be scanned to remove the viruses.
d.Service engineers can install internal R&D software tools through direct contact with
R&D staff.
c.The R&D engineer accidentally spreads the account and password information, which
does not involve cyber security violation.
d.The R&D engineer should carefully confirm the customer authorization scope.
a.When trouble tickets in the IT system are created or handled, do not fill in the customer
service account and password.
b.During the maintenance, important information such as the system password should be
informed by telephone, encrypted email, or fax.
c.During the network optimization delivery, the customer's personal information and
tracing information that is involved in VIP experience tracing, VIP issue handling, and network
optimization in the VIP area must be used in the specified scope.
d.When the service-layer data in the data center is handled, information (such as email,
official document, salary, and personnel information) involved in data transfer and
maintenance is forbidden to be copied, reserved, or spread.
e.During service project management, the scope of customer reports and network
information to be sent must be controlled strictly.
a.Strictly follow the customer authorized purpose for customer network data transfer
operations.
b.Without the customers' consent, do not transfer customers' network data (including
personal data) out of the customers' network.
c.In case of an emergency, customer network data (including personal data) of sensitive
countries can be transferred back to China to avoid service delay.
d.Transfer of personal data from the European Economic Area (EEA) and other sensitive
countries should comply with local laws and regulations.
a.When an employee on a business trip gets to the destination, the destination department
should require the employee to study the training materials of cyber security, participate in
cyber security training, pass the cyber security test, and sign the commitment of cyber security
redlines. The destination department should keep a record of the employee's study, test, and
commitment.
b.During the employee's business trip, the destination department should regard the
employee as its own staff and implement regular cyber security management.
c.If an employee violates cyber security requirements during the business trip, the
supervisor of the destination department should bear the management liability if the supervisor
did not perform due duties in management or failed to take any measures after knowing the
violation.
d.If an employee on business trips supports a project, the department with management
responsibilities is the project team; if the employee does not enter the project, the department
with management responsibilities is the corresponding platform department.
a.Judiciously manage paper documents and storage media or devices that contain customer
network data to prevent unauthorized access or data loss.
b.Strictly control access permissions to the customer network data, and maintain
permissions regularly.
a.Before remote access, you must get customer written authorization to specify the
authorization scope and time limitation. The operation scheme of remote access should be
approved by the project team and experts.
c.The software, versions, patches, and licenses installed on the customer network in
remote access must be from the official channel of our company, including the support
website, formal email, and 3MS case library.
d.After the remote service ends, you should inform the customer to close remote service
environment on the device side, including cutting off the remote service connection through
the network and terminating the remote service software. You should also remind the customer
to change the password used during the remote service.
e.After remote service ends, you should delete the data and information obtained from the
customer network in time. If you need to reserve the data, the customer written authorization
must be obtained.
f.There must be strict recording of the server use. Every user should record the use
information in a written document or IT system.
a.Considering that the customer requirement is urgent, immediately access the customer
system for packet capture and troubleshooting.
b.First, apply to the customer for approval and obtain the written authorization for
accessing the customer system.
c.Directly access the customer system for processing after contacting the customer for
multiple times but failing to obtain any response.
d.Employee Z has a good relationship with the customer, so the employee can access the
customer system first and apply for written authorization later.
b.The Support website and the product catalog are the legal publication and download
platforms. All the tools (including the frontline custom tools) must be released on the legal
platform. Employees can download software from only the Support website, product catalogs,
and use software tools within the specified scope.
c.Employees are forbidden to download/use tool software from other illegal channels, for
example download a third-party software from the Internet, or obtain or use R&D tool
software from illegal channels.
a.Obtain written authorization from the customer in advance and keep the consent or
authorization record.
b.Disclose the function to the customer using product materials and describe the following
items explicitly: type of collected and handled data, purpose, handling method, deadline, the
next data receiver (if any).
c.The collection should comply with the purpose correlation, necessity, minimum, and
real-time update principles. Anonyms or pseudonyms shall be used wherever possible.
d.According to laws, personal data from cyber security sensitive countries should not be
transferred to other countries or areas including China.
a.End users' rights and freedom in processing personal data, especially privacy rights, are
protected by laws.
b.Avoid and reduce the use of personal data, anonymize the data or use pseudonyms as
much as possible according to local laws.
c.Take appropriate technical and organizational measures to protect personal data and
prevent illegal processing of the data in any form.
d.If a person has no intention but violates personal data or privacy, the person is not
legally liable.