In China, network and information security have received growing attention in recent years, not only from the government and large enterprises, but from society as a whole. More and more relevant standards are being issued, and internal control manuals are being written and enforced in FSI (Finance, Securities and Insurance) and telecom enterprises to strengthen their compliance management.
Since the beginning of 2006, 15 standards have been published in the security domain by the technical committee TC260 (http://www.tc260.org.cn), which is responsible for information security related standards under the government standardization organization (http://www.sac.gov.cn/), the counterpart of NIST in the USA. Some of them cover the detailed management and technical requirements for classified security protection, while others are updates of the earlier GB/T18336, the localized version of ISO15408 (CC). Additionally, ISO17799:2000 was adopted as GB/T19716-2005 in 2005.
For the original publication page, see: http://www.tc260.org.cn/sy/xwzt/htmls/20060720000002.html
Posted by Richard

China telecom operators and Sarbanes Oxley Act Compliance
August 10, 2006
In the past two years in China, the dominant theme in the telecom industry has been the compliance journey of the Sarbanes-Oxley Act (SOX). The four major telecom operators – China Mobile, China Telecom, China Netcom and China Unicom – are all publicly listed on the US stock market. On similar schedules, each of them has spent a great deal of manpower and money on SOX compliance: organizing, planning, building internal-control-oriented processes, buying consulting services and tools, and collecting operation records.
Typically, inside an operator, a 404 team, headed by an executive at vice general manager level, was assigned to lead the compliance activities. Specialists in each of the main IT departments, e.g. the Management Information System Department, Billing Department and Network Department, were assigned responsibility for implementation and follow-up. A series of training sessions has been conducted to improve awareness of compliance.
All provincial operators are required by their HQ to complete self-assessment and the corresponding remediation in the first half of 2006, so that they can collect enough records for external auditors to testify to the effectiveness of the internal control measures. Three of the Big Four accounting firms are external auditors of the four operators – KPMG for China Mobile and China Telecom, Deloitte for China Netcom, and PwC for China Unicom.
In order to improve the effectiveness and efficiency of compliance controls, a series of nationwide security and governance projects is being undertaken, covering IAM (Identity and Access Management), auditing, ITSM (Information Technology Service Management) optimization, etc. A large number of KPIs (Key Performance Indicators) have been set up and are monitored to reflect compliance status. Comprehensive auditing systems are under continuous construction and improvement, while periodic, formal auditing processes for the compliance controls are being designed and implemented.
We are glad to say that the enterprise governance structure and its effectiveness have been upgraded to an unprecedented degree inside the four major telecom operators. There is no denying, however, that the SOX compliance journey is very expensive for mainland enterprises. The high cost of SOX has led many enterprises to rethink their plans for an IPO on Nasdaq.
This page was also published at sbin.cn.