Notice on Issuing the Basic Standard for Enterprise Internal Control
[Date: July 10, 2008]
In order to strengthen and standardize enterprise internal control, improve the level of enterprise operation and management and the ability to prevent risks, promote the sustainable development of enterprises, and safeguard the socialist market economic order and the public interest, in accordance with relevant national laws and regulations, the Ministry of Finance, together with the China Securities Regulatory Commission, the National Audit Office, the China Banking Regulatory Commission and the China Insurance Regulatory Commission, has formulated the Basic Standard for Enterprise Internal Control, which is hereby issued. It takes effect on July 1, 2009 for listed companies, and non-listed large and medium-sized enterprises are encouraged to implement it. Listed companies implementing this Standard shall conduct a self-assessment of the effectiveness of their internal control, disclose an annual self-assessment report, and may engage an accounting firm qualified for securities and futures business to audit the effectiveness of their internal control. Please report any problems encountered during implementation to us promptly.
It’s reported that the U.S. Department of Homeland Security was looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. It’s an inspiring finding from a unique viewpoint: a slight bite injected into the grid might lead to an overwhelming avalanche. Isn’t it horrible?

However, what I am thinking is that Internet cloud services have many similarities to the power grid, i.e. these threats and potential attacks are very possibly valid for Internet clouds as well. What and how would Internet clouds respond to attacks similar to those against the power grid? Yes, the dominant cloud service providers have very robust and strong infrastructure all over the world: how large the bandwidth, how many servers, how many square feet of data centers, and so on. Further, there are automatic load balancing and distribution systems among those distributed data centers. Once one set of servers and/or circuits fails, the services would be transferred to other servers and circuits automatically. Your services WILL be there, staying the same, or NOT?
Information is the new currency of business – a critical corporate asset whose value rises and falls at different times, and in different ways, depending on when, how, where and by whom it is placed into circulation as a medium of exchange.
Therein lie the risks. And the opportunities.
“Safeguarding the new currency of business”, Findings from the 2008 Global State of Information Security Study®, PWC
Many business units are being drawn into using cloud services by the attractive economics, bypassing IT departments to host their applications and data in the cloud directly. This creates several problems for the IT organizations with reduced internal and external control.
- From RSA Whitepaper “The Role of Security in Trustworthy Cloud Computing”.
Even if they were not directly for cloud services, there have been cases where BUs signed contracts with third-party providers to host their applications directly, bypassing the IT department. Obviously, this is not good practice from a governance perspective. It might be a heads-up for CIOs in the cloud era.
If security experts do not fully understand the business, organizational roles, and people in general, they will not make the security sale. Security experts must be educators, which means they must understand human beings outside of their world, because all parties influenced and affected by security (and that’s everybody) need to understand, in a balanced fashion and in terms they understand, what security means to them.
- “Mission-Critical Security Planner”, by Eric Greenberg
Two basic kinds of online websites are online banks and online games. Unlike what we did for traditional system security, we must take care of both the front-end servers and the customers’ applications. Yes, customers’ desktops and applications! A lot different!
No matter what the mode is, C/S or B/C, we need to make sure both careless users and vulnerable applications are in a good security posture. This brings by far the toughest challenges to the security team. Unregistered game servers (SiFu in Chinese), phishing websites, cheating programs (WaiGua in Chinese), various trojans, leaked passwords, compromised user systems, lots of servers residing in distributed IDCs, different operating systems and applications: all of this makes security a mess.
Here is an economical approach for your reference.
The traditional security products, including firewalls, IDS and anti-virus, are very familiar to us. They occupy most of the security market share. And we know UTM, IPS and SOC are the rising stars. However, what about the future? From the view of the ISO/OSI model, we know we have done too much at the network layer; we have focused on this layer and developed lots of products based on it.
Maybe the reason is this: in the past, we implemented the IT infrastructure without security built into it. The Internet spread widely within a few years and security just couldn’t keep up with it. This has brought a lot of breaches or exposures at the networking layer.
In general, the security market has a wide range of products and services. It consists of products (FW, IDS/IPS, VPN, UTM, SOC, 4A, etc.) and services, e.g. risk assessment, managed security services (including monitoring, etc.), consulting services for COBIT/ITIL/ISO/IATF, solutions, system hardening, penetration testing, management, training, etc.
We have a hard time selling our services, because Chinese customers have a lower recognition of services than Westerners do. In their minds, services should be free once I have bought your product, and you should do the rest. On the other hand, services aren’t unified and standardized, so customers won’t pay much money for them. That’s the problem.
However, security services are a promising market. No one is willing to lose this market, so you’d better always keep an eye on it. Some day in the near future some kinds of services will come up. Security services will end up in the form of products in the China market. Actually, lots of companies have already done this.
Establishing Data Ownership is a fundamental component or building block of any Information Security Management System (ISMS). The Data Owner is the single person ultimately responsible for their data. They define policy, control who has access and may delegate some or all of their responsibility to Data Stewards. The Data Custodians (typically IT) are the instrument of the Data Owner’s policies, enforce and manage policy compliance and help manage access rights and other IT controls according to the Data Owner’s requirements.
- From one security assessment report
Recently, the famous social networking website Facebook changed its policy in a way that threatens users’ privacy. While this seems to be an isolated case, it sends us a strong message about how to protect our own privacy in such an information society.
Generally, we sign up for a bunch of accounts at too many websites. For example, we create an account on a financial website for investing, and create another account on another website for email. One month or one year later, we turn our attention to a new hot subject for one reason or another; say we like playing online games now, so we continue to create accounts and set up another password for security purposes. We do the same thing over and over again. Eventually we have created so many accounts that we don’t actually use. So much of your personal data is online without any care! (Even if you are very vigilant about the information, it has been too long to remember the password needed to close your account properly.)
When we think of security, we tend to think about security products, security functions, control mechanisms, privacy protection, implementation, maintenance, configuration, etc. separately; this causes many problems and adds to the overhead.
The world is changing quickly. It’s a pleasure to see that China is now regarded as a major force of influence in the whole world. That’s also true in the IT industry.
According to the report, China is the fastest-growing smartphone market. Furthermore, China has more mobile phone subscribers than any other country in the world.
“Never do today what you can put off till tomorrow if tomorrow might improve the odds.” – Robert Heinlein
This is a very interesting point, particularly for security patching. Enjoy it.
According to lots of publicly released reports, there is conclusive evidence that security tools are used for attack purposes rather than their original purposes (proof of concept or education).
A lot of information system incidents are related to serious offenses, especially the misuse of security tools in a criminal manner. It’s easy for young guys to download the tools, and lots of tools are designed to be automatic. Even a newbie is able to become a “super” hacker in cyberspace. They attempt to shield themselves behind the Internet and arbitrarily attack anyone around the world they don’t like. Any viewpoint they deem harmful to their image, they attack as well; however, nowadays this activity is more related to profit than ever. That’s the notorious cyber terrorism and underground economy.

SearchSecurityAsia recently released its 10 most popular security articles of 2008. The list is based on page-view statistics from its website database. Looking at the list, it is fairly representative. For reference only.