My new blog at

January 30, 2007

Due to the publicly known reasons, this blog at has not been accessible in China for a long time, since last Spring Festival (Feb. 2006). It is very difficult for me to update and manage this blog, and most of my readers from the mainland have not been able to read it since then. So I decided to move it to a new site with good performance.

Hope you guys can change your bookmarks and RSS feeds. I am sorry for the inconvenience of this move. Thanks for the great pleasure the WP community gave me.

China telecom operators and Sarbanes Oxley Act Compliance

August 10, 2006

In the past two years in China, the main theme in the telecom industry has been the compliance journey for the Sarbanes-Oxley Act (SOX). The four major telecom operators – China Mobile, China Telecom, China Netcom and China Unicom – are all publicly listed on the US stock market. On a similar schedule, each of them has spent a great deal of manpower and money on SOX compliance: to organize, to plan, to build up internal-control-oriented processes, to buy consulting services and tools, and to collect operational records.

  • Plan and Organize

Typically, inside an operator, a 404 team headed by an executive at vice general manager level was assigned to lead the compliance activities. Specialists in each of the main IT departments, e.g. the Management Information System Department, the Billing Department and the Network Department, were assigned responsibility for implementation and follow-up. A series of training sessions has been conducted to improve awareness of compliance.
All provincial operators were required by their HQ to complete the self-assessment and the corresponding remediation in the first half of 2006, so that they could collect enough records for external auditors to test the effectiveness of the internal control measures. Three of the Big Four accounting firms are external auditors of the four operators – KPMG for China Mobile and China Telecom, Deloitte for China Netcom, and PwC for China Unicom.

  • Acquire and Implement

In order to improve the effectiveness and efficiency of compliance controls, a series of nationwide security and governance projects is being undertaken, covering IAM (Identity and Access Management), auditing, ITSM (Information Technology Service Management) optimization, etc. A large number of KPIs (Key Performance Indicators) have been set up and are monitored to reflect compliance status. Complete auditing systems are under continuous construction and improvement, while periodic and formal auditing processes for the compliance controls are designed and implemented.
We are glad to say that the enterprise governance structure and its effectiveness have received an unprecedented upgrade inside the four major telecom operators. There is no denying that the SOX compliance journey is too expensive for mainland enterprises. The high cost of SOX has made many enterprises rethink their plans for an IPO on Nasdaq.


12345678! Pyramid Framework

June 14, 2006

Yesterday afternoon, WHY and I worked out a holistic enterprise internal control framework. We named it the 12345678! Pyramid Framework. It helps integrate enterprise execution, IT control and security control methodologies and countermeasures.

  1. One Priority: Execution
  2. Two Hands: Technology and Management
  3. Three Layers: Decision Makers, Managers, and Execution
  4. Four Phases: Plan, Do, Check, Act
  5. Five Layer Controls: Control Environment, Risk Assessment, Control Activities, Information and Communications, Monitoring
  6. Six Risk Elements: Assets, Threats, Vulnerabilities, Safeguards, Risks and Opportunities
  7. Seven Information Criteria: Confidentiality, Integrity, Availability, Efficiency, Effectiveness, Compliance, Reliability
  8. Eight IT Processes: Planning and Organization, Acquisition & Implementation, Delivery and Support, Monitoring and Evaluation

Do you like it? We know there is still much room for it to be perfected. But it helps guide your thinking when you prepare proposals or do planning. Its original form is in Chinese. Click here for more.

If you find it helpful or have any suggestions, just leave me a comment.

Identity is the foundation for everything we do

March 24, 2006

Sarbanes-Oxley is bringing blossoming business opportunities not only to the Big Four accounting firms, but also to a lot of software vendors. Among the technologies and products involved in SOX compliance programs, identity management is the focal point that many giant vendors fight for: Microsoft, IBM, CA, BMC, HP, Oracle, Novell, Sun and so on. I am very happy to see the following diagram:

(Diagram: GM Director of software)

where John Jackson from GM said "Identity is the foundation for everything we do".

"Ten years ago, the prevailing assumption was that if you were on the GM network, then you were a GM employee," says Jackson, who is on the board of the Liberty Alliance, a consortium developing protocols for sharing identities.

"Today, we have dealers and suppliers [on the network] that are not a part of GM. Add the fact that we are completely outsourced, and it becomes critical to track who you are and what rights you have so we can make sure that people only get to the information they are allowed to get to. Identity is the foundation for everything we do," he adds.

So important is this that GM has a 12-person identity group within the security team. The group continues to consolidate internal directories while expanding its identity federation deployment and building out virtual directories and SSO capabilities.

Users and analysts agree that identity is seeping into corporate infrastructure.

"In five years, what we talk about today as identity and access management will just be another part of the infrastructure, and it won't be sold separately. It will be part of your security foundation," says Sally Hudson, a security research manager at IDC.



February 16, 2006


[Chinese] The Value of Consulting - Reading Mr. Weinberg's "The Secrets of Consulting"

February 13, 2006

The Value of Consulting - Reading Mr. Gerald M. Weinberg's "The Secrets of Consulting: A Guide to Giving and Getting Advice Successfully"
"The Secrets of Consulting", by Gerald M. Weinberg

The original edition of this book was published in 1985; the Chinese translation by Li Tong and Guan Shansong was published by Tsinghua University Press in 2004. After reading it, I felt that the first four chapters (1 Why Consulting Is So Tough, 2 Cultivating a Paradoxical Frame of Mind, 3 Being Effective When You Don't Know What You're Doing, 4 Seeing What's There) and the last four chapters (11 Marketing Your Services, 12 Putting a Price on Your Head, 13 How to Be Trusted, 14 Getting People to Follow Your Advice) are the more interesting ones, bringing a lot of reflection and insight along with the wit and humor, while the six middle chapters, 5 through 10, left no impression on me. Mr. Weinberg is a master thinker and an outstanding consultant. This is also the only book in recent years that I have read from beginning to end, for which I must also thank the Spring Festival holiday, heh. So that the time spent is not wasted, I would like to share some of my impressions with everyone.



January 3, 2006


SOA is not a ready-made technology but a method for architecting and organizing IT infrastructure and business functions, a method that can guide the planning and development of business systems over the long term. SOA is not merely a development method; it also has management advantages. For example, administrators can now directly manage the same services that developers build, which is far better than the old way of managing individual applications. By analyzing the interactions between services, SOA can help operators understand when and why business logic was actually executed, which lets administrators or system analysts optimize existing business processes in a targeted way. It can be said that the final blueprint for a business support system built on SOA will be a system that is modular, process-driven, uniformly accessible through multiple channels, with real-time monitoring of business processes, and with a unified development and deployment technology stack and unified security management.

One stone stirred up a thousand waves: it drew many excellent discussions from experts on the service catalog (SC), atomic services, Web Services and so on, well worth reading.