Explanation
A disaster recovery plan (DRP) is a set of detailed, documented guidelines that outline a business' critical assets and explain how the organization will respond to unplanned incidents. Unplanned incidents or disasters typically include cyberattacks, system failures, power outages, natural disasters, equipment failures, or infrastructure damage1. A DRP aims to minimize the impact of a disaster on the business continuity, data integrity, and service delivery of the organization. A DRP also helps the organization recover from a disaster as quickly and efficiently as possible.
A DRP should include steps for obtaining replacement supplies, as this is an essential part of restoring the normal operation of the organization after a disaster. Replacement supplies may include hardware, software, data, network components, office equipment, or other resources that are needed to resume the business functions and processes that were disrupted by the disaster. Obtaining replacement supplies may involve contacting vendors, suppliers, or partners; activating backup or alternative systems; or purchasing or renting new equipment. A DRP should identify the sources, locations, and costs of the replacement supplies, as well as the procedures and responsibilities for acquiring and installing them.
The other three options are not steps that a DRP should include, as they are either part of the pre-disaster planning process or not directly related to the disaster recovery objectives. Assessing and quantifying risk is a step that should be done before creating a DRP, as it helps identify the potential threats and vulnerabilities that could affect the organization and determine the likelihood and impact of each scenario2. Negotiating contracts with disaster planning consultants is also a pre-disaster activity that may help the organization design, implement, test, and maintain a DRP with external expertise and guidance3. Identifying application control requirements is not a step in a DRP, but rather a part of the application development and maintenance process that ensures the quality, security, and reliability of the software applications used by the organization.
Therefore, obtaining replacement supplies is the correct answer.
References:
What is a Disaster Recovery Plan? + Complete Checklist
Risk Assessment - ISACA
Disaster Recovery Planning - ISACA
[Application Controls - ISACA]

Comprehensive and Detailed Step-by-Step Explanation:
A lack ofMobile Device Management (MDM) enrollmentis the biggest concern, asunmanaged devicespose a serious security risk.
* Not All Devices Enrolled in MDM (Correct Answer - C)
* Unenrolled devices can bypass security policies.
* Example:A stolen, unenrolled device may lack encryption, exposing corporate data.
* Biometric Authentication Required (Incorrect - A)
* Biometrics are anenhanced security measure, not a concern.
* VPN Not Required for Internal Network (Incorrect - B)
* VPNs are typically used for external access, not always needed internally.
* Remote Wipe Requires Internet (Incorrect - D)
* A limitation but stillless riskythan allowing unsecured devices.
References:
* ISACA CISA Review Manual
* NIST 800-124 (Mobile Device Security)