
Faculty of Informatics and Computer Science

Dr. Mostafa Shokry


Eng. Salma Abo-Zaid 14 March 2024

Business Continuity and Risk Management


Spring 2024
Quiz 1
“Model Answers”

Question 1 (2 Marks)

If a remote access policy is required to be implemented to allow offsite access only through a
company-approved and supported VPN, what is the type of policy that is required to be
implemented?
A. Enterprise Information Security Policy.
B. Issue-Specific Security Policy.
C. Systems-Specific Security Policy.

Question 2 (2 Marks)

From the attack scenario shown in the previous figure, determine the following:

1- Threat source: Attacker
2- The vulnerability: Weak Password or Weak Credential
3- The asset: Employee Data or Organization Data.

Question 3 (2 Marks)

“The organization (X) has a tolerance for risk, allowing it to achieve its business objectives in a
manner that is compliant with the laws and regulations in the jurisdiction in which it operates.

The organization (X) has a low-risk appetite for losing its business and customer data when a cyber
event occurs. The organization has a medium risk appetite for physical information security assets
and will track assets greater than US$2,000. Information assets will be protected per the
organization's data classification framework. The organization has a high-risk appetite for access
controls. All access to the organization's mission-critical systems will be controlled via biometric
authentication.”

Based on the previously mentioned risk appetite statement, determine the risk appetites for
organization (X).
1. Low-risk appetite for losing its business and customer data when a cyber event occurs.
2. Medium risk appetite for physical information security assets.
3. High-risk appetite for access controls.

Question 4 (2 Marks)

Unauthorized access to the retail system or customer payment information is restricted
with POS security software, because any data breach or malicious activity may lead to huge
financial losses, legal liabilities, or reputational damage. What is the appropriate risk treatment
approach for this risk scenario?

A. Risk Acceptance.
B. Risk Avoidance.
C. Risk Mitigation.

Question 5 (2 Marks)

The business impact analysis step is an essential step in:

A. Risk Assessment Process.
B. Risk Management Process.
C. Contingency Plan Process.

Question 6 (2 Marks)

The timeframe within which applications and systems must be restored after an outage.

A. RTO.
B. RPO.
C. WRT.
D. MTD.

Question 7 (2 Marks)

The —— is used to collect information: individuals from a particular business area, along with
their managerial team, are brought together to brainstorm answers to the questions posed by the
BIA process.

A. Facilitated Data-Gathering Session.
B. Data Management Session.
C. System Log Session.
D. BIA Questionnaire.

Question 8 (2 Marks)
The —— provides a detailed identification and prioritization of critical business functions that
would require protection and continuity in an adverse event.

A. Business Continuity.
B. Risk Management.
C. Business Impact Analysis.
D. Risk Assessment.

Question 9 (2 Marks)

—— is the process of keeping track of a user’s activity while accessing network resources,
including the amount of time spent in the network, the services accessed while there, and the
amount of data transferred during each session.

A. Accounting.
B. Authentication.
C. Authorization.
D. Non-repudiation.

Question 10 (2 Marks)

In a CPMT, a(n) —— should be a high-level manager with
influence and resources that can be used to support the project team, promote the objectives
of the CP project, and endorse the results that come from the combined effort.
A. Project Manager.
B. Champion.
C. Business Manager.
D. Information Security Manager.
