PraxIS May 2006

_______________________________________________________

Welcome to PraxIS

This issue is a little shorter and a little earlier because I shall be away for the first two weeks of May. All feedback on content is welcome!

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  IT Risk and Security

Microsoft April Patch problems

When I get updates from MS, I have it set to "Notify me but don't automatically download or install them" rather than just installing willy-nilly. In April I discovered a request to install a beta version of a "Microsoft Genuine Advantage" tool. Does that sound like a good idea? What it does is report your OS license status to MS. And it cannot be uninstalled (officially, anyway). Needless to say I declined to take advantage of it - who needs to install beta software?

http://support.microsoft.com/default.aspx/kb/918165 You may experience problems in Windows Explorer or in the Windows shell after you install security update MS06-015

Other articles on the April problems are:

http://windowssecrets.com/comp/060427/  Brian Livingston reports that Microsoft re-released on Apr. 25 a security patch that had been issued 14 days earlier in the company's monthly Patch Tuesday schedule. In Internet Explorer, typing www.website.com does not work. Typing website.com does not work. The only way for IE to bring you anywhere is to type http://www.website.com.

http://blog.washingtonpost.com/securityfix/2006/04/ms_expands_antipiracy_program.html With no notice, Microsoft began installing Genuine Advantage to users in English-speaking countries and Malaysia on Apr. 25.

http://news.zdnet.com/2100-1009_22-6063529.html  "In discussion forums on Microsoft's Web site, users report several issues with Outlook Express after installing the latest update .. can cause trouble on computers that run certain Hewlett-Packard photo-sharing software or the Kerio firewall." The MS06-015 update installs a new executable to validate shell extensions before they are loaded into the Windows Shell or Windows Explorer.

Security Awareness Yahoogroup

http://groups.yahoo.com/group/security-awareness/

The security awareness group provides a forum to discuss awareness program methodologies and share security awareness tips. Awareness tips are written with the average person as the intended audience. This forum often posts links to free awareness videos and training materials from governmental sources. Over the last three years, I found it a useful source of starting materials.

Open Information Systems Security Assessment Framework Draft 0.2

I mentioned OISSG in the Jan 2005 PraxIS and now they have released a 1,262 page draft update.

The Information System Security Assessment Framework (ISSAF) is a peer reviewed structured framework that details specific evaluation or testing criteria for a number of areas. A draft version of this framework is available at OISSG website at: http://www.oissg.org/issaf 

The Open Information Systems Security Group (OISSG) was established with the objective of evolving a set of Open Standards, Guidelines and Best Practices Collection in the area of information security. The ISSAF seeks to integrate the following management tools and internal control checklists:

• Evaluate the organizations information security policies & processes to report on their compliance with IT industry standards, and applicable laws and regulatory requirements
• Identify and assess the business dependencies on infrastructure services provided by IT
• Conduct vulnerability assessments & penetration tests to highlight system vulnerabilities that could result in potential risks to information assets
• Specify evaluation models by security domains to:
  • Find mis-configurations and rectifying them
  • Identify risks related to technologies and addressing them
  • Identify risks within people or business processes and addressing them
  • Strengthen existing processes and technologies
  • Provide best practices and procedures to support business continuity initiatives

____________________________________________________________
____________________________________________________________   

2) Quality

Unconscious Incompetence

Dunning and Kruger's 2000 Ig Nobel Prize-winning report reminds me of Ray Panko's research into overconfidence among spreadsheet users.

"Unskilled and Unaware of It: How Difficulties in Recognizing One's Own Incompetence Lead to Inflated Self-Assessments"
http://www.apa.org/journals/features/psp7761121.pdf

Justin Kruger and David Dunning
Cornell University
People tend to hold overly favorable views of their abilities in many social and intellectual domains. The
authors suggest that this overestimation occurs, in part, because people who are unskilled in these
domains suffer a dual burden: Not only do these people reach erroneous conclusions and make
unfortunate choices, but their incompetence robs them of the metacognitive ability to realize it. Across 4
studies, the authors found that participants scoring in the bottom quartile on tests of humor, grammar, and
logic grossly overestimated their test performance and ability. Although their test scores put them in the
12th percentile, they estimated themselves to be in the 62nd. Several analyses linked this miscalibration
to deficits in metacognitive skill, or the capacity to distinguish accuracy from error. Paradoxically,
improving the skills of participants, and thus increasing their metacognitive competence, helped them
recognize the limitations of their abilities.

Grumpy IT Managers

http://www.cutter.com/trends/fulltext/advisor/2006/btt060420.html In an article by Ken Orr, Fellow, Cutter Business Technology Council, entitled "What to Keep and What to Throw Away", he said:

"Recently, my colleagues on the Cutter Business Technology Council got into a very heated exchange on the state-of-the-art in software development. A couple of members of the Council were particularly disturbed by the level of knowledge in fundamental principles that some of their recent computer science graduates were exhibiting. [...] Almost everyone on the Council chimed in with their own disaster stories with development that involved very smart but very narrow software developers who knew a great deal about object patterns, J2EE, or Hibernate, but almost nothing about data modeling, requirements definition, or relational database theory. Some time in the last decade, major elements of what professional developers need to know somehow got dropped from the CS curriculum. "

I particularly liked his observation on a huge (600-700 pages) book on SOA, "most of which was devoted to making what is a relatively straightforward idea exceedingly obtuse."

I have a number of correspondents who also comment to me on the difficulty of managing the ever more complex software architectures of today. The Irish Computer Society have started a group of Information Architects for people who have this top-level view.

____________________________________________________________
____________________________________________________________

3) ICT news in Ireland

Irish National Developers Conference 2006

The first Irish National Developers Conference will be hosted by the Ireland Net Developers Alliance in association with the Irish Computer Society this May. The event is aimed at developers, project managers, technical architects and company directors, or anyone with an involvement in software development.

Guest speakers will share their experiences on collaborative development software and techniques and will give delegates an opportunity to hear about cutting edge advances in the field.

The keynote speaker, Scott Guthrie from Microsoft US, co-founded the ASP.NET Team and leads the design team responsible for architecting the product. Prior to ASP.NET, Scott was a member of the IIS and Windows NT development teams. He will talk on Atlas, the promising .Net technology for rich web applications.

For more information visit http://www.developers.ie

Venue: Morrison Hotel, Lwr Ormond Quay, Dublin 1 Date: Wednesday & Thursday 4th, 5th May Time: Wednesday 4th: 7pm - 9pm Thursday 5th: 9am - 6pm Cost: Registration fee 50 euro.

ICS Conferences at ICT Expo

Thursday & Friday 3rd & 4th May, RDS, Dublin

The Irish Computer Society and its training and certification body ICS SKILLS will hold annual conferences in tandem with ICT Expo 2006. The ICS events, which are open to the public, will be held in the RDS Dublin on Thursday and Friday 4th-5th May.

A multi threaded programme of conferences will cater for the interests of various special interest groups. Many of the ICS Networks are represented with conferences on issues relating to technology for the sales force, information quality, public sector and health informatics scheduled. The Annual ICS SKILLS IT Trainers Conference will bring together trainers, courseware and test providers, test centres and ICS SKILLS programme candidates.

More details on speaker topics is available at www.ics.ie/expo 

____________________________________________________________
____________________________________________________________

4) Spreadsheets

Eusprig 2006 Conference, Cambridge, UK, July 5-7, 2006

The Sixth annual conference and AGM of the European Spreadsheet Risks Interest Group ( www.eusprig.org ) will be sponsored by Mobius Systems. The Mobius offering on Spreadsheet Compliance has been described as "an answer to spreadsheet hell" by the Bloor Analyst Group on their IT-Director.com web site. 

The Eusprig conference theme is Managing Spreadsheets: Improving corporate performance, compliance and governance. The venue is Fitzwilliam College, University of Cambridge, Cambridge UK. The programme chair tells me the conference programme is already full and the papers will be announced shortly. Bookings can be made at the UWIC web site:

http://www.uwic.ac.uk/eusprig/2006/index.htm

Spreadsheet Check and Control - " a unique book"

Dennis Cantellops is the author of the US FDA Laboratory Information Bulletin 'Spreadsheet Design, Verification and Validation'. DFS/ORA. Laboratory Information Bulletin. No. 4349. It is available from http://www.wimmersystems.com/lib4349.pdf

He has said of my book:

Spreadsheet Check and Control is a unique book which encourage developers and users to use safety features in the development of spreadsheet applications. It provides techniques for the testing for accuracy to detect and prevent errors which make this book an excellent source of reference for the development of spreadsheets. Also, mention spreadsheet policies which is a must in any organization.

In the category for "Review", includes excellent sections for "Testing" and "Data Integrity". It provides useful safety procedures for testing to reduce errors.

Dennis Cantellops, QAM US FDA, San Juan District 466 Fernandez Juncos Ave. San Juan, P.R.

Spreadsheet Check and Control: 47 best practices to detect and prevent errors

http://sysmod.buy.ie/catalog/product_info.php?products_id=188  Our offer - free shipping to EU in May  2006.

http://www.sysmod.com/az.php?a=190540400X&b=Spreadsheet+Check+Control Available worldwide from Amazon.

A reader has posted this review on Amazon UK: "Asking the right questions, March 27, 2006"

This book begins by acknowledging the presence of "an elephant in the room" - that diverse herds of end-users put their careers on the line by making business critical decisions on the basis of hand-crafted spreadsheets. To those of us with self-critical faculties, however, there is a running sense of unease about the risks being run. If end-users stay up-to-date on Excel training and willingly share their insights about better quality then these problems can be kept under control - but does this sound like your work environment?

"Spreadsheet Check and Control" demonstrates painful familiarity with past mistakes and methods to minimise them in the future. It takes a "quality matters" perspective and gets down and dirty with low-level Excel details. The reader can retain his or her business expertise - this book tackles that fuzzy mix of professional skills (architect + programmer + auditor) needed to translate your business expertise to spreadsheets while sleeping easier at night over that errant error that could spell doom. If you're realistic enough to admit that you can make spreadsheet errors, then why not be proactive and try to reduce the frequency and severity of these errors by reading this book?

ScanXLS user feedback

http://www.sysmod.com/scanxls.htm  is my Excel utility to scan directories for spreadsheets, build a cross-reference of their dependencies, and help assess their quality. Recent user comments include:

• Many thanks for the fast delivery of this excellent tool. It saved me one hell of a lot of work. Well worth the money!
• I have started to use SCANXLS and it is proving very useful. My aim is to take better control of the spreadsheets used within out Health, Safety and Environment area. To start with I am using it to gather an inventory of spreadsheets.

_______________________________________________________
_______________________________________________________

FEEDBACK

Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

5) Off Topic

Tippling and Taxes

The Annals of Improbable Research report on a study called "Violence-Related Injury and the Price of Beer in England and Wales." The study supplies (among other things) the logic for an intriguing alternative method by which the British chancellor of the exchequer might reduce the number of assaults: stop young people having jobs.

For details see http://improbable.com/2006/04/13/guardian-column-4/

_______________________________________________________
_______________________________________________________

Copyright 2006 Systems Modelling Limited, http://www.sysmod.com . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com - it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the sysmod.com web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
_______________________________________________________
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
______________________________________________________
ARCHIVES
To read previous issues of this newsletter please visit our web site at http://www.sysmod.com/praxis.htm

DISCLAIMER
This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
_______________________________________________________
PRIVACY POLICY:
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website http://finance.groups.yahoo.com/group/EuroIS/
_______________________________________________________