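In the current environment, the production of financial reports depends heavily on IT systems. The generation, recording, processing and reporting of financial data are all closely tied to IT systems. For that reason, the control and assessment of IT systems, like the compliance review of the financial reports themselves, is an indispensable part of SOX compliance.
The figure below maps the control objectives of SOX to PCAOB and CoBIT: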
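Persistence is a very hard thing, and it is also the reason for not succeeding.
Keeping up a blog is exactly like that.
I am going to change the style of the blog a bit and stop making the writing so tiring for myself. Lately every update has been in the InfoSec category; from now on I will add more in categories like My Life, keeping things casual.
I remember that when I interviewed at IBM last month, Xu Huan asked me: what do you think of Pan Zhuting and Zhao Liang? At the time I thought he asked in passing because they had come up in conversation. Later it occurred to me that he may have wanted to learn what I thought of their views on information security, and through that have me set out my own understanding of information security.
I did not say much at the time, mainly because I rarely comment on other people. Also, when talking with people I do not know well, I generally say very little and try not to reveal my personal leanings. I just forgot that this was an interview, where I should have said more, so that was a mistake.
In fact Pan is a veteran figure in information security whom I have always regarded as an "idol". I have read quite a few of his articles, and his writing on methodology has taught me a lot. I have just never had the chance to meet him. The same goes for Dr. Zhao Liang, whose blog I visit often. It is only that I had always worked in small companies, whose customers are not the same as their customers, so naturally the methodology is not the same either.
Having changed jobs, I hope my horizons will be broader, my view will reach further, and my state of mind will be better too.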
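We pick the best IDC
A full set of Cisco and network equipment plus Sun servers
If we build, we build the coolest user experience
Free account registration
Every account gets at least two GB of storage
Ajax, tags, RSS, what have you
Whatever can be thrown in, throw it all in
The community comes with a VIP area,
with experts camped out 7*24 to answer your questions
A guy called Keso is stationed permanently on the blog
With a little ponytail, the really big-shot kind
The moment anyone opens the page, whether they need anything or not, he tells them over Skype
"Hurry up and register, you!"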
IBM announced on Wednesday that the technology giant has agreed to buy Internet Security Systems, an all-cash deal that the company valued at $1.3 billion, or about $28 a share.
The acquisition, the fifth largest for IBM, makes Big Blue a stronger player in the security software and services industry, a $33 billion-per-year market, the company said. Acquiring ISS also deepens IBM's managed services and compliances businesses, the technology giant said.
"Companies recognize that rapidly evolving security threats and complex regulatory requirements have turned security into a mission-critical priority," Val Rahmani, general manager of IBM Global Services' Infrastructure Management division. "This acquisition will help IBM to provide companies with access to trained experts and leading-edge processes and technology to evaluate and protect against threats and enforce security policies."
The purchase is the latest deal in a trend of consolidation in the security industry. Microsoft bought up Windows systems experts Winternals and Sysinternals.com last month and plucked antivirus firm Sybari last year. Security firm McAfee purchased online Web site evaluator SiteAdvisor earlier this year, and Symantec bought enterprise backup provider Veritas in 2004. (Symantec also owns SecurityFocus.) Earlier this year, Check Point Software Technologies had to call off its deal to buy Sourcefire after the government intervened in the acquisition.
Internet Security Systems' research arm, X-Force, has regularly researched and reported significant software vulnerabilities. A vulnerability in networking giant Cisco's products and found by an ISS researcher became the center of controversy in 2005, when the researcher resigned from the company to give a presentation at the Black Hat Security Briefings in Las Vegas.
The deal is subject to shareholder and regulatory approval and will likely close in the fourth quarter of this year.
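The US Securities and Exchange Commission (SEC) is allowing small public companies and foreign private issuers to defer compliance with Section 404 of the Sarbanes-Oxley Act (SOX).
The deferral of Section 404 of the Sarbanes-Oxley Act has a considerable impact on small and medium-sized companies listed in the US. The sentence above contains two key terms: small public companies (market capitalization under 75 million) and foreign private issuers. So it seems that China Mobile and China Netcom do not fall into this group!
A while ago I was reading a book, Sarbanes-Oxley IT Compliance Using CobiT and Open Source Tools. Near the beginning of the book there is this passage: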
Sarbanes-Oxley compliance requires more than documentation and/or establishment of financial controls; it also requires the assessment of a company's IT infrastructure, operations, and personnel. Unfortunately, the requirements of the Sarbanes-Oxley Act of 2002 do not scale based on the size or revenue of a company. Small to medium-sized companies (IT department) will face unique challenges, both budgetary and with personnel, in their effort to comply with the Sarbanes-Oxley Act of 2002.
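It seems the SEC has realized this problem too.
Over the past couple of days I saw online that, not long ago, the National Information Security Standardization Technical Committee (the Information Security Standards Committee for short, TC260) published a summary of the information security standards released since 2006, with the following content: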