Asset Valuation Criteria

Asset Valuation Criteria Example

Asset valuation is the process of producing a list of assets and determining their values based on common evaluation criteria. It is challenging because of the diversity of stakeholders and assets. Assets can be tangible or intangible and are evaluated based on criteria such as:

  • Original cost
  • Market value
  • Potential income
  • Replacement or re-creation cost
  • Costs incurred due to the loss of security objectives


CISSP PRACTICE QUESTIONS – 20191107

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. The software development team is implementing the web service in the RESTful style. The software testing team is testing a user story, “As a customer, I want to place an order so that I can buy a toy.” It passed in the testing/lab environment but failed in the staging environment. Which of the following is the most likely reason?
A. The firewall allows the GET method only
B. The intrusion detection system (IDS) misjudged the transaction as a CSRF attack
C. The intrusion prevention system (IPS) allows the POST method only
D. The back-end web server validates every input value
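To make the lab-versus-staging discrepancy in this question concrete, the following is an added Python example, not code from the original post: it stands up the same minimal RESTful /orders service twice, once with nothing in front of it and once behind a simulated perimeter filter that passes only GET, and runs the user story against both. The service, the filter (the `allowed` method set) and the order payload are constructed for illustration.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample order for the user story "place an order".
ORDER = {"sku": "TOY-001", "qty": 1}


class OrderApi(BaseHTTPRequestHandler):
    """Minimal RESTful /orders resource: GET lists orders, POST creates one.

    ``allowed`` stands in for a perimeter device (firewall/WAF) in front of the
    service: None passes every method, a set passes only the listed ones.
    """
    allowed = None

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _blocked(self):
        # self.command is the HTTP method of the current request.
        if self.allowed is not None and self.command not in self.allowed:
            self._send(403, {"error": f"{self.command} blocked by perimeter filter"})
            return True
        return False

    def do_GET(self):
        if not self._blocked():
            self._send(200, {"orders": []})

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self._blocked():
            self._send(201, {"id": 1, **json.loads(body or b"{}")})

    def log_message(self, *args):
        pass  # keep the console quiet


class LabApi(OrderApi):
    allowed = None            # lab: nothing in front of the service


class StagingApi(OrderApi):
    allowed = {"GET"}         # staging: perimeter passes GET only


def start(handler):
    """Bind on a free loopback port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def request(url, method, body=None):
    """Issue one request and return its status code (4xx/5xx included)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def place_order(base_url):
    """The user story as the test team runs it: browse (GET), then order (POST)."""
    return {"GET": request(base_url + "/orders", "GET"),
            "POST": request(base_url + "/orders", "POST", ORDER)}


def run_story_in(environment):
    """Run the story against a simulated 'lab' or 'staging' environment."""
    srv, base = start({"lab": LabApi, "staging": StagingApi}[environment])
    try:
        return place_order(base)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for env in ("lab", "staging"):
        print(env, run_story_in(env))
```

The client code is identical in both runs; only the environment differs. The GET step succeeds everywhere, while the POST that creates the order returns 201 in the lab and 403 in staging, which is exactly the symptom the test team reports. Looping `request` over a list of methods against a real staging endpoint turns the same code into a quick probe of what the perimeter actually allows.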


A Good Old Day Story

GoodOldDays

20 years ago, I started offering dial-up, virtual server, and hosting services as a local mini ISP (internet service provider).

What I owned was a set of simple equipment, such as a 16-port modem pool, a hardened FreeBSD box serving as RADIUS, DNS, WWW, and mail server, a Moxa Async Server as the network access server (RADIUS client), a 10BaseTX switch hub, and a Cisco 1601 router.

The WAN connection was a 64Kb leased line with a Class C public IP address.

The business closed after one and a half years of operation because of the dot-com bubble.

That’s a good old day story!

Risk Capacity and Risk Appetite

Diverse Definitions of Risk Terms

The table above summarizes the diverse definitions of risk terms. The following diagram depicts the concept of risk acceptability and tolerability and proposes using risk terms largely aligned with the definitions mentioned in the above table.

Risk Acceptability and Tolerability (2023/03/15)
  • Risk Exposure is the potential loss presented to an individual, project, or organization by a risk. (ISO 16085:2006)
  • Risk Tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. (ISACA, 2019)
  • Risk Threshold is the level of risk exposure above which risks are addressed and below which risks may be accepted. (PMBOK Guide — Sixth Edition)
  • Risk Treatment is the process to eliminate risk or reduce it to a tolerable level. (ISO 15026-3:2015)
  • Risk Appetite is the amount and type of risk that an organization is willing to pursue or retain. (ISO/Guide 73:2009)
  • Risk Capacity refers to the maximum amount of risk that an organization is able to endure.

The following diagram was released earlier in 2022:

Risk Capacity and Risk Appetite R2 (2022/07/18)

The following diagram was released earlier in 2019:

Risk Capacity and Risk Appetite R1 (2019/11/06)

CISM Perspectives

The following is an excerpt from the CISM Review Manual, 15th Edition:

1.2.2 DETERMINING RISK CAPACITY AND ACCEPTABLE RISK (RISK APPETITE)

Every organization has a particular risk capacity, defined as the objective amount of loss an enterprise can tolerate without its continued existence being called into question. Subject to the absolute maximum imposed by this risk capacity, the owners or board of directors of an organization set the risk appetite for the organization. Risk appetite is defined as the amount of risk, on a broad basis, that an entity is willing to accept in pursuit of its mission. In some cases, setting the risk appetite may be delegated by the board of directors to senior management as part of strategic planning.

Acceptable risk determination or risk appetite and the criteria by which it can be assessed is an essential element for virtually all aspects of information security as well as most other aspects of organizational activities. It will determine many aspects of strategy including control objectives, control implementation, baseline security, cost-benefit calculations, risk management options, severity criteria determinations, required incident response capabilities, insurance requirements and feasibility assessments, among others.

Risk appetite is translated into a number of standards and policies to contain the risk level within the boundaries set by the risk appetite. These boundaries need to be regularly adjusted or confirmed. Within these boundaries, risk may be accepted, a formal and explicit process that affirms that the risk requires and warrants no additional response by the organization as long as it and the risk environment stay substantially the same and accountability for the risk is assigned to a specific owner.

Risk acceptance generally should not exceed the risk appetite of the organization, but it must not exceed the risk capacity (which would threaten the continued existence of the organization). Risk tolerance levels are deviations from risk appetite, which are not desirable but are known to be sufficiently below the risk capacity that acceptance of risk is still possible when there is compelling business need and other options are too costly. Risk tolerance may be defined using IT process metrics or adherence to defined IT procedures and policies, which are a translation of the IT goals that need to be achieved. Like risk appetite, risk tolerance is defined at the enterprise level and reflected in the policies created by senior management. Exceptions can be tolerated at lower levels of the enterprise as long as the overall exposure does not exceed the risk appetite at the enterprise level.

Source: CISM Review Manual 15th edition

The following diagram is my attempt to summarize the excerpt above:

Risk Capacity and Risk Appetite (CISM)

CISSP PRACTICE QUESTIONS – 20191106


Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. The software testing team reported a bug that users cannot change passwords after signing in. The development team fixed the bug and asked for testing. However, the software testing team reported another bug that users cannot sign in to the system. Which of the following best describes the testing that should have been conducted?
A. Code review
B. Regression testing
C. Automated UI testing
D. Integration testing


What is Business Continuity Management?

BCM_ISO_DRI_BCI

Definition

Business Continuity Management is a systematic approach to develop and exercise an organization’s capability to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption. It safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

ISO 22301:2019

Business Continuity is the capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption. (ISO, 2019)

ISO 22300

Business Continuity is the capability of the organization to continue the delivery of products or services at acceptable predefined levels following a disruptive incident. (The definition has been replaced.)

International Glossary for Resiliency

Business Continuity Management is a “Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”

ISO, DRI, and BCI

There are three primary business continuity related organizations. The International Organization for Standardization (ISO) defines the ISO 22301 standard; the Disaster Recovery Institute (DRI) and the Business Continuity Institute (BCI) publish professional practices and administer business continuity certifications.

Certifications

BCI administers the Certificate of the BCI (CBCI), while DRI manages the Associate Business Continuity Planner (ABCP), Certified Functional Continuity Professional (CFCP), Certified Business Continuity Professional (CBCP), and Master Business Continuity Professional (MBCP) certifications.

CISSP PRACTICE QUESTIONS – 20191105


Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. As code quality is a priority, the development team decides to implement unit testing. Which of the following is the best strategy in practice?
A. Task the software testing team to write unit testing code for separation of duty
B. Ask developers to write unit testing code before writing production code
C. Request developers to write unit testing code after writing production code
D. Demand the system analysts specify the unit testing specification before writing production code


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.


CISSP PRACTICE QUESTIONS – 20191104


Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. As code quality is a priority, the development team is evaluating a solution that can identify or discover defects at the source code level in the fastest way. Which of the following is the best strategy?
A. Code review
B. Regression testing
C. Pair programming
D. Unit testing
