Journal of Information Security Research ›› 2023, Vol. 9 ›› Issue (12): 1218-.

Research and Practice on Product Security Governance

Wei Yinxing, Zhong Hong, and Zheng Jun

ZTE Corporation, Nanjing 210012
Online: 2023-12-20; Published: 2023-12-29



Corresponding author: Wei Yinxing, PhD. Main research interests: security governance, secure development, penetration testing, security auditing.
Author biographies: Wei Yinxing, PhD. Main research interests: security governance, secure development, penetration testing, security auditing. Zhong Hong, Chief Security Officer. Main research interests: security governance system planning and construction, product security full-lifecycle management. Zheng Jun. Main research interests: security governance, process assessment, incident response, security design systems and methods.

Abstract: This paper studies how to ensure that suppliers deliver secure and trustworthy products and services from the perspective of product security governance. First, it introduces the context of product security, gives the definition and objectives of product security, and proposes that product security is a security governance problem. Then it establishes an organizational structure for product security governance based on the three-line model, describes the roles and responsibilities of each organizational unit, and resolves the problems of separation of duties and conflicts of interest at the level of the organizational structure. Next, it introduces the concept, framework, system and implementation approaches of product security policies, and establishes the top-level requirements for building a systematic product security program. Finally, the contributions of this paper are summarized and directions for future research are pointed out. These research results have been applied in ZTE's product security practices and have achieved good governance results.

Key words: security governance, product security, security policy, three-line model, system lifecycle


