
Research and Practice on Product Security Governance
Abstract: This paper studies how to ensure that suppliers deliver secure and trustworthy products and services from the perspective of product security governance. First, it introduces the context of product security, gives the definition and objectives of product security, and proposes that product security is a security governance problem. It then establishes an organizational structure for product security governance based on the three-line model, describes the roles and responsibilities of each organizational unit, and addresses separation of duties and conflicts of interest at the level of organizational structure. Next, it introduces the concept, framework, system and implementation approaches of product security policies, and establishes the top-level requirements for building a systematic product security program. Finally, the main contributions of the paper are summarized and directions for further research are pointed out. These research results have been applied in ZTE's product security practices and have achieved good governance effects.

Authors: Wei Yinxing, Zhong Hong, and Zheng Jun (ZTE Corporation, Nanjing 210012)

Source: Journal of Information Security Research (《信息安全研究》), CSCD, 2023, No. 12, pp. 1218-1225 (8 pages)

Keywords: security governance; product security; security policy; three-line model; system life cycle