1. An employee is caught running a cryptocurrency mining operation on company servers. The company claims the activity violated organizational policy. For this claim to be legally defensible and limit the company's liability for the employee's use of its systems, what policy document must the employee have previously acknowledged?
2. An organization's BCP document specifies that if the order management system is unavailable, orders should be taken by phone and recorded on paper forms. An auditor tests this procedure and discovers that the paper forms were redesigned two years ago but the BCP still references the old form numbers, and no staff member knows where current blank forms are stored. What BCP requirement did the organization fail to meet?
3. A ransomware attack has encrypted the primary data center servers. The organization's disaster recovery plan directs IT to restore operations at a secondary site with real-time data mirroring and fully operational infrastructure. What type of recovery site is the secondary location?
4. During a security incident, a GDPR-regulated company's compliance officer is responsible for ensuring a 72-hour breach notification is submitted to the appropriate data protection authority. Which incident response role does this responsibility belong to?
5. A software development team follows a methodology where they deliver working features every two weeks and adjust requirements based on stakeholder feedback each sprint. Security testing is integrated into each sprint cycle using automated SAST tools in the CI/CD pipeline. Which SDLC methodology is this?
6. A network engineer makes an undocumented emergency change to a firewall rule to fix a connectivity issue late Friday night. The following week, a security audit reveals that the change opened an inbound port that is now being actively exploited. What change management policy requirement was violated, and what would have prevented this?
Matching: Security Policy Concepts
Match each policy concept (1–4) to its correct description (A–D).
1RTO (Recovery Time Objective)
2Acceptable Use Policy
3Change management fallback procedure
4Business Impact Analysis (BIA)
AIdentifies which business functions are most critical, how long each can be suspended before unacceptable harm results, and what dependencies exist between functions
BThe maximum time an organization can tolerate being without a specific system or service before the business impact becomes unacceptable
CDefines permitted and prohibited uses of organizational systems; requires employee acknowledgment to limit organizational legal liability for employee misuse
DA documented rollback plan required for every system change; defines how to restore the previous state if the change fails or produces unacceptable results