My new blog at sbin.cn

January 30, 2007

Due to the publicly known reasons, this blog at wordpress.com has been not accessible at China for a long time till last Spring festival (Feb.2006). It’s very difficult for me to update and manage this blog, while most of my readers from mainland can not read it since then. So I decide move it to a new site with good performance.

Hope you guys can change your bookmark and RSS feeds. I am sorry for the unconvenience for this move. Thanks for the great pleasure WP community gave me.


China telecom operators and Sarbanes Oxley Act Compliance

August 10, 2006

In recent 2 years in China, the main rhythm in telecom industry is the compliance journey of Sarbanes Oxley Act (SOX). The four major telecom operators – China Mobile, China Telecom, China Netcom, China Unicom, all have public-list at USA stock market. In a similar time schedule, each of them has spent a lot of man power and money on SOX compliance, to organize, to plan, to build up internal control oriented processes, to buy consulting services and tools, to collect operation records.

  • Plan and Organize

Typically, inside an operator, a 404 team, headed by a vice general manager level executives, was assigned to lead the compliance activities. Specialists in each of the main IT departments, e.g. Management Information System Department, Billing Department, Network Department, were assigned to be responsible for the implementation and follow-ups. A series of education has been conducted to improve the awareness of compliance.
All provincial operators are required by their HQ to complete the self-assessment and corresponding remediation in the first half year of 2006, so that they can collect enough records for external auditors to testify the effectiveness of internal control measures. Three of the BIG FOUR accounting firms are external auditors of the four operators – KPMG for China Mobile and China Telecom, Deloitte for China Netcom, and PWC for China Unicom.

  • Acquire and Implement

In order to improve the effectiveness and efficiency of compliance controls, a series of nationwide security and governance projects are being undertaken, covering IAM (Identity and Access Management), auditing, ITSM (Information Technology Service Management) optimization and etc. Large amount of KPI (Key Performance Indicator) are setup and monitored to reflect the compliance status. Complete auditing systems are under continuous construction and improvement, while periodic and formal auditing processes for the compliance controls are designed and implemented.
We are glad to say that the enterprise governance structure and effectiveness has got unprecedented upgrade inside the four major telecom operators. There is no denying that SOX compliance journey is too expensive for mainland enterprises. The high cost of SOX has had many of enterprises to re-think their IPO plan to Nasdaq.

This page was also published at sbin.cn.

Deliciousdel.etio.us Diggdigg it


12345678! Pyramid Framework

June 14, 2006

Yesterday afternoon, WHY and I worked out a holistic enterprise internal control framework. We named it as 12345678! Pyramid Framework. It help integrate the enterprise execution, IT control and security control methodologies and countermeasures.

  1. One Priority: Execution
  2. Two Hands: Technology and Management
  3. Three Layers: Decision Makers, Managers, and Execution
  4. Four Phases: Plan, Do, Check, Act
  5. Five Layer Controls: Control Environment, Risk Assessment, Control Activities, Information and Communications, Monitoring
  6. Six Risk Elements: Assets, Threats, Vulnerabilities, Safeguards, Risks and Opportunities
  7. Seven Information Criteria: Confidentiality, Integrity, Availability, Efficiency, Effectiveness, Compliance, Reliability
  8. Eight IT Processes: Planning and Organization, Acquisition & Implementation, Delivery and Support, Monitoring and Evaluation

Do you like it? We know there has been much space left for it to be perfect. But it help guide your thinking ways when you prepare proposals or do planning. Its original form is in Chinese. Click here for more.

If you think it helpful or have any suggestions, just leave me a comment.


Identity is the foundation for everything we do

March 24, 2006

Sarbanes Oxley is bring blossoming business opportunities not only to the big 4 accounting firms, but also to a lot of software vendors, Among those technologies and products involved in SOX compliance programs, identity management is the focal point that a lot of giant vendors fight for, Microsoft, IBM, CA, BMC, HP, Oracle, Novell, Sun and …. I am very happy to see the following diagram:

GM Director of software

where John Jackson from GM said "Identity is the foundation for everything we do".

"Ten years ago, the prevailing assumption was that if you were on the GM network, then you were a GM employee," says Jackson, who is on the board of the Liberty Alliance, a consortium developing protocols for sharing identities.

"Today, we have dealers and suppliers [on the network] that are not a part of GM. Add the fact that we are completely outsourced, and it becomes critical to track who you are and what rights you have so we can make sure that people only get to the information they are allowed to get to. Identity is the foundation for everything we do," he adds.

So important is this that GM has a 12-person identity group within the security team. The group continues to consolidate internal directories while expanding its identity federation deployment and building out virtual directories and SSO capabilities.

Users and analysts agree that identity is seeping into corporate infrastructure.

"In five years, what we talk about today as identity and access management will just be another part of the infrastructure, and it won't be sold separately. It will be part of your security foundation," says Sally Hudson, a security research manager at IDC.

Technorati Tags: , , ,


[Chinese]安全经理不可忘记的五件事

February 16, 2006

安全经理,或者称为首席安全管,安全主管,这里指的是在企业组织中负责网络安全工作的经理,通常是一位中层领导,他还主管着信息系统的其他方方面面,例如运行维护,或者项目建设等。安全经理在企业组织的安全管理活动处于非常关键的地位,承上启下,分解高层对于网络安全的观点和使命,管理控制具体的安全运行和建设维护,他负责决定实际实施的技术路线和方案选型,抽象总结实际的安全工作的问题和由于其所处的位置为中层,就像“三观论”中的“中观”,企业组织的信息系统安全水平很大程度上取决于他个人对于网络安全的理解、重视与否和执行程度。

我经常对自己的愚钝、以及管理过程中的错误进行反思,看看是否可以找到一些方法来避免自己的愚钝和疏忽、固执,或者能够帮助面临自己同样境地的人。每个人都有每个人的困境,这里没有“银弹”。下面列出的不可忘记的五件事供您参考,或有一用,则善莫大焉。
Read the rest of this entry »


[Chinese]咨询的价值 - 读温伯格先生的《咨询的奥秘》

February 13, 2006

咨询的价值 - 读温伯格(Gerald M. Weinberg)先生的《咨询的奥秘》,成功提出和获得建议的指南
《The Secrects of Consulting》, by Gerald M. Weinberg

该书原版是1985年出版的,由李彤和关山松翻译,2004年清华大学出版社出版版。读后感觉该书的前四章(1 为什么咨询如此艰难、2 培养似非而是的四位框架、3 当你不知道自己在做什么时要有成效、4 看看那里有些什么),以及最后四章(11 经营你的服务、12 在你的脑门上贴上标签、13 怎样获得信任、14 让客户听从你的建议)更有趣,诙谐幽默中带来很多思考和收获,中间的5、6、7、8、9、10六章却没有留下什么印象。温伯格先生是一个思考大师,卓越的顾问。这也是一本近些年来唯一一本从头看到尾的书,还要多谢春节的假期,呵呵。为了不辜负花去的时间,把读后的一些感受和大家分享一下。

Read the rest of this entry »


SOA架构与电信业务支撑系统

January 3, 2006

光哥在CWeek论坛上发表了自己关于面向服务架构SOA与电信业务支撑系统的关系的看法,以及实施过程中的一些实际体验:

SOA并不是一种现成的技术,而是一种架构和组织IT基础结构及业务功能的方法,是一个能够长期指导业务系统规划开发的方法, SOA并不仅仅是一种开发方法,它还具有管理上的优点。例如,现在管理员可直接管理开发人员所构建的相同服务,这远胜于以往管理单个应用的方式。通过分析 服务间的交互,SOA可以帮助运营商了解何时以及为什么业务逻辑被切实执行了,这使管理员或系统分析师能够有针对性的优化现有的业务流程。可以说采用 SOA架构的业务支撑系统的最终蓝图将是模块化,流程驱动,多种渠道统一访问,业务过程实时监控,有着统一开发部署技术体系和安全管理的系统。

一石激起千层浪,后面引来很多高手关于服务目录SC、原子服务和Web Service等的精彩论述,值得一读。