Huawei Cloud Data Security Management

Huawei Cloud has a comprehensive internal data security management system in place to ensure that its security capabilities and security measures are well maintained. The system is enhanced in four ways: organizational responsibilities, regulations and processes, personnel management, and measurement and supervision.

Organizational Responsibilities

Huawei Cloud has established a top-down data security management responsibility system that includes a decision-making layer, management layer, execution layer, supervision layer, and support layer.

Decision-making layer:

responsible for making decisions on Huawei Cloud data security strategies and major issues

Management layer:

the individuals and organizations that are responsible for the daily data security management

Execution layer:

the individuals who are responsible for the implementation of data security requirements, routine management, and performance on data security in the corresponding service domain

Supervision layer:

An independent inspection team is appointed to supervise the implementation of data security management and the rectification of findings in each service domain

Support layer:

organizations that support data security operations, including tool development, personnel training, and external communications

Regulations and Processes

To ensure the fulfillment of data security management requirements, Huawei Cloud has integrated data security requirements into main service processes, including R&D, O&M, operations, supply chains, marketing, sales, delivery, and technical services.

First, Huawei Cloud has established dedicated data security processes, such as data rating and review processes.

Second, Huawei Cloud has incorporated security requirements into existing service processes to make sure data security requirements are implemented end to end.

Security is a essential requirement for quality management. Huawei Cloud uses management regulations and technical specifications to ensure implementation of security controls. Huawei Cloud supervises and improves service processes through internal audits and security certification and audits carried out by independent third-party agencies.

Personnel Management

Huawei Cloud has created a comprehensive security management system for employees and partners, covering the entire lifecycle, from onboarding to resignation. Huawei Cloud continuously improves the data security awareness and security capabilities of related personnel to effectively ensure the overall security of the cloud platform.Huawei Cloud has established strict employee behavior management rules. All employees must comply with those rules. Any employees who violate security requirements will be held accountable and face disciplinary measures. Huawei Cloud also provides regular security awareness and capability training for all employees. Employees also need to participate in cyber security and privacy protection training related to their positions to reduce security and privacy risks.

In some cases, when customers use Huawei Cloud services, some services may be provided by Huawei Cloud along with the suppliers. Huawei Cloud investigates security of all suppliers and contracts with suppliers to ensure they take appropriate security measures to protect customer data. Huawei Cloud has formulated information security management regulations for outsourcing suppliers. These regulations are supplementary clauses in contracts signed with suppliers. There are specific disciplinary measures stated for any violations against these regulations.

Measurement and Supervision

Huawei Cloud has built a comprehensive system to evaluate the fulfilment of data security requirements from three layers of metrics and three lines of defense.

There are three layers of metrics: the metrics at process, operation, and result layers are used to continuously evaluate and monitor the implementation of data security controls and drive service domains to continuously improve data security management.

There are three lines of defense: service-level self-checks, independent security inspections, and company-level independent audits. These lines of defense drive each service domain to perform in-depth analysis on their data security management and ensure that the measurement data is authentic and reliable and management measures are well implemented.