From: secedu@all.net
Reply-to: secedu@all.net
Organization: Information Security Educators Mailing List
Subject: Information Security Educators Mailing List 1999-04-21
---------------------------------------------
Date: Tue, 20 Apr 1999 11:14:09 -0700
From: "Randy A. Shostak" <rshostak@vse.ca>

Security Forum 1999 is an information systems security conference
organized by the CIPS Vancouver Security Special Interest Group, the
Canadian Information Processing Society (CIPS) and the Information
Systems Audit and Control Association (ISACA).  

The conference takes place on October 19, 1999 in Vancouver, British
Columbia, Canada.

We recently sent out a call for presenters and perhaps some of you would
be interested in submitting.  The URL below has more information about
the conference and submission guidelines.  Please forward it to anyone
else who may be interested.

http://www.vancouver.cips.ca/security/Call_for_Presenters.html

Regards,
Randy Shostak
Technology Information Security Officer, Vancouver Stock Exchange
President, CIPS Vancouver Security SIG
Coordinator, Security Forum 1999
---------------------------------------------
From: "Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca>
Date: Wed, 21 Apr 1999 08:27:03 -0800

BKY2KRSM.RVW   990312

"Y2K Risk Management", Steven H. Goldberg/Steven C. Davis/Andrew M.
Pegalis, 1999, 0-471-33352-2, U$39.99/C$62.50
%A   Steven H. Goldberg www.dr2000.com
%A   Steven C. Davis www.davislogic.com
%A   Andrew M. Pegalis www.consult2000.com
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1999
%G   0-471-33352-2
%I   John Wiley & Sons, Inc.
%O   U$39.99/C$62.50 416-236-4433 fax: 416-236-4448 rlangloi@wiley.com
%P   312 p.
%T   "Y2K Risk Management"

Bit late in the day for a Y2K book, wouldn't you say?  Well, as the
authors point out, some action is better than none.  And, as they also
point out, this marks your last chance to take a look at what you are
doing, and make sure you are getting the greatest benefit for your
time and effort.

Chapter one is the fairly obligatory "sell or scare" piece.  While
similar to others of the same ilk, it does stress the importance of
interconnected and interoperating systems, as well as emphasizing the
business and legal risks.  On the other hand, it doesn't do a very
good job of presenting the background and technical aspects, for
example discussing different types of computers rather than various
data structures or date usage.  In the same way as many essays on
building a Y2K team, chapter two looks at starting a risk management
project directed at Y2K.  The concepts are presented reasonably, but
the details aren't terribly useful.  Starting a project, and getting
it up to speed as quickly as possible, is covered in chapter three. 
Unfortunately, the advice consists, as usual, of "get the right
people, have the right plan, do the right things," with the
particulars left as an exercise to the reader.  Chapter four, on legal
aspects, is lengthy and detailed, usually explains the concepts well,
occasionally slips into legalese, sticks primarily to common law, but
does sometimes lapse into the US-centric black hole.  Dealing with
suppliers and providers is handled much better than in most books in
chapter five.  One issue hinted at, but not adequately covered, is the
possibility of a single point of failure removed one or more layers of
suppliers from you, such as having multiple grocery suppliers--all of
whose delivery fleets obtain fuel from the same source.

Chapter six, as did chapter three, gives the usual "do the right
thing" counsel for contingency planning.  Large corporate decisions
and Y2K are reviewed in chapter seven, but not really tied together. 
"Due diligence" was a large factor in chapter four: chapter eight
looks at proving your prudence.  Insurance issues are definitely not
made clear by chapter nine.  Chapter ten's overview of "alternative
dispute resolution" (ADR: for pity's sake, *everything* has a TLA
[Three Letter Acronym]!) will probably have value for many, although
personally I found it rather obvious.  Preparing for litigation, in
chapter eleven, has a lot of very useful background, although much of
it seems to assume you will be the suer instead of the suee.  Post Y2K
planning is brief, but touches on a number of important, and often
unregarded, issues in chapter twelve.

Risk management is not really handled all that well in this book.  A
number of risks are identified, but the control of those hazards is
left vague.  On the other hand, a number of topics dealt with here get
short shrift in other year 2000 guides.  Overall, while I couldn't
recommend it as the only reference for those just starting out, I
would say that, for those seriously into Y2K planning, the book should
handily repay the price and time spent on it.

copyright Robert M. Slade, 1999   BKY2KRSM.RVW   990312

======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
                   Verba volant, scripta manent
         Spoken words fly away, while written words stay on
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
---------------------------------------------
