PraxIS September 2004

04-09 Contents: Open Source IS Security, ICS Risk lectures, Blinkx, Copernic, Job Search Networking, Spreadsheets SOX, humour.

ISSN 1649-2374 This issue online at

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success  


1) Risk & Security
     Open Source IS Security body of knowledge
     ICS CPD autumn lectures on Risk Management
2) Local disk drive index/search utilities
     Copernic Desktop Search
3) Will (does?) the Real Economy Stand Up?
     Job search - networking drying up? 
4) Spreadsheets
     Foundations of Spreadsheets: Workshop, Rome
     Excel range name curiosity
     Spreadsheet Control and Sarbanes-Oxley
5) Off Topic
     Business Books 
     Explorer error message ;-)
     Software Project Cartoons
18 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information


Welcome to PraxIS

To help sponsor the cost of this newsletter, make your next purchase from Amazon using one of the links below. You don't even have to buy the specific book I mention - just click on one of my links before you buy anything from Amazon! When you click, you are offered a choice of Amazon store - US, Canada, UK, France, Germany, Japan, so you can pick the one that suits you.

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  IT Risk and Security

Open Source IS Security body of knowledge

Balwant Rathore of the Open Information System Security Group is collating an Open Source Book on Information System Security Assessment at - I have not reviewed it yet, but I just thought I'd let you know so you can track its growth. It would be interesting to see if a volunteer effort does in fact manage to organise a useful body of knowledge.

ICS CPD autumn lectures on Risk Management

Irish Computer Society Continuous Professional Development programme for autumn 2004, free of charge for ICS members, ten euro for non-members.
A series of four lectures on Security and Risk will run fortnightly at 6-8pm on Wednesdays. The first three of these will be delivered by Eamon O'Tuathail, winner of the Microsoft EMEA Security Championship. The topics are:
1. Threat Modelling (Wed Sept 8)
2. Preventing Web Application Hacking (Wed Sept 22)
3. Practical Use of Cryptography (Wed Oct 6)

The fourth, on Wed Nov 17, is my presentation on Spreadsheet Risk Management where I talk about spreadsheet controls and testing. This lecture places auditing and testing techniques within the broader context of quality management and describes specific tools to assist and automate these tasks.

Book: Official (ISC)^2 Guide to the CISSP Exam

"Official (ISC)^2 Guide to the CISSP Exam", Susan Hansche/John Berti/Chris Hare, 2004, rrp U$70.
Robert M. Slade says in BKOIGTCE.RVW 20040618 "This guide has a significant advantage in this regard: not only do a number of the contributors produce questions for the exam itself (therefore being more than passingly familiar with the style and level of difficulty required), but the CISSP exam committee was also approached for advice and input. . . currently the best of the guides."


2) Local disk drive index/search utilities

I use Wilbur from - it's free and fast. Last month I tried two others:

Blinkx have a search tool that provides results from the web, newsgroups, video feeds, blogs, and your own hard disk. Their story shows the power of blogs and viral publicity:,3605,1260983,00.html "The blog was posted on a Friday, and by the Monday there were 5,000 links to it and people were discussing it all over the world. Since then, there have been 130,000 direct downloads, and many more through users swapping files. This week, the site - which is only launched today - has been recording 6m links or hits a day solely from word-of-mouth publicity."
" uses artificial intelligence to rate stories, not page rankings."
It vaguely reminds me of the old AltaVista Discovery program that used to index HDs ... very slowly. I tried it for my favourite topic, "spreadsheet errors", and found that the first page, while not like the Google results, was still relevant. I think the citation method of Google probably suits academic papers better. Compare: Blinkx with Google
I could not get it to give me results from my hard disk. It appears to recognise only MS Office documents. One notable limitation is that you have to add folders one at a time. That's silly, they should have an option to include subdirectories.  I received only an autoresponder when I reported these issues to them.
Bernie Goldbach's blog has his review where he did not see the commercial imperative for it
John Battelle's Searchblog quotes a number of disappointed users.

Copernic Desktop Search

This utility searches files and Outlook e-mails. It indexes PDF content which Wilbur does not. It handles Eudora mailboxes simply as files, you can add extra file types to index. I let it index my hard disk over an evening. It indexed 31,640 files, 600MB of an index out of 16GB disk used. It responds with a list of files fairly fast, but takes a bit longer to search in a file, and sometimes freezes altogether. It does not have the "collapse" view of Wilbur which shows search hits in context. The Help again just hangs the system because it is only available online - you'd think they would (a) say so and (b) test for that. People are going to be reluctant to grant it permission to go online until we know what kind of data it's going to send back to I notice the taskbar seems to stop responding occasionally, and shutdown time is slow, probably because of a great deal of disk update activity. I have disabled "on-the-fly" indexing and set it to update in the evening, so I now see less slowdown and fewer reboots. It looks promising but I'll keep using Wilbur in parallel when I want a quick search, until I figure out how to optimise Copernic. If they fix the hangups, I'll continue looking at it.
Another review:


3) Will (Does?) the Real Economy Stand Up?

It's curious that on one side there are stories of surging economies and full employment, and on the other hand I get emails from IT professionals finding it very hard to get work, see that bargain hunters crowd car boot sales and eBay auctions, and hear of company closures every week in the news. Just a diverse economy, I guess.
Kevin Donlin of the Star Tribune provides job search advice. In his Aug 30 column he wrote: "Now, do you think you MIGHT get hired faster if you called to network with 120 people this month? I’ll answer that for you -- yes!" I referred him to this NY Times article, which compares that job search approach to spam, and he promised to write soon about how to avoid that trap by not simply asking for a job over and over.
"It's a lot like spam," said Diane DiResta, president of DiResta Communications, which assists in career development. "People keep hitting up the same contacts over and over again." 

After two years of searching, Mr. Boatwright, a 41-year-old lawyer, found that this assistance came to an end. "I found that people aren't as likely to respond after a while of looking. You can only go back to the well so many times. You ask them once or twice for a referral or a favor. But when you go three or four times, people start to get a little tired of helping. It gets uncomfortable."

Many experts are baffled as to what might work for job seekers whose networks are drying up. "Sad thing to confirm, but networking has hit burnout," said Stephanie Pinson, president of the executive search firm Gilbert Tweed, in New York.

Book: How would you move Mount Fuji?

How Would You Move Mount Fuji?: Microsoft's Cult of the Puzzle by William Poundstone, rrp $15. Profiles the unique process by which Microsoft identifies its most creative employees, listing thirty-five riddles used by the company to gauge creative analytical thinking and offering advice to business leaders on how to follow Microsoft's example in order to attract top talent.


4) Spreadsheets

Foundations of Spreadsheets: Workshop, Rome

Int. Workshop on the Foundations of Spreadsheets (FOS'04) Rome, Italy, September 30, 2004 

Martin Erwig will be leading a new workshop on Foundations of Spreadsheets as a satellite workshop at IEEE VL/HCC. The purpose of the workshop is to develop a research agenda for the future research on the foundations of spreadsheets. To facilitate the exchange of ideas, the workshop is organized into several interactive discussion sessions. Invited speakers will each provide a perspective to get the discussion going, and each participant will contribute from their views and expertise. The workshop is organized around HCI, business, programming (language), and quality aspects of spreadsheets.

Eusprig members will be participating: Pat Cleary of UWIC, Grenville Croll of Frontline Systems UK. By the way, the Eusprig horror stories page now has more than fifty entries!


Excel range name curiosity

I discovered a limitation to validly formed Excel range names. I can create range names like "A1test", "B1test", but not "C1test" - I get the message "That name is not valid".
Experimentation shows me that names are invalid when the first letter is C followed by a number in the range 1-256, or R followed by 1-65536, even when followed by other letters to distinguish the name from a cell reference like C1. Also, the names R, C, and RC are invalid. So it looks like Excel thinks the Cnnn stands for Column and Rnnnnn for Row - there are 256 columns and 65536 rows in Excel. This is the convention used in the R1C1 reference style.
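The rule observed above can be turned into a pre-check for range names produced by templates or scripts, so that a rejected name is caught before it reaches the workbook. This is an added example, not code from the newsletter or from Excel; the function names are hypothetical, and treating the letters case-insensitively and ignoring leading zeros are assumptions the text does not test.

```python
import re

# Sheet limits quoted in the text for the Excel versions it discusses.
MAX_COLUMNS = 256
MAX_ROWS = 65536

# A leading R or C followed by the longest run of digits; anything may follow.
# Case-insensitive matching is an assumption, not something the text reports.
_PREFIX = re.compile(r"^([RC])(\d+)", re.IGNORECASE)


def conflicts_with_r1c1(name: str) -> bool:
    """Return True if `name` falls under the rejection rule observed in the text."""
    # The bare names R, C and RC are reported as invalid on their own.
    if name.upper() in {"R", "C", "RC"}:
        return True
    match = _PREFIX.match(name)
    if match is None:
        return False
    letter = match.group(1).upper()
    number = int(match.group(2))  # assumption: leading zeros are ignored
    limit = MAX_COLUMNS if letter == "C" else MAX_ROWS
    # Only numbers that could be a real column or row index trigger the rule.
    return 1 <= number <= limit


def screen_names(names):
    """Split candidate names into (accepted, rejected), preserving order."""
    accepted, rejected = [], []
    for candidate in names:
        target = rejected if conflicts_with_r1c1(candidate) else accepted
        target.append(candidate)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample names, including the ones quoted in the text.
    sample = ["A1test", "B1test", "C1test", "C257x", "R65536x", "Rate", "RC"]
    print(screen_names(sample))
```

It checks only the R/C rule described here; Excel's other naming restrictions are out of scope.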
Other Excel oddities:


Spreadsheet Control and Sarbanes-Oxley

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act
PricewaterhouseCoopers, July 2004.
This PwC White Paper discusses the evaluation of the control environment and specific control activities that should be considered by management in evaluating the use of significant spreadsheets as part of their 404 process.
Practical Steps for Evaluating Spreadsheet Controls
Implementing a process to ensure appropriate controls over spreadsheets is a critical element of compliance with Sarbanes-Oxley Section 404. There are five high-level steps to implementing such a process:
1. Inventory spreadsheets
2. Evaluate the use and complexity of spreadsheets
3. Determine the necessary level of controls for “key” spreadsheets
4. Evaluate existing “as is” controls for each spreadsheet
5. Develop action plans for remediating control deficiencies

To learn more about how I can help you with spreadsheet modelling, model review, testing, audit and control, see

Recent news of fraud and expensive mistakes requiring compensation have prompted leading banks, financial institutions, manufacturing, and service industries to take a harder look at the risks they are exposed to from spreadsheet applications.

I have been involved with spreadsheets and modelling over many years. In the five years since the foundation of Eusprig, I have developed a particular expertise in detailed testing of spreadsheet models and their structural integrity.  In common with other practitioners, I have found that every customer is always surprised at the defects that are uncovered.

When you are reviewing  your internal controls, whether for Sarbanes-Oxley (SOX) or other compliance concerns, call on me for a thorough review of your spreadsheet applications. Phone +353 55 22294 or email me .

Book: Excel best practices

Excel Best Practices for Business: Covers Excel 2003, 2002, and 2000 by Loren Abdulezer, rrp $45. Also covers XML, spreadsheet portals, makeovers, and assistive technologies.



Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

5) Off Topic

Business Books

How 51 Gorillas Can Make You Seriously Rich
Or, why so many business books are awful. The formula seems to be: keep the sentences short, the wisdom homespun and the typography aggressive; offer lots of anecdotes, relevant or not; and put an animal in the title—gorillas, fish and purple cows are in vogue this year.

Explorer error message ;-)

Search for "weapons of mass destruction" in Google, click "I'm feeling lucky" and you might get "Not Found"

Software Project Cartoons

You've all seen the classic cartoon about software design where "what the client really wanted" was a tyre hung from a branch. There are variations at of which this one amused me:



Copyright 2004 Systems Modelling Limited, . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com - it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to from your web site!
To read previous issues of this newsletter please visit our web site at

This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website 
